
Windows Defender disabled. Security center disabled.


4 replies to this topic

#1 blackroseblade


Posted 23 November 2015 - 06:46 AM

Good morning.

 

Events:

 

I just started having some problems on my PC. I'm using Windows 10, x64, Professional edition. Non-secure boot.

 

I got a notification from Windows to the effect of "Warning you are not running any security software".

 

I immediately tried to open Windows Defender but what I got instead was all sliders disabled. On opening my Updates tab I saw the message "Some settings are managed by your organization".

 

On trying to open Windows Security Center I didn't get anything. Checking services showed me it had been set to disabled.

 

Steps taken so far:

 

I tried setting it back to Automatic delayed start and restarting the service but immediately it was disabled again.

 

At this point I was running a malwarebytes scan. Malwarebytes found a "Chromebrowser.exe" PUP which I removed.

 

On a rescan it has so far yet to detect anything.

 

Checking Group Policy shows all entries are set to default "Not Configured" except one for automatic removal which I disabled myself when I first installed Windows 10.

 

Changing the group policy setting for Allow Telemetry under Data Collection and Preview Builds (under Computer Configuration, Administrative Templates, Windows Components) to Full, then disabling it again, resulted in the "Some settings are managed by your organization" notice going away, and the previously disabled "Get Started" button for the Insider Program became enabled again.

 

Possible cause of infection:

 

The only thing I did download off the internet was a crack file for a game. This is the VirusTotal analysis result:

https://www.virustotal.com/en/file/82046bdbe118c281382e9e5078ebcdbdb9b485db95585210331c3d1014eb9e26/analysis/1448278797/

 

Precautions steps and security tools I use:

 

I am also using a custom host file with 23,000 entries, all ad servers and known malware content hosters. I hope this will at least serve to slow down the infection, if I do have one.

 

I am using Malwarebytes (trial, no real-time), Windows Defender, and NoScript in Firefox to disable all scripting on websites and domains I do not explicitly trust.

 

The rest is the same old common sense: "Don't open unknown attachments, don't click links, don't go to unknown domains, don't fall for obvious clickbait and spam, etc."

 

This is the first time I'm facing a problem in a long while; I normally take strict measures and precautions and haven't been infected in over 6 years.

 

Thank you.


Edited by blackroseblade, 23 November 2015 - 06:51 AM.


#2 boopme


Posted 23 November 2015 - 03:06 PM

Welcome blackroseblade, let's also do these now.

MiniToolBox
  • Please download MiniToolBox, save it to your desktop and run it.
  • Checkmark the following checkboxes:
    • Flush DNS
    • Report IE Proxy Settings
    • Reset IE Proxy Settings
    • Report FF Proxy Settings
    • Reset FF Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List Winsock Entries
    • List last 10 Event Viewer log
    • List Installed Programs
    • List Users, Partitions and Memory size.
  • Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
TDSSKiller
  • Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.


#3 blackroseblade


Posted 07 December 2015 - 05:50 PM

All relevant data as required.

 

Mini Toolbox log

 


 

TDSSKiller log

 


 

AdwCleaner


 

JunkWare Removal Tool

 


 

Eset Online Scanner


 

 

EDIT: Noticed a new process running today and quickly located it. It's nothing I've ever installed or ran on my PC before. Ran another scan of Malwarebytes. It discovered the following PUP. Attaching log.

 



Edited by blackroseblade, 07 December 2015 - 06:43 PM.


#4 boopme


Posted 08 December 2015 - 12:33 AM

Hello, a few serious issues: you have several cracked apps on here. We removed some, but, as is what they do, they are downloading and adding more.

You may even have a cracked MSFT office.

You have "injector" infections that do many dangerous things. Such as... Adds or modifies winlogon shell registry value. Could be used to launch a program on startup.


To be sure this is clean we need a new topic and a deeper look.
I would not do any financials or banking from here until it is cleaned.

Please follow this Preparation Guide and post in a new topic.


Let me know if all went well.
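As an added read-only triage example (not code from the thread or from any of the tools above), the following PowerShell script checks the three things this thread turns on: the Security Center and Defender services being set to Disabled, the policy registry values that make Windows show "Some settings are managed by your organization" (the Defender and AllowTelemetry policies the original poster toggled), and the Winlogon Shell value that the moderator says injector infections modify. It assumes an elevated PowerShell on Windows 10; the service names and registry paths are standard Windows locations, not values taken from this machine.

```powershell
# Added triage example, not from the thread. Read-only: it reports deviations
# and changes nothing. Run from an elevated PowerShell prompt on Windows 10.
$findings = @()

# 1. Service start types. wscsvc = Security Center, WinDefend = Windows Defender
#    service. Both should normally be Automatic and Running on a home PC.
foreach ($name in 'wscsvc', 'WinDefend') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { $findings += "service $name not found"; continue }
    if ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings += "service $name StartMode=$($svc.StartMode) State=$($svc.State)"
    }
}

# 2. Policy registry values. These keys normally do not exist on a PC that is not
#    domain- or MDM-managed; their presence is what produces the "managed by your
#    organization" text, so any value found here should be accounted for.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "policy $($c.Path)\$($c.Name) = $($item.$($c.Name))"
    }
}

# 3. Winlogon Shell. The machine-wide default is exactly "explorer.exe"; anything
#    appended to it is launched at logon. A per-user Shell value under HKCU is not
#    set by default at all and overrides the machine value when present.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "HKLM Winlogon Shell = $shell" }
$wlUser = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $wlUser -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings += "HKCU Winlogon Shell = $userShell" }

if ($findings.Count -eq 0) { 'No deviations found.' } else { $findings }
```

Anything it lists is a lead for the malware-removal helper rather than something to fix by hand, since (as the thread shows) a disabled service or policy value that is re-applied after a restart points to a running process that keeps setting it.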

#5 blackroseblade

blackroseblade

Posted 08 December 2015 - 05:13 AM

I'm not sure, I've used a few cracks for programs that give too much trouble to use otherwise but I've not had any problems with them so far. I run every suspicious thing through VirusTotal, have rarely received any true positives so far.

 

Will do though, have already done so in fact. Thanks, I'll head on over to the new forum.





