Malware messed my Windows Update and Windows Defender


Solved by Maurice Naggar


When I don't run as administrator, it says access denied (I was just confirming). Then I run as administrator, and it doesn't do anything, honestly. I am checking my desktop too and nothing. It's not PowerShell, right? When I press Win + X it only shows me PowerShell + PowerShell (admin).


Tell me please. Normally, do you use the regular Command prompt? (Or is yours set to use PowerShell?)

BUT I tell you that the screenshot you relayed of the Command prompt run "looked" like it worked.

Tell me, which are you most familiar with, Command prompt or PowerShell?


Let's see if you can do this and get a good screenshot of the result. Copy and Paste this into a Command Prompt:

powershell get-mppreference

Press the Enter key.

It takes a few seconds and then there should be a screen full of information. Can you grab a picture?


OK. Thank you. These settings look OK. I do not see here something that prevents the GUI of the Windows Settings that affects the current issue.

The issue is "why" the full display does not show on Windows Security / Virus & threat protection.

However, that aside, the Windows defender service IS running.

You should also be able to run a manual on-demand scan of Windows Defender antivirus by using Powershell.

Start an Elevated PowerShell command prompt window.
On the Windows taskbar, in the Search box, type in

powershell

Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".
Then you will see the PowerShell window.
Into that, we want to Copy & Paste a few specialized command lines. Do one at a time. Tap Enter after each one.

Set-MpPreference -PUAProtection 1


     
At this point, before going any further, you want to Close and save any open work files / documents.
This next command will initiate (should initiate) an offline mode scan of Windows Defender. It should take something under 15 minutes total.
 


Start-MpWDOScan

Tap the Enter key to proceed.

This likely will involve a reboot and at the end, should return you back into normal Windows.
 

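The Defender PowerShell module used in the two posts above (Get-MpPreference, Set-MpPreference, Start-MpWDOScan) can also report the engine's state without changing anything, which is a useful first check before any scan is started. The script below is an added example for this thread, not something Maurice posted and not part of OTL or FRST; it uses only the read-only cmdlets Get-MpComputerStatus and Get-MpPreference. The function name and the three-day signature-age threshold are my own choices.

```powershell
# Added example (not from the forum thread): read-only summary of Microsoft Defender
# state using the built-in Defender PowerShell module. Run in an elevated PowerShell.
function Get-DefenderHealthSummary {
    [CmdletBinding()]
    param(
        # Signatures older than this many days are flagged (threshold is an assumption).
        [int]$MaxSignatureAgeDays = 3
    )

    $status = Get-MpComputerStatus   # engine, real-time protection, signature and scan info
    $pref   = Get-MpPreference       # configured preferences (PUA, exclusions, ...)

    $sigAge   = (Get-Date) - $status.AntivirusSignatureLastUpdated
    $findings = @()

    # Conditions a helper would want to see before trusting the Defender GUI / a scan.
    if (-not $status.AMServiceEnabled)             { $findings += 'Antimalware service is not enabled' }
    if (-not $status.RealTimeProtectionEnabled)    { $findings += 'Real-time protection is off' }
    if ($pref.DisableRealtimeMonitoring)           { $findings += 'DisableRealtimeMonitoring preference is set' }
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) { $findings += "Signatures are $([int]$sigAge.TotalDays) days old" }
    # PUAProtection: 0 = disabled, 1 = block (the value set in the post above), 2 = audit.
    if ($pref.PUAProtection -ne 1)                 { $findings += "PUAProtection is $($pref.PUAProtection) (1 = block)" }
    # Exclusions are legitimate, but unexpected ones are worth a look after an infection.
    if ($pref.ExclusionPath)                       { $findings += "Exclusion paths present: $($pref.ExclusionPath -join ', ')" }

    [pscustomobject]@{
        AMServiceEnabled          = $status.AMServiceEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        SignatureVersion          = $status.AntivirusSignatureVersion
        SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
        QuickScanAgeDays          = $status.QuickScanAge
        PUAProtection             = $pref.PUAProtection
        Findings                  = $findings
    }
}

Get-DefenderHealthSummary | Format-List
```

An empty Findings list with a recent SignatureLastUpdated is the state one expects to see; a blank Windows Security page combined with a healthy report here points at the GUI side (the SecurityHealthService discussed later in the thread) rather than at the antivirus engine itself.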

Okay, just finished this process quite easily. The system has already restarted.

After the restart, I went to check again the Windows Defender page. Still blank with that same message.

 

Windows Update was trying to install again this same update: Atualização de Informações de Segurança para Microsoft Defender Antivirus - KB2267602 (Versão 1.329.2361.0). It may seem odd, but it stays at 0% and then disappears and says "updated", but it never went from 0 to 100.


Hello. As to this last mention of Windows Update, I will be recommending that you seek assistance at the Sysnative.com Forum. Just hold on, until later.

Question that you should answer when you make your next reply:

Was this computer always your own? Has your system ever been used at a company or organization? Possibly one that had IT Support?

If the latter, it may be that the Support organization had Windows policies so that the computer (as an endpoint device) had limited access (by design) to the Windows Defender GUI.


At this point, I would ask that you review a few Windows services for their status.

Press and hold the Windows-flag-key on keyboard and tap the *R* key to get the RUN menu option.

type in

services.msc

and press the Enter key.

Scroll down the list. Visually examine these services.

Microsoft Defender Antivirus Service - it should show Running and set for Automatic start.

Security Center - it should be running and set for Automatic (delayed) start.

Windows Security Service - Running and set for Manual start.

Also, let us see about a different report:

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

  • Close all open windows on the Task Bar. Click the icon (for Vista or Windows 7, right-click the icon and Run as Administrator) to start the program.

  • In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".

  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.

  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.

  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!

  • Exit OTL by clicking the X at top right.

 

Attach the report files OTL.txt & Extras.txt

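The services.msc check above relies on display names, and display names follow the Windows display language, so on a non-English system the three entries may not be easy to find. The same check can be made against the short service names, which do not change with language. The script below is an added example, not from the thread; it assumes the standard service names WinDefend (Microsoft Defender Antivirus Service), wscsvc (Security Center) and SecurityHealthService (Windows Security Service), and the expected start types are the ones Maurice lists.

```powershell
# Added example (not from the forum thread): verify the three services named in the
# post by locale-independent service name instead of localized display name.
# Service names WinDefend / wscsvc / SecurityHealthService are the standard ones
# for these services; expected start types follow the post above.
$expected = @(
    @{ Name = 'WinDefend';             Expected = 'Automatic'; Note = 'Microsoft Defender Antivirus Service' },
    @{ Name = 'wscsvc';                Expected = 'Automatic'; Note = 'Security Center (Automatic, delayed start)' },
    @{ Name = 'SecurityHealthService'; Expected = 'Manual';    Note = 'Windows Security Service' }
)

function Test-SecurityServiceState {
    param([hashtable[]]$Checks = $expected)

    foreach ($c in $Checks) {
        $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # A missing service is itself a finding (the thread's case hinged on one).
            [pscustomobject]@{
                Service = $c.Name; LocalDisplayName = $null; Note = $c.Note
                Status = 'MISSING'; StartType = $null; DelayedAutoStart = $null; Ok = $false
            }
            continue
        }

        # Get-Service reports 'Automatic' for both plain and delayed automatic start;
        # Win32_Service.DelayedAutoStart tells the two apart (assumes Windows 8 or later).
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($c.Name)'"

        # Manual services (Windows Security Service) are allowed to be stopped;
        # automatic ones are expected to be running.
        $ok = ($svc.StartType -eq $c.Expected) -and
              ($c.Expected -ne 'Automatic' -or $svc.Status -eq 'Running')

        [pscustomobject]@{
            Service          = $c.Name
            LocalDisplayName = $svc.DisplayName   # localized name, to map back to services.msc
            Note             = $c.Note
            Status           = $svc.Status
            StartType        = $svc.StartType
            DelayedAutoStart = $cim.DelayedAutoStart
            Ok               = $ok
        }
    }
}

Test-SecurityServiceState | Format-Table -AutoSize
```

The LocalDisplayName column shows the name the user will see in services.msc on their own language version of Windows, so the rows can be matched to the display names given in the post without guessing at translations.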

This computer has been always mine, bought for personal use.

I could find:

Security Center - Automatic (delayed) and running

Microsoft Defender Antivirus Service - Running and Automatic

Windows Security Service - I couldn't find this one, maybe because of the translation to Portuguese... I found something that says: Microsoft defender antivirus network inspection service -> this one is set to Manual.

I send print screens with this info.

I am gonna finish now the other step of Old Timer. Brb

#1 Antivirus Service Microsoft Defender ( Automatic and running).png

#2 Security Center - Automatic Running.png


What follows is only for this machine.

We need to run an OTL Custom Fix. 

  • Double click on the OTL icon on your desktop.
  • Copy and Paste all of the following code into the Custom Scans/Fixes textbox. Copy ALL the content of this code-box:
:OTL
O4:64bit: - HKLM..\Run: [SecurityHealth] C:\Windows\SysNative\SecurityHealthSystray.exe (Microsoft Corporation)
:commands
sc queryex securityhealthservice
[Reboot]
  • Push Run Fix.
  • OTL will ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

To your very last point, Yes you may delete the files named Desktop.ini (just keep in mind it may impact the way things are arranged on the desktop, but you can always re-arrange to how you prefer). Desktop.ini files are just text-type files; they do not pose any threat.


At this point I would like to get 2 new reports from the OTL. Find the OTL on the desktop.
Right-click the OTL icon and Run as Administrator to start the program.
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.

It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
Exit OTL by clicking the X at top right.
Attach the report files OTL.txt & Extras.txt


Solution

Thanks for the OTL.  I know this has been a very long saga.  Thanks for hanging on with me.  I think we may be about to turn the final corner.

Next, I need you to run one more custom script fix. The main goal on this is to have a proper SecurityHealthService for this version of the Windows 10 OS.

Find the old FIXLIST.TXT in the Downloads folder & then Delete it.

This custom script is for  Gonzalo96  only / for this machine only.

Let's do a new run with a new script. The system will be rebooted after the script has run.

The custom Fix script is going to be used by the ENGLISHFRST tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

The tool named ENGLISHFRST.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on ENGLISHFRST.exe and select RUN as Administrator to run the tool. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen, and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Fixlist.txt


My friend, first of all, I am the one that should be thankful for you keeping the effort in this long matter.

I seriously can't believe this, but it's working! The system has restarted and Windows Defender came back to life. You're freaking awesome I seriously have no words to thank you enough. Everyone was telling me to just make a reset and forget about this, it would be impossible. You made it possible.

Thank you so much for helping me fix this issue, you are the man Maurice!

I send a print screen of the success of this long effort of yours!



YAY! That is great. I am very happy to read & see this. It has been quite a saga. And the last thing discovered was that about the status of a Windows service that is named SecurityHealthService.

My theory is that a malicious element of a recent infection had set that to be off and out of the way on purpose. This case here seems to be a rare one.

It is great to see this result. At this point, what you could do for me is to look at one or 2 of my most recent posts to you and look at the bottom RIGHT side and click on the Like button.

What I need from you is to attach a copy of the Fixlog report file.

Then do a manual on-demand scan with Microsoft Defender through the Settings >> Virus & Protection GUI.

Let's be sure it can update definitions when you click "Check for updates"

and then do a Quick Scan with Defender.


Hello again! Sure will do that for you!

I can update it, although it's already updated, quick scan finished without any problem: 0 detected.

Everything is green, everything is good, man, life is good now. I will send the Fix log report file.

It's interesting to see how malware can be underestimated, as it was by me. Malware sure can't mess things up pretty bad. Glad there are geniuses like you, Maurice.

Hopefully the Fixlog is fine too!

Fixlog.txt


Thank you for the log. I do appreciate your comments. Yes, some malware take extraordinary measures to prevent their detection.

I think we can wrap things up. Ensure that you make a Backup of this system soon to offline backup media.

Here are a few steps to cleanup the tools I had you use.

First for OTL. Find OTL. Start it. Look on the top far right side and click on the button "Cleanup". That will remove itself.

For ENGLISHFRST:

To remove the tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on ENGLISHFRST.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double click on it) to begin the cleanup process.

Any other download file I had you download, you may delete.

Stay safe. I wish you all the very best.

Sincerely,

Maurice

