
Malware messed my Windows Update and Windows Defender


Go to solution Solved by Maurice Naggar,


Good morning,

If you are reading this, first of all, let me thank you in advance for the time in this matter.

I will put things into perspective, then put the respective files regarding the situation.

I've been working non-stop for the last month, and I didn't notice that Windows Defender was off. I went to Windows Update, and there was an error: 0x80070057. After 3 long hours of trying different solutions, I managed to fix the problem with this solution: https://www.wintips.org/fix-windows-10-update-service-is-missing/#method-1

After a virus check with cmd.exe, there were 4 malware detected, eliminated with an antivirus from Windows that lasts 10 days (that's what it said in the description; I can't recall the name of the antivirus). I really never used any extra antivirus, I always used Windows Defender only, so it's not a conflict between antiviruses.

Windows Update is now working; the only thing missing is Windows Defender, and I found a very good article on this website:

I had the same issues as this guy, did everything (except some steps, like deleting anti viruses), and his solution in the end of: starting windows in safe mode, allowed me to merge the respective file.

At cmd.exe, the following messages appeared too:

''Result for WMIC SERVICE WHERE Name="windefend" set startmode="auto" was:

Updating property(s) of '\\DESKTOP-PDP3S9S\ROOT\CIMV:Win32_Service.Name="WinDefend"'

Property(s) update successful.

 

Result for net start windefend was:

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.''

 

Thinking this would be the fix for the problem, I restarted the computer, and Windows Defender still shows blank, and doesn't start when I open Windows. I really don't know what else to do.

 

 

Addition.txt FRST.txt


As to the PowerShell screen-grab (above), the "commands" entered belong in an actual Command prompt and not in PowerShell. That is why they did not work.

I would caution to not automatically assume that advice or direction given to others can or should be used without expert guidance.  A lot of times, directions on this forum by our expert helpers is customized specifically to one machine only.

Then I would add that OS commands for Powershell are unique & different to it, and, are not the same syntax at all as the ones for a Command prompt ( CMD ).

.

Please do not do any other self-fixing while this case is open.   Ask me first if you have questions as we go along;  or if something is not clear.

The first thing I need you to do is to use Windows File Explorer.   Go to the folder Downloads

Locate the FRST64.exe

Use the mouse and do a RIGHT-click  and select RENAME

and rename the FRST64  to ENGLISHFRST.TXT


Thank you for the quick reply. I did it in cmd.exe (opened as administrator) as you said before. I did not use PowerShell, like you told me not to on the other thread.

I successfully changed the name of 'FRST64' to 'ENGLISHFRST.TXT'. I will wait for more instructions.

Thank you for your time.


I have made an inadvertent & bad typo. I wrote the wrong extension. That has to be changed!

Locate the file we named ENGLISHFRST.TXT   and rename it to ENGLISHFRST.EXE

 

I am sorry for that typo.

The script on this post is ONLY for this machine and NO other.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The system will be rebooted after the script has run.

.

This custom script is for  Gonzalo96  only / for this machine only.

The  custom Fix script is going to be used by the ENGLISHFRST  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named ENGLISHFRST.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT-click on ENGLISHFRST.exe and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

The expectation after all this, is, that the Microsoft Windows Defender service is set to auto-start.   That it will be active.   That it will be the resident antivirus service.

Fixlist.txt


Let's do a new run with a new script.

Find the old FIXLIST.TXT  on Downloads folder & then Delete it.

.

The system will be rebooted after the script has run.

.

This custom script is for  Gonzalo96  only / for this machine only.

The  custom Fix script is going to be used by the ENGLISHFRST  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named ENGLISHFRST.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT-click on ENGLISHFRST.exe and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

The expectation after all this, is, that the Microsoft Windows Defender service is set to auto-start.   That it will be active.   That it will be the resident antivirus service.

Fixlist.txt


Everything is the same, but this time I think I noticed something I might have done wrong the first time. When I downloaded the 'Fixlist.txt' it said it contained a virus and it just opened and closed. Now this second time, I opened it and manually saved it to the Downloads folder to make sure it's saved.

Did everything like you said, the system has restarted. I am going to proceed to send the respective file.

It just feels like Windows Defender is not installed. I've noticed something too: when I do a ''search of Windows Update'' it always says it's updated, but sometimes it tries to download an update for Windows Defender, and just stays at 0% of ''installing'' and then disappears back to ''Windows updated''.

I will send a printscreen of this, sorry for the Portuguese language on the printscreen.

Fixlog.txt


Have patience and allow that Windows Update to finish. It likely just needs more time.

Do not do anything else on your own. Wait for my further reply later. But in the meantime, do this next report.

This next diagnostic will shed some light on the Windows Update service state.

Download   Farbar's Service Scanner utility from this link

 and Save to your Desktop.

 

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

 

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Other services

 

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Attach FSS.txt into your reply.


Hello again. The link you sent was corrupted; it downloaded and then my computer proceeded to delete it automatically. So I went to a different website and downloaded it, and I will send the FSS.txt attached.

I am starting to notice something, correct me if I am wrong. I am supposed to not have Windows Defender working, however it's preventing some files from corrupting my computer somehow? I then tried to ''Analyse with Windows Defender'' and it showed me this error (I will translate from Portuguese):

'' your IT administrator has limited access to some areas of this application and the item you tried to access is not available. For more information, contact IT technical support.'' ( i send print screen #2 attached in Portuguese with the error).

 

Maybe I don't have permission to use Windows Defender in settings? Yesterday when I was trying to fix this problem, I tried some stuff, and I did what is in this link: https://www.technipages.com/how-to-fix-windows-defender-wont-start

Which didn't have any effect on the problem, but maybe this impacts the permissions of use?

Hopefully I am not making this any more confusing to you sir, I am honestly just trying to think of what it can be. I know it's much easier when the computer is in front of you.

As asked, I will send the FSS.txt

FSS.txt


I am reading this last note.  As I tried to convey before, do not go hunting & searching outside resources or even other posts here.  Please stop trying to self-fix on your own.    Wait for my guidance.  Here is what I would like you to do next.

[    1    ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

please select " FULL " scan from the scan option.

Let me know the result of this.

The log is named MSERT.log 

The log will be at  C:\Windows\debug\msert.log

Go ahead and do all the steps listed below too.

[    2    ]

It appears that 2 Windows services need actions to be done.

I need you to get a download and then Save it to a known area on your computer, such as the DESKTOP or the Downloads folder, and then "merge" it into the system.

Click this link / then Download / then SAVE from  https://download.bleepingcomputer.com/win-services/win-10/wuauserv.reg


Once wuauserv.reg is on your PC, go to that area (that folder) and then
RIGHT-click with your mouse and select MERGE and allow it to proceed and to merge into the system.
Windows will show a confirmation when done.

 

Next

Click this link / then Download / then SAVE from  https://download.bleepingcomputer.com/win-services/win-10/WinDefend.reg


Once windefend.reg is on your PC, go to that area (that folder) and then
RIGHT-click with your mouse and select MERGE and allow it to proceed and to merge into the system.
Windows will show a confirmation when done.

That done, my expectation is that this ought to be a tremendous help. So, next, please do a Windows Restart.
 

NEXT    Just only a visual check.

Press and hold the Windows-flag-key on keyboard and tap the *R* key to get the RUN menu option.

type in

services.msc

and press Enter key. 
Scroll down the list. Look for "Microsoft Defender Antivirus Service".

Does it show in the list as Running?

Please attach the log    C:\Windows\debug\msert.log    with your reply.  


Update:

 

I did everything as said; wuauserv was merged easily, WinDefend could only be merged in safe mode. However, both are merged and I restarted the system in normal mode.

I couldn't find Microsoft Defender Antivirus Service. The only thing I could find related to it was the firewall of Microsoft Defender.

When I try to use Windows Update, it shows the Microsoft Defender update again, and then it just disappears again without me even doing anything and goes back to 'system updated'. It's like it can't be updated, but with no error whatsoever.

I sent the msert.log in the text above.

 


OK, the MS safety scanner reports zero virus / zero malware.  Looking back on the FRST reports, I realize now that this pc does not have Malwarebytes for Windows.

I am listing below, how to install it  ( can be done without cost) & scan with it.   Also to scan with Adwcleaner, just to be sure about adwares.

Then another scan with a different security tool. We want to ensure there is no actual malware at present.

[   1    ]

Get and install Malwarebytes for Windows.

See  Download and install Malwarebytes for Windows – Malwarebytes Support

[   2   ]

In Malwarebytes for Windows program, we want to do a special scan.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON         👈

 

Click it to get it ON  if it does not show a blue-color.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

You can actually click  ( tick )   the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).   👈


 

 

Then click on Quarantine selected.


 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[    3     ] 

Be sure you close all web browsers before you click on the "Scan" button on this next procedure.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

[     4     ]

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.

We will do more later.


You inquired 

Quote

Will they get in conflict between each other?

Answer, No.

As to 

Quote

Should I uninstall these programs now? 

There is no need to rush to do any of that. Adwcleaner you may keep and use on-demand to check for adwares. It is not an "installed" program. It is a free-standing executable program to find adwares & PUP (potentially unwanted programs). It is free to use. Its presence does not conflict.

Malwarebytes for Windows is very handy.  I suggest you keep it installed. I would just suggest one adjustment.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

{   all the way to the left side so that it is set to Off.}

Close Malwarebytes when done.

..

It is good to see the ESET scan app report no virus.  We are done with it. You may delete the downloaded file named esetonlinescanner.exe

.

The scan by Malwarebytes for Windows did do cleanups that are quite handy, timely, and very helpful to this situation.  It did remove a setting on the firewall from a Trojan.BitCoinMiner leftover trace   & also PUM.Optional.DisabledSecurityCenter & also PUP.Optional.Restoro

.

Next, I need you to run one more custom script fix.  The main goal on this is to remove one extremely suspicious driver file.

This custom script is for  Gonzalo96  only / for this machine only.

This run may take something like 30 minutes or so.

 

Let's do a new run with a new script.

Find the old FIXLIST.TXT  on Downloads folder & then Delete it.

.

The system will be rebooted after the script has run.

The  custom Fix script is going to be used by the ENGLISHFRST  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named ENGLISHFRST.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT-click on ENGLISHFRST.exe and select RUN as Administrator to run the tool, and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

Fixlist.txt


Hello again sir, thank you for the effort on fixing this problem.

I will send attached the respective fixlog.

So, windows defender doesn't appear when I start windows, and still appears the same message at the control panel. I will send a printscreen.

(read this when you see the printscreen): On the left side, should be all the icons/options of windows defender, like quickscan etc... and it just shows the same old message.

Captura de ecrã 2021-01-16 190500.png

Fixlog.txt


Thank you for the Fixlog.  That run is a good run.

Now then, please go real slow  and let's not rush.   Take your time.  First, when Windows restarts, it takes time before all is loaded.  And then, normally, it is not expected  to have a visual notice about Microsoft Defender antivirus service.

On the window titled "seguranca do windows"  ( which in English means Windows Security )  you should click on the button that is marked "Abrir a seguranca do windows"   and after that, see the new display on the window that follows.


Hello.  I have to say, that the situation here seems odd.  Let us collect 2 different reports.

[     1      ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Scan button

Next, on the Quick scan pane, click on the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

[     2    ]

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Edited by Maurice Naggar

Thanks for the reports. Just hold on. I now think it is a situation of a registry value that is specific to Microsoft Defender that effectively prevents the display.

Just hold on with me here. I would very much like to gather a different report about the Defender preference, by using an elevated Command prompt.

What follows is a first step to have Windows 10 show all files and folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

Using a Command prompt.   

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe


and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.   paste into the Command prompt window

powershell get-mppreference >%userprofile%\Desktop\myprefs.txt

press Enter-key on keyboard to run this inquiry.  Allow a  minute for it to finish.

When finished, the command prompt window should return with the flashing right-arrow caret symbol.

When it is all completed, there will be a new text file on the Desktop named 

Quote

myprefs.txt

Please attach that file with your next reply.   There will be more to do.  I expect on the next round we will do a special adjustment.
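
An added example, not part of the thread and not the helper's script: a read-only PowerShell equivalent of the checks made above from cmd.exe and services.msc (whether the services are registered, their start mode and state, then Defender's status and preferences). The output file name defender-state.txt is an assumption; the service names and cmdlets are the standard Windows 10 ones.

```powershell
# Added example (read-only): reports state and changes nothing.
# Run from an elevated PowerShell window. Unlike cmd.exe, PowerShell does not
# expand %userprofile%; environment variables are written as $env:USERPROFILE.

$report = [System.Collections.Generic.List[string]]::new()

# Services named in the thread: Defender antivirus, Windows Update,
# and the Security Center service that feeds the Windows Security window.
foreach ($name in 'WinDefend', 'wuauserv', 'wscsvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        # Matches the symptom "I couldn't find the service in services.msc".
        $report.Add(('{0,-10} MISSING: service is not registered' -f $name))
    }
    else {
        $report.Add(('{0,-10} StartMode={1} State={2} ({3})' -f `
            $name, $svc.StartMode, $svc.State, $svc.DisplayName))
    }
}

# Defender's own view of itself. These cmdlets fail when the service is
# absent or stopped, so a failure is recorded as a finding, not hidden.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
    $fields = 'AMServiceEnabled', 'AntivirusEnabled',
              'RealTimeProtectionEnabled', 'AntivirusSignatureLastUpdated'
    foreach ($p in $fields) {
        $report.Add(('{0,-30} {1}' -f $p, $status.$p))
    }
}
catch {
    $report.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
}

try {
    $prefs = Get-MpPreference -ErrorAction Stop
    $report.Add(('{0,-30} {1}' -f 'DisableRealtimeMonitoring',
        $prefs.DisableRealtimeMonitoring))
}
catch {
    $report.Add("Get-MpPreference failed: $($_.Exception.Message)")
}

# Resolve the real Desktop folder (it may be redirected) and save the report.
$desktop = [Environment]::GetFolderPath('Desktop')
$outFile = Join-Path $desktop 'defender-state.txt'   # assumed file name
$report | Set-Content -Path $outFile -Encoding UTF8
$report
```

A service reported as MISSING, or a Defender cmdlet that fails while WinDefend shows as Running, separates a missing or damaged service registration from a display or policy problem.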

This topic is now closed to further replies.