Windows Defender service stops

TAPtech

It's amazing how infrequent malware infections are when you use proper layered security. This is my first one in a long time! I took over a client recently, and upon installing our A/V software and removing the competitors... it was going nuts! "Gen:Variant.Strictor.165627" kept creating folders and files in the Windows\temp directory. Windows Defender was going berserk as well.

ADWCleaner wasn't able to keep it from coming back, but Bitdefender boot disc did. It was able to remove the virus. Everything on the system is running great now, except that the Windows Defender service will crash after a while. Otherwise, all scans come up clean.

The user has a complex profile so I would like to try some options before a nuke and pave.

So far I've run DISM, check disk, and sfc /scannow. Any thoughts?
 
I'd look in all and any 'temp' folders you can find and empty out anything you can't verify as unharmful. Same goes for the StartUp folder. Does event viewer tell you why Defender is crashing?
 
Startup folder is empty, nothing suspicious in the Task Manager startup. BTW, this is Windows 10 Home.

Here's what I see in event log, not a lot of info for me:
The Windows Defender Antivirus Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Run the configured recovery program.
 
Startup folder is empty, nothing suspicious in the Task Manager startup. BTW, this is Windows 10 Home.

Here's what I see in event log, not a lot of info for me:
The Windows Defender Antivirus Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Run the configured recovery program.
That is an absolutely typical helpful bloody message. Could have been worse - could have told you to contact your system administrator if the problem persists ;)

PS: I found this batch file lying about on the internet - no idea if it will help, but it doesn't look as if it will make things worse!
 
Everything on the system is running great now, except that the Windows Defender service will crash after a while. Otherwise, all scans come up clean.

The user has a complex profile so I would like to try some options before a nuke and pave.

So far I've run DISM, check disk, and sfc /scannow. Any thoughts?
It's likely there are additional Service related errors in Event Viewer that may clue you in on the Defender issue.

If needed, the Malwarebytes Toolset has an Issue Scanner that might help solve this problem (e.g. it looks for missing or incorrectly configured default Services and repairs them) or at least help uncover more details on Service related crashes (e.g. it looks for the actual Service crash events and lists them with error details if found). If you would like to give it a run, let me know. PM me or send me an email at alsmith@malwarebytes.com

PS: I found this batch file lying about on the internet - no idea if it will help, but it doesn't look as if it will make things worse!
Nice find!! Seems to replace missing WD related registry values and reset some Services back to their default Start state. It also seems to include settings that may not apply to default consumer scenarios. Plus, who knows if it's been vetted on all builds of Windows 10, as these types of settings can change with each new build. For sure a use-at-your-own-risk, but it does make me personally want to dig into this for future solutions/fixes.
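For anyone wanting to gather the evidence the replies above ask about (Service Control Manager crash records, the WinDefend service start state, and the Defender policy registry values that scripts like the batch file mentioned tend to touch), here is a read-only PowerShell triage function. It is an added example, not a script from this thread, from Malwarebytes, or from any other tool named here. It uses only cmdlets that ship with Windows 10; the "expected" default values noted in the comments are assumptions to check against a known-good machine, not something the thread states.

```powershell
# Added example (not from this thread or any vendor tool it mentions).
# Read-only triage for a Windows Defender service that keeps dying.
# Run in an elevated PowerShell on the affected PC.
function Get-DefenderServiceTriage {
    [CmdletBinding()]
    param([int]$MaxEvents = 50)

    # SCM logs a service crash as System event 7034, or 7031 when a recovery
    # action is scheduled (the "corrective action will be taken" wording quoted
    # earlier in the thread is the 7031 text).
    $scmEvents = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Windows Defender*' }

    # Each SCM record usually pairs with an Application Error (event 1000) for
    # MsMpEng.exe a few seconds earlier; that one names the faulting module,
    # which is the detail the SCM message leaves out.
    $appCrashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*MsMpEng.exe*' }

    # Service configuration. Assumed stock Windows 10 values, to be verified
    # against a known-good machine: StartMode 'Auto', State 'Running'.
    $svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'" -ErrorAction SilentlyContinue

    # Policy values under the Windows Defender policy key. On a home PC with no
    # domain policy these keys normally do not exist at all; a value of 1 here
    # needs explaining before the machine is trusted again.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $policy = [ordered]@{
        DisableAntiSpyware        = $null
        DisableRealtimeMonitoring = $null
    }
    if (Test-Path $policyRoot) {
        $policy.DisableAntiSpyware = (Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue).DisableAntiSpyware
        $rtp = Join-Path $policyRoot 'Real-Time Protection'
        if (Test-Path $rtp) {
            $policy.DisableRealtimeMonitoring = (Get-ItemProperty -Path $rtp -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
        }
    }

    # What Defender itself reports (Defender cmdlets ship with Windows 10).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceStartMode     = $svc.StartMode
        ServiceState         = $svc.State
        PolicyValues         = [pscustomobject]$policy
        AMServiceEnabled     = $mp.AMServiceEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        ServiceCrashEvents   = $scmEvents | Select-Object TimeCreated, Id, Message
        MsMpEngCrashEvents   = $appCrashes | Select-Object TimeCreated, Message
    }
}

# Usage: keep the report with the other evidence before deciding on a rebuild.
$report = Get-DefenderServiceTriage
$report | Format-List
$report.ServiceCrashEvents | Format-Table -AutoSize
$report.MsMpEngCrashEvents | Format-Table -AutoSize
```

The function changes nothing on the box; it only collects. If the SCM events show a steady cadence (for example one crash every few hours) and the matching 1000 events blame the same module each time, that is the clue the SCM message alone does not give, and `sc.exe qfailure WinDefend` will additionally show the recovery actions the service is configured to take.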
 
No, a lot of them run alongside Windows Defender. The Bitdefender software I provide is one of them.
Bitdefender should disable Defender's scanning engine but keep all the other components running. This is what most other AVs do if installed along with Defender.
Defender will do periodic scanning if you allow it, otherwise it stays quiet.

The Sirefef trojan can cause this issue with Defender.
ESET has a great tool for resetting Windows Services back to default here.
 
Bitdefender should disable Defender's scanning engine but keep all the other components running. This is what most other AVs do if installed along with Defender.
Defender will do periodic scanning if you allow it, otherwise it stays quiet.

The Sirefef trojan can cause this issue with Defender.
ESET has a great tool for resetting Windows Services back to default here.

You'll need to run it with the /r switch.

https://support.eset.com/kb2895/?locale=en_EN
"/r => Restore system services: Attempts to restore any system components that have been disabled or damaged by the malware."

Tweaking.com - Windows Repair contains a preset for Malware Cleanup Repairs that, among other repairs, includes restoring important Windows services and setting them to default startup:
Capture.jpg
 
You'll need to run it with the /r switch.

https://support.eset.com/kb2895/?locale=en_EN
"/r => Restore system services: Attempts to restore any system components that have been disabled or damaged by the malware."
On top of that, isn't that infection pre-Windows 10? Has their tool been updated or designed to detect the proper version of Windows and apply the right default values and permissions for these Services? Not saying it won't work, just that it might not be the right tool for restoring Services on all versions of Windows.

Tweaking.com - Windows Repair contains a preset for Malware Cleanup Repairs that, among other repairs, includes restoring important Windows services and setting them to default startup:
Capture.jpg
Good call. This tool is regularly updated and would be a solid option for repairing Windows Services.
 
@Alex Smith I don't know, I was following up the previous post because I knew that the /r switch was necessary to do what was proposed. Yes, I also think that Windows Repair is a good option.
 
Hi guys. I wanted to thank everyone for all of the replies and Alex for the PM and trial offer of the MB toolkit. It looks like a great option for shops that do a lot of this type of repair. Very automated and seems very thorough. I wasn't having much luck so I took the "easy" way out. The HDD in this machine was running rather slow, so I decided to swap in an SSD and reload the machine. It is lightning fast now and I'm sure the user will be pretty stoked to be the only one in the office with SSD.

So now I'll drop it off, plant my SSD seed, and wait for them to approve the rest of the machines to be upgraded :D
 
I wasn't having much luck so I took the "easy" way out. The HDD in this machine was running rather slow, so I decided to swap in an SSD and reload the machine. It is lightning fast now and I'm sure the user will be pretty stoked to be the only one in the office with SSD.

So now I'll drop it off, plant my SSD seed, and wait for them to approve the rest of the machines to be upgraded :D
Sometimes Windows gets broken and nothing but a nuke will fix it.
And adding SSDs is just the icing on the cake to make a computer worth using again.
 
@Alex Smith I don't know, I was following up the previous post because I knew that the /r switch was necessary to do what was proposed. Yes, I also think that Windows Repair is a good option.
I should have clarified. That wasn't aimed at you. My bad :)

Hi guys. I wanted to thank everyone for all of the replies and Alex for the PM and trial offer of the MB toolkit. It looks like a great option for shops that do a lot of this type of repair. Very automated and seems very thorough.
Thanks for the update and kind words on the Toolset!! If you have any questions or feedback on it, just let me know. Oh, if anyone else wants to take it for a spin just let me know.
 
Infections are so rare these days I don't even bother with them. Nuke it and start over. It's the only way to be sure. The infections that can get through even just Defender these days are so devious you can never be certain they are gone!
 
Infections are so rare these days I don't even bother with them. Nuke it and start over. It's the only way to be sure. The infections that can get through even just Defender these days are so devious you can never be certain they are gone!
This ^^
Scanning for malware is so passé now. With Windows 10 it's [becoming] more cost-effective to just Fabs and N & P rather than tie up bench space for hours trying to find bugs - then go through all the remediation steps.
 