[SOLVED] Microsoft Defender and Security Center Restricted

[DR M]

Your Edge's content looks completely different compared with what the previous logs showed.


Edge DefaultSearchURL: Default -> hxxps://search.onfireshield.com/?dsf&yh&q={searchTerms}
Edge DefaultSearchKeyword: Default -> FireShield
Edge DefaultSuggestURL: Default -> hxxps://ext.onfireshield.com/api/ext/suggest?q={searchTerms}
Edge Extension: (RoSearcher) - C:\Users\tspep\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\kogoeldkgknjbdajddjjfijggnpcffib [2024-07-12]
Edge Extension: (FireShield) - C:\Users\tspep\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\oaljkhbgbedmfoiieocoenglpaeogjmf [2024-07-12]

Any explanation?

 

[aliseb]

I still have no clue what "FireShield" is. It is not present on my extensions tab. A quick internet search is showing me that it's tied to malware. Perhaps it is hidden or diguised? RoSearcher is an extension which is present on my extensions page, however, I had removed it yesterday, so I have no clue how it returned along with one or two other extensions I removed. I have not tampered with anything since you asked me to remove FireShield yesterday, so I'm not sure what's happening, but it's suspicious. Please advise!

 

[DR M]

I'll remind you not to add/remove anything (even an extension) while we are working here.

Check this:

Click on the 3 horizontal dots in Edge (upper right corner) and choose Settings. Do you have Sync enabled (Profiles tab)?

 

[aliseb]

Yes, I do! I'm so sorry I enabled it today. Is that the problem?

 

[DR M]

That explains it. Please, disable it on your computer first, and then on any other device you are using Edge. Other devices transfer the infections on the clean computer as soon as you turn on the Sync option. I'll tell you when to enable it and how, after we finish from here.

Let's clean again...

FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
CreateRestorePoint:
CloseProcesses:
FirewallRules: [TCP Query User{BDB23954-E610-43AA-A4BD-00C03E864BD5}C:\users\tspep\desktop\xenia_master\xenia.exe] => (Allow) C:\users\tspep\desktop\xenia_master\xenia.exe => No File
FirewallRules: [UDP Query User{103DF285-BD51-42C7-9D2A-98889065F3CA}C:\users\tspep\desktop\xenia_master\xenia.exe] => (Allow) C:\users\tspep\desktop\xenia_master\xenia.exe => No File
FirewallRules: [{EC4EF204-89B3-4A73-909D-027DF3AA8EDF}] => (Allow) C:\Program Files (x86)\Overwolf\0.254.0.12\OverwolfBrowser.exe => No File
FirewallRules: [{F232043E-6C59-4CA0-9E8C-81E148E2F630}] => (Allow) C:\Program Files (x86)\Overwolf\0.254.0.12\OverwolfBrowser.exe => No File
FirewallRules: [{B59628C1-40EB-4652-879D-4C84815BD86A}] => (Block) C:\Program Files (x86)\Overwolf\0.254.0.12\OverwolfBrowser.exe => No File
FirewallRules: [{17094FB2-1912-4318-846C-9FD94EC7CF37}] => (Block) C:\Program Files (x86)\Overwolf\0.254.0.12\OverwolfBrowser.exe => No File
HKU\S-1-5-21-2014961619-3356002675-2201590515-1002\...\Run: [] => [X]
Task: {AB7BAD10-B1F6-41C5-9D52-D94A73028729} - \Opera GX scheduled Autoupdate 1719891387 -> No File <==== ATTENTION
2024-07-02 15:13 - 2024-07-02 15:13 - 000024821 _____ C:\Windows\SysWOW64\IntegratedServicesRegionPolicySet.json
2024-07-02 15:12 - 2024-07-02 15:12 - 000024821 _____ C:\Windows\system32\IntegratedServicesRegionPolicySet.json
2024-07-01 23:36 - 2024-07-01 23:36 - 000000000 ____D C:\Users\tspep\AppData\Local\NetSupport
2024-07-01 23:12 - 2024-07-01 23:12 - 000000000 ____D C:\SolaraTab
Edge DefaultSearchURL: Default -> hxxps://search.onfireshield.com/?dsf&yh&q={searchTerms}
Edge DefaultSearchKeyword: Default -> FireShield
Edge DefaultSuggestURL: Default -> hxxps://ext.onfireshield.com/api/ext/suggest?q={searchTerms}
C:\Users\tspep\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\oaljkhbgbedmfoiieocoenglpaeogjmf [2024-07-12]
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
EmptyTemp:
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

[aliseb]

Okay, I'm not sure how to disable sync, because I don't see any button. I did the next best thing and disabled all of the features. Is this acceptable?

