Question: Can malware disable/corrupt Windows Security?

Spiderkeys

Honorable
Apr 2, 2015
72
0
10,540
2
The reason I'm asking: I have relied on Windows Security Center as my own form of virus/malware protection since the release of Windows 10, and somehow I discovered I had a problem with it when I tried to add a folder to its exclusion list; it wouldn't let me add anything. The ON/OFF Real Time Protection switch was greyed out, the Protection/Scan Histories were blank, etc.

Since it looked like it wasn't even working at all, I got very worried, so I installed Malwarebytes with the 15 day trial. I scanned, and it found 17 threats; the threats seem to explain why my Windows Defender seems corrupt:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/23/20
Scan Time: 7:50 PM
Log File: 0e25d90c-4500-11eb-8da0-001a7dda710a.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34657
License: Trial

-System Information-
OS: Windows 10 (Build 18362.778)
CPU: x64
File System: NTFS
User: GREENFACE-PC\GreenFace

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 287330
Threats Detected: 17
Threats Quarantined: 0
Time Elapsed: 1 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 1
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\WINLOGUI.EXE, No Action By User, 1710, 604807, , , , , 6B0F42756B43F8D7224EB9178A5B0550, 54BD65A9BB49912AB6A28267955E16DFC5FDC2F346D9B6633BDCF6207183418D

Module: 1
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\WINLOGUI.EXE, No Action By User, 1710, 604807, , , , , 6B0F42756B43F8D7224EB9178A5B0550, 54BD65A9BB49912AB6A28267955E16DFC5FDC2F346D9B6633BDCF6207183418D

Registry Key: 6
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C4845940-B9B6-4AC7-B3CA-378AE91EA065}, No Action By User, 7, 782993, 1.0.34657, , ame, , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C4845940-B9B6-4AC7-B3CA-378AE91EA065}, No Action By User, 7, 782994, , , , , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\StartupCheckLibrary, No Action By User, 7, 782994, 1.0.34657, , ame, , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\Application Experience\StartupCheckLibrary, No Action By User, 7, 735770, , , , , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C4845940-B9B6-4AC7-B3CA-378AE91EA065}, No Action By User, 7, 735770, , , , , ,
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{C4845940-B9B6-4AC7-B3CA-378AE91EA065}, No Action By User, 7, 735770, , , , , ,

Registry Value: 2
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C4845940-B9B6-4AC7-B3CA-378AE91EA065}|PATH, No Action By User, 7, 782993, 1.0.34657, , ame, , ,
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WINLOGUI, No Action By User, 1710, 604807, 1.0.34657, , ame, , ,

Registry Data: 3
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, No Action By User, 7412, 293294, 1.0.34657, , ame, , ,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, No Action By User, 7412, 293295, 1.0.34657, , ame, , ,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, No Action By User, 7412, 293296, 1.0.34657, , ame, , ,

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 4
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\STARTUPCHECKLIBRARY, No Action By User, 7, 782994, , , , , 2DF372C67198C50224BDE7BEF53F273F, FC18AA887DBC7CA5FA49455068E6139F4008F077C2BE527AB19B081928CD9768
Trojan.Agent, C:\WINDOWS\SYSTEM32\TASKS\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\STARTUPCHECKLIBRARY, No Action By User, 7, 735770, 1.0.34657, , ame, , 2DF372C67198C50224BDE7BEF53F273F, FC18AA887DBC7CA5FA49455068E6139F4008F077C2BE527AB19B081928CD9768
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\WINLOGUI.EXE, No Action By User, 1710, 604807, , , , , 6B0F42756B43F8D7224EB9178A5B0550, 54BD65A9BB49912AB6A28267955E16DFC5FDC2F346D9B6633BDCF6207183418D
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL, No Action By User, 10511, 676769, 1.0.34657, , ame, , BBF0FF45510CF6EA849F593801E1C8D0, 29B06E1E0CA0318B3E876C8ED8BA58AC0C39728D656DD640B80B5E43F5BF926C

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
This PUM.Optional.DisabledSecurityCenter seems like the answer to my problem.

Anyway, I let it quarantine all the items and restarted the PC. Unfortunately, Windows Defender still doesn't seem to be working, but I'm not too worried for now, as I've got Malwarebytes running and protecting my system.

And I have also got the speed of my PC back; I was getting a lot of frame rate freezes, jumps and laggy moments, which was very noticeable when playing games.

If this is the case, it just shows me how awful Windows Security is. If a worm can do this, that's some "security" I thought I was getting.
 

Colif

Win 10 Master
Moderator
Your post seems to answer your own question. Yes, it can be disabled by malware. I don't know how it got through. Something you installed? A website you visited? Something you downloaded and never actually installed - I have found a few this way in historical files I never used.

Defender is free security and it's better than nothing.

Windows Defender is okay protection for most people, but if you find yourself on unsafe sites, it might help to have extras to keep an eye on it. Malwarebytes acts as a good 2nd layer, I think. You might also want something like uBlock Origin on your browsers to stop drive-by downloads.

I don't use Defender, I use Bitdefender as it tends to keep me protected. I can never tell where I will end up when looking for answers to questions here.

The malware that disabled Defender was likely the cause of the other problems, as it didn't just exist purely to disable Defender; that was just so it could do its real purpose, whatever that was.
 

Spiderkeys

Yes, as soon as Malwarebytes was up and running it was constantly blocking a requested connection to pool.minexmr.com, 37.59.43.131, port 4444 every 2 seconds, which explains why my PC was performing sluggishly for so long.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/23/20
Protection Event Time: 7:53 PM
Log File: 8cbe844e-4500-11eb-bd79-001a7dda710a.json

-Software Information-
Version: 4.3.0.98
Components Version: 1.0.1130
Update Package Version: 1.0.34657
License: Trial

-System Information-
OS: Windows 10 (Build 18362.778)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\winlogui.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: pool.minexmr.com
IP Address: 37.59.43.131
Port: 4444
Type: Outbound
File: C:\Windows\System32\winlogui.exe
Related to winlogui.exe

Anyway, if I can't fix Windows Security within 15 days I will have to either find alternative protection, try to repair the OS, or reinstall Windows.
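A small triage script for the two Malwarebytes exports pasted in this thread (the threat scan in the first post and the protection event above). It is an added example, not part of the thread and not Malwarebytes' own tooling. It assumes the comma-separated layout visible in those lines (category, path, action, numeric ids, then MD5 and SHA-256 for file entries) and treats `KEY|VALUE` as a registry value name; both are inferred from the pasted text rather than a documented schema, and the embedded sample logs are excerpts of what was posted. The script pulls out the three Security Center notification-suppression values, classifies the Run-key and scheduled-task (TaskCache) entries as persistence, and links the blocked outbound connection back to the scan hit for the same binary, which is the connection Colif draws between the disabled Defender and the miner's real job.

```python
"""Triage the two Malwarebytes text exports pasted in the thread (threat scan + protection event).
Constructed example: the field layout is inferred from the pasted lines, not from a documented schema."""
import re

# Excerpts of the logs pasted in the thread (a subset of the 17 detections).
THREAT_SCAN_LOG = r"""
-Scan Details-
Process: 1
RiskWare.BitCoinMiner, C:\WINDOWS\SYSTEM32\WINLOGUI.EXE, No Action By User, 1710, 604807, , , , , 6B0F42756B43F8D7224EB9178A5B0550, 54BD65A9BB49912AB6A28267955E16DFC5FDC2F346D9B6633BDCF6207183418D
Registry Key: 1
Trojan.Agent, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MICROSOFT\WINDOWS\APPLICATION EXPERIENCE\StartupCheckLibrary, No Action By User, 7, 782994, 1.0.34657, , ame, , ,
Registry Value: 1
RiskWare.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WINLOGUI, No Action By User, 1710, 604807, 1.0.34657, , ame, , ,
Registry Data: 3
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|ANTIVIRUSDISABLENOTIFY, No Action By User, 7412, 293294, 1.0.34657, , ame, , ,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|FIREWALLDISABLENOTIFY, No Action By User, 7412, 293295, 1.0.34657, , ame, , ,
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, No Action By User, 7412, 293296, 1.0.34657, , ame, , ,
File: 1
Trojan.FakeMS.TskLnk, C:\WINDOWS\SYSTEM32\STARTUPCHECKLIBRARY.DLL, No Action By User, 10511, 676769, 1.0.34657, , ame, , BBF0FF45510CF6EA849F593801E1C8D0, 29B06E1E0CA0318B3E876C8ED8BA58AC0C39728D656DD640B80B5E43F5BF926C
Physical Sector: 0
(No malicious items detected)
(end)
"""
PROTECTION_EVENT_LOG = r"""
-Blocked Website Details-
Malicious Website: 1
-Website Data-
Category: Trojan
Domain: pool.minexmr.com
IP Address: 37.59.43.131
Port: 4444
Type: Outbound
File: C:\Windows\System32\winlogui.exe
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
HASH_RE = re.compile(r"^(?:[0-9A-F]{32}|[0-9A-F]{64})$", re.I)
SECURITY_CENTER_KEY = "HKLM\\SOFTWARE\\MICROSOFT\\SECURITY CENTER"
PERSISTENCE_MARKERS = {"run_key": "\\CURRENTVERSION\\RUN\\", "scheduled_task": "\\SCHEDULE\\TASKCACHE\\"}

def parse_threat_scan(text):
    """One dict per detection line under -Scan Details-. Layout assumed from the pasted lines:
    category, path, action, ...; a 32/64-hex field is MD5/SHA-256; 'KEY|VALUE' marks a registry value."""
    detections, section, in_details = [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "-Scan Details-":
            in_details = True
        elif not in_details or not line or line.startswith("("):
            pass  # preamble, blank lines, "(end)", "(No malicious items detected)"
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif len(fields := [f.strip() for f in line.split(",")]) >= 3:  # assumes no commas in paths
            is_reg = section is not None and section.startswith("Registry")
            key, _, value = fields[1].partition("|")
            hashes = [f for f in fields[3:] if HASH_RE.match(f)]
            detections.append({
                "section": section, "category": fields[0], "path": fields[1], "action": fields[2],
                "reg_key": key if is_reg else None, "reg_value": value if is_reg and value else None,
                "md5": next((h for h in hashes if len(h) == 32), None),
                "sha256": next((h for h in hashes if len(h) == 64), None)})
    return detections

def parse_protection_event(text):
    """Key/value pairs from the -Website Data- block of a protection event export."""
    data, in_block = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-") and line.endswith("-"):
            in_block = line == "-Website Data-"
        elif in_block and ": " in line:
            k, v = line.split(": ", 1)
            data[k] = v
    return data

def security_center_tampering(detections):
    """Value names flagged under the Security Center key (the *DisableNotify values suppress
    the AV / firewall / update warnings Windows would otherwise raise)."""
    return sorted(d["reg_value"] for d in detections
                  if d["reg_value"] and d["reg_key"].upper() == SECURITY_CENTER_KEY)

def persistence_entries(detections):
    """Flagged registry entries classified as Run-key or scheduled-task (TaskCache) persistence."""
    return [(kind, d["path"]) for d in detections for kind, marker in PERSISTENCE_MARKERS.items()
            if d["reg_key"] and marker in d["reg_key"].upper() + "\\"]

def correlate_block(detections, event):
    """Link a blocked outbound connection to the scan hit for the same binary (case-insensitive path)."""
    blocked = event.get("File", "").lower()
    for d in detections:
        if d["path"].lower() == blocked and d["sha256"]:
            return {"file": event["File"], "domain": event.get("Domain"), "ip": event.get("IP Address"),
                    "port": event.get("Port"), "category": d["category"], "sha256": d["sha256"]}
    return None

if __name__ == "__main__":
    dets = parse_threat_scan(THREAT_SCAN_LOG)
    print(security_center_tampering(dets), persistence_entries(dets),
          correlate_block(dets, parse_protection_event(PROTECTION_EVENT_LOG)), sep="\n")
```

Run it as-is and it prints the three suppressed-notification value names, the two persistence entries, and the SHA-256 of the binary that was both quarantined and blocked talking to the pool; point the two parsers at a full export file instead of the embedded excerpts to triage a real scan.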
 

Phillip Corcoran

Titan
Moderator
Win 10 Defender has always kept my PC free of malware --- it's perfectly adequate if you practice safe surfing habits: stay away from dodgy sites, no piracy downloads, etc.

Re-installing Windows is good advice above. It's the only way to be sure it's clean. Then create a backup image of it so you can get up and running in the future faster than a full re-install. Also, a backup image is always a good thing to have in case the OS drive goes belly-up.
 

Spiderkeys

I am a cautious user; I certainly never run exe files from untrusted sources. Considering myself a cautious user, I thought Win10 Defender was enough. The PC and OS are only 8 months old, and I had never thought of scanning the system as of today. I can't even install updates either, just getting 0x80080005 error codes, let alone my Defender no longer functioning.

OK, I admit I occasionally browse a few free streaming p0rn sites, which sometimes give unwanted pop-ups with unwanted autoplay videos. I like to use Vivaldi due to its nature as a lightweight browser.

I've got a second PC too, and I thought I should try the same with this, but it turns out clean; I'm surprised this happened to my main PC.
 

Colif

Win 10 Master
Moderator
Defender should have been auto scanning, so you shouldn't need to run one yourself, since you assumed it was there.
I run a quick scan every few weeks; I shouldn't need to, as my AV is proactive and will stop anything I try to install.

I can't even install updates either, just getting 0x80080005 error codes, let alone my Defender no longer functioning.
Sounds like a clean install would fix that.

If you have 2 drives, copy anything you want to save onto the 2nd drive.
On another PC, download the Windows 10 Media Creation Tool and use it to make a Win 10 installer on USB.

Unplug the PC & disconnect the 2nd drive from power inside the case (this stops Windows putting things on the 2nd drive during install).
Boot from the installer.
Follow this guide: https://forums.tomshardware.com/faq/how-to-do-a-clean-installation-of-windows-10.3170366/
Once the HDD boots fine after the install,
reinstall Malwarebytes,
reattach the other HDD and use Malwarebytes to scan the folders before you use any of the files again.
 
