
Malware deleted my Windows Defender Service and has Admin Access


Solved by Maurice Naggar


Ok. This next task is a special custom fix. It needs to be run just as listed, and it will also use the Downloads folder, so do not move it elsewhere.

.

I have attached a new Fixlist.txt

Please save the new one here (attached file named FIXLIST.txt) to the DOWNLOADS folder.

Start Windows Explorer and then go to the Downloads folder.

 

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.

 

If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

On the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots of patience when this starts. You will see a green progress bar.  This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

 

Please know this will do a Windows Restart. Just let it do its thing. 

Then afterwards, go into the Microsoft Defender UI.

See if anything is marked or flagged. See about doing a manual Quick Scan with the antivirus.

 


Hello. Take your time doing this.

This next link, listed below, is to a registry file that we need you to SAVE as-is to the Desktop.

 

RIGHT-click the link with your mouse pointer and select Save As..., then set the folder for saving to DESKTOP (do not double-click, run, or open the file).

 

https://download.bleepingcomputer.com/win-services/win-10/WinDefend.reg

Once it is saved, we need to merge the file into the system, as follows:

 

With your mouse, do a RIGHT-click on the file windefend.reg and select Merge.

 

Let it do that and ensure it finishes ok. Following that, do a Windows Restart.


Hello again.

So I followed the instructions above exactly as told and merged the Windefend.reg on DESKTOP. But when I did that, it gave me an error as below.


This is the same error that I got when I tried this myself before starting this topic.

I think the admin privileges issue is still not resolved yet.

Please let me know what steps I should take next.

Thank you for coming this far though. Requires a lot of patience honestly. On both sides. 😄

Hope we fix this once and for all.


Hello. It's not that an administrator-related issue is involved here. It's a case where the Windefend registry key exists but has an issue with being updated.

To fix that, I have below a list of steps to do. Read all of it first. Be sure you follow all of it just as listed.

If you have a question, stop and ask first.

1. Close / Exit other apps that you may have running.

2. Delete the prior file named Fixlist.txt in Downloads.

3. Save as-is the new Fixlist.txt attached here on this reply of mine to the Downloads folder.

4. Do a Fix run with FRSTENGLISH like on this post https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1453814

 

 

5. After the system Restarts, do the same one more time for the Merge:

With your mouse, do a RIGHT-click on the file windefend.reg and select Merge.

 

Let it do that and ensure it finishes ok. Following that, do a Windows Restart.

 

Fixlist.txt


Hello again.

So I ran the new Fixlist provided above and did all the steps as mentioned.

But even after the reboot, the Windefend.reg gave me the same error when I tried merging it.

I have attached the new Fixlog below for reference.

Fixlog.txt


Got the last log. Sad to hear of the ongoing issue. It still seems there is a failure regarding access permissions.

You already have FSS.exe

 

The service scan tool. I need you to run it again like on

 

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1452087

Then attach the report.


Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

 

To get the elevated command prompt, press Windows key + X and then select Command Prompt (Admin).

 

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

On that command prompt, Copy and Paste this command:

 

WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"

Press the Enter key on the keyboard, watch, and let me know if it succeeds.

 

Next, Copy and Paste this command:

WMIC SERVICE WHERE Name="windefend" CALL startservice

Press the Enter key on the keyboard.

 

Next, Copy and Paste this command:

sc queryex mpssvc

Press the Enter key on the keyboard.

 

Next, using your mouse, do a right-click on the top title bar of the Command window.

Choose "Select all" then choose COPY.

When done, in the white text box of the forum's Reply box, do a PASTE so that all contents are in the reply.

Thanks.


Microsoft Windows [Version 10.0.19042.928]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"
Executing (\\DESKTOP-7MQGQ0T\ROOT\CIMV2:Win32_Service.Name="WinDefend")->ChangeStartMode()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 2;
};


C:\WINDOWS\system32> WMIC SERVICE WHERE Name="windefend" CALL startservice
Executing (\\DESKTOP-7MQGQ0T\ROOT\CIMV2:Win32_Service.Name="WinDefend")->startservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 8;
};


C:\WINDOWS\system32> sc queryex mpssvc

SERVICE_NAME: mpssvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 2684
        FLAGS              :

C:\WINDOWS\system32>

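The transcript above is a good illustration of why WMIC output has to be read by the ReturnValue rather than by the "Method execution successful." line: that line only says the method was invoked. As an added example (not part of the thread or any tool mentioned in it), this Python script pairs each WMIC CALL in a pasted transcript with its return code and translates it using the documented Win32_Service return values; the sample transcript and host name are constructed to mirror the post.

```python
import re

# Documented Win32_Service method return codes (StartService / ChangeStartMode);
# only the low codes are listed, anything else is reported as unrecognized.
WIN32_SERVICE_RETURN = {
    0: "Success",
    1: "Not supported",
    2: "Access denied",
    3: "Dependent services running",
    4: "Invalid service control",
    5: "Service cannot accept control",
    6: "Service not active",
    7: "Service request timeout",
    8: "Unknown failure",
    9: "Path not found",
    10: "Service already running",
}

# Matches: Executing (\\HOST\ROOT\CIMV2:Win32_Service.Name="WinDefend")->startservice()
METHOD_RE = re.compile(r'Win32_Service\.Name="([^"]+)"\)->(\w+)\(\)')
# Matches:         ReturnValue = 2;
RETURN_RE = re.compile(r'ReturnValue\s*=\s*(\d+);')

def decode_wmic_calls(transcript):
    """Pair each WMIC CALL with its ReturnValue -> [(service, method, code, meaning)].
    WMIC prints "Method execution successful." even when the code is non-zero;
    that line only means the method was invoked, not that the service changed.
    """
    calls, pending = [], None
    for line in transcript.splitlines():
        m = METHOD_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        r = RETURN_RE.search(line)
        if r and pending is not None:
            code = int(r.group(1))
            calls.append((*pending, code, WIN32_SERVICE_RETURN.get(code, "Unrecognized code")))
            pending = None
    return calls

# Constructed sample mirroring the transcript posted in the thread (host name changed).
SAMPLE = r'''Executing (\\DESKTOP-EXAMPLE\ROOT\CIMV2:Win32_Service.Name="WinDefend")->ChangeStartMode()
Method execution successful.
        ReturnValue = 2;
Executing (\\DESKTOP-EXAMPLE\ROOT\CIMV2:Win32_Service.Name="WinDefend")->startservice()
Method execution successful.
        ReturnValue = 8;
'''
```

Run against the thread's transcript this yields "Access denied" for ChangeStartMode and "Unknown failure" for startservice, which is the permissions failure the helper reads from the Fixlog.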

Hello again.

Sorry to say this but nothing seems to be changed.

I tried running the Quick Scan but it's still stuck on 0%.

I tried the Windefend.reg but it gave me the same error.

And the notification popup for Windows Defender still leads me to the same error window as before, saying the same thing.



Solution

Hello.

This is to suggest a repair-in-place of Windows 10.

This will need to use a USB flash/thumb drive of at least 8 GB.

 

You may do a Windows 10 "repair install" by following a guide article at Tenforums.

The title is "How to Do a Repair Install of Windows 10 with an In-place Upgrade"

https://www.tenforums.com/tutorials/16397-repair-install-windows-10-place-upgrade.html

 

Study that article first. Get familiar with it.

Read the top of the article, and also study all of step 6.

 

You will need a USB thumb/flash drive, where you will use the Microsoft Media Creation Tool (which will be where the Windows 10 setup media will be saved).

You will do the download from Microsoft.

 

You will do step 6: To do a repair install of Windows 10 with Media Creation Tool.

 

Essentially this repair is intended to be done in-place over the current Windows install.

You want to select "Upgrade this PC".

You want to "keep personal files and apps".

(All of this is shown and described in the article.)


Hello again.

Long time... I got caught up with some work and didn't get time to work on the above method.

I'm reading through it now and I had a doubt.

So the Step 6 in the referred forum, says how to repair using the Media Creation Tool.

But this step doesn't require me to use a USB Flash Drive as you pointed out in your reply above. It only tells me to save the Media Creation Tool on the Desktop and take it from there. Nothing about a Flash Drive.


Hello Again.

Some GOOD news finally. The Windows Repair did the trick, I guess. After everything completed, Windows rebooted normally and everything was back to normal.

The Virus Protection is showing again in the Security Tab and I even ran a Quick Scan. It's running as I'm typing this and it's running normally.

 

So I think the problem's solved as far as I know.

 

But if there is a way to be sure about it or any further steps to finalise everything then please do let me know.

 

Thanks for all the help so far.


2 hours ago, Tahir5253 said:

The Virus Protection is showing again in the Security Tab and I even ran a Quick Scan. It's running as I'm typing this and it's running normally ....

Hi. I am so glad. Also proud of your persistence. :D:cool:

We can run 2 reports.

[1] You already have FSS.exe

The service scan tool. I need you to run it again like on

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1452087

 

Then attach the report.

[2]

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

 

Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then

click on the MORE INFO spot, override that, and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you.

The FSS report about some key Windows services, including Microsoft Defender is perfect.

.

Request a new query report using Windows PowerShell.

Start an Elevated PowerShell command prompt window. On the Windows taskbar, in the Search box, type in

powershell

Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".

 

Then you will see the PowerShell window. Into that, we want to Copy and Paste this entire line as-is:

 

get-mpcomputerstatus

Then tap the Enter key and wait and watch the result.

When it has displayed a blue screen with lots of info, then, when done, use the mouse pointer and do a RIGHT-click on the top title bar of the PowerShell window.

Select "Select all"

Next, select COPY.

Next, on this forum topic, in a new Reply, right-click the white reply box and select PASTE.


Additional Note. Per the SecurityCheck report.

Windows Defender (enabled and up to date). :D

Windows Defender Firewall (mpssvc) - The service is running

:cool: YAY

.

You need to uninstall the app

Sophos Virus Removal Tool v.2.9.0

using Windows Settings >>> Programs & Features, doing a regular uninstall procedure.

Later on, I will have more remarks about the SecurityCheck report.


Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32>  get-mpcomputerstatus


AMEngineVersion                 : 1.1.18100.6
AMProductVersion                : 4.18.1909.6
AMServiceEnabled                : True
AMServiceVersion                : 4.18.1909.6
AntispywareEnabled              : True
AntispywareSignatureAge         : 0
AntispywareSignatureLastUpdated : 5/13/2021 5:01:12 AM
AntispywareSignatureVersion     : 1.339.568.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 0
AntivirusSignatureLastUpdated   : 5/13/2021 5:01:11 AM
AntivirusSignatureVersion       : 1.339.568.0
BehaviorMonitorEnabled          : True
ComputerID                      : 66F0D6A6-EF2C-47B8-94B4-1632B3564041
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : True
IsTamperProtected               : True
IsVirtualMachine                : False
LastFullScanSource              : 0
LastQuickScanSource             : 0
NISEnabled                      : True
NISEngineVersion                : 1.1.18100.6
NISSignatureAge                 : 0
NISSignatureLastUpdated         : 5/13/2021 5:01:11 AM
NISSignatureVersion             : 1.339.568.0
OnAccessProtectionEnabled       : True
QuickScanAge                    : 4294967295
QuickScanEndTime                :
QuickScanStartTime              :
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
PSComputerName                  :

 

PS C:\WINDOWS\system32>

----------------------------------------------------------------------------------------------------------------

 

I have also uninstalled the Sophos Virus Removal Tool from the Control Panel.

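Reading a pasted Get-MpComputerStatus listing by eye works, but the checks the helper applies (the Enabled flags, signature age, and whether a scan has run yet) are easy to mechanise. As an added example, not code from the thread or from Microsoft, this Python script parses that output into a dictionary and lists what still needs follow-up; the scan-age value 4294967295 (0xFFFFFFFF) is the value Defender reports when no scan of that kind has been recorded, which is why the ScanStartTime fields in the posted output are empty. The sample excerpt is constructed to match the shape of the post.

```python
import re

# "Key   : value" rows as printed by Get-MpComputerStatus (the value may be empty).
ROW_RE = re.compile(r'^\s*([A-Za-z]\w*)\s*:\s*(.*?)\s*$')
# Defender reports 0xFFFFFFFF as a scan age when no scan of that kind has been
# recorded; the matching *ScanStartTime fields are then blank, as in the thread.
NO_SCAN_RECORDED = 4294967295
# Protection components a healthy Defender installation reports as True.
MUST_BE_TRUE = ("AMServiceEnabled", "AntivirusEnabled", "AntispywareEnabled",
                "RealTimeProtectionEnabled", "BehaviorMonitorEnabled", "IsTamperProtected")

def parse_mp_status(text):
    """Turn pasted Get-MpComputerStatus output into a {property: value} dict."""
    status = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            status[m.group(1)] = m.group(2)
    return status

def assess_defender(status, max_signature_age_days=1):
    """List items a helper would chase up; an empty list means Defender looks healthy."""
    findings = []
    for key in MUST_BE_TRUE:
        if status.get(key) != "True":
            findings.append(f"{key} is {status.get(key, 'missing')}, expected True")
    age = status.get("AntivirusSignatureAge")
    if age is None or int(age) > max_signature_age_days:
        findings.append(f"AntivirusSignatureAge is {age}, signatures look stale")
    for key in ("QuickScanAge", "FullScanAge"):
        age = status.get(key)
        if age is None or int(age) == NO_SCAN_RECORDED:
            findings.append(f"{key}: no scan recorded yet, run one")
    return findings

# Constructed excerpt in the same shape as the output posted in the thread.
SAMPLE = """
AMServiceEnabled                : True
AntispywareEnabled              : True
AntivirusEnabled                : True
AntivirusSignatureAge           : 0
BehaviorMonitorEnabled          : True
FullScanAge                     : 4294967295
FullScanStartTime               :
IsTamperProtected               : True
QuickScanAge                    : 4294967295
RealTimeProtectionEnabled       : True
"""
```

On the posted output the only findings are the two "no scan recorded yet" items, which is exactly the Quick Scan the helper asks for in the next reply.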

Bravo. We can do a 'happy dance'. :D^_^

Windows Defender is all present, and ON, and protecting.

AntispywareEnabled : True

AntivirusEnabled : True

AntivirusSignatureLastUpdated : 5/13/2021 5:01:11 AM

.

You should take a few minutes to do a Quick Scan with Microsoft Defender.

I will have other remarks on the SecurityCheck. I will also guide you on removing the tools we used.

 


Per the SecurityCheck report, these items need your follow-up and action to get them up-to-date, or other action. Know that security updates are critical to keep up with.

 

NVIDIA GeForce Experience 3.20.5.70 v.3.20.5.70 Warning! Download Update

 

TeamViewer v.15.5.6 Warning! Download Update  

 

WinRAR 5.40 (64-bit) v.5.40.0 Warning! Download Update

 

Microsoft Teams v.1.3.00.30866 Warning! Download Update

 

Torrent v.3.5.5.46010 Warning! Ad-supported P2P-client

 

VLC media player v.3.0.12 Spotify v.1.1.53.608.g7ed9c03a Warning! Download Update

 

Cloud v.5.4.1.534 Warning! Download Update

..

To remove the FRST tool and its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe, select RENAME, and then change it to UNINSTALL.exe.

 

Then run that (double-click on it) to begin the cleanup process.

.

Delete FSS.exe 

Delete SecurityCheck.exe

Delete msert.exe

Delete the esetonline download file.

Any other download file I had you download, you may delete.

.

Let me know if you need something else at this point.

Be sure to take time to do a full Backup of this system to local offline media (like a large portable USB backup drive).

:D:cool:
