Cannot disable Windows Defender with Malwarebyte Premium installed

OrigamiSS · December 15, 2020

Hi,

I was referred here by another member of the forum. Seems like my Windows security center is not reading the registry correctly and not recognizing Malwarebytes is installed and active so it will not disable Microsoft defender.

See original post:

Thank you.

mbst-grab-results.zip Addition.txt FRST.txt

Maurice Naggar · December 15, 2020

Hello.

Thanks for the support tool report. It shows the pc is being protected by both Malwarebytes Premium and Windows Defender.

AntiVirus Information
==================================
Anti-Virus Product :    Windows Defender
   Up To Date:   Yes   Enabled:   On
Anti-Virus Product :    Malwarebytes
   Up To Date:   Yes   Enabled:   On

That being so would work fine. If you truly want to not have the Windows 10 Microsoft Defender Antivirus real-time monitoring I can help with that.

However, that all aside, it seems that at one point in the past, you had possibly used AVG or Avast antivirus or some other app like Webroot that has placed a set of policy limitations on this system. I will help you to remove those later. For now, lets do this at this point.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Do a FULL scan.

Let me know the result of this. The log is named MSERT.log

the log will be at %SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

Edited December 15, 2020 by Maurice Naggar

Maurice Naggar · December 15, 2020

PART TWO. After completing the scan with the MSERT from Microsoft.

These next steps are aimed to cleanup any leftover traces of Webrrot and to remove the policy restrictions that prevent making any changes to the Microsoft Windows Defender antivirus service, and to run the Windows System File Checker ( SFC ) and to run the DISM app to check the health of this Windows. When all is done, the expectation is that the Microsoft Windows Defender service will be set to on demand ability, rather then always running automatically with Windows startup.
By the way, then end goal is not to disable Windows Defender. That is because we still want to be able to run and use it on-demand. The goal is just to not have it automatically loaded & active at each Windows startup.
Please do all of the following steps, as much as possible. Do all. If you have questions, stop and ask first.
[ 1 ]
What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.
There is a how-to at Tenforums. Use either option one or two or three
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
[ 2 ]
Get & use the ESET AV Remover tool to remove any leftover traces of Webroot.
Firsy, download and save the tool from
https://download.eset.com/com/eset/tools/installers/av_remover/latest/avremover_nt64_enu.exe
Then run the tool.
The how-to-instructions are at https://support.eset.com/en/kb3527-eset-av-removerlist-of-removable-applications-and-instructions-to-run-the-tool
[ 3 ]
When all that is done, proceed forth with this custom fix script.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

.

This custom script is for OrigamiSS only / for this machine only.

The custom Fix script is going to be used by the FRSTRNGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder

The tool named FRSTENGLISH .exe tool is already on the Downloads
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Sincerely.

Fixlist.txt

OrigamiSS · December 15, 2020

Thank you for the detailed steps! I am doing the scan right now will report back when it is done.

OrigamiSS · December 15, 2020

Thank you for the detailed steps! I am doing the scan right now will report back when it is done.

OrigamiSS · December 15, 2020

4 hours ago, Maurice Naggar said:

Hello.

Thanks for the support tool report. It shows the pc is being protected by both Malwarebytes Premium and Windows Defender.

AntiVirus Information
==================================
Anti-Virus Product :    Windows Defender
   Up To Date:   Yes   Enabled:   On
Anti-Virus Product :    Malwarebytes
   Up To Date:   Yes   Enabled:   On

That being so would work fine. If you truly want to not have the Windows 10 Microsoft Defender Antivirus real-time monitoring I can help with that.

However, that all aside, it seems that at one point in the past, you had possibly used AVG or Avast antivirus or some other app like Webroot that has placed a set of policy limitations on this system. I will help you to remove those later. For now, lets do this at this point.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Do a FULL scan.

Let me know the result of this.   The log is named MSERT.log

the log will be at %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

msert.log

OrigamiSS · December 15, 2020

2 hours ago, Maurice Naggar said:

PART TWO. After completing the scan with the MSERT from Microsoft.