 

[DR M]

Choose the Profiles tab and Sign out too, please.

 

[aliseb]

Okay, I have signed out and run the fix on FRST64. Fixlog.txt is attached below. In addition, this message appeared in Edge upon restart:


Is it okay to turn it on?

 

[DR M]

It's the Malwarebytes extension for browsers. It's up to you if you keep or remove it.

Let's see fresh FRST logs now, please.

 

[aliseb]

The files are attached, good sir.

Question: Is there anything suspicious about the link that shows when turning our the Malwarebytes Browser Guard? Image below.

 

[DR M]

If you mean the letters of the extension, no it's just fine.

I'll review your logs tomorrow morning. It's getting late for me now, and I'll shut down.

Remember, do not add/install/remove/uninstall anything, until we finish the cleaning procedure.

By the way, you are still getting the Defender's warnings?

 

[aliseb]

Okay thank you so much for your help today, Dr. M. I appreciate you taking the time and will stay tuned for any instructions. I will not modify my files in any way, per your instruction. Is it okay if I play games?

Also, yes, I am still receiving the warning from Windows Defender/Security, and I am unable to access its page/settings, however, I understand that it listed as "Enabled" in the Addition.txt. I am still greeted with the black screen, IT message, and notification that it needs to be enabled (basically all of the screenshots I sent previously). I'll be awaiting your advice. Thanks again, my friend!

 

[DR M]

Hi!

The logs are clean now.

Let's see how we can deal with the Windows Security issue.

Run Deployment Image Servicing and Management (DISM)

• Click on the Start button and in the search box, type Command Prompt
• When you see Command Prompt on the list, right-click on it and select Run as administrator
• Enter the command below and press on Enter;

DISM /Online /Cleanup-Image /RestoreHealth

• Let the scan run until the end (100%). Depending on your system, it can take some time.
• Please post here the result you got (a screenshot).

When DISM finishes, you can then run SFC from the same command prompt window, but full instructions as if starting fresh:

• Click on the Start button and in the search box, type Command Prompt
• When you see Command Prompt on the list, right-click on it and select Run as administrator
• Enter the command below and press on Enter

sfc /scannow

• Let the scan finish.
• You will normally get one of the following results:
  

  Windows Resource Protection did not find any integrity violations
  Windows Resource Protection found corrupt files and successfully repaired them
  Windows Resource Protection found corrupt files but was unable to fix some of them
  Windows Resource Protection could not perform the requested operation

  Please post the result you got (a screenshot).

After the above, restart, and let me know if the issue is still there.

 

[aliseb]

Good morning, sir!

The screenshots are attached.



I have restarted my computer yet am still receiving the same error message and do not see Windows Defender in the minimized tasks like I used to.

 

[DR M]

OK.

Try Method 1 here and let me know what happens: "The Security Center service can't be started" error message in Windows 7 or in Windows Vista - Microsoft Support

 

[aliseb]

I am unable to continue with step 4 because my Security Center startup is disabled for some reason (screenshot attached).

 

[DR M]

aliseb,

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

• Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

Start::
ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService
ExportKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
End::

• Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
• Press the Fix button once and wait.
• FRST will process fixlist.txt
• When finished, it will produce a log fixlog.txt on your Desktop.
• Post the log in your next reply.

 

[aliseb]

Here's the log.

 

[DR M]

Start type of the 2 services is 4, which means disabled.

Try Method 1 again, but this time in Safe mode (see here how to do it. Try to do it from Settings).

Same result?

 

[aliseb]

I tried Method 1 again, but to no avail. However, something interesting happened. An error message appeared, and when clicking OK, it would reappear. It is regarding a program named "ctfmon.exe". Images are attached.