
Suspected issue - help appreciated


Solved by Maurice Naggar

Hi Sean. My name is Maurice.

Let's start with this.

There is a procedure to do a query, using PowerShell.

Listed on this post of mine 

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1456605

please do that & then attach.


OK, Here we go.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> get-mpcomputerstatus


AMEngineVersion                 : 0.0.0.0
AMProductVersion                : 4.18.2104.14
AMRunningMode                   : Not running
AMServiceEnabled                : False
AMServiceVersion                : 0.0.0.0
AntispywareEnabled              : False
AntispywareSignatureAge         : 4294967295
AntispywareSignatureLastUpdated :
AntispywareSignatureVersion     : 0.0.0.0
AntivirusEnabled                : False
AntivirusSignatureAge           : 4294967295
AntivirusSignatureLastUpdated   :
AntivirusSignatureVersion       : 0.0.0.0
BehaviorMonitorEnabled          : False
ComputerID                      : C58B3398-615C-48BA-A17C-9048913A55CC
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : False
IsTamperProtected               : False
IsVirtualMachine                : False
LastFullScanSource              : 0
LastQuickScanSource             : 0
NISEnabled                      : False
NISEngineVersion                : 0.0.0.0
NISSignatureAge                 : 4294967295
NISSignatureLastUpdated         :
NISSignatureVersion             : 0.0.0.0
OnAccessProtectionEnabled       : False
QuickScanAge                    : 4294967295
QuickScanEndTime                :
QuickScanStartTime              :
RealTimeProtectionEnabled       : False
RealTimeScanDirection           : 0
TamperProtectionSource          : Signatures
PSComputerName                  :

PS C:\Windows\system32>


Thanks for that. This says that the Windows 10 Microsoft Defender antivirus is not running at all.

I'll get back to that later if you intended to have MS Defender as the resident antivirus.

I would remark that, depending on some conditions, the Malwarebytes icon could simply be grouped with other hidden icons on the Taskbar.  Sometimes.

.

What I would like to do at this point is to jump this PC's Malwarebytes ahead a couple of components from where it is now.

This will hopefully get us other good benefits for your PC as well.

First, do one Windows Restart.

Then 

Let's give this a decent college try (as some folks used to say) to get this upgraded to the latest Beta with Component 1.0.1306.

 

Start Malwarebytes for Windows. Click on the Settings ( gear icon).

 

Now click on the tab "General". Scroll down, and on the line under Beta updates, click that radio-button to the RIGHT to turn it On.

 

Then scroll up a bit, and then click on the "Check for Updates" button.

Watch & follow all prompts.

That ought to do a check with the update server, and hopefully offer the new Beta version.

 

If it does not, try again later (one more time) at the top of the clock hour.

.

By then, the MB should be at version 4.4.0.117 with Component 1.0.1306.

 

Do one more Windows Restart.

Let me know after this has been done.

Lots of patience & persistence are needed.  Also know, we will be doing many other steps later.

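The helper reads the Get-MpComputerStatus output above by eye: every protection switch False, AMRunningMode "Not running", and the signature and scan ages at 4294967295 (the unsigned 32-bit maximum, which Defender reports when it has never updated or scanned). The script below is an added example, not from the thread or from Malwarebytes, that performs the same read automatically. The property names are the real Get-MpComputerStatus fields shown in the output; the 7-day age threshold is an assumption for illustration. Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example (not from the thread): summarize Get-MpComputerStatus the way the
# helper reads it by hand. Property names are the real cmdlet output fields;
# the MaxSignatureAgeDays threshold is an assumed value for illustration.
function Test-DefenderHealth {
    param([int]$MaxSignatureAgeDays = 7)

    $s = Get-MpComputerStatus
    $findings = @()

    # Protection switches that all read True on a healthy, active Defender install.
    $switches = 'AMServiceEnabled', 'AntivirusEnabled', 'AntispywareEnabled',
                'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                'OnAccessProtectionEnabled', 'IoavProtectionEnabled',
                'NISEnabled', 'IsTamperProtected'
    foreach ($p in $switches) {
        if (-not $s.$p) { $findings += "$p is False" }
    }

    # Defender reports 4294967295 ([uint32]::MaxValue) as the age of a
    # signature set or scan that has never happened.
    $never = [uint32]::MaxValue
    foreach ($p in 'AntivirusSignatureAge', 'AntispywareSignatureAge', 'NISSignatureAge') {
        $age = $s.$p
        if ($age -eq $never) { $findings += "$p: signatures never updated" }
        elseif ($age -gt $MaxSignatureAgeDays) { $findings += "$p is $age days old" }
    }
    if ($s.QuickScanAge -eq $never -and $s.FullScanAge -eq $never) {
        $findings += 'no quick or full scan has ever completed'
    }

    # 'Normal' is the active mode; 'Not running' is what the first output
    # in this thread shows, and 'Passive Mode' appears when another
    # registered antivirus has taken over real-time protection.
    if ($s.AMRunningMode -ne 'Normal') {
        $findings += "AMRunningMode is '$($s.AMRunningMode)'"
    }

    [pscustomobject]@{
        Healthy          = ($findings.Count -eq 0)
        RunningMode      = $s.AMRunningMode
        EngineVersion    = $s.AMEngineVersion
        SignatureVersion = $s.AntivirusSignatureVersion
        Findings         = $findings
    }
}

# Usage: print the summary; Healthy is $false whenever Findings is non-empty.
Test-DefenderHealth | Format-List
```

Against the first output in this thread the function would list every switch as False, all three signature sets as never updated, no scan ever completed, and AMRunningMode 'Not running'; against the later output (after the fix) it reports Healthy = True.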

Remarks. I see that at least as of 6th May, Windows Auto-update for Defender has been crashing. Error code: 0x80070643

.

I will help with that too. I will wait for after hearing back from you on the special Malwarebytes update.


Restarted, let it run a scan, herewith the results.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/17/21
Scan Time: 6:15 PM
Log File: 64c9ce74-b75d-11eb-a050-b06ebf5fc29a.json

-Software Information-
Version: 4.4.0.117
Components Version: 1.0.1306
Update Package Version: 1.0.40550
License: Premium

-System Information-
OS: Windows 10 (Build 19041.985)
CPU: x64
File System: NTFS
User: USA10\Sean

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 370347
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 2 min, 4 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


The script Fixlist.txt  needs to be saved to the Downloads folder

 

The custom script on this post is ONLY for this machine and NO other.   

 

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The system will be rebooted after the script has run.

 

Fixlist.txt

Please save the (attached file named) FIXLIST.txt   to the  Downloads folder

Start Windows Explorer and then go to the Downloads folder.

 

RIGHT click on  FRSTENGLISH.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the line "More info" on that screen

and click the "Run anyway" button on the next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.


It ran, relatively quickly, via FRSTEnglish as admin.  It flashed up a message, too quick to see, then closed.  I think it was trying to restart because a lot of the tray icons dropped.  I am restarting it manually, and when you get a chance to look the results over, would be cool to see what worked.

Fixlog.txt


Hello Sean. Thanks. That is a good run.

A. You should see Microsoft Defender up to date & running.  You can check visually through Windows Settings.

Click the Windows Start menu button on the Taskbar and select the Settings icon. Then choose Update and Security.

 

In Windows Settings >>> click on Windows Security from the left side list.

 

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection.

Take a look there to check on Microsoft Defender.

.....

B. Look on the Malwarebytes GUI to see that all Malwarebytes protections are ON.

Use this support guide https://support.malwarebytes.com/hc/en-us/articles/360038984793-Real-Time-Protection-in-Malwarebytes-for-Windows

 

As to the Task tray notification icon, if it is not displayed as an individual icon, it may have been grouped with other hidden icons under the single-chevron icon. Click that chevron. Look for Malwarebytes (in blue) & if it is there, drag it with the mouse & drop it onto the Taskbar.

PS. If needed, see this guide on Tenforums https://www.tenforums.com/tutorials/5313-hide-show-notification-area-icons-taskbar-windows-10-a.html

 


Thank you. Virus and threat protection shows MB on. Windows Defender is off, as it considers MB to be the AV program, but there is an option to enable it to scan periodically.  Should Defender think of MB as the AV program?  Do you like to keep that on or off?

Did the logs show any malware or signs of malware damage?

Lastly, I know that there are some general reset things like flushdns and so on that you ran, but can you give me an idea of what types of things you encountered that were specifically broken?  I don't want to take a lot of your time, but if there were permissions or other issues that you updated, it could help me with future general troubleshooting.

BTW, I have my taskbar icons set to show all.


You're indicating you prefer to have both Microsoft Defender and Malwarebytes Premium active & monitoring this system.

That is do-able.

Here is the step needed.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

 

Click the Security Tab. Scroll down to 

"Windows Security Center"

 

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

 

We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left.

Close Malwarebytes when done.

The Premium Malwarebytes real time protections will still work the same. And MS Defender ought to then show fully active.  Give it another minute or two to re-adjust.  If not, then do one Windows Restart.

.

The main things I found were that MS Windows Update was aborting, which also affected updates for Defender.

The other thing was that Defender was totally off + the state of its definitions was just not known.

The custom script took care of those issues.

The flushdns was simply a normal precaution, but was not a factor.

.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

 

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then

click on the MORE INFO spot, override that, and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thanks. What follows is what the tool has highlighted as needing your follow-up.

FileZilla Client 3.52.2 v.3.52.2 Warning! Download Update

 

Python 2.7.13 v.2.7.13150 Warning! Download Update

 

Cisco Webex Meetings v.41.1.3 Warning! Download Update

 

 Zoom v.5.5.0 (12454.0131) Warning! Download Update

 

VLC media player v.3.0.12 Warning! Download Update

 

You gotta Uninstall all Flash player.

Adobe Flash Player 32 PPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.

.

Now then, do one more run like before.

There is a procedure to do a query, using PowerShell.

Listed on this post of mine 

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1456605

 

 

please do that & then attach.


Good afternoon.

How is the overall situation ?

There is a new significant official UPDATE for Malwarebytes for Windows.

https://forums.malwarebytes.com/topic/274681-malwarebytes-44/

see the notice by Eric.

Be sure you do a Check for Updates in Malwarebytes.  :cool:

 


My apologies, I overlooked your last email.  Here is the results of the PowerShell command:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> get-mpcomputerstatus


AMEngineVersion                 : 1.1.18100.6
AMProductVersion                : 4.18.2104.14
AMRunningMode                   : Normal
AMServiceEnabled                : True
AMServiceVersion                : 4.18.2104.14
AntispywareEnabled              : True
AntispywareSignatureAge         : 1
AntispywareSignatureLastUpdated : 5/23/2021 11:37:02 AM
AntispywareSignatureVersion     : 1.339.1276.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 1
AntivirusSignatureLastUpdated   : 5/23/2021 11:37:01 AM
AntivirusSignatureVersion       : 1.339.1276.0
BehaviorMonitorEnabled          : True
ComputerID                      : C58B3398-615C-48BA-A17C-9048913A55CC
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : True
IsTamperProtected               : True
IsVirtualMachine                : False
LastFullScanSource              : 0
LastQuickScanSource             : 2
NISEnabled                      : True
NISEngineVersion                : 1.1.18100.6
NISSignatureAge                 : 1
NISSignatureLastUpdated         : 5/23/2021 11:37:01 AM
NISSignatureVersion             : 1.339.1276.0
OnAccessProtectionEnabled       : True
QuickScanAge                    : 5
QuickScanEndTime                : 5/19/2021 7:25:19 PM
QuickScanStartTime              : 5/19/2021 7:24:04 PM
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
TamperProtectionSource          : Signatures
PSComputerName                  :

PS C:\Windows\system32>

 

I also updated MalwareBytes after this ran, and it shows the version as 4.4.0.117 component package 1.0.1308 as per the update you posted.  I really appreciate your help.  The PC is running great overall.  Though I have disabled FastBoot, MB is still not running by itself each time, but I have switched all the startup settings off and on and checked a few other startup items for duplicates and will see how the startup performs the next few times.

  • Solution

Bravo. The Malwarebytes for Windows is the latest most recent release. If you have a Premium license, be sure you check that it is set to auto-start with Windows. See https://support.malwarebytes.com/hc/en-us/articles/360038984953-Security-settings-in-Malwarebytes-for-Windows

The section on Start Malwarebytes at Windows startup.

.

Bravo. The Microsoft Defender is all On & current. It is in fine state.

At an opportune moment, see that you can do a manual Check for Update (for the definitions update) & also run a Quick Scan through the GUI.

https://support.microsoft.com/en-us/help/4012987/windows-10-virus-threat-protection-windows-security

 

and,       

Go to the Windows taskbar.

Look for the search box

type in

security and maintenance

 

and click on it

Look for the section ( in blue ) Security

click on the down-arrow to expand

Do a visual review of status display. Just want to be sure things are well.

( On a later pass, I will guide you on tools cleanup . ).  :D


Additional remarks

It is best practice to have the Windows Fastboot option OFF. In several ways, as mentioned many times on this forum, Fastboot will lead to quirky situations.  Keep it off.

Then, you mentioned "MB is still not running by itself each time".

There are many other ways to check the status of mbamservice.

One is through Task Manager, but better yet, through MS Sysinternals Process Explorer.

Yet another is through an Elevated Command prompt query

SC qc mbamservice

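The `SC qc mbamservice` query above prints the service's configuration, including its START_TYPE, which is the setting that decides whether a service comes up with Windows. The script below is an added example, not from the thread or from Malwarebytes, that pulls the same configuration plus the live state through PowerShell's Win32_Service class so the result can be checked in one object. The service name MBAMService is the one the post refers to; the function accepts any service name, and the expectation that a resident protection service is set to 'Auto' is an assumption stated in the code.

```powershell
# Added example (not from the thread): report a service's current state and
# start type, the same facts "sc qc <name>" shows, as one PowerShell object.
# Service name MBAMService comes from the thread; the function works for any name.
function Get-ServiceStartupReport {
    param([string]$Name = 'MBAMService')

    # Win32_Service carries both the runtime State and the configured StartMode.
    # Single quotes in the name are doubled so the WQL filter stays well-formed.
    $safeName = $Name -replace "'", "''"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$safeName'"
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; Found = $false }
    }

    # StartMode is 'Auto', 'Manual' or 'Disabled'. 'Auto' corresponds to the
    # AUTO_START line in sc qc output. A resident protection service that is
    # Manual or Disabled is one explanation for "not running by itself each time";
    # expecting 'Auto' here is an assumption for this example.
    $expectedStartMode = 'Auto'

    [pscustomobject]@{
        Name           = $svc.Name
        Found          = $true
        State          = $svc.State          # e.g. 'Running' or 'Stopped'
        StartMode      = $svc.StartMode
        StartsWithBoot = ($svc.StartMode -eq $expectedStartMode)
        RunningAs      = $svc.StartName      # account the service runs under
        BinaryPath     = $svc.PathName       # matches BINARY_PATH_NAME in sc qc
        ProcessId      = $svc.ProcessId      # 0 when the service is not running
    }
}

# Usage: run from an elevated PowerShell prompt.
Get-ServiceStartupReport -Name 'MBAMService' | Format-List
```

A result with State 'Stopped' and StartMode 'Manual' or 'Disabled' points at the startup configuration; State 'Stopped' with StartMode 'Auto' points instead at something stopping the service after boot, which is where the Process Explorer check mentioned above comes in.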
  • 2 weeks later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
