How do I restore Windows Security?

Anonymous
2025-01-03T10:28:23+00:00

Hi. Recently, I tried to install an app following a tutorial that asked me to install an .exe that disables Windows Security. Since that day, a file called windows.exe started executing on boot. I searched the internet and found that it's a malware called run.vbs. I deleted those files after a scan using KVRT, and then ran sfc /scannow. I tried to run:

PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage WindowsDefender).InstallLocation + '\AppxManifest.xml' ; Add-AppxPackage -DisableDevelopmentMode -Register -ForceApplicationShutdown $manifest}"
but it says the file doesn't exist.

After sfc /scannow, I can at least open the Windows Security app, but now it says no vendors. Screenshots:

How do I fix it without having to uh reinstall Windows?

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Ramesh Srinivasan 81,160 Reputation points Independent Advisor
2025-01-03T13:24:13+00:00

The Run.vbs miner is still there. Defender has been completely erased from the system.

Please run the fixlist below.

Download fixlist.txt (https://1drv.ms/t/s!AjVYLGw0OBWU4z84uAjJqXtxWhp...)

Save Fixlist.txt to the folder where FRST64English.exe is located.

Close all programs.

Launch the Farbar Scanner tool and click "Fix".

Restart Windows when prompted.

Upload the output log file (FixLog.txt) to your OneDrive.

Once done, repair install Windows 10.

  1. Download Windows 10 Media Creation Tool (MCT) from this link:

https://go.microsoft.com/fwlink/?LinkId=2265055

  2. Run MCT and accept the license agreement.
  3. Click "Upgrade this PC now". This starts the repair installation.

Your apps, settings, and files will be kept by default during a repair install/in-place upgrade.

Standard Disclaimer: There is a link to a non-Microsoft website. The page appears to provide accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as PUPs (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.


5 additional answers

  1. Ramesh Srinivasan 81,160 Reputation points Independent Advisor
    2025-01-03T16:39:24+00:00

    Glad it's resolved. Thanks for the update, Dev.

    Regards,

  2. Anonymous
    2025-01-03T16:34:48+00:00

    It worked. It took some time but now it's fixed. It's sad that it's not possible without reinstalling Windows. I usually install such apps if it's really required. I guess I have to stop doing that. Thank you.

  3. Anonymous
    2025-01-03T13:12:54+00:00

    Thanks for replying. I think the malware is already gone, but I'm not sure, so here are the files:

    FRST.txt

    Addition.txt

  4. Ramesh Srinivasan 81,160 Reputation points Independent Advisor
    2025-01-03T11:01:30+00:00

    Hi Dev,

    Run.vbs is a miner/malware that runs as a scheduled task with the highest privileges. It deletes the Microsoft Defender Antivirus service and its executables. A repair installation is most likely needed. Before that, let's altogether remove the malware.

    Please run the Farbar Scanner and share your logs to inspect the Defender-related services and check for malware.

    1. Download Farbar Recovery Scan Tool 64-bit (FRST64.exe)

    https://www.bleepingcomputer.com/download/farba...

    Note: If Microsoft Edge or Chrome mislabels the Farbar Scanner executable as PUA/malware, choose to keep it by tapping … in the bottom bar, choosing Keep, and then choosing Keep anyway in the dialog that appears. See this screenshot: https://learn.microsoft.com/en-us/deployedge/me...

    2. If the OS language is non-English, rename FRST64.exe to FRST64English.exe.
    3. Run the program. Don't check or uncheck any options. Click "Scan".
    4. Zip the two logs, FRST.txt and Addition.txt, upload them to your OneDrive and share the link here.

    How-To: Share OneDrive files and folders - Microsoft Support

    https://support.microsoft.com/en-us/office/shar...

    OneDrive sharing options - screenshot

    https://imgur.com/a/vZyxpY9

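
A read-only check for the two conditions described in this thread (Defender services removed, and a scheduled task running a script with the highest privileges), added here as an example; it is not part of any post above and is unrelated to FRST. The list of service names and the match pattern (built from the file names mentioned in the question plus the Windows script hosts) are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only triage, nothing on the system is changed.

# 1. Are the Defender / Windows Security services still registered?
#    (Service list is an assumption: the usual Windows 10 set.)
$serviceNames = 'WinDefend', 'WdNisSvc', 'SecurityHealthService', 'wscsvc'
$services = foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Present   = [bool]$svc
        Status    = if ($svc) { $svc.Status } else { 'MISSING' }
        StartType = if ($svc) { $svc.StartType } else { $null }
    }
}
$services | Format-Table -AutoSize

# 2. Which antivirus products are registered with Security Center?
#    An empty result means no product is registered at all.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue
if ($av) {
    $av | Select-Object displayName, pathToSignedProductExe, productState |
        Format-Table -AutoSize
} else {
    Write-Output 'No antivirus product is registered with Security Center.'
}

# 3. Scheduled tasks that run with highest privileges and launch a script
#    host, a .vbs file, or the windows.exe named in the question.
$pattern = '(?i)\.vbs|wscript|cscript|windows\.exe'   # illustrative pattern
$suspect = Get-ScheduledTask |
    Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Non-exec actions have no Execute/Arguments; they yield an empty string.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Command  = $cmd
                }
            }
        }
    }
if ($suspect) { $suspect | Format-List }
else { Write-Output 'No highest-privilege task matched the pattern.' }
```

A clean result from the third step only means nothing matched this pattern; the FRST logs requested above cover far more persistence locations.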