Windows 7: Windows Defender services missing?!

Hi,
A few hours ago I had a virus/fake anti spyware program called Win 7 anti-spyware, I successfully managed to delete the program with the help of safe mode and MalwareBytes, however, after that was all done, I decided to update windows defender, when it comes up with this error (Check Defender1.png attached)
I've tried EVERYTHING from searching on google, searching the error code, searching to reinstall it.. nothing, and looking around, I found that the service for Windows Defender is MISSING (Defender2.png)
Any ideas how I can fix this? Reinstalling Windows 7 is not an option I'm afraid

Please post the Malwarebytes' log.

Here's how to find the log:

• Launch Malwarebytes' Anti-Malware
• Click on the Logs radio tab.

Next,

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

• Right click SecurityCheck.exe, select Run as administrator then follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt
• Please post the contents of that document in your next reply.

Unfortunately, I don't have any logs of MalwareBytes, however I Downloaded that security program thingy and the log shows this:
Results of screen317's Security Check version 0.99.10
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 22
Out of date Java installed!
Adobe Flash Player 10.2.153.1
Adobe Reader X (10.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent
``````````End of Log````````````

Remove Outdated Java
You can install the current version after your computer is clean

• Go to start > control panel > programs and features.
• Right click on Java(TM) 6 Update 22
• Click Uninstall & then follow the prompts to remove it.

================================

Update and Scan with Malwarebytes Anti-Malware

• Launch the application, select the Updates tab and click Check for Updates
• Select the Scanner tab, choose Perform Full Scan then click Scan
• When the scan is complete, click OK, then Show Results to view the results.
• Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply.
• The log can also be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

================================


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.

================================

Please post the following in your next reply:

• The Malwarebytes' log
• DDS.txt
• Attach.txt

Thanks for replying Carolyn, I've done everything you've told me to do, and here are the results:

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 6291

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

07/04/2011 00:26:31
mbam-log-2011-04-07 (00-26-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 354973
Time elapsed: 57 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\KiZ\AppData\Local\ewm.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\KiZ\AppData\LocalLow\Sun\Java\deployment\cache\6.0\38\72a57626-7c5416dd (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\KiZ\downloads\counter.strike.source.2010.orange.box.nosteam.[setti]\counter.strike.source.2010.orange.box.nosteam.[setti]\counter strike source 2010\bin\steamclient.dll (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
c:\Users\KiZ\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I've attached the other logs, otherwise my post would be a bit too long:

Thanks,
Kieren

Hi Kieren,

P2P - I see you have P2P software ( uTorrent ) installed on your machine. I'm not here to pass judgment on file-sharing as a concept. However, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall uTorrent now. You can do so via Control Panel >> Programs and features.

If you choose to leave them on the machine, please refrain from using them while we are cleaning the machine to prevent further infection.

=================================

Turn on User Account Control (UAC)
UAC will help you prevent unauthorized changes to your computer. It works by prompting you for permission when a task requires administrative rights, such as installing software or changing settings that affect other users.

Brink has a great tutorial which explains the benefits of UAC and how to modify UAC settings HERE

=================================

Scan with ESET online scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

• Please go here to run the scan.
  
  Quote:

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:

• • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
• Now click on:
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Thanks for taking your time to help me Carolyn, much appreciated
So I've installed ESET and done the scan, and this is what the log says:

"C:\Users\KiZ\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\29\54b7995d-5d068565 multiple threats"

I'm pretty sure I don't have any malware left on my PC, as far as I can see, the service for windows defender in Services.msc is MISSING, and that's why it's not working, that's what I need help with, is there a sc command to reinstall the service or could you send any files that could help with getting my service back?

(Defender2.PNG on my first post shows that, with the services in alphabetical order, the "Windows Defender" service is not there)

Thanks,
Kieren

Your logs show that there are some Windows Defender processes running but no Windows Defender service so I wanted to make certain that there is no active malware involved.

I can suggest a few options you can try for restoring the Defender service:
Note: I strongly recommend that you back up any important files and folders before you continue.
1. Uninstall then re-install SP1
2. Do a repair installation of Win 7 (that is also known as a non-destructive installation - it should not affect your programs and files but you should still back up your files first!)
3. Install Microsoft Security Essentials - MSE includes defender and you do not presently have any antivirus program installed.

We could try to restore the service, but that is more complicated and it makes more sense to try one of the above options first.

If anyone else has another suggestion for how to proceed, please do chime in.

A lot of good work Carolyn. IMHO all this work will go to wast if P2P and Torrents are still used by the OP.

Thank you for such a thorough and comprehensive reply
Having experienced the same problem I am going through your instructions. However I have come up against a brick wall!!!
How do I run DDS.scr?
Douple-clicking on it does nothing. Looking at the file associations it is labelled as a Screensaver with no associated application. I read elsewhere that scripts are run through Wscript.exe in the System32 folder, but assigning WScript .exe to this file results in a message: 'No script Engine for .scr type files'. In another message board I was instructed to download a .reg file containing many changes to the registry (which I am reluctant to run!).
This all sounds like major work just to run a script.
So, the question remains - how do I run DDS.scr?
I am running Windows 7 Ultimate 32 bit.