Windows Defender removed/disabled by malware

Shane:
Ok now that we found more infections and removed them try my repair tool again. Make sure to do a reg backup beforehand and let's see how it goes :wink:

Now hopefully the infection is gone, so now we need to replace the missing reg keys, which my repair will do.

Shane

Dannim:
Hey Shane, I believe I've come across this just recently. 

In my instance in addition to the registry files being missing/corrupt, the Windows Defender folder only contained symlinks to System32\config.  I deleted the file symlinks without issue, however the "en-US" folder could not be removed without attempting to take the System32\config folder with it.  "rmdir" returned "This directory is not empty".

I ended up renaming "en-US" and copying the Windows Defender folder directly from another like machine (Vista x86).  Windows Defender was then able to start and do updates.

I am starting to see this more frequently so I believe there is a new variant of 0access (Sirefef) out there that is causing it.  One of the side effects (intentional or otherwise) appears to be the message "The file contained a virus and was deleted" from IE when downloading.

Shane:

--- Quote from: Dannim on May 18, 2013, 07:19:35 pm ---Hey Shane, I believe I've come across this just recently. 

In my instance in addition to the registry files being missing/corrupt, the Windows Defender folder only contained symlinks to System32\config.  I deleted the file symlinks without issue, however the "en-US" folder could not be removed without attempting to take the System32\config folder with it.  "rmdir" returned "This directory is not empty".

I ended up renaming "en-US" and copying the Windows Defender folder directly from another like machine (Vista x86).  Windows Defender was then able to start and do updates.

I am starting to see this more frequently so I believe there is a new variant of 0access (Sirefef) out there that is causing it.  One of the side effects (intentional or otherwise) appears to be the message "The file contained a virus and was deleted" from IE when downloading.

--- End quote ---

So do you think the virus added the symlinks that broke it?

Shane

Dannim:
Yes, I've seen this happen on 3 machines in the last couple days.

Shane:
Fixing symbolic links would be a great addition to the program since they can truly destroy a machine if you think about it.

Problem is I need to find out what API to call to view/edit/add/delete symbolic links.

Shane
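Shane asks which API to use for viewing and removing symbolic links. The PowerShell below is an added example, not Shane's repair tool or anything posted in the thread: it lists reparse points (symbolic links and junctions) under a folder, flags any whose target lies under System32\config as Dannim described, and removes a flagged link without touching the directory it points to. The default paths are assumptions taken from the thread.

```powershell
# Added example (not from the thread): audit a folder for reparse points and
# remove only the link, never its target. Paths default to the Windows Defender
# program folder and the System32\config tree mentioned by Dannim (assumptions).

function Get-ReparsePointReport {
    param(
        [string]$Path = "$env:ProgramFiles\Windows Defender",
        # Links whose target sits under this tree are flagged as suspicious
        [string]$SensitiveRoot = "$env:SystemRoot\System32\config"
    )
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object {
            # .Target is string[] on Windows PowerShell 5.1 and string on 7.x
            $target = ($_.Target | Select-Object -First 1)
            [pscustomobject]@{
                Path       = $_.FullName
                Kind       = $_.LinkType            # SymbolicLink or Junction
                IsDir      = $_.PSIsContainer
                Target     = $target
                Suspicious = ($null -ne $target) -and
                             $target.TrimEnd('\').StartsWith($SensitiveRoot, 'OrdinalIgnoreCase')
            }
        }
}

function Remove-ReparsePointOnly {
    # Deletes the link itself. For a directory link the Win32 RemoveDirectory API
    # (via [IO.Directory]::Delete, non-recursive) removes the reparse point without
    # descending into its target, which is why "rmdir /s" is avoided here.
    param([Parameter(Mandatory)][string]$LiteralPath)
    $item = Get-Item -LiteralPath $LiteralPath -Force
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        throw "$LiteralPath is not a reparse point; refusing to delete real content."
    }
    if ($item.PSIsContainer) {
        [IO.Directory]::Delete($item.FullName)      # link only, target untouched
    } else {
        Remove-Item -LiteralPath $item.FullName -Force
    }
}

# Report first; remove flagged links only after reviewing the table.
$report = Get-ReparsePointReport
$report | Format-Table Kind, Suspicious, Path, Target -AutoSize
# Example removal step once reviewed:
# $report | Where-Object Suspicious | ForEach-Object { Remove-ReparsePointOnly $_.Path }
```

Run from an elevated PowerShell session; back up the registry and the folder before removing anything, as Shane advises above.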
