MiguelMichaeL Posted July 3, 2021 ID:1467270

(I apologize for my bad English) I'm a novice computer user. Recently I found out that every time I run an offline scan with Windows Security something keeps on stopping it from even starting. I've scanned my device not only with Malwarebytes but also ESET, BitDefender, Avast, adwcleaner and Windows Security. All of them told me that my device is clean from threats. I even used Windows' "reset this PC" option but even so event ID 5007 still happens. Here are the scans after I've reset my PC and without any 3rd party AVs:

1.
Product Name Microsoft Defender Antivirus
Product Version 4.18.2105.5
Old Value HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x1
New Value HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\OfflineScanRun = 0x0

2.
Product Name Microsoft Defender Antivirus
Product Version 4.18.2105.5
Old Value Default\IsServiceRunning = 0x0
New Value HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

3.
Product Name Microsoft Defender Antivirus
Product Version 4.18.2105.5
Old Value Default\ServiceStartStates = 0x0
New Value HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

4.
Product Name Microsoft Defender Antivirus
Product Version 4.18.2105.5
Old Value HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New Value Default\ServiceStartStates = 0x0

5.
Product Name Microsoft Defender Antivirus
Product Version 4.18.2105.5
Old Value Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New Value HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

All of these are labelled as Event ID: 5007.

Is this normal? Is this bad? Can I do something about this?
Maurice Naggar Posted July 3, 2021 ID:1467284

Hello. My name is Maurice. I will guide you. Please always attach files / reports as we go along.

I need a fuller set of reports so that I can review & guide you.

Please download Malwarebytes' MBST Support Tool.
Once you start it, click Advanced > Gather Logs.
Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Please attach mbst-grab-results.zip to your reply, like displayed here. To send (upload) attachments please click the link as shown below. Then browse to where your file is located, select it and click the Open button.

This is only a report. It does not make changes. I will guide you. Please do not run any other tools on your own. Kindly have patience as we go along.

One thing I would point out is that there were no dates on those "events".
Maurice Naggar Posted July 3, 2021 ID:1467285

Keep in mind that installing BitDefender or Avast or any other third-party antivirus (like those 2 or AVG or Norton or McAfee or any other name-brand non-Microsoft antivirus) will cause a change in the status & protections of Microsoft Defender. That is expected & normal.

Like I said, there were no dates listed with your list. We cannot tell if some changes were done by you. Or perhaps changes made by Windows Defender as part of its own updates.

Event ID 5007 just means that a change was made to the antimalware platform.
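The point raised in the post above (which setting changed, and when) can be answered from the Defender operational log itself. The following PowerShell is an added example, not part of the thread or of any tool used in it; the function names, the assumed "Old value:/New value:" line layout and the review pattern are assumptions, and the sample events are constructed from the registry values quoted in the first post.

```powershell
# Added example: list Defender Event ID 5007 changes with timestamps and mark
# the ones that touch protection settings. Function names and the review
# pattern are illustrative assumptions, not a vendor rule set.

function ConvertFrom-Defender5007Message {
    param(
        [Parameter(Mandatory)] [datetime] $TimeCreated,
        [Parameter(Mandatory)] [string]   $Message,
        # Setting names as they appear in Get-MpPreference output / registry.
        [string] $ReviewPattern = 'Exclusions\\|DisableRealtimeMonitoring|' +
                                  'DisableBehaviorMonitoring|DisableIOAVProtection|' +
                                  'DisableScriptScanning'
    )
    # Assumed layout: "Old value: <key> = <data>" and "New value: ..." each on
    # its own line. [ \t]* (not \s*) keeps an empty value from swallowing the
    # next line.
    $old = if ($Message -match '(?m)^[ \t]*Old value:?[ \t]*(.*)$') { $Matches[1].Trim() } else { '' }
    $new = if ($Message -match '(?m)^[ \t]*New value:?[ \t]*(.*)$') { $Matches[1].Trim() } else { '' }

    [pscustomobject]@{
        TimeCreated = $TimeCreated
        OldValue    = $old
        NewValue    = $new
        Review      = ("$old`n$new" -match $ReviewPattern)
    }
}

function Get-Defender5007Change {
    # Reads the live log; run from an elevated prompt on the machine in question.
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-Defender5007Message -TimeCreated $_.TimeCreated -Message $_.Message
        }
}

# Constructed sample events. The first two use registry values quoted in the
# first post; the timestamps and the third (exclusion) entry are made up.
$key = 'HKLM\SOFTWARE\Microsoft\Windows Defender'
$sample = @(
    @{ TimeCreated = [datetime]'2021-01-01T10:00:00'
       Message     = "Configuration has changed.`n`tOld value: $key\Scan\OfflineScanRun = 0x1`n`tNew value: $key\Scan\OfflineScanRun = 0x0" }
    @{ TimeCreated = [datetime]'2021-01-01T10:00:05'
       Message     = "Configuration has changed.`n`tOld value: Default\IsServiceRunning = 0x0`n`tNew value: $key\IsServiceRunning = 0x1" }
    @{ TimeCreated = [datetime]'2021-01-01T10:05:00'
       Message     = "Configuration has changed.`n`tOld value: `n`tNew value: $key\Exclusions\Paths\C:\Example = 0x0" }
)

# Only the constructed exclusion entry is marked Review = True; the status
# keys from the first post (OfflineScanRun, IsServiceRunning) are not.
foreach ($e in $sample) { ConvertFrom-Defender5007Message @e } |
    Format-Table TimeCreated, Review, OldValue, NewValue -AutoSize -Wrap
```

On the affected machine, `Get-Defender5007Change` returns the same columns for the real events, which supplies the dates missing from the pasted list.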
MiguelMichaeL Posted July 4, 2021 Author ID:1467313

Thank you for replying! Here's the zip file.

mbst-grab-results.zip
MiguelMichaeL Posted July 4, 2021 Author ID:1467315

9 hours ago, Maurice Naggar said:
Keep in mind that installing BitDefender or Avast or any other third-party antivirus (like those 2 or AVG or Norton or McAfee or any other name-brand non-Microsoft antivirus) will cause a change in the status & protections of Microsoft Defender. That is expected & normal. Like I said, there were no dates listed with your list. We cannot tell if some changes were done by you. Or perhaps changes made by Windows Defender as part of its own updates. Event ID 5007 just means that a change was made to the antimalware platform.

Even after I've deleted all the other AVs and reset my PC?
Maurice Naggar Posted July 4, 2021 ID:1467371

Hello. Thank you for the support-tool report.

What we do here on this sub-forum is to assist and guide you on looking for malware & removing malware if it is found. If no malware is found, and if Windows Defender is working and normal, I may refer you elsewhere.

Request a new query report using Windows PowerShell.

1. Start an elevated PowerShell command prompt window. On the Windows taskbar, in the Search box, type in powershell. Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".
2. Then you will see the PowerShell window. Into that, we want to Copy & Paste this entire line as is:
get-mpcomputerstatus
then tap the Enter key and wait and watch the result.
3. NEXT Copy & Paste this whole line as is:
get-mppreference
then tap the Enter key and wait and watch the result.
4. NEXT Copy & Paste this:
get-mpthreatdetection
then tap the Enter key and wait and watch the result.
5. When it has displayed a blue screen with lots of info, when done, use the mouse pointer and do a RIGHT-click on the top title bar of the PowerShell window.
6. Select "Select all".
7. Next, select COPY. Then, on this forum topic, in a new Reply, right click the white reply box.
8. And select PASTE into a Reply box window here.
MiguelMichaeL Posted July 4, 2021 Author ID:1467383

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> get-mpcomputerstatus

AMEngineVersion : 1.1.18300.4
AMProductVersion : 4.18.2105.5
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.2105.5
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 7/4/2021 10:12:13 AM
AntispywareSignatureVersion : 1.343.358.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 7/4/2021 10:12:14 AM
AntivirusSignatureVersion : 1.343.358.0
BehaviorMonitorEnabled : True
ComputerID : DA88DF45-7C16-4F6F-847C-2342D351CB03
ComputerState : 0
FullScanAge : 1
FullScanEndTime : 7/3/2021 7:59:12 PM
FullScanStartTime : 7/3/2021 7:52:05 PM
IoavProtectionEnabled : True
IsTamperProtected : True
IsVirtualMachine : False
LastFullScanSource : 1
LastQuickScanSource : 0
NISEnabled : True
NISEngineVersion : 1.1.18300.4
NISSignatureAge : 0
NISSignatureLastUpdated : 7/4/2021 10:12:14 AM
NISSignatureVersion : 1.343.358.0
OnAccessProtectionEnabled : True
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
TamperProtectionSource : Signatures
PSComputerName :

PS C:\Windows\system32> get-mppreference

AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AttackSurfaceReductionOnlyExclusions :
AttackSurfaceReductionRules_Actions :
AttackSurfaceReductionRules_Ids :
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 1
CloudExtendedTimeout : 1
ComputerID : DA88DF45-7C16-4F6F-847C-2342D351CB03
ControlledFolderAccessAllowedApplications :
ControlledFolderAccessProtectedFolders :
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : True
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIntrusionPreventionSystem :
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : True
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSshParsing : False
DisableTlsParsing : False
EnableControlledFolderAccess : 0
EnableDnsSinkhole : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 0
EngineUpdatesChannel : 0
ExclusionExtension :
ExclusionIpAddress :
ExclusionPath :
ExclusionProcess :
ForceUseProxyOnly : False
HighThreatDefaultAction : 0
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
PlatformUpdatesChannel : 0
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignaturesUpdatesChannel : 0
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 0
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :

PS C:\Windows\system32> get-mpthreatdetection
PS C:\Windows\system32>

The last command didn't bring up any result.
Maurice Naggar Posted July 4, 2021 ID:1467386

Thank you. As to the last command line, it means that Microsoft Defender has no outstanding threat that requires follow up. Windows reports that Microsoft Defender is enabled and is up to date.

It looks like there is some sort of issue when an attempt is made to update for the Windows Defender Offline. This is a section of the earlier reports. I will be getting back to you on this later about trying to get that cleared.

Quote
Date: 2021-07-03 19:50:31
Description: Microsoft Defender Antivirus has encountered an error trying to download and configure Microsoft Defender Offline.
Error code: 0x8000000a
Error description: The data necessary to complete this operation is not yet available.
MiguelMichaeL Posted July 4, 2021 Author ID:1467396

Sure Maurice, thanks :)
Maurice Naggar Posted July 4, 2021 Solution ID:1467400

[ 1 ] As a next basic step, please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] This custom script is intended to do a few things:
- Attempt to help with the overall update ability for Windows Update & for Microsoft Defender.
- Attempt to do a Quick scan with Microsoft Defender.
- Remove a few suspect files in the \appdata\local\temp folder.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt

The custom script on this post is ONLY for this machine and NO other.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those. The system will be rebooted after the script has run.

Start Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
MiguelMichaeL Posted July 4, 2021 Author ID:1467410

Thank you Maurice, I'll try this tomorrow since it is currently 1:57 am where I'm at :).
MiguelMichaeL Posted July 4, 2021 Author ID:1467416

Woke up and got a little uneasy so I did it instead lol. Here it is :). BTW after I did that the fixlist was removed, is that a sign that I did it right?

Fixlog.txt
Maurice Naggar Posted July 4, 2021 ID:1467444

Yes, that was a very very good run. 😀 If you wish, you can select to do a Defender Offline scan from the Defender GUI menu.
MiguelMichaeL Posted July 5, 2021 Author ID:1467494

Hi Maurice! It's still saying 5007 :(. BTW the event ID 1002 was my fault, I accidentally chose quick scan instead of offline. Here's the powershell and log reports:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Windows\system32> get-mpcomputerstatus

AMEngineVersion : 1.1.18300.4
AMProductVersion : 4.18.2105.5
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.2105.5
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 7/5/2021 9:19:57 AM
AntispywareSignatureVersion : 1.343.418.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 7/5/2021 9:19:58 AM
AntivirusSignatureVersion : 1.343.418.0
BehaviorMonitorEnabled : True
ComputerID : DA88DF45-7C16-4F6F-847C-2342D351CB03
ComputerState : 0
FullScanAge : 1
FullScanEndTime : 7/3/2021 7:59:12 PM
FullScanStartTime : 7/3/2021 7:52:05 PM
IoavProtectionEnabled : True
IsTamperProtected : True
IsVirtualMachine : False
LastFullScanSource : 1
LastQuickScanSource : 1
NISEnabled : True
NISEngineVersion : 1.1.18300.4
NISSignatureAge : 0
NISSignatureLastUpdated : 7/5/2021 9:19:58 AM
NISSignatureVersion : 1.343.418.0
OnAccessProtectionEnabled : True
QuickScanAge : 0
QuickScanEndTime : 7/5/2021 2:14:07 PM
QuickScanStartTime : 7/5/2021 2:13:48 PM
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
TamperProtectionSource : Signatures
PSComputerName :

PS C:\Windows\system32> get-mppreference

AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AttackSurfaceReductionOnlyExclusions :
AttackSurfaceReductionRules_Actions :
AttackSurfaceReductionRules_Ids :
CheckForSignaturesBeforeRunningScan : True
CloudBlockLevel : 1
CloudExtendedTimeout : 1
ComputerID : DA88DF45-7C16-4F6F-847C-2342D351CB03
ControlledFolderAccessAllowedApplications :
ControlledFolderAccessProtectedFolders :
DisableArchiveScanning : False
DisableAutoExclusions : True
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : True
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIntrusionPreventionSystem :
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : True
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSshParsing : False
DisableTlsParsing : False
EnableControlledFolderAccess : 0
EnableDnsSinkhole : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 0
EngineUpdatesChannel : 0
ExclusionExtension :
ExclusionIpAddress :
ExclusionPath :
ExclusionProcess :
ForceUseProxyOnly : False
HighThreatDefaultAction : 0
LowThreatDefaultAction : 0
MAPSReporting : 1
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
PlatformUpdatesChannel : 0
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignaturesUpdatesChannel : 0
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 0
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :

PS C:\Windows\system32> get-mpthreatdetection
PS C:\Windows\system32>

mbst-grab-results.zip
Maurice Naggar Posted July 5, 2021 ID:1467521

It seems to me that we need to 'suspend' pursuit (for the time being) of the 5007 line entry. Rather, first concentrate on whether the "offline scan" starts, whether it finishes.

There is a very excellent set of directions on how to run Offline scan, with pictures, at Tenforums.com. I would suggest that you use OPTION THREE:
https://www.tenforums.com/tutorials/42305-how-run-microsoft-defender-offline-scan-windows-10-a.html

Make sure you are logged in with a user account that has administrator rights. Study the pictures & sequence of Option Three as shown. Watch the monitor display the whole time as you begin the run & continue to do so to see the completion.

Before you start the run, let me suggest that you close other windows / apps that you may have started yourself during the current Windows session.

Microsoft Defender Offline Scan log files are stored as a MPLog-YYYYMMDD-HHMMSS.log file located in the C:\Windows\Microsoft Antimalware\Support folder.
Maurice Naggar Posted July 5, 2021 ID:1467527

Added note: I have reason to understand that an event entry 5007 means, or rather indicates:

Quote
MALWAREPROTECTION_CONFIG_CHANGED

That is all that it is. Documentation. This is a normal condition. No further action is required.
MiguelMichaeL Posted July 5, 2021 Author ID:1467531

So does that mean that everything is alright?
Maurice Naggar Posted July 5, 2021 ID:1467574

Yes, the Microsoft Defender is alright. Yes, your system is alright. You can do a scan like the following to do a check scan.

Microsoft Safety Scanner

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

On the Scan OPTIONS, please select "Quick scan".

Please let me know the results of this scan. The log is named MSERT.log. The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log.

Please attach that log with your next reply.
MiguelMichaeL Posted July 6, 2021 Author ID:1467681

Here it is. I accidentally chose full scan on the first one and cancelled it.

msert.log
Maurice Naggar Posted July 6, 2021 ID:1467682

MS Safety scanner reports

Quote
NO infection found

Bravo. Is there any other help you need? You may delete msert.exe
MiguelMichaeL Posted July 6, 2021 Author ID:1467683

Thanks a lot for the help! :)
Maurice Naggar Posted July 6, 2021 ID:1467699

Hello. I am very pleased to have worked with you & to have helped you.

To remove the FRST tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

Quote
UNINSTALL.exe

Then run that (double click on it) to begin the cleanup process.

Delete mb-support-1.8.4.896.exe on Desktop.

Any other download file I had you download, you may delete.

Sincerely.
Maurice Naggar Posted July 6, 2021 ID:1467700

Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you