Abe1947 Posted March 24, 2022 ID:1508352

So I need some help. My Windows Defender stopped working. I followed most of the instructions in the below thread and I still cannot get it to restart or work. I ran the Microsoft Safety Scanner, got all the detected malware removed.

When I run cmd prompt as admin
WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "Automatic"
I get return value 2

When I run cmd prompt
WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "Automatic"
I get return value 8

Also my Windows Security at a glance screen is blank. Any help is appreciated!
Abe1947 Posted March 24, 2022 Author ID:1508357

Here is the security check program file.
SecurityCheck.txt
Abe1947 Posted March 24, 2022 Author ID:1508358

Another screenshot that may be helpful
Maurice Naggar Posted March 24, 2022 ID:1508362

Hello @Abe1947

My name is Maurice. We will start with getting a report. This next is just a report to check on some Windows services.

Download Farbar's Service Scanner utility and Save to your Desktop.
Right-Click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check-marked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other services
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please attach that file.
Abe1947 Posted March 24, 2022 Author ID:1508363

Thank you for your response. Here is the file.
FSS.txt
Maurice Naggar Posted March 24, 2022 ID:1508366

The FSS report indicates that this Windows Operating system has 2 Windows services that are disabled. The 2 services are SecurityHealthService Service + wscsvc Service (Windows Security Center).

These next steps are how to go about getting those back to standard-default for Windows 10 OS. There will be 2 downloads, each one to be saved first, before applying. Download, save, Merge for each of the other 2 services.

RIGHT click each link with your mouse-pointer and select SAVE ...as.... & guide the folder for saving to a folder ( do not double click / do not 'run' the file / nor open )

win 10 SecurityHealthService
With your mouse, do a RIGHT-click on the .reg file and select Merge
Let it do that & ensure it finishes ok.

[ 2 ] Windows 10 Windows Security Center service
Save, then Merge Wscsvc.reg
With your mouse, do a RIGHT-click on the .reg file and select Merge
Let it do that & ensure it finishes ok.

NEXT, please do a Windows RESTART. After that, wait till system is settled in. Then run the FSS report another time & attach report.

Don't go away. We will need to do other checks.
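Added example (not part of the original posts, and not Farbar's or Malwarebytes' tooling): a read-only PowerShell check of the start type and state of the three services named in this thread, WinDefend, SecurityHealthService and wscsvc. It reads the standard Start value under HKLM:\SYSTEM\CurrentControlSet\Services and changes nothing, so it can be run before and after a repair to compare.

```powershell
# Added example: read-only audit, makes no changes to the system.
# Service names are the ones mentioned in this thread.
$names = 'WinDefend', 'SecurityHealthService', 'wscsvc'

# Meaning of the Start DWORD under each service's registry key.
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($name in $names) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue

    # A missing key or missing Start value is reported, not guessed at.
    $start = if ($reg -and $null -ne $reg.Start) {
        $startTypes[[int]$reg.Start]
    } else {
        'missing'
    }

    [pscustomobject]@{
        Service   = $name
        StartType = $start
        Status    = if ($svc) { $svc.Status } else { 'not installed' }
    }
}

# Full table first, then only the entries that need attention.
$report | Format-Table -AutoSize
$report | Where-Object { $_.StartType -in 'Disabled', 'missing' -or $_.Status -ne 'Running' }
```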
Maurice Naggar Posted March 24, 2022 ID:1508367

Here is the next report to run. I am presuming this Windows is 64-bit.

Download & save a copy of the tool FRST64.exe ( Farbar FRST) from this link
SAVE it to the Downloads folder. Do not click on any popup window. Disregard the running ads. Close the browser window when done with download.
Close other open windows just to get a clear field of view on monitor-screen.
Go to Downloads folder. RIGHT-click on FRST64 and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.
When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt
Press the Scan button.
It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run.
Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed).
Close Notepad IF those show up on Notepad. Just please Attach the 2 files FRST.txt + Addition.txt with your next reply.

Edited March 24, 2022 by Maurice Naggar
Abe1947 Posted March 24, 2022 Author ID:1508383

Alright I followed all instructions and have attached all 3 txt files.
FSS.txt FRST.txt Addition.txt
Maurice Naggar Posted March 24, 2022 ID:1508405

Stick with me. Meantime, do not do anything online until I give the all clear. No shopping, banking, games, web-surfing, etc. Just only go to this forum.

Stick with me. I am reviewing all the reports. There is a very serious infection that looks like a persistent trojan with many hooks. I will be posting a special custom script.

Edited March 24, 2022 by Maurice Naggar
Maurice Naggar Posted March 24, 2022 ID:1508427

I see many malicious EXE files + malicious scheduled tasks here. It was not just a case that the antivirus was messed with. Be sure you isolate this machine so that it is only used to get to this forum or the sites I may guide you to for other tools. We are looking at this critical run, plus, there will be more to follow.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. We will use FRST64.exe on the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Abe1947 only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. It will reset the firewall rules.

NOTE-2: It will attempt to do 1 quick scan + 1 custom path scan with Microsoft Defender antivirus. It will attempt to set MS Defender antivirus to stronger protection settings. It will attempt to remove the malicious EXE files & related scheduled tasks. There are many !!!

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera & BRAVE caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine.

If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder
Fixlist.txt <<< - - - - -

Then, Start the Windows Explorer and then, go to the Downloads folder.
RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click line More info on that screen and click button Run anyway on next screen.

On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Abe1947 Posted March 24, 2022 Author ID:1508431

Is there a different way to run the script or is it just load it into the downloads folder and then hit Fix on the FRST program? The instructions don’t specifically say how to run the script?
Maurice Naggar Posted March 24, 2022 ID:1508432

We must have the Fixlist.txt to be in the same folder as FRST64. Kindly go slow. The post above has ALL the details, plus an image, all about how to do the run. Take your time and read all of it all the way thru.
Abe1947 Posted March 24, 2022 Author ID:1508454

Maurice, Thank you for all the help so far. The program is complete, here is the txt file.
Fixlog.txt
Maurice Naggar Posted March 25, 2022 ID:1508457

That run did a lot of cleanups. But there are still other checks and scans to be done. Keep up your patience.

One other action: Malwarebytes for Windows can detect and remove most malware with no further actions required for free. Since it does not appear that this machine has it, go and install Malwarebytes for Windows. See https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

After the setup has completed, run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Abe1947 Posted March 25, 2022 Author ID:1508460

Maurice, Here is the Malwarebytes Report. I also screenshotted the quarantine screen. I will await your response whether to quarantine these items or not and further direction.
Malwarebytes Report.txt
Maurice Naggar Posted March 25, 2022 ID:1508463

YES do quarantine all that is listed. I will have a new run for you just after this is done.
Abe1947 Posted March 25, 2022 Author ID:1508464

I quarantined them all 👍
Maurice Naggar Posted March 25, 2022 ID:1508465

These are the next steps. There are a few "startup settings" that the boogers had put in place; which we want to be sure are gone. This is a 2nd run of custom script.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups.
Delete the file named Fixlist.txt that I had had you save on Downloads folder.
We will use FRST64.exe on the Downloads folder to run a 2nd custom script. The system will be rebooted after the script has run.

This custom script is for Abe1947 only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will not exceed say 25 minutes.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder
Fixlist.txt <<< - - - - -

Then, Start the Windows Explorer and then, go to the Downloads folder.
RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click line More info on that screen and click button Run anyway on next screen.

On the FRST window: Click the Fix button just once, and wait.
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Abe1947 Posted March 25, 2022 Author ID:1508471

This finished rather quickly. Here is the txt file.
Fixlog.txt
Maurice Naggar Posted March 25, 2022 ID:1508472

This log looks so very much like the very first that I had you run ( before).

PLEASE be very sure that you first Delete the old existing Fixlist on the Downloads, and then re-do the run list I listed above including downloading that Fixlist off of that post. https://forums.malwarebytes.com/topic/285090-windows-defender-no-longer-working/?do=findComment&comment=1508465

I have the proper 2nd script on that link.
Abe1947 Posted March 25, 2022 Author ID:1508473

I cannot find either Fixlist file that I had saved. After the program runs, that file disappears. Even with searching the folder I cannot find it?
Maurice Naggar Posted March 25, 2022 ID:1508474

The proper Fixlist is on my last post. I have checked & know that is so. I need you to be very sure you get & save the Fixlist.txt attached ...saved to Downloads. Then re-do the run like posted ....please. Thanks. Do not rush. We want to be sure to do it right.

Edited March 25, 2022 by Maurice Naggar
Abe1947 Posted March 25, 2022 Author ID:1508476

I see that. I cannot find the fixlist files that I have downloaded in my downloads folder. After I run the program, the fixlist file itself disappears from the downloads folder. See the screenshot I attached. So I am not sure how to delete a file that I cannot find.
Maurice Naggar Posted March 25, 2022 ID:1508478

What I am saying is that ( from what I saw) you did not grab / download the new Fixlist.txt in my last post. Please look again on my post here & see the attachment there. https://forums.malwarebytes.com/topic/285090-windows-defender-no-longer-working/?do=findComment&comment=1508465

IF you do not see the old file .....just get the new one off my link and re-do the procedure as listed.
Abe1947 Posted March 25, 2022 Author ID:1508481

Maurice, Once again I really appreciate all this help. I have downloaded the fixlist and have attached a screenshot. I ran the program, restarted the computer and have uploaded the txt file.
Fixlog.txt