Windows 10 - Force Stop Windows Defender Service (rootkit)

[izusaga]

Within the past 24 hours, I've detected and isolated a rootkit on a Windows 10 system attached to MpKsl2ad74297.sys in the Windows Defender Definition Update folder, which cannot be purged due unless the Windows Defender Service is disabled.

Searches are not netting me accurate results - how do I disable the Windows Defender Services via CMD to purge the obstinate file? "net stop windefend" results in a System error 5 - Access is denied.

Thanks!

 

[izusaga]

Update:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

Through Group Policy seems to have done the trick..

 

[auntjemima]

Should be done like this...

sc config "Name of Service" start= disabled
sc stop "Name of Service"

Two things: you don't need the quotes and the space after start= is important.

 

[auntjemima]

Update:

Computer Configuration > Administrative Templates > Windows Components > Windows Defender

Turn off Windows Defender = Enabled

Through Group Policy seems to have done the trick..

Glad you got it sorted out! The GP editor is really your best bet if you have the option.

 

[izusaga]

Glad you got it sorted out! The GP editor is really your best bet if you have the option.

I'm currently more curious as to how this one attached itself to my primary gaming system which runs bare bones and pretty much only ever runs Steam. Timestamps for all files associated with the rootkit are dated from the day of OS install.

Edit: The only file NOT associated with the OS install of approximately 62 days ago was time stamped in the event manager to the last Windows Update install.. XAPOFX1_3.dll, a DirectX file.

I've purged all the Windows Defender definition files and am now running a manual Windows Update to see what happens.

Edit #2: Interestingly, the XAPOFX1_3.dll update initiated through a Steam install that triggered Windows Update to check DirectX. Starting to feel like a 0-day exploit.

MBAM failed to detect this, but Hitman Pro found it. Glad I still run both.

 

[Biznatch]

what exploit/rootkit is it claiming it found? Are you sure it's not mis-flagging a legit file? When i run the AM/AV checker from work on my laptop, it flags solitaire and 1 other default game as malware.


*edit* If it was a zero day, by definition alone nothing you have installed would have detected it...

 

[Ranma_Sao]

MpKSLRandom.sys usually is the Microsoft anti-rootkit driver.

http://www.networkworld.com/article...oku--maker-of-rootkit-detection-products.html

Why do you think it was a rootkit? Did you check the file properties or the signing info?

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[izusaga]

MpKSLRandom.sys usually is the Microsoft anti-rootkit driver.

http://www.networkworld.com/article...oku--maker-of-rootkit-detection-products.html

Why do you think it was a rootkit? Did you check the file properties or the signing info?

This posting is provided "AS IS" with no warranties, and confers no rights.

Hitman results with the following:

http://imgur.com/a/Y8Qni

 

[BulletDust]

Interesting stuff, you don't run any downloaded media (ie: movies) on this device?

 

[izusaga]

Interesting stuff, you don't run any downloaded media (ie: movies) on this device?

I do, yes. Not frequently, but sometimes Plex doesn't encode the audio well and a movie has to be played via VLC locally.

MBam, TDSSKiller, and GMER do not detect this particular rootkit, but Hitman Pro does.

Any recommendations?

 

[BulletDust]

I do, yes. Not frequently, but sometimes Plex doesn't encode the audio well and a movie has to be played via VLC locally.

MBam, TDSSKiller, and GMER do not detect this particular rootkit, but Hitman Pro does.

Any recommendations?

That's how the infection made it's way to your PC then, is this a media server or a client?

[EDIT] Sorry, just read "main gaming PC". So is the issue that you cannot remove this particular infection?

 

[izusaga]

That's how the infection made it's way to your PC then, is this a media server or a client?

This is the client itself. The media server is clean.

I'm not certain how to proceed with removal without re-installing the OS.

 

[BulletDust]

svchost.exe is the issue, it's running every time you start the machine downloading more infections disguised as a legitimate operating system service. See here:

https://malwaretips.com/blogs/svchost-exe-virus-removal/

[EDIT] Just as an overview, I take no responsibility if that software is not clean as I've never used it.

 

[pendragon1]

if there is an infected svchost then maybe but svchost is a legit file.
seems you(OP) have multiple systems so can you not pull the drive and scan/clean it on another system? that's what id do, will make it easier.
oh and fyi to stop windows update open an admin cmd prompt or power shell and type: net stop wuauserv

 

[BulletDust]

You can boot off a live Linux CD/DVD and run a scan that way, plenty of tools available as preconfigured packages and most are free to use via major AV companies.

 

[pendragon1]

oh yeah that would work and windows has the offline scan tool too(loads and runs before entering windows).

 

[BulletDust]

I reckon I've had this issue before and from memory I think it was the free version of Avria that fixed it.

https://www.avira.com/

 

[izusaga]

if there is an infected svchost then maybe but svchost is a legit file.
seems you(OP) have multiple systems so can you not pull the drive and scan/clean it on another system? that's what id do, will make it easier.
oh and fyi to stop windows update open an admin cmd prompt or power shell and type: net stop wuauserv

Not easily, it's a 1TB 960 Pro M.2.

