Virus & threat service has stopped

Muduli

Member
Joined
Oct 29, 2022
Posts
14
Location
Nepal
After installing the Windows 10 x64 KB5018410 22H2 update, my Windows Defender was disabled (it was greyed out)
and the virus and threat service was also stopped... [attachment: Screenshot (8).png]
Does anybody have any idea how this occurred?
 
Hello.

What happens if you click on the Restart now button?
 
Thank you for your response. It will just pop up an error like this:
 

Attachment: image.png
Let's check what is going on with the Services:

1. Check Services
  • Please download Farbar Service Scanner and save it on your Desktop.
  • Right click on the tool icon and run it as administrator.
  • Make sure all the options are checked.
  • Click on the Scan button.
  • It will create a log (FSS.txt) on your Desktop.
  • Copy and paste the log's content to your next reply.
 
Farbar Service Scanner Version: 13-08-2022 01
Ran by Mudo san (administrator) on 01-11-2022 at 13:14:36
Running from "C:\Users\Mudo san\OneDrive\Desktop"
Windows 10 Pro (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============


Firewall Disabled Policy:
==================


System Restore:
============


System Restore Policy:
========================


Windows Security:
============


Windows Update:
============


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend: ""C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2209.7-0\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\usosvc.dll => File is digitally signed
C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
 
Let's try this:

Check WinDefend service
  • In the Search area type Services and choose this item when appears.
  • Find Microsoft Defender Antivirus Service in the list.
  • Double click on it and check the Start-up type. It has to be Automatic. Are you able to change it from Disabled?
  • If you are able to set the start-up type to Automatic, try to Start the service again.
  • Let me know the result.
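The FSS log above and the check just described cover the same three things: the WinDefend start type, whether the service is running, and the "Disable*" policy values under the Windows Defender keys. The following script is an added example, not part of the original thread or of Farbar's tools; it reads those same items in one pass without changing anything, so it can be run before and after a fix to confirm what actually changed. The function name Get-DefenderStateReport and the variable names are this example's own; it assumes an elevated PowerShell session and tolerates the Defender module (Get-MpComputerStatus) being unavailable.

```powershell
# Added example, not part of the original thread: a read-only audit of the
# conditions the FSS log reported (WinDefend start type, running state, and
# the Defender "Disable*" policy values). Run from an elevated PowerShell.
# Function and variable names are this example's own.
function Get-DefenderStateReport {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service configuration, as FSS reports it (StartMode 'Auto' is the default).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings.Add('WinDefend service not present')
    } else {
        if ($svc.StartMode -ne 'Auto')    { $findings.Add("WinDefend start type is '$($svc.StartMode)' (default is Auto)") }
        if ($svc.State     -ne 'Running') { $findings.Add("WinDefend state is '$($svc.State)'") }
    }

    # 2. Policy and product keys that FSS/FRST flagged in this thread.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
            $value = $props.PSObject.Properties[$name]
            if ($null -ne $value -and $value.Value -eq 1) {
                $findings.Add("$key\$name = 1 (disables Defender)")
            }
        }
    }

    # 3. What the product itself reports. The Defender cmdlets are missing on
    #    systems where Defender has been removed, so a failure is recorded
    #    as a finding rather than aborting the report.
    $status = $null
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
    } catch {
        $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        ServiceStartMode   = if ($svc)    { $svc.StartMode }                  else { $null }
        ServiceState       = if ($svc)    { $svc.State }                      else { $null }
        AntivirusEnabled   = if ($status) { $status.AntivirusEnabled }         else { $null }
        RealTimeProtection = if ($status) { $status.RealTimeProtectionEnabled } else { $null }
        TamperProtected    = if ($status) { $status.IsTamperProtected }        else { $null }
        Findings           = $findings
    }
}

$report = Get-DefenderStateReport
$report | Format-List
if ($report.Findings.Count -eq 0) { 'No Defender tampering indicators found.' }
```

On the machine in this thread the report would show ServiceStartMode = Disabled, ServiceState = Stopped and a finding for the Policies key's DisableAntiSpyware value, which is exactly what the FSS "Windows Defender Disabled Policy" section printed. While such a policy value is present, setting the start type back to Automatic in services.msc is not enough on its own; the FRST fix later in the thread is what removes those restriction entries.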
 
Hi.

Let's do a deeper investigation of the issue:

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
 
Seems to me that you got infected: you downloaded some third-party antivirus and Windows Defender got disabled. There are also remnants from several programs you uninstalled.

So...

Please, adhere to the guidelines below, and then carefully follow, with the same order, all the instructions after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

6. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.


==============================

Let's start from somewhere.

FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Code:
Start::
CloseProcesses:
SystemRestore: On
CreateRestorePoint:
HKU\S-1-5-21-2807344463-2120647681-1166750694-1001\...\StartupApproved\Run: => "360DesktopLite"
FirewallRules: [TCP Query User{662C8B2F-0E1F-44CE-BD91-7FEC7CD0902A}C:\program files (x86)\smartgaga\projecttitan\engine\projecttitan.exe] => (Block) C:\program files (x86)\smartgaga\projecttitan\engine\projecttitan.exe => No File
FirewallRules: [UDP Query User{22FF463E-8753-4B6A-9240-6D209831306D}C:\program files (x86)\smartgaga\projecttitan\engine\projecttitan.exe] => (Block) C:\program files (x86)\smartgaga\projecttitan\engine\projecttitan.exe => No File
FirewallRules: [{9931676E-8CF8-4AEB-9469-18673E37EA7C}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
FirewallRules: [{94116F4B-4726-4FE0-9039-AAFB05482C82}] => (Allow) C:\Program Files (x86)\360\Total Security\360TsLiveUpd.exe => No File
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Edge: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
2022-10-29 19:36 - 2022-10-29 19:36 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\unali-9268296
2022-10-29 19:36 - 2022-10-29 19:36 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\unali-9267843
2022-10-29 19:14 - 2022-10-30 12:00 - 000000000 ____D C:\Windows\system32\Tasks\Diagnostic
2022-10-29 19:14 - 2022-10-30 12:00 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\otodbvpamp
2022-10-29 19:14 - 2022-10-29 19:14 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\023FE6AA811C9DC5
2022-10-29 19:08 - 2022-10-29 19:08 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\unali-7577281
2022-10-29 19:00 - 2022-10-29 19:00 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\CleanGenius
2022-10-29 18:41 - 2022-10-29 18:42 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\unali-6016078
2022-10-29 18:41 - 2022-10-29 18:42 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\unali-6015875
2022-10-28 19:52 - 2022-10-28 21:27 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\360DesktopLite
2022-10-28 19:49 - 2022-10-29 08:37 - 000000000 ____D C:\Program Files (x86)\360
2022-10-28 15:38 - 2022-10-30 12:06 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\f1vkwhl8p5
2022-10-28 15:33 - 2022-11-03 17:16 - 000000000 ____D C:\ProgramData\SurfaceReduction
2022-10-26 13:00 - 2022-10-26 13:00 - 000000000 _____ C:\Users\Subam Karki\AppData\Local\{E0FE5161-65E6-4637-9507-993B314A311B}
2022-10-25 19:57 - 2022-10-25 21:03 - 000000000 ____D C:\Program Files (x86)\NeoSmart Technologies
2022-10-25 19:57 - 2022-10-25 19:57 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\NeoSmart_Technologies
2022-10-25 19:55 - 2022-10-25 19:55 - 002289864 _____ C:\Users\Subam Karki\Downloads\EasyBCD 2.4.exe
2022-10-22 16:01 - 2022-10-22 18:16 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\Movavi Video Editor Plus 2022
2022-10-22 15:56 - 2022-10-22 15:56 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\VideoEditorPlus
2022-10-22 15:56 - 2022-10-22 15:56 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\CrashRpt
2022-10-22 15:53 - 2022-10-22 15:56 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\Movavi
2022-10-22 15:53 - 2022-10-22 15:53 - 000012735 _____ C:\ProgramData\goyslgxe.nnn
2022-10-22 15:53 - 2022-10-22 15:53 - 000000016 _____ C:\ProgramData\mntemp
2022-10-14 15:29 - 2022-10-14 15:29 - 000000000 ____D C:\Users\Subam Karki\AppData\Local\Yandex
2022-10-11 13:39 - 2022-10-11 13:39 - 000000000 ____D C:\Program Files\Sublime Text 3
2022-10-06 19:00 - 2022-10-06 19:07 - 000000000 ____D C:\Users\Subam Karki\AppData\Roaming\SmartGaGa
2022-10-06 18:59 - 2022-10-06 19:53 - 000000000 ____D C:\Program Files (x86)\SmartGaGa
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
 
I have downloaded antivirus software called "Malwarebytes" from its official
store; I don't think it disabled or infected any program on my computer...
 

Please do the following:


1. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number)
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

2. Run Malwarebytes (scan only)
  • Open Malwarebytes.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Code:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is NOT checked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
If threats are not found, click View Report and proceed to the two last steps below.

If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.


In your next reply, please post:
  1. The AdwCleaner[S0*].txt
  2. The Malwarebytes report
 
AdwCleaner detected something.

To clean it, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

After that, run FRST again, and attach for me to check fresh logs, Addition and FRST.
 
The pre-installed software was not a problem. This one is, and I see that it is not deleted: HKCU\SOFTWARE\c53c9a28700491efb8fedf1c3497f86c

Please now let me see fresh FRST logs, FRST and Addition.
 
How can this be the latest log result since it has the suffix C00??

No, the registry item is not deleted.

Please let me see fresh FRST logs.
 
Sorry, but didn't you say that I have to remove this
HKCU\SOFTWARE\c53c9a28700491efb8fedf1c3497f86c
from AdwCleaner?
 
Yes. The item is not deleted.
 