Malware deleted my Windows Defender Service and has Admin Access


Solved by Maurice Naggar

Hey.

So I recently installed a software which came with a patch file which was not what it should have been. Running that patch file didn't do anything but later I realised that my Windows Defender is disabled automatically. When I checked the Control Panel, I found out that the Virus Protection Part of it is completely gone. It's not there at all (image attached below).


 

So, I tried a few methods from the internet like:

1. Downloaded and ran the windefend.reg file. (This gave me an error saying I don't have permission.)


2. Ran the Malwarebytes scan twice but didn't find anything.

3. Did the same thing in Safe Mode, still couldn't find anything.

 

I have also run the FRST Scan which I saw a lot of people run and send the logs for analysing the issue. So I did the same thing and I have attached the FRST.txt and Addition.txt below for reference.

 

Can someone please help me, because I don't have any other antivirus software installed, as Windows Defender is good enough for that purpose, and I don't want to expose my PC to any more threats while the service is down.


Thank you.

 

Attachments: FRST.txt, Addition.txt


Hi, welcome!

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.   

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 

Please just attach all report files, as we go along.

 

Please know I help here as a volunteer, and that I am not on 24 x 7.

Help on this forum is one to one.   

.

We need at this point one Windows Restart. Then please do one new report so I can review.

 

Download Farbar's Service Scanner utility

http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

and Save to your Desktop.

Right-click on fss.exe and select Run As Administrator.

Answer Yes / OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are check-marked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Kindly attach FSS.txt into your reply. 

 

Thank you,

Sincerely.


Hello @Tahir5253

This is the next thing to do after completing the FSS report.

This machine has infections in addition to the Windows Defender antivirus service being stopped, plus another related service being off. It also has hacktools + a backdoor trojan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select "FULL" scan.

Let me know the result of this.

The log is named MSERT.log, and it will be at:

C:\Windows\debug\msert.log

Please attach that log with your reply.

There is much more to do.


Hello Maurice,

Thank you for replying back. I'm Tahir. (forgot to mention that before 😅)

So I followed all the instructions as stated above. I did a clean windows restart and ran the two scanners (FSS and Microsoft Safety Scanner).

I have attached the log files for both the scans below.

Attachments: FSS.txt, msert.log


Hello Tahir. The Safety Scanner found trojans, hack tools, plus a pirated version of Malwarebytes.

Having pirated programs is a dangerous practice and opens up the computer for serious infection, like this machine.

.

As a next step, to check out your system a bit more, do a scan with Sophos.

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security software alerts on this scan, either accept the alert or turn off your security to allow Sophos to run and complete.

 

Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.

 

Double click the icon and select Run

 

Click Next

 

Select I accept the terms in this license agreement, then click Next twice

 

Click Install

 

Click Finish to launch the program

 

Once the virus database has been updated click Start Scanning

 

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Copy and paste the results in your reply

 

Close the Notepad document, close the Threat Details screen, then click Start cleanup

 

Click Exit to close the program

 

If no threats were found, please confirm that result.

The Virus Removal Tool scans the following areas of your computer:

Memory, including system memory on 32-bit (x86) versions of Windows

The Windows registry

All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

 

Please be sure to attach that log.

Cheers.


Hello again Maurice.

I did realise that there are a few pirated programs on my PC and I think one of them must have been the source of the current malware. I'll be more careful in the future about what I download (or purchase) from the internet.

Anyways, the Sophos scan found 2 pieces of malware altogether. I have attached the log file below and cleaned the two through the software.

Please take a look and let me know what steps come next.

Thank you.

Attachment: SophosVirusRemovalTool.log


Also,

I went through the logs myself and saw that one of the malware detections was in the "Adobe Illustrator" setup folder (pirated).

So just FYI (if this helps in any way), Adobe Illustrator is the setup that I ran, which might have been the cause for the virus to enter in the first place.


It needs to be re-emphasized that cracked programs (pirated apps) are super dangerous, as well as illegal. The Malwarebytes program version now on this pc is pirated. It will need to be uninstalled too.

.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).

Press Continue when all done. You should click to decline the offer for "periodic scanning".

We will do much more later. Please be sure to attach the ESET scan log.


Done.

I deleted the Java 8 Update.

But if you don't mind me asking, how did you know I had an obsolete Java 8 Update 45 on my PC? Because I didn't see any Java-related entry coming in the logs. Not sure though, I might have missed it.

So anyways, what's next?


Hello. The Java had been listed as installed in the FRST report.

.

Now more cleanup by a custom script + a run of the Windows System File Checker tools SFC + DISM.

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / the Desktop.

 

The custom script on this post is ONLY for this machine and NO other.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 

If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

 

Please save the (attached file named) FIXLIST.txt to the DESKTOP.

Start the Windows Explorer and then go to the DESKTOP.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.

If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen, and click the button "Run anyway" on the next screen.

on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall,  after all this.

Attachment: Fixlist.txt


Hello again.

I ran the Fixlist as instructed and have attached the Fixlog.txt file below.

The process ran smoothly and a normal reboot happened without any errors.

But the problem still persists after the restart. Windows Defender is not active and, even though I get a notification to activate the service every time I start my PC, I always get an error like the one below.

So I'm guessing there is still some problem which is stopping my PC from getting admin rights for the service to start.

(I don't have any other antivirus software controlling the virus protection part)

Please let me know any further steps I should take to fix this.

Thank you.

Attachment: Fixlog.txt


Ok, thanks. We will do a new inquiry & new report.

First, delete the prior file named Fixlist.txt that was on the Desktop.

Please save the new one here (attached file named) FIXLIST.txt to the DESKTOP.

Start the Windows Explorer and then go to the DESKTOP.

 

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.

 

If the tool warns you the version is outdated, please download and run the updated version.

 

IF Windows prompts you about running this, select YES to allow it to proceed.

 

on the FRST window:

 

Click the Fix button just once, and wait.

 

PLEASE have lots of patience when this starts. You will see a green progress bar. This run here should be fairly quick.

 

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Attachment: Fixlist.txt


Hello again Maurice.

Sorry for a late response, I got caught up with some work so I was away from my PC for a while.

I ran the new Fixlist.txt using the FRST64 scan. This scan was very quick compared to the last one (it didn't take more than 5 seconds max). It rebooted normally without any issues.

I have attached the new Fixlog below.

Though, the problem still persists. I'm getting the same error as the last message and still don't have the Virus Protection tab showing.


I get this notification, but it leads me back to the error in the above message.

Attachment: Fixlog.txt


Ok, thanks. Keep the faith here. There is still what looks like 1 or 2 Windows services that are AWOL.

By the way, rather than look at the Notifications area (like the last image), I would urge that you go to Windows Settings >> Update & Security >> Virus & threat protection, just to check closely there.

At this point, I have 2 things to ask from you.

Please do the query / report procedure in this one post of mine:

https://forums.malwarebytes.com/topic/270884-windows-defender/?do=findComment&comment=1440112

After that, attach the result back here. Just so you know, we are likely 2 or so rounds from success.

:D

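Maurice's FSS run and his remark about services that are "AWOL" are about the same question: are the Windows services and policy settings that Microsoft Defender depends on still intact? The following PowerShell script is an added illustration, not part of this thread or of FSS/FRST, that answers that read-only from an elevated PowerShell prompt. The service names and registry paths are the standard Windows ones; the list of which services and policy values to check is my own selection.

```powershell
# Added example, not a tool from this thread: read-only audit of what Microsoft
# Defender Antivirus needs in order to start. Run from an elevated PowerShell prompt.

# Services that FSS also reports on (standard Windows service names).
$services = @(
    @{ Name = 'WinDefend';             Purpose = 'Microsoft Defender Antivirus Service' },
    @{ Name = 'WdNisSvc';              Purpose = 'Defender Network Inspection Service' },
    @{ Name = 'SecurityHealthService'; Purpose = 'Windows Security (Settings page)' },
    @{ Name = 'wscsvc';                Purpose = 'Security Center' },
    @{ Name = 'wuauserv';              Purpose = 'Windows Update (definition updates)' }
)

function Get-DefenderServiceReport {
    foreach ($s in $services) {
        $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
        # No registry entry = the service is gone; no admin account can start it.
        $registered = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
        [pscustomobject]@{
            Service    = $s.Name
            Purpose    = $s.Purpose
            Registered = $registered
            Status     = $(if ($svc) { $svc.Status } else { 'MISSING' })
            StartType  = $(if ($svc) { $svc.StartType } else { 'n/a' })
        }
    }
}

# Policy values that switch Defender off even when its services are intact;
# these are what leave the toggles greyed out in Virus & threat protection.
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)

function Get-DefenderPolicyReport {
    foreach ($p in $policies) {
        $value = $null
        if (Test-Path $p.Path) {
            $value = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Policy   = $p.Name
            Value    = $(if ($null -eq $value) { 'not set' } else { $value })
            Disables = ($value -eq 1)   # 1 means the feature is forced off by policy
        }
    }
}

$svcReport = Get-DefenderServiceReport
$polReport = Get-DefenderPolicyReport
$svcReport | Format-Table -AutoSize
$polReport | Format-Table -AutoSize

# One-line verdict: anything listed here is what a cleanup has to restore or remove.
$missing  = @($svcReport | Where-Object { -not $_.Registered })
$blocking = @($polReport | Where-Object { $_.Disables })
if ($missing.Count -eq 0 -and $blocking.Count -eq 0) {
    "Services and policies look intact; check signature updates next."
} else {
    "Missing services: $($missing.Service -join ', ') | Disabling policies: $($blocking.Policy -join ', ')"
}
```

On a healthy machine every row shows Registered = True with WinDefend Running, and both policy rows read "not set"; a MISSING WinDefend row matches the "service is gone" symptom described in this thread.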

Hello again.

1. So regarding the FRST64.exe, I have always kept it in the D:\Illustrator folder. Both the scans (1st and 2nd) I ran from this location only (D:\Illustrator). I have been running all my scans from that one folder only. I don't usually like cluttering my desktop with unwanted files, so I keep them all in one folder.

I'm sorry, but I thought the file location wouldn't affect the scans, so I didn't put them directly on the DESKTOP. Please let me know if they are specifically supposed to be on the DESKTOP for all the scan runs. I'll do that then.

2. As for checking "Windows Settings >> Update & Security >> Virus & threat protection", I surprisingly did find it there, though it doesn't open from the notification. But there still seems to be a problem with it, mainly something related to admin access. I have attached the screenshots below.

(All the switch buttons are turned off and greyed out so I can't switch them on from my side)


 

3. I also went through the referred query and report. I did the "Gather Logs" from the Malwarebytes Advanced Support, and also ran the CMD.exe command mentioned there. Attached both the files below.

Attachments: mbst-grab-results.zip, 0.txt


Thank you for the reports. It is very timely that you got the Malwarebytes Support Tool.

I need you to make special use of it, to do the CLEAN reinstall procedure for MB using this How-To:

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-Malwarebytes-using-the-Malwarebytes-Support-Tool

Since you already have the Support Tool, you can skip step #1 for the download. Use the one you just got.

Do all the rest of the steps there. Have lots and lots of patience after the reboot.

It may take several minutes before the prompt for the re-install of MB re-appears. Reply YES when prompted for Reinstall.

We will get back to the Microsoft Defender later.

:D


Additional notes related to your 2nd screen grab from above on the Virus & threat protection page.

 

You should be able to click on the QUICK SCAN to do a manual scan with the Microsoft Defender antivirus.

When you get some free time, please do that.

(While the real-time active protection is off, you can still do a manual run.)

Like I said, more to do later to get it squared away. :D

 


This is the 3rd reply, an additional one, for after you have done the previous 2.

This is to get an elevated Command window and to do 2 special commands for the Windows Defender service.

Do the steps listed in this one post of mine:

https://forums.malwarebytes.com/topic/266996-woke-up-to-find-windows-defender-was-deleted/?do=findComment&comment=1422855


Hello again.

I reinstalled Malwarebytes through the Support Tool again. But the system didn't reboot after the clean. It directly jumped to installing the new version of Malwarebytes on the system. But the install occurred normally and no errors happened.

As for the Quick scan, I tried running the quick scan; it started but it's not scanning any files. It's just stuck on 0 files scanned, like the image below. (It has been stuck like this for more than 10 mins now, so I think there's probably something wrong.)

 

I also ran the 2 CMD commands from the other post. I took a screenshot of the result I got after running both of them.

As instructed in the other post, I tried running the Quick scan again manually after doing these commands, but it's still stuck at 0 files scanned (like the above image).


Thanks for that last screen-grab of the Command Prompt window. It shows you are able to run an administrator-level command prompt.

I am sorry to hear about the other news. I suspect that Microsoft Defender is stuck or having issues getting new updates from MS.

So I would also guess that MS Windows Update may be having issues.

I believe we will overcome all that eventually.  Keep up your patience.

I have a couple of tips here for now.

[ 1 ] This next step takes only a few seconds.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to "Windows Security Center".

Click the selection to the left of the line "Always register Malwarebytes in the Windows Security Center".

 

(We want that to be set to Off; be sure that line's radio-button selection is all the way to Off.)

Close the program when done.

[ 2 ] You already have FSS.exe, the service scan tool. I need you to run it again as described at

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1452087

Then attach the report.


Hey, just a quick question before I run the FSS scan.

The FSS.exe doesn't specifically have to be on the DESKTOP, right? Can I run it from some other folder? (I have been running all my scans from the D:\Illustrator folder till now.)

 

 