These next steps are aimed to cleanup any leftover traces of Webrrot and to remove the policy restrictions that prevent making any changes to the Microsoft Windows Defender antivirus service, and to run the Windows System File Checker ( SFC ) and to run the DISM app to check the health of this Windows. When all is done, the expectation is that the Microsoft Windows Defender service will be set to on demand ability, rather then always running automatically with Windows startup.
By the way, then end goal is not to disable Windows Defender. That is because we still want to be able to run and use it on-demand. The goal is just to not have it automatically loaded & active at each Windows startup.
Please do all of the following steps, as much as possible. Do all. If you have questions, stop and ask first.
[ 1 ]
What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.
There is a how-to at Tenforums. Use either option one or two or three
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
[ 2 ]
Get & use the ESET AV Remover tool to remove any leftover traces of Webroot.
Firsy, download and save the tool from
https://download.eset.com/com/eset/tools/installers/av_remover/latest/avremover_nt64_enu.exe
Then run the tool.
The how-to-instructions are at https://support.eset.com/en/kb3527-eset-av-removerlist-of-removable-applications-and-instructions-to-run-the-tool
[ 3 ]
When all that is done, proceed forth with this custom fix script.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

.

This custom script is for OrigamiSS only / for this machine only.

The custom Fix script is going to be used by the FRSTRNGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder

The tool named FRSTENGLISH .exe tool is already on the Downloads
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Sincerely.

Fixlist.txt 2.39 kB · 1 download

Fixlog.txt

OrigamiSS · December 15, 2020

looks like I cannot edit my post, so I did all the steps, eset didnt find any traces of Webroot. I did the fixlist but after reboot Windows defender is still running like usual.

Maurice Naggar · December 15, 2020

Thanks for the reports. The run with the MS Safety scanner was a very very good cleanup. It found a few trojans and a couple of hack tools.

The scrip run with Fixlist was mainly good. It is not entirely bad that Windows Defender is running. We;; do some other stuff later.

At this point, you can Delete the ESET AV remover tool.

What I suggest we next do is a few different scans, that will not take too much time.

We want to do a special scan.
Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue-color
.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines ( for P U P & for P U M) to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control. We want all P U P & P U M to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈

🔻

Then click on Quarantine selected.

Then, locate the Scan run report; export out a copy; & then attach in with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more later.

OrigamiSS · December 15, 2020

7 minutes ago, Maurice Naggar said:

Thanks for the reports. The run with the MS Safety scanner was a very very good cleanup. It found a few trojans and a couple of hack tools.

The scrip run with Fixlist was mainly good. It is not entirely bad that Windows Defender is running. We;; do some other stuff later.

At this point, you can Delete the ESET AV remover tool.

What I suggest we next do is a few different scans, that will not take too much time.

We want to do a special scan.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON   👈
Click it to get it ON if it does not show a blue-color
.

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left check-box  on the very top line to get ALL lines ticked   ( all selected).   👈

🔻

Then click on Quarantine selected.

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more later.

Hi Looks like scan came back clean.

scan.txt

Maurice Naggar · December 15, 2020

That is very good. This next scan should not take very much time.

Be sure you close all web browsers before you click on the "Scan" button on this next procedure.

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner detects factory Preinstalled applications too!

Please download Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.

At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "

Pre-installed applications

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad. Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder C:\AdwCleaner\Logs

Thanks. Keep me advised. We will be doing more in the next rounds.

OrigamiSS · December 16, 2020

2 hours ago, Maurice Naggar said:

That is very good. This next scan should not take very much time.

Be sure you close all web browsers before you click on the "Scan" button on this next procedure.

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner detects factory Preinstalled applications too!

Please download Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE: When it comes to the section "

Pre-installed applications

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder C:\AdwCleaner\Logs

Thanks. Keep me advised. We will be doing more in the next rounds.

AdwCleaner[C04].txt

Maurice Naggar · December 16, 2020

Thanks for the Adwcleaner report. That run did find adwares & removed them. If you could, I would like to have a fresh run of the FRST reports.

The report tool FRSTENGLISH.exe is on the Downloads folder.

Right-click on FRSTENGLISH.exe and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen.

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt , Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

OrigamiSS · December 16, 2020

9 hours ago, Maurice Naggar said:

Thanks for the Adwcleaner report. That run did find adwares & removed them. If you could, I would like to have a fresh run of the FRST reports.

The report tool FRSTENGLISH.exe is on the Downloads folder.

Right-click on FRSTENGLISH.exe and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen.

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt , Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

Hi Maurice, see attached.

FRST.txt Addition.txt

Maurice Naggar · December 17, 2020

Thanks. Please Delete the prior copy of Fixlist.txt off the Downloads folder. I have here a new one below.