Windows 10: Windows Defender Stuck on Removing Severe Threat

I scanned my PC's with this Microsoft Safety Scanner - Free Virus Scan with the Microsoft Safety Scanner


The scan found a lot of malware and removed all but three items - severe -
and i read that Windows Defender would complete the job/remove the
malware.

the three remaining items are:
VirTool:JS/Obfuscator.HO
VirTool:JS/Obfuscator.HS
VirTool:JS/Obfuscator.HN

my question is - is WD stuck. the message reads "applying your actions
this might take a few SECONDS.

Well, I started it at about 7 a.m. this morning and it's been sitting at about
2/3 the way through the process for almost that entire 13 hours.

Do i just leave it alone? Restart it? Any suggestions?

thanks
Karen

:)

 

Defender's removal of severe threats

I am sorry to say that I only a user and to be honest its very hard to make sentence for this question specially that I am new to use the computer. May be one day I am a genuse of the computer

 

Defender's removal of severe threats

I followed these instructions, but the system would not let me paste the copied item, the command. I tried again, was able to paste the command but then got the following response:

Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\WINDOWS\system32> Set-MpPreference -ScanPurgeItemsAfterDelay 10 DAYS.

Set-MpPreference : A positional parameter cannot be found that accepts argument 'DAYS.'.

At line:1 char:1

+ Set-MpPreference -ScanPurgeItemsAfterDelay 10 DAYS.

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: ) [Set-MpPreference], ParameterBindingException

+ FullyQualifiedErrorId : PositionalParameterNotFound,Set-MpPreference

PS C:\WINDOWS\system32> Set-MpPreference -ScanPurgeItemsAfterDelay

 

Hi Karen and welcome to Tenforums.

No, it shouldn't take that long - it's having difficulty.
Please run RKILL. Do NOT reboot.
Then run MBAR.
You should now be able to run Windows Defender to get rid of those infections..
Then run TempFile Cleaner.
Then run JRT (Junkware Removal Tool).
Finally, run ADWCleaner.

That should do it. *Smile

 

I agree with simrick (I usually do *Wink)
Follow the instructions in post# 2

I only stopped in to mention that you can run Defender Offline

Settings > Update and Security > Windows Defender > Defender Offiline

Sometimes windows just needs o be out of the way to clean malware.

I haven't run it this way yet, but it beats the old method:
download the ISO, burn a CD, boot from the CD, scan outside of Windows ... before malware can load..

 

WD was definitely having trouble... it was in the same spot
this morning.

Thank you soooooo very much for your help

I actually started all of this with ADWCleaner because
the following two registry files would not be removed.

type
Key HKCU\software\Microsoft\Windows\CurrentVersion\Ext\Stats\(10921475-03CE-4E04-90CE-E2E7EF20C814)


HKCU\software\Microsoft\Windows\CurrentVersion\Ext\Settings\(10921475-03CE-4E04-90CE-E2E7EF20C814)

I ran ADWCleaner 4 or 5 times to try to get it to delete
these files...

then, I ran the Microsoft tool and WD...

Just ran all of the programs you recommended and finished
with ADWCleaner... and guess what???

These two registry files are still there!!!!!!!

Any suggestions?

I've not manually cleaned anything from the registry before

Again, thank you very much

Karen

 

Thank you...

now, you say to burn a cd... will jump drive do the
same thing?

Karen

 

I'm seeing some references that say some of the Obfuscator variants plant a rootkit, therefore, d/l & run TDSSKiller.

TDSSKiller Download

I see you started with AdwCleaner, the recommended action would be to run RKill first to attempt to terminate the malicious processes. After running this, do not reboot, proceed to scanning with your malware scanners. Please take a moment to read the documentation on the d/l page.

RKill Download

Being that the malware scanners cannot remove the reg keys, you may have to navigate to those points in the registry & manually delete them.

 

So these 2 keys were identified by ADWCleaner as rogue and needing to be removed? Have you tried running ADWCleaner in safe mode to get rid of them?
Borg is right, you may have to go in and delete them yourself. Just be sure to back up your registry and create a restore point first. *Wink

 

Sure, you can put Windows Defender Offline on a jump drive.

But the emphasis of my post is that you no longer have to do that ...
you can launch Defender Offline from Settings > Update and Security > Defender > Defender Offline
as described here: Defender Offline

simrick (safe mode Adwcleaner with a question about the reg entires) and Borg (tdssKiller, Rkill, possible manual reg entries removal) have offered other suggestions - it helps troubleshooting if you always follow the order of the suggestions and report the results.

When you've completed all on-demand scans and other remediation steps, run the following (both commands take a while to complete).

If there are any integrity issues reported in the results on the screen,

Launch Command Prompt (Admin)

Dism /Online /Cleanup-Image /RestoreHealth

SFC /ScanNow

 

If you have any IObit software on your machine - please uninstall those
If you paid for the software make sure you have a key to reinstall (not recommended)

 

I followed the recommendations that I was given here...

when I wrote, "I started with ADWClearner" - that was
BEFORE I came here... the Reg Keys that would not
delete are why i started looking for answers and how
I ended up here.

I ran everything I was advised to run - in the order as
listed and now one of my PC's is squeaky clean...

I can't thank you enough... another has the same
crap on it and I'm going through the same process
on it.

You guys are the best. thanks

Karen

 

Stay safe my comrade.

 

I'm sorry if I misinterpreted that & I'm glad you got it sorted. *Biggrin

If possible, can you post which cleaners you ran & which one deleted the infection so we'll have a reference point down the road should this happen to someone else.

Also, once you have confirmed a clean system, take some time to make a system image. This will be invaluable down the road should your OS be compromised badly or hit with ransomware. Follow the tutorial & keep your images on a external HDD/Flash Drive that is not connected to the computer at all times. Make images on a regular basis. Keep 2 or 3 older ones just in case you inadvertently make one with malware.

System Image - Create in Windows 10 - Windows 10 Forums

 

Hi Slartybart

What does iObit have to do with this?

I have used their uninstaller..... I will
remove it from my PC's

Thanks