Constant Popups But No Malware Found


Go to solution Solved by Maurice Naggar,

Thank you.

  • On the Windows taskbar, in the Windows search box, type in
cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

 

  • Once the Command prompt window is up, copy > paste the line in the code-box below into the command-window.
WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"

tap ENTER-key to run that.

 

  • Next, copy & paste this whole line onto the command-prompt-window
WMIC SERVICE WHERE Name="windefend" CALL startservice

tap ENTER-key to run that.

 

  • When that completes, place your mouse-pointer on the top bar of the command-window

& do a RIGHT-click & choose  "Select all"
& then choose " COPY "

then into the next Reply box on this topic, right-click on the white box and choose PASTE
You may then close the command window

.

Next I would suggest you run an update check on Malwarebytes for Windows.

Start Malwarebytes for Windows. Click on the Settings ( gear icon)

Now click on the tab "General". 

Then scroll up a bit, and then click on the "Check for Updates" button.

 

Watch & follow all prompts.

 

That ought to do a check with the update server, and hopefully offer the newest component update.


Microsoft Windows [Version 10.0.19043.1023]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"
Executing (\\DESKTOP-EBKPDUU\ROOT\CIMV2:Win32_Service.Name="WinDefend")->ChangeStartMode()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 2;
};


C:\WINDOWS\system32>WMIC SERVICE WHERE Name="windefend" CALL startservice
Executing (\\DESKTOP-EBKPDUU\ROOT\CIMV2:Win32_Service.Name="WinDefend")->startservice()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 8;
};


C:\WINDOWS\system32>

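Added example, not part of the original posts: in the WMIC output above, "Method execution successful" only reports that the WMI call was dispatched. The service-level result is the ReturnValue, and Microsoft's Win32_Service documentation lists 2 as access denied and 8 as unknown failure. The PowerShell sketch below repeats the same two calls through CIM, decodes the code, and re-reads the service afterwards; the helper name Invoke-ServiceMethod is hypothetical.

```powershell
# Added example: decode Win32_Service method results instead of trusting
# "Method execution successful". Run from an elevated PowerShell prompt.
# Codes below are a subset of the documented Win32_Service return values.
$ServiceReturnCodes = @{
    0  = 'Success'
    1  = 'Not supported'
    2  = 'Access denied'
    3  = 'Dependent services running'
    5  = 'Service cannot accept control'
    7  = 'Service request timeout'
    8  = 'Unknown failure'
    9  = 'Path not found'
    10 = 'Service already running'
    13 = 'Service dependency failure'
    14 = 'Service disabled'
    16 = 'Service marked for deletion'
}

# Invoke-ServiceMethod is a hypothetical helper name, not a built-in cmdlet.
function Invoke-ServiceMethod {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Method,
        [hashtable] $Arguments = @{}
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' is not registered on this machine." }

    $call = @{ InputObject = $svc; MethodName = $Method }
    if ($Arguments.Count -gt 0) { $call.Arguments = $Arguments }
    $code = [int](Invoke-CimMethod @call).ReturnValue   # cast so the Int32 keys match

    $meaning = $ServiceReturnCodes[$code]
    if (-not $meaning) { $meaning = 'See Win32_Service documentation' }

    # Re-read the service so the report shows what actually changed.
    $after = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Service = $Name;  Method = $Method
        ReturnValue = $code;  Meaning = $meaning;  Succeeded = ($code -eq 0)
        StartMode = $after.StartMode;  State = $after.State
    }
}

Invoke-ServiceMethod -Name WinDefend -Method ChangeStartMode -Arguments @{ StartMode = 'Automatic' }
Invoke-ServiceMethod -Name WinDefend -Method StartService
```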

Please state some details on what you mean of the current issue as of now.   What exactly is it ?  Is it the Block notices from Malwarebytes web protection ?

If the latter is what it is, I need specific detail, such as IP address or URL link & whether a web browser is open (running).

Please ....always ...state for me the what , where, when, how & detail of what the current issue is.

 

and know that as of the last round, the real-time protections of Windows Defender are ON.


The anti-virus section of Windows security still shows real time protection as "off" and greyed out. Quick scan still hangs on 0:00 and 0 files scanned. 

It seems your test indicates Defender is running OK, but on my end this is not indicated. 

I have attached a screenshot.

screenshot AV.png


Hi.  Thanks for the screen grab.   Let me ask this. Is this a home computer ?

I notice that bottom line in red.

 

Let me ask this too.  Has this machine ever had a 3rd party ( non-Microsoft) antivirus ?  Like Norton or McAfee, or Avast or AVG, etc ?


Next action step, please.

This section involves saving a distinct file from a very, very trusted source, saving it AS-IS; saving to the Desktop is preferred (but if needed you may save to the Downloads folder). Just be sure you know where.

Windows 10 SecurityHealthService

Once it is saved, then we are needing to merge the file onto the system, as follows

 

With your mouse, do a RIGHT-click on the .reg file and select Merge

Let it do that & ensure it finishes ok.  You should see a visual on-screen confirmation.
After this step is finished, do a Windows RESTART.
Once it is all settled back in, then do a new check on Virus & Threat protection.


If the MS Defender scan begins but then seems to stall or is stuck .....it may be due to some problem with the definitions it has, or perhaps even may not have at all.

Anyhow, this needs some digging into.  Hopefully we can get some good clues.   Let's do what follows.

There is a procedure to do a query, using Powershell.

Listed on this post of mine 

https://forums.malwarebytes.com/topic/273193-malware-deleted-my-windows-defender-service-and-has-admin-access/?do=findComment&comment=1456605

please do that & then attach.

 


Please see below for the requested PowerShell procedure. 

 

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> get-mpcomputerstatus
get-mpcomputerstatus : Provider load failure
At line:1 char:1
+ get-mpcomputerstatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpComputerStatus:ROOT\Microsoft\...pComputerStatus) [Get-MpComputerS
   tatus], CimException
    + FullyQualifiedErrorId : HRESULT 0x80041013,Get-MpComputerStatus

PS C:\WINDOWS\system32>

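Added example, not part of the original posts: HRESULT 0x80041013 is WBEM_E_PROVIDER_LOAD_FAILURE, meaning the Defender WMI provider itself could not be loaded, so Get-MpComputerStatus returns nothing usable. The sketch below records that error and falls back to sources that do not depend on the provider: the three services this thread works on (WinDefend, SecurityHealthService, wscsvc) and the antivirus products registered with Windows Security Center. The helper name Get-DefenderHealth is hypothetical.

```powershell
# Added example: collect Defender health even when Get-MpComputerStatus fails.
# Get-DefenderHealth is a hypothetical helper name, not a built-in cmdlet.
function Get-DefenderHealth {
    $report = [ordered]@{
        MpStatus   = $null
        MpError    = $null
        Services   = @()
        AvProducts = @()
    }

    try {
        $report.MpStatus = Get-MpComputerStatus -ErrorAction Stop |
            Select-Object AMServiceEnabled, AntivirusEnabled,
                          RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
    } catch {
        # Keeps the same error id the console shows, e.g. "HRESULT 0x80041013,..."
        $report.MpError = $_.FullyQualifiedErrorId
    }

    # Service Control Manager view; does not depend on the Defender WMI provider.
    $report.Services = @(
        Get-Service -Name WinDefend, SecurityHealthService, wscsvc -ErrorAction SilentlyContinue |
            Select-Object Name, Status, StartType
    )

    # Antivirus products registered with Windows Security Center (client Windows only).
    $report.AvProducts = @(
        Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
            Select-Object displayName, pathToSignedProductExe
    )

    [pscustomobject]$report
}

$health = Get-DefenderHealth
$health | Format-List MpStatus, MpError
$health.Services   | Format-Table -AutoSize
$health.AvProducts | Format-Table -AutoSize
```

A third-party product listed under AvProducts alongside a stopped or disabled WinDefend service is the situation the later posts in this thread address.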

Hello Ryan.

Sorry to see the repeat glitch with Powershell trying to get a status inquiry. Doing several searches online on Microsoft, it seems that one possibility as to source of that type problem is the need to re-register one DLL related to Microsoft's Net Framework.  We will attempt to do that in the new script below.

This script will also run a new check with the Windows System File Checker tool, plus also the Microsoft Windows 10 DISM tool.

That will be the custom script in the first section.   The second section will be to get a new / fresh copy of the Microsoft Defender service registry file & insure to merge it in.

Hopefully all told, at the finish of all this, that Microsoft Defender will fully be available when looking at the GUI section of the Security module. ( Virus & Threat Protection Settings )

[   1    ]  

The custom script on this post is ONLY for this machine and NO other.   

First, delete old Fixlist.txt on Desktop.

This new, latest  script Fixlist.txt  needs to be saved to the same folder that contains FRST64.exe   /  you have yours saved on Desktop

 

Fixlist.txt

 

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

  • Start the Windows Explorer and then, to the Desktop folder.

 

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run the tool.

  • If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

  • on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots  of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

[    2    ]  

The next links listed below are to registry files that we need you to SAVE as-is to the Desktop

 

RIGHT click the link with your mouse-pointer and select SAVE ...as.... & guide the folder for saving to DESKTOP (do not double click / do not 'run' the file / nor open)

Microsoft Defender Antivirus service 

Once it is saved, then we are needing to merge the files onto the system, as follows

 

With your mouse, do a RIGHT-click on the file windefend.reg and select Merge

Let it do that & ensure it finishes ok.

.

RIGHT click the link with your mouse-pointer and select SAVE ...as.... & guide the folder for saving to DESKTOP (do not double click / do not 'run' the file / nor open)

Windows 10 Windows Security Center service

Save, then Merge Wscsvc.reg.     

With your mouse, do a RIGHT-click on the file Wscsvc.reg and select Merge

Let it do that & ensure it finishes ok.

.

Now RESTART Windows & let it settle back on.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity

 


  • 2 weeks later...

Hello.  I hope you are doing well.  I have not heard back from you in several days.  Checking in to see about status & whether you have seen & done my last set of tips

https://forums.malwarebytes.com/topic/274765-constant-popups-but-no-malware-found/?do=findComment&comment=1462667

:cool:


Hi Maurice,

Thank you for your patience. 

I ran FRST64 fix feature and received an error about a certain .dll not being in the right place. I screenshotted it but it was lost during the restart. Attached is the log. 

Trying to merge Microsoft Defender Antivirus Service returned an error which I screenshotted and have attached.

Windows 10 Security Centre Service merged successfully. 

Clicking quick scan results in the same issue, 0:00:00 with no progress and no files scanned. Windows Security pop-ups indicating Defender Anti-Virus is off continue to pop up in the bottom right corner of my screen. 

ERROR2.png

Fixlog.txt


  • Solution

Hello @rjk98

Let's do this, please.  Restart the machine into SAFE mode of Windows.

This article is a how-to on how to get to safe mode for Windows 10 

· Windows 10: http://windows.microsoft.com/en-gb/windows-10/start-your-pc-in-safe-mode  

 

Then

With your mouse, do a RIGHT-click on the file windefend.reg and select Merge

Let it do that & ensure it finishes ok.

Then do a Restart back to normal mode.   Then let's see.


Once all that is done, then uninstall Sophos antivirus thru Control Panel >> Programs & Features.

Also, please run the FSS report tool again.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.    Attach FSS.txt with your new reply.


Hi.  That is great.  I want to make very sure, so please, can you run the FSS report tool  ( like above)

and also, one other readout

 would recommend getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows's SmartScreen blocks that with a message-window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
