Sean72 Posted May 17, 2021 ID:1457413

I had some preliminary help in this topic, and was told to continue here with the attached scans. I know my way around Windows pretty well, so let me know if you need anything else. Thank you.

Attached: MBAMSERVICE.LOG, mbscan.txt, Addition.txt, FRST.txt

Maurice Naggar Posted May 17, 2021 ID:1457438 (Edited May 17, 2021 by Maurice Naggar)

Hi Sean. My name is Maurice. Let's start with this.

There is a procedure to do a query, using PowerShell. Listed on this post of mine
https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1456605
please do that & then attach.

Sean72 Posted May 17, 2021 Author ID:1457448

OK, Here we go.

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-mpcomputerstatus

    AMEngineVersion : 0.0.0.0
    AMProductVersion : 4.18.2104.14
    AMRunningMode : Not running
    AMServiceEnabled : False
    AMServiceVersion : 0.0.0.0
    AntispywareEnabled : False
    AntispywareSignatureAge : 4294967295
    AntispywareSignatureLastUpdated :
    AntispywareSignatureVersion : 0.0.0.0
    AntivirusEnabled : False
    AntivirusSignatureAge : 4294967295
    AntivirusSignatureLastUpdated :
    AntivirusSignatureVersion : 0.0.0.0
    BehaviorMonitorEnabled : False
    ComputerID : C58B3398-615C-48BA-A17C-9048913A55CC
    ComputerState : 0
    FullScanAge : 4294967295
    FullScanEndTime :
    FullScanStartTime :
    IoavProtectionEnabled : False
    IsTamperProtected : False
    IsVirtualMachine : False
    LastFullScanSource : 0
    LastQuickScanSource : 0
    NISEnabled : False
    NISEngineVersion : 0.0.0.0
    NISSignatureAge : 4294967295
    NISSignatureLastUpdated :
    NISSignatureVersion : 0.0.0.0
    OnAccessProtectionEnabled : False
    QuickScanAge : 4294967295
    QuickScanEndTime :
    QuickScanStartTime :
    RealTimeProtectionEnabled : False
    RealTimeScanDirection : 0
    TamperProtectionSource : Signatures
    PSComputerName :

    PS C:\Windows\system32>

Maurice Naggar Posted May 17, 2021 ID:1457462

Thanks for that. This says that the Windows 10 Microsoft Defender antivirus is not running at all. I'll get back to that later if you intended to have MS Defender as the resident antivirus.

I would remark that depending on some conditions, that the Malwarebytes icon could simply be grouped with other hidden icons on the Taskbar. Sometimes.

What I would like to do at this point is to jump ahead this PC's Malwarebytes up a couple of components from where it is now. This will get us (hopefully) other good benefits for your PC.

First, do one Windows Restart.

Then let's give this a decent college-try (as some folks used to say). To get this upgraded to the latest Beta with Component 1.0.1306:

Start Malwarebytes for Windows.
Click on the Settings (gear icon).
Now click on the tab "General".
Scroll down, and on the line under Beta updates, click that radio-button to the RIGHT to turn it On.
Then scroll up a bit, and then click on the "Check for Updates" button.
Watch & follow all prompts.

That ought to do a check with the update server, and hopefully offer the new Beta version. If it does not, try again later (one more time) at the top of the clock hour.

By then, the MB should be at version 4.4.0.117 & with Component 1.0.1306.

Do one more Windows Restart. Let me know after this has been done. Lots of patience & persistence is needed. Also know, we will be doing many other steps later.

Maurice Naggar Posted May 17, 2021 ID:1457472

Remarks. I see that at least as of 6th May, Windows Auto-update for Defender has been crashing. Error code: 0x80070643. I will help with that too. I will wait for after hearing back from you on the special Malwarebytes update.

Sean72 Posted May 17, 2021 Author ID:1457481

OK, after one update, I updated again and it says version 4.4.0.117 & with Component 1.0.1306.

Sean72 Posted May 17, 2021 Author ID:1457483

Restarted, let it run a scan, herewith the results.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 5/17/21
    Scan Time: 6:15 PM
    Log File: 64c9ce74-b75d-11eb-a050-b06ebf5fc29a.json

    -Software Information-
    Version: 4.4.0.117
    Components Version: 1.0.1306
    Update Package Version: 1.0.40550
    License: Premium

    -System Information-
    OS: Windows 10 (Build 19041.985)
    CPU: x64
    File System: NTFS
    User: USA10\Sean

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 370347
    Threats Detected: 0
    Threats Quarantined: 0
    Time Elapsed: 2 min, 4 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)

    (end)

Maurice Naggar Posted May 17, 2021 ID:1457486

Thank you. Bravo. I'll be getting back with you here so that we run a custom script.

Maurice Naggar Posted May 17, 2021 ID:1457498

The script Fixlist.txt needs to be saved to the Downloads folder.

The custom script on this post is ONLY for this machine and NO other.

Please be sure to close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
The system will be rebooted after the script has run.

Attached: Fixlist.txt

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Start the Windows Explorer and then go to the Downloads folder.
RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
On the FRST window: click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.

If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Sean72 Posted May 18, 2021 Author ID:1457510

It ran, relatively quickly, via FRSTEnglish as admin. It flashed up a message, too quick to see, then closed. I think it was trying to restart because a lot of the tray icons dropped. I am restarting it manually, and when you get a chance to look the results over, would be cool to see what worked.

Attached: Fixlog.txt

Maurice Naggar Posted May 18, 2021 ID:1457537 (Edited May 18, 2021 by Maurice Naggar: Added link to reference)

Hello Sean. Thanks. That is a good run.

A. You should see Microsoft Defender to be up to date & running. You can check visually thru Windows Settings.

Click the Windows Start menu button on the Taskbar, select Settings icon.
Then choose Update and Security.
In Windows Settings, click on Windows Security from the left side list.
Next, in the Windows Security section: click on the grey button Open Windows Security.
Now, click on the shield Virus and threat protection.
Take a look there to check on Microsoft Defender.

B. Look on the Malwarebytes GUI to see that all Malwarebytes protections are ON. Use this support guide
https://support.malwarebytes.com/hc/en-us/articles/360038984793-Real-Time-Protection-in-Malwarebytes-for-Windows

As to the Task tray notification icon, if not displayed as an individual, it may have been grouped with other hidden icons under the single-chevron icon. Click that Chevron. Look for Malwarebytes (in blue) & if there drag it with mouse & drop onto the Taskbar.

PS. If needed, see this guide on Tenforums
https://www.tenforums.com/tutorials/5313-hide-show-notification-area-icons-taskbar-windows-10-a.html

Sean72 Posted May 18, 2021 Author ID:1457680

Thank you. Virus and threat protection shows MB on. Windows Defender is off, as it considers MB to be the AV program, but there is an option to enable it to scan periodically. Should Defender think of MB as the AV program? Do you like to keep that on or off?

Did the logs show any malware or signs of malware damage?

Lastly, I know that there are some general reset things like flushdns and so on that you ran, but can you give me an idea of what types of things you encountered that were specifically broken? I don't want to take a lot of your time, but if there were permissions or other issues that you updated, it could help me with future general troubleshooting.

BTW, I have my taskbar icons set to show all.

Maurice Naggar Posted May 18, 2021 ID:1457692

You're indicating you prefer to have both Microsoft Defender and Malwarebytes Premium to be active & monitor this system. That is do-able. Here is the step needed.

Start Malwarebytes. Click Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security Tab. Scroll down to "Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". (We want that to be set as Off; be sure that line's radio-button selection is all the way to the Left.)
Close Malwarebytes when done.

The Premium Malwarebytes real time protections will still work the same. And MS Defender ought to then show fully active. Give it another minute or two to re-adjust. If not, then do one Windows Restart.

The main things I found were that MS Windows Update was aborting, which also affected updates for Defender. The other thing was that Defender was totally off + the state of its definitions were just not known. The custom script took care of those issues. The flushdns was simply a normal precaution. But was not a factor.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update status of some applications.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Sean72 Posted May 19, 2021 Author ID:1458007

Good to know, thank you. I have run the security check and attached the log.

Attached: SecurityCheck.txt

Maurice Naggar Posted May 19, 2021 ID:1458020

Thanks. What follows is what the tool has highlighted as needing your follow-up.

    FileZilla Client 3.52.2 v.3.52.2 Warning! Download Update
    Python 2.7.13 v.2.7.13150 Warning! Download Update
    Cisco Webex Meetings v.41.1.3 Warning! Download Update
    Zoom v.5.5.0 (12454.0131) Warning! Download Update
    VLC media player v.3.0.12 Warning! Download Update

You gotta Uninstall all Flash player.

    Adobe Flash Player 32 PPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.

Now then, do one more run like before. There is a procedure to do a query, using PowerShell. Listed on this post of mine
https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1456605
please do that & then attach.

Maurice Naggar Posted May 24, 2021 ID:1459085

Good afternoon. How is the overall situation?

There is a new significant official UPDATE for Malwarebytes for Windows.
https://forums.malwarebytes.com/topic/274681-malwarebytes-44/
See the notice by Eric. Be sure you do a Check for Updates in Malwarebytes.

Sean72 Posted May 25, 2021 Author ID:1459197

My apologies, I overlooked your last email. Here are the results of the PowerShell command:

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-mpcomputerstatus

    AMEngineVersion : 1.1.18100.6
    AMProductVersion : 4.18.2104.14
    AMRunningMode : Normal
    AMServiceEnabled : True
    AMServiceVersion : 4.18.2104.14
    AntispywareEnabled : True
    AntispywareSignatureAge : 1
    AntispywareSignatureLastUpdated : 5/23/2021 11:37:02 AM
    AntispywareSignatureVersion : 1.339.1276.0
    AntivirusEnabled : True
    AntivirusSignatureAge : 1
    AntivirusSignatureLastUpdated : 5/23/2021 11:37:01 AM
    AntivirusSignatureVersion : 1.339.1276.0
    BehaviorMonitorEnabled : True
    ComputerID : C58B3398-615C-48BA-A17C-9048913A55CC
    ComputerState : 0
    FullScanAge : 4294967295
    FullScanEndTime :
    FullScanStartTime :
    IoavProtectionEnabled : True
    IsTamperProtected : True
    IsVirtualMachine : False
    LastFullScanSource : 0
    LastQuickScanSource : 2
    NISEnabled : True
    NISEngineVersion : 1.1.18100.6
    NISSignatureAge : 1
    NISSignatureLastUpdated : 5/23/2021 11:37:01 AM
    NISSignatureVersion : 1.339.1276.0
    OnAccessProtectionEnabled : True
    QuickScanAge : 5
    QuickScanEndTime : 5/19/2021 7:25:19 PM
    QuickScanStartTime : 5/19/2021 7:24:04 PM
    RealTimeProtectionEnabled : True
    RealTimeScanDirection : 0
    TamperProtectionSource : Signatures
    PSComputerName :

    PS C:\Windows\system32>

I also updated MalwareBytes after this ran, and it shows the version as 4.4.0.117 component package 1.0.1308 as per the update you posted.

I really appreciate your help. The PC is running great overall. Though I have disabled FastBoot, MB is still not running by itself each time, but I have switched all the startup settings off and on and checked a few other startup items for duplicates and will see how the startup performs the next few times.

Solution: Maurice Naggar Posted May 25, 2021 ID:1459271

Bravo. The Malwarebytes for Windows is the latest most recent release. If you have a Premium license, be sure you check that it is set to auto-start with Windows. See
https://support.malwarebytes.com/hc/en-us/articles/360038984953-Security-settings-in-Malwarebytes-for-Windows
The section on Start Malwarebytes at Windows startup.

Bravo. The Microsoft Defender is all On & current. It is in fine state. At an opportune moment, see that you can do a manual Check for Update (for definitions update) & also run a Quick Scan thru the GUI.
https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-security

And, go to the Windows taskbar.
Look for the search box, type in security and maintenance and click on it.
Look for the section (in blue) Security and click on the down-arrow to expand.
Do a visual review of the status display.

Just want to be sure things are well. (On a later pass, I will guide you on tools cleanup.)

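The two Get-MpComputerStatus outputs posted in this thread can be compared mechanically. The following is an added example, not part of the original posts and not Malwarebytes or Microsoft code: it parses pasted output and lists the fields showing that Defender is not protecting the host. The function names, the 7-day staleness threshold and the reading of 4294967295 as "no data" are assumptions of the example.

```python
import re

# Assumptions of this added example (not from the thread): Defender is meant to be
# the active antivirus, and signatures older than MAX_AGE_DAYS count as stale.
MAX_AGE_DAYS = 7
NO_DATA = 4294967295  # 0xFFFFFFFF; the thread's outputs show it beside empty timestamps

def parse_status(text):
    """Parse 'Name : Value' lines from pasted Get-MpComputerStatus output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)  # prompt/banner lines do not match
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def assess(fields):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = fields.get("AMRunningMode", "missing")
    if mode != "Normal":
        findings.append(f"AMRunningMode={mode}")
    if fields.get("AMEngineVersion", "0.0.0.0") == "0.0.0.0":
        findings.append("AMEngineVersion=0.0.0.0")
    for name, value in fields.items():
        if name.endswith("Enabled") and value != "True":
            findings.append(f"{name}={value}")
        elif name.endswith("SignatureAge"):
            age = int(value) if value.isdigit() else NO_DATA
            if age == NO_DATA:
                findings.append(f"{name}=no data")
            elif age > MAX_AGE_DAYS:
                findings.append(f"{name}={age} days, stale")
    return findings

# Sample input: a subset of the fields from the two outputs posted in this thread.
BEFORE = """
PS C:\\Windows\\system32> get-mpcomputerstatus
AMEngineVersion                 : 0.0.0.0
AMRunningMode                   : Not running
AntivirusEnabled                : False
AntivirusSignatureAge           : 4294967295
RealTimeProtectionEnabled       : False
"""
AFTER = """
AMEngineVersion                 : 1.1.18100.6
AMRunningMode                   : Normal
AntivirusEnabled                : True
AntivirusSignatureAge           : 1
AntivirusSignatureLastUpdated   : 5/23/2021 11:37:01 AM
RealTimeProtectionEnabled       : True
"""

if __name__ == "__main__":
    print(assess(parse_status(BEFORE)), assess(parse_status(AFTER)))
```

On a host where a third-party antivirus is registered with Windows Security Center, AMRunningMode will not read Normal, so the first check only applies when Defender is intended to be active.
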
Sean72 Posted May 25, 2021 Author ID:1459290

Great, thank you. I do have a premium subscription with several seats for computers in our small office.

Maurice Naggar Posted May 25, 2021 ID:1459295

Additional remarks

It is best practice to have the Windows Fastboot option OFF. In several ways, as mentioned many times on this forum, Fastboot will lead to quirky situations. Keep it off.

Then, you mentioned "MB is still not running by itself each time". There are many other ways to check for the status of mbamservice. One is thru Task Manager, but better yet, thru having MS Sysinternals Process Explorer. Yet another is thru an Elevated Command prompt query

    SC qc mbamservice

Maurice Naggar Posted June 8, 2021 ID:1462234

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you