Windows defender doesn't work properly after fully removing MalwareBytes

[xen07]

I used the uninstall tool that is provided on the MalwareBytes official website. Still nothing works. From the "Security at a glance" and everything else empty, i managed to make defender work but not properly. I believe something is still blocking it. I ran a full mb scan and nothing came back marked as a virus. looked for a lot of solutions and one i found interesting was this fix from this user.

It would be very helpful if someone helped me out here as i believe there are some people with the same issue. Thanks.

.

[Maurice Naggar]

Hello @xen07   

My name is Maurice.  I will be guiding you.  Let me know what name you prefer to be addressed.  As we go along, always attach any reports / files I request from you.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens click Yes to the disclaimer.
• Press the Scan button.

• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually
• Please attach both logs to your reply if possible. 
• To Upload  attachments please click the "choose files" at left-side bottom of the Reply box. Then browse to where your file is located and select it and click the Open button.   Then review the main body of your reply.  When ready & all set, click on the button " Submit Reply ".

[xen07]

Hello, thank you. You can call me Alex

Addition.txt FRST.txt

[Maurice Naggar]

Hi, Alex.     Thanks for the FRST reports.  FRST indicates that Windows OS is showing that MS Defender is enabled.

What I do see from the FRST report is that mb-clean-3.1.0.1035.exe was recently downloaded.   Please never use that old tool.  It is way way obsolete.

Actually the another file,  file name is ESDmbam-clean-2.3.0.1001.exe   ....and I have no idea where you got it from.  ??

 

This custom script is for  Xen07  only / for this machine only.

The system will be rebooted after the script has run.   The  custom Fix script is going to be used by the FRST64  tool. They will both work together as a pair.

This run will take care of the MS Defender antivirus service & a few select Windows services & do one quick scan with MS Defender.  And run the Windows System File Checker tool & the Windows DISM tool to check on the health of Windows installation.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named FRST64 .exe   tool    is already on the Downloads
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

 

Fixlist.txt

[xen07]

Hello, the files you mentioned was me trying out different methods i saw on Microsoft's forum that people had the same errors. I ran the fix and here is the log. Defender is still not fully working and scan stays at 0:00. The protection history crashes and it still shows security at a glance if opened from "Open windows security"

 

Fixlog.txt

[Maurice Naggar]

Thanks.  I would like you to know that this issue of lack of full display of all options in Windows Security can be remedied.  Some added patience please, since we need to gather relevant details still.

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up,   copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.  All of each line as-is
 

echo > 0 & sc qc securityhealthservice >> 0 & sc queryex securityhealthservice >> 0 & echo >> 0 & notepad 0

tap Enter when ready.   These are queries only.  Then attach or paste the contents of the file 0 on your next reply.

[Maurice Naggar]

PS.  The last screen-grab you had sent "appeared to show" that a Microsoft Defender quick scan was still running at that moment.

At a appropriate & convenient free time, I would like for you to be sure to do one Windows RESTART.

[xen07]

I understand, here is the result. Also i did a restart when i ran the "fix" option from that tool. Tested it and the results were the ones shown on the last screenshot, no progress. Then i shut down my computer as there was no work needed to be done in it at the time. I tried again and had same results. Im relieved to hear that those bugs can be fixed and i am patient enough to do so. One thing i also noticed is that the windows defender doesn't boot on startup. is there something blocking it? 

I also noticed that there are some "Critical events" about defender that are marked on Windows "Reliability monitor" will pasting those errors be a little more helpful on what's wrong?

0.txt

[Maurice Naggar]

Thanks for the last report.  This Windows system is missing the Windows'  Securityhealthservice.

I need you to run one more custom script fix.  The main goal on this is to have a proper Securityhealthservice for this version of the Windows 10 OS.

Find the old FIXLIST.TXT  on Downloads folder & then Delete it.

This custom script is for  Xen07  only / for this machine only.

Lets do a new run with a new script.   The system will be rebooted after the script has run.

The  custom Fix script is going to be used by the ENGLISHFRST  tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder

The tool named FRST64 .exe   tool    is already on the Downloads
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed. 

 Reply YES when prompted to allow to run. Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this

Fixlist..txt

[xen07]

When i press fix it says that no fixlist.txt found. should the fixlist.txt be "fixlist" or "Fixlist". I deleted the previous fixlist and then i downloaded the new one. When i opened the FRST it said to update and i did. I run it as administrator. the txt and the tool are in the downloads folder and the new Fixlist is the only list in the downloads folder.

[Maurice Naggar]

The small f or capital F in the filename does not matter.  Ideally, it ought to be captial F.

Did the FRST update finish?

Can you get me a screen-grab of the Downloads folder  that shows both FRST64 + Fixlist.txt

Edited February 12, 2021 by Maurice Naggar

[xen07]

Yes. The txt you provided had 2 dots in the name. No worries tho, i renamed it and the tool ran. I just restarted the machine. Everything seems to be fine and working. I did a quick scan and finished sucessfully. I attached the fixlog.txt

Fixlog.txt

[Maurice Naggar]

Bravo to you.

Please stick with this case.  I want to be sure to run some additional checks.

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up,   copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.  All of each line as-is

sfc /scannow

tap Enter.   This should be just a few minutes.   Let me know the bottom line result.

[xen07]

Thanks for the help. Also for the great explanation and better support than Microsoft forums. 
One question tho. Is it possible that this will happen again if i ever decide to get malwarebytes back and if i uninstall it, will this be still necessary to be fixed?

Thanks a lot!

[Maurice Naggar]

The missing entry for  the Windows'  Securityhealthservice has nothing whatsoever to do with Malwarebytes.  nada.

Thanks for the compliments.  Just please hang on, as I wish to insure to do more checks.

 

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.  

Once the Command prompt window is up,   copy > paste the line in the codebox below into the command-window

It is best to  use COPY & Paste for the following.  All of each line as-is

 DISM /Online /Cleanup-Image /ScanHealth

tap Enter.   This should be just a few minutes.   Let me know the bottom line result.

[xen07]

Yes of course! And thanks for letting me know that this has nothing to do with Malwarebytes. 
Thanks for providing help. I have been looking for solutions for a long time.

[Maurice Naggar]

Good status from DISM.  I would to be sure that you can do a manual run   ....Microsoft Windows Update run  ( Check for Updates)

Settings >> Update and Security >> click "Check for Updates".

Let me know the results.  This most recent set of updates from this week are especially important for security fixes.

.

about "I have been looking for solutions for a long time.".   Where at ?  can you provide a link ?  is it at the MS Answers forum ?

[xen07]

Here is the result. Everything up to date. and i did the update check inside Virus & Threat protection. All up to date,

 

Here are some of the things i tried (some even follow to more solutions):
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/cant-turn-on-windows-defender-your-it/c1a84344-8d83-49f4-8b37-e247b67ff23f?page=2&auth=1

https://answers.microsoft.com/en-us/windows/forum/apps_windows_10-winapps-appscat_tools/windows-defender-app-crashes/0038ead8-f4da-4911-8731-2cce866f71e3

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_start-windows_10/windows-defender-scan-stuck/d1ac96a5-3a0f-495b-ad00-314750c02653

https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-deacticated-and-cant-activate/c64676e9-8982-4405-bc47-13ed4799a353?auth=1

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/cant-activate-windows-defendersecurity-at-a-glance/f4473250-5e51-45dd-90ee-204706fa9446?auth=1

https://docs.microsoft.com/en-us/mem/intune/user-help/turn-on-defender-windows

 

And another thread suggested that MalwareBytes was the main antivirus app and suppressing Defender and lead to this:

 

The one you asked me about in my downloads folder, i believe i got it from here.

 

Either way i believe all is working correctly thanks to you! If there is any more checks i will be more than happy to do so.

Thank you.

[Maurice Naggar]

Thans for the links at Answers.  Hopefully I can take the time to look there.

As far as the article on "mb-clean", the post is from 2013  when at that time the Malwarebytes only was at Version 2.  Since then Versions 3 & 4 have been released.  The bottom line is to never ever use that old tool.  period.  end-of-story.

That said though, neither the Malwarebytes program nor the other tools from Malwarebytes are the source of the deletion / removal of the Windows OS service named "securityhealthservice".   I believe any such deletion would be from a rogue or malicious malware.

.

I would like you to run one other check.

Download   Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.

If using Windows 7/8 or Vista, Right-Click on fss.exe and select Run As Admisnitrator.
If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
 
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

 

[xen07]

I ran the program with the listed options ticked. When i downloaded though, defender marked it as a malware and i had to allow it to run.

FSS.txt

[Maurice Naggar]

Kudos.  and bravo for getting around the false block of FSS.  This reports result is excellent.

At this point, and since the Windows Security section of Windows Settings is normal, we can proceed with cleanup of tools we used.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete FSS.exe

Any other download file I had you download, you may delete.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

I am glad to have guided & worked with you on this.  You did very well.

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you