
WinDef is disabled + Malwarebytes folder doesn't exist in Program Files


Go to solution Solved by JSntgRvr,


FSS.txt Greetings, tried to install a program from a random site, which resulted in getting malware and my Steam and Discord accounts getting hacked. Tried to download Malwarebytes, but it didn't let me open it. Tried to find the location of the Malwarebytes folder; there was none. Ran the FRST scan and found out that Windows Defender is disabled, and I can't turn it back on again. I'm not able to run Malwarebytes, and the Additions.txt isn't an option in FRST, so I can only provide FSS.txt for now.


@kitula_

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, and also turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and then do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays that the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop). Please upload that file in your next reply
  • Then be patient for the next expert to take your case.

Thank you

 


1. Download AV block remover and extract its contents to its own folder.
2. If the file is detected as a threat, allow it to run.
3. Run AVbr.exe. Put a check mark on drive C:.
4. If running AVbr.exe causes an error or it doesn't start at all, you have to rename it to any name and try to run it from a different place (you can rename its folder as well).
5. If it still does not run or closes shortly after the start, please run it in Safe Mode with Networking.

Follow the instructions. After rebooting, a log AV_block_remove_date-time.log is produced in the extracted folder's AV_block_remover sub-folder. Please attach this file to your reply.

Edited by JSntgRvr
typo

The Support Tool saved FRST64 in your downloads folder as C:\Users\jihua\Downloads\FRSTEnglish.exe. Please right click on this file and run it as an administrator.

  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

Well done.

This Fix will empty the following folders:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved. (C:\Users\jihua\Downloads)
  • Start FRST (FRST64) with Administrator privileges (FRSTEnglish.exe)
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • Please attach this file in your next reply.

Let's try ESET:

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit the ESET Online Scanner website

  • Click the One-Time Scan button to download the esetonlinescanner.exe file to the Desktop
  • Double-click esetonlinescanner.exe, then click the Get Started button.
  • Accept the Terms of Use and click Get Started again.
  • Enable recommended options, and continue.
  • Select the Full scan
  • Enable ESET to detect and quarantine potentially unwanted applications
  • Click Start Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.
  • Attach the ESET log.txt report.

 
Don't forget to re-enable previously switched-off protection software!!


  • Solution

I will remove the Malwarebytes folders. Then I will ask you to use the Support Tool to remove and reinstall a new copy of Malwarebytes Antimalware.

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved. (C:\Users\jihua\Downloads)
  • Start FRST (FRST64) with Administrator privileges (FRSTEnglish.exe)
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • Please attach this file in your next reply.

Open the Support Tool and remove and reinstall Malwarebytes.

 


 

Let me know the outcome.

If successful, run Malwarebytes Antimalware, and attach the reports.

 


  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved. (C:\Users\jihua\Downloads)
  • Start FRST (FRST64) with Administrator privileges (FRSTEnglish.exe)
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • Please attach this file in your next reply.

Congratulations.

Use this application to remove tools used and their quarantined items:
 
Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool. Vista/Windows 7/8/10 users: right-click and select Run As Administrator.
  • Put a check mark next to these items:
      - Delete tools
      - Create Restore Point
      - Delete now
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:
 
The following information will help you to keep your computer and data safer as well as improve your overall privacy

Malwarebytes Browser Guard

uBlock Origin

Cybersecurity basics & protection
 
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity
 
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/
 
Please review the following to help you better protect your computer and privacy
 
Tips to help protect from infection
 
Hopefully, we've been able to assist you with correcting your system issues.
 
Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.