 

[pendragon1]

ah yeah that makes it a little more difficult. you could try the windows offline scan but I think a live cd/usb with current av is probably the best way to go.

 

[izusaga]

I reckon I've had this issue before and from memory I think it was the free version of Avria that fixed it.

https://www.avira.com/

Thanks. I'll give it a try. Willing to throw anything free at it if possible.

ah yeah that makes it a little more difficult. you could try the windows offline scan but I think a live cd/usb with current av is probably the best way to go.

When you say current av, do you mean Avira as recomended above?

 

[izusaga]

I reckon I've had this issue before and from memory I think it was the free version of Avria that fixed it.

https://www.avira.com/

No dice. =/

http://imgur.com/a/lXk5I

 

[pendragon1]

umm I should have googled first, prob a false alarm.
https://answers.microsoft.com/en-us...rying-to/05886700-30ac-4512-a943-7221bf0f1a90

 

[izusaga]

umm I should have googled first, prob a false alarm.
https://answers.microsoft.com/en-us...rying-to/05886700-30ac-4512-a943-7221bf0f1a90

That's a thread from January 2011 involving Win7. Not entirely sure it's completely applicable.

I have 3 systems running Win10 Pro from the same install media and only one is getting these results from HMP. All 3 are on the same update schedule and were installed within 3 weeks of eachother. If truly a false-positive, wouldn't all 3 show the same results?

I'm skeptical.

 

[pendragon1]

it sounds like your alternative av is picking up windows defender files. remove defender and try scanning again.
not if you've removed wd from those other two...

see I got one too: its the definition files for windows defender.

 

[izusaga]

it sounds like your alternative av is picking up windows defender files. remove defender and try scanning again.
not if you've removed wd from those other two...

see I got one too: its the definition files for windows defender.
View attachment 27935

How does one go about "removing" Windows Defender? I'm on build 1607 and it won't even let me disable the service unless I do so via group policy.

 

[pendragon1]

this should still work with 1607, try the first solution too.
https://partnersupport.microsoft.co...s/5829f484-939c-4365-8545-770ba0efc66d?auth=1

 

[izusaga]

this should still work with 1607, try the first solution too.
https://partnersupport.microsoft.co...s/5829f484-939c-4365-8545-770ba0efc66d?auth=1

Unfortunately, Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService does not exist on 1607. This appears to be Creator-only, and since I already have to go through great lengths to disable Microsoft's spying telemetry, I certainly won't be installing the newest update which is even worse spyware.

I really appreciate the help, either way.

 

[pendragon1]

Unfortunately, Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService does not exist on 1607. This appears to be Creator-only, and since I already have to go through great lengths to disable Microsoft's spying telemetry, I certainly won't be installing the newest update which is even worse spyware.

I really appreciate the help, either way.

no prob! then I would disable real-time protection and anything to do with windows defender. then mark that directory as an exception in your other av. then you wont get the false alarms.

 

[izusaga]

no prob! then I would disable real-time protection and anything to do with windows defender. then mark that directory as an exception in your other av. then you wont get the false alarms.

I'm not convinced these are false alarms. If they were, the other two near-identical systems would also be getting them.

 

[pendragon1]

then boot off a live cd/usb and delete the file. see what happens.

 

[BulletDust]

Good job Pendragon1. It's odd that Hitman Pro flags the file as being an issue, I've never had it do that before and I use it all the time.

 

[BulletDust]

When you scan with Hitman Pro and it detects those two threats, what happens if you try to delete them? Specifically svchost.exe?

 

[izusaga]

When you scan with Hitman Pro and it detects those two threats, what happens if you try to delete them? Specifically svchost.exe?

Both are re-created on boot, along with a registry key associated with them.

 

[pendragon1]

re-reading thread trying to come up with a solution for ya but I still think is a false alarm. "suspicious" does not mean infected, it means it doesn't know what it is so it alerting you just in case.
one way to see is to update defender* and see if the file name changes as it should. svchost gets used for tons of things too. I was gonna post a pic of my taskman to show you but I have so many running I have to scroll through a whole screen of just svchosts, figured that'd make the point.

*edit: my wd just updated so yours would/should too.

 

[B00nie]

Try copying the 'suspicious' file from the supposedly clean system (assuming they're the same version) and see if the warnings continue.

 

[BulletDust]

And if they do continue, copy a clean file from a known good system and apply it to the faulting machine.

 

[B00nie]

And if they do continue, copy a clean file from a known good system and apply it to the faulting machine.

This is actually what I was trying to say except I don't consider any windows as 'known good'. What I meant is to copy the file from the system that didn't flag the file.

 

[Ranma_Sao]

Guys,
That is a Microsoft file, check the signing with sigcheck. Your system is fine. Hit man pro has a false positive. I helped write mpksl I know what it does.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[pendragon1]

that's what ive been telling him....

 

[BulletDust]

Guys,
That is a Microsoft file, check the signing with sigcheck. Your system is fine. Hit man pro has a false positive. I helped write mpksl I know what it does.

This posting is provided "AS IS" with no warranties, and confers no rights.

So by that logic it should appear as a false positive on every Windows 10 PC the OP owns?