Author Topic: [In Progress] Unable to keep Windows Defender running  (Read 4351 times)

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [In Progress] Unable to keep Windows Defender running
« Reply #15 on: September 08, 2016, 10:10:17 AM »

  Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on your copy of AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner.txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
>>>>>>>>>>>>>>>>>

Scan with ESET Online Scan

Please go to HERE to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked
  • Click on Advanced Settings and ensure these options are ticked:-

        1. Scan for potentially unwanted applications
        2. Scan for potentially unsafe applications
        3. Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
NOTE: Sometimes if ESET finds no infections it will not create a log.
>>>>>>>>>>>>>>>>>>

I need AdwCleaner.txt & Eset log please.

How is the computer running now?

Try running Windows Defender & advise please.

Platypuss

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #16 on: September 09, 2016, 01:38:01 AM »
Here is AdwCleaner:
# AdwCleaner v6.010 - Logfile created 08/09/2016 at 19:57:51
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-09.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Zaacharia - GGSREST
# Running from : C:\Users\Zaacharia\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\WINDOWS\SysNative\Tasks\PCW
[-] Folder deleted: C:\Program Files (x86)\Amazon\Amazon1ButtonApp
[-] Folder deleted: C:\Users\Default User\AppData\Local\Pokki
  • Folder deleted on reboot: C:\Users\Default\AppData\Local\Pokki



***** [ Files ] *****

[-] File deleted: C:\WINDOWS\SysNative\LavasoftTcpService64.dll
[-] File deleted: C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini
[-] File deleted: C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
[-] File deleted: C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\AmazonAppIE.AppGateway
[-] Key deleted: HKLM\SOFTWARE\Classes\AmazonAppIE.GadgetGateway
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{26B19FA4-E8A1-4A1B-A163-1A1E46F830DD}
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
[-] Key deleted: HKU\S-1-5-21-3849050912-3804681739-765561596-1001\Software\APN PIP
[-] Key deleted: HKU\S-1-5-21-3849050912-3804681739-765561596-1001\Software\SweetLabs App Platform
  • Key deleted on reboot: HKCU\Software\APN PIP
  • Key deleted on reboot: HKCU\Software\SweetLabs App Platform
[-] Key deleted: HKLM\SOFTWARE\Lavasoft\Web Companion
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
  • Key deleted on reboot: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Data restored: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data restored: HKU\S-1-5-21-3849050912-3804681739-765561596-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\itibitiphone.com
[-] Value deleted: HKU\S-1-5-21-3849050912-3804681739-765561596-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Itibiti.exe]
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [5427 Bytes] - [08/09/2016 19:57:51]
C:\AdwCleaner\AdwCleaner[S0].txt - [5947 Bytes] - [07/09/2016 17:57:36]
C:\AdwCleaner\AdwCleaner[S1].txt - [5576 Bytes] - [08/09/2016 19:56:07]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [5646 Bytes] ##########

After hours of cleaning, ESET crashed without leaving a log file. I am rerunning it and it is nearly done already.
I am in "Security" and cannot turn on Defender - I click 'turn on now' but nothing happens. I will update you after the rerun of ESET completes.

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #17 on: September 09, 2016, 03:49:38 AM »
The first run of ESET was about 3.5 hours that reported and cleaned 57 or so problems; the second run was 1.5 hours and did not find anything - no log files found. I still can not start Defender. Things really sped up but I think I might have to start all over.

I am getting this message over and over again and it is locking Firefox up:
A script on this page may be busy, or it may have stopped responding. You can stop the script now, open the script in the debugger, or let the script continue.

Here is some cheery Tom Waits: https://www.youtube.com/watch?v=5FKpX2MgDsU

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [In Progress] Unable to keep Windows Defender running
« Reply #18 on: September 10, 2016, 02:23:55 AM »

Hello Grumpy Old Man,

Thanks for the logs & for the Cemetery Polka :LOL

Could you tell me if your Spybot is a "paid for" version please?

Platypuss

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #19 on: September 10, 2016, 02:48:17 AM »
Not at this time - when I am feeling rich, I buy a year.

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [In Progress] Unable to keep Windows Defender running
« Reply #20 on: September 11, 2016, 01:53:17 PM »


   Hello Grumpy Old Man,

  Safer Networking statement
Quote
"User of Windows 10 may have noticed that Windows Defender will stop running in Windows 10 when Spybot is installed.

Windows will disable this program if it detects another antivirus program on your PC in order to prevent conflict between the multiple antivirus programs installed.

The Free Edition of Spybot also falls into this category, because it contains antivirus components from the paid editions."

The free edition of Spybot does not have an Antivirus realtime component.

 I suggest that you uninstall it using Revo Uninstaller Freeware

Please download and install Revo Uninstaller Freeware
Since it is a more powerful tool, please be sure to follow the instructions carefully.

Read this first: http://www.wikihow.com/Uninstall-Using-Revo-Uninstaller.

  • Double click Revo Uninstaller to run it
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall this program, click Yes.
  • Be sure the Moderate option is selected then click Next
  • The program will run. If prompted again click Yes
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers.... (be patient here!) click Next.
  • Check/tick the Spybot S&D Only, then click DELETE
  • When prompted click on Yes and then on Next.
  • Put a check only on highlighted Spybot folders that are found and select delete
  • When prompted select yes then on Next
  • Once done click Finish

       
When completed try your Windows Defender & see if it will now run.
I can assist with a replacement for Spybot if you wish.
Platypuss
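
A read-only check for the condition the Safer Networking statement describes, added here as an example and not part of the original posts: it lists the antivirus products registered with Windows Security Center and shows Defender's own status beside them. The `productState` bit masks are an assumption (the field is undocumented; these are the commonly used community interpretation), and the report property names are illustrative.

```powershell
# Added example (not from the thread): which antivirus products are registered
# with Windows Security Center, and what state is Defender itself in?
# Run in a PowerShell session on a Windows 10 client. Nothing here changes settings.

# Products registered as antivirus. The root/SecurityCenter2 namespace exists on
# client editions of Windows only.
$registered = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue)

$report = foreach ($product in $registered) {
    # ASSUMPTION: productState is an undocumented bitfield. The masks below are
    # the widely used community interpretation, not a documented contract.
    [pscustomobject]@{
        Name            = $product.displayName
        Executable      = $product.pathToSignedProductExe
        ProductStateHex = '0x{0:X6}' -f $product.productState
        ReportsEnabled  = [bool]($product.productState -band 0x1000)
        ReportsOutdated = [bool]($product.productState -band 0x10)
    }
}
$report | Format-Table -AutoSize -Wrap

# An enabled registration other than Defender is the situation in the quoted
# statement: Windows stands Defender down in favour of the other product.
$thirdParty = @($report | Where-Object { $_.ReportsEnabled -and $_.Name -notmatch 'Defender' })
if ($thirdParty.Count -gt 0) {
    Write-Warning ("Third-party antivirus registered and enabled: " + ($thirdParty.Name -join ', '))
}

# Defender's own view of its engine (Defender module, built into Windows 10).
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureLastUpdated |
        Format-List
} catch {
    Write-Warning "Get-MpComputerStatus failed; the Defender service may be stopped or disabled: $($_.Exception.Message)"
}

# State of the Defender service itself.
Get-Service -Name WinDefend -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

Running it before and after an uninstall shows whether the other product's registration is actually gone, which is what lets Defender start again.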

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #21 on: September 11, 2016, 05:45:35 PM »
As soon as you mentioned Spybot S&D, I looked at their forum for "Defender" and came across a possible solution:
https://forums.spybot.info/showthread.php?72572-Windows-Defender-disabled-with-Spybot-FIX&highlight=defender

I turned off the 'integration' and uninstalled it; as soon as the current system scan is complete, I will reboot and get back to you with the results. I also saw references to how difficult the normal 'uninstall' is. Does this sound workable? Are there better 'free' products that work as well as Spybot?

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #22 on: September 11, 2016, 07:39:15 PM »
It appears to have worked - Windows Defender started up on its own on the reboot. But, I am grateful for this whole process since there was a lot of '****' that needed removal. I am going to donate shortly for all the help you gave me.

Grumpy/Rodger

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [In Progress] Unable to keep Windows Defender running
« Reply #23 on: September 12, 2016, 10:39:00 AM »

Hello Grumpy Old Man,


Quote
I am going to donate shortly for all the help you gave me.
That is very kind of you indeed, it is a genuine pleasure
to assist you. A little more to do yet....


 Very good that you discovered the cause of Windows Defender malfunction.
 
 A word of caution, Spybot has not got a high reputation among many Malware Removal experts.

Do you still have the problem with Firefox? If so, try this:-


Regarding Firefox.

Fault finding in Firefox can be laborious. It could be more effective to Refresh Firefox.

The refresh feature fixes many issues by restoring Firefox to its default state while saving your essential information like bookmarks, passwords, and open tabs. It removes extensions which are often responsible for such faults.

Please go Here & follow the instructions under Refresh Firefox

Let me know if it was successful please.
>>>>>>>>>>>>>>>>>>>>>>>>>>

I would like you to run your copy of Malwarebytes (MBAM) once more please, just to ensure that you are now "Clean"

Please open Malwarebytes Anti-Malware.
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.
    'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


    To get the log from Malwarebytes do the following:

       
  • Click on the History tab > Application Logs.
        Double click on the scan log which shows the Date and time of the scan just performed.
        Click Export > From export you have three options:

        Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
        Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
        XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

  • Recommend you use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…

Only post the log if it finds anything.

Platypuss.


Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #24 on: September 12, 2016, 04:43:14 PM »
Malwarebytes found nothing. I am going to send this before I reset Firefox.

Spybot used to be the best so I stuck with it for 10(?) years now; if its reputation has changed (the issue with Defender while it sells anti-virus is, at the very least, troubling), then I am willing to change. What do you recommend? I have SpywareBlaster operational. I run EULAlyzer on every EULA; I look for 'extra' installations in the EULA or install list.

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #25 on: September 12, 2016, 05:02:50 PM »
Now I remember why I hate 'reset' - it deletes all my Add-ons, sigh. LastPass is always the first one added back. I will get back to you after I have a chance to test the speed.

Offline Grumpy Old Man

  • Bronze Member
  • Posts: 18
Re: [In Progress] Unable to keep Windows Defender running
« Reply #26 on: September 12, 2016, 09:40:42 PM »
Much as I hate the FF reset, it did clear up my problems with RawStory (OMG - they have so many different things for NoScript to block!!).

Offline Foxfire

  • Malware Removal Staff
  • Bronze Member
  • Posts: 445
Re: [In Progress] Unable to keep Windows Defender running
« Reply #27 on: September 14, 2016, 03:32:45 AM »

 

Quote
Spybot used to be the best so I stuck with it for 10(?) years now; if its reputation has changed (the issue with Defender while it sells anti-virus is, at the very least, troubling), then I am willing to change. What do you recommend?

Windows Defender is your primary defence with its antivirus running at all times. It is vital to have an Antivirus.

I assume that you routinely use Spybot as an independent scanner.
Malwarebytes Antimalware (MBAM) is recognised as a most efficient, up to date, standalone scanner & is used by the majority of Malware Removal experts & it is free.
You have both on your computer, I suggest that you compare their effectiveness.
If you are happy with Spybot, by all means keep it, purely your choice.
Should you decide to remove Spybot I suggest that you use Revo Uninstaller (as detailed in Post No:20 above) which is very thorough.

>>>>>>>>>>>>>>>>>>>>>>>>>>>

The information on the MBAM scan means that your computer is now clean!

Now for some tidying up:-

Please download Delfix by Xplode and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror" http://ccm.net/download/download-24087-delfix

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

Make Sure the following items are checked:

    Remove disinfection tools <----- this will remove tools we have used.
    Purge System Restore <----- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
    Reset system settings <----- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection
Now click on "Run" and wait patiently until the tool has completed.
The tool will create a log when it has completed. I don't need you to post this.

>>>>>>>>>>>>>>>>>>>>>

Rehide Hidden files
  • Please go Here

  • Scroll down to Step 3 & Uncheck Show hidden files, folders, & drives
  • Then check Don't show hidden files, folders & drives
Let me know if that went satisfactorily please.

Platypuss