computers / alt.comp.os.windows-11 / Non-existent Virus Found

Subject (Author)
* Non-existent Virus Found (SC Tom)
+* Re: Non-existent Virus Found (Carlos E. R.)
|`* Re: Non-existent Virus Found (SC Tom)
| `- Re: Non-existent Virus Found (Carlos E. R.)
+- Re: Non-existent Virus Found (Frank Slootweg)
+* Re: Non-existent Virus Found (VanguardLH)
|`* Re: Non-existent Virus Found (SC Tom)
| +* Re: Non-existent Virus Found (VanguardLH)
| |`* Re: Non-existent Virus Found (Big Al)
| | +* Re: Non-existent Virus Found (VanguardLH)
| | |`- Re: Non-existent Virus Found (Big Al)
| | `- OT: Re: Non-existent Virus Found (wasbit)
| `- Re: Non-existent Virus Found (SC Tom)
+- Re: Non-existent Virus Found (Paul in Houston TX)
+- Re: Non-existent Virus Found (Paul)
`- Re: Non-existent Virus Found (Brian Gregory)

Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3937&group=alt.comp.os.windows-11#3937

From: sc@tom.net (SC Tom)
Newsgroups: alt.comp.os.windows-11
Subject: Non-existent Virus Found
Date: Thu, 7 Dec 2023 10:11:35 -0500
Organization: A noiseless patient Spider
Message-ID: <uksnb9$1aad1$1@dont-email.me>
X-Newsreader: Microsoft Windows Live Mail 14.0.8117.416

Win11x64 running Defender
Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a folder
that no longer exists (it was an old game trainer). I have tried to
Quarantine it, Remove it, and Allow on device, but it keeps popping up that
it's still there.
I have searched the PC and the registry for any instance of the file and the
backdoor name, but nothing shows up. I have done every scan listed in
Defender with the result of "0 threat(s) found".
Ran SuperantiSpyware and MalwareBytes; no threats found.
How do I get rid of this notification? After the first notice in November, I
thought it was taken care of, but it started popping up again on December
1st and every day since. I'm sure the PC is clean; just can't convince
Defender of it.

TIA!
SCTom

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3938&group=alt.comp.os.windows-11#3938

From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 16:26:02 +0100
Message-ID: <kte6gaFpmpvU1@mid.individual.net>
References: <uksnb9$1aad1$1@dont-email.me>
User-Agent: Mozilla Thunderbird
In-Reply-To: <uksnb9$1aad1$1@dont-email.me>

On 2023-12-07 16:11, SC Tom wrote:
> Win11x64 running Defender
> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a
> folder that no longer exists (it was an old game trainer). I have tried
> to Quarantine it, Remove it, and Allow on device, but it keeps popping
> up that it's still there.
> I have searched the PC and the registry for any instance of the file and
> the backdoor name, but nothing shows up. I have done every scan listed
> in Defender with the result of "0 threat(s) found".
> Ran SuperantiSpyware and MalwareBytes; no threats found.
> How do I get rid of this notification? After the first notice in
> November, I thought it was taken care of, but it started popping up
> again on December 1st and every day since. I'm sure the PC is clean;
> just can't convince Defender of it.

Maybe you have it configured to scan empty disk space.

--
Cheers,
Carlos E.R.

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3940&group=alt.comp.os.windows-11#3940

From: sc@tom.net (SC Tom)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 12:02:34 -0500
Organization: A noiseless patient Spider
Message-ID: <ukstrc$1baac$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <kte6gaFpmpvU1@mid.individual.net>
In-Reply-To: <kte6gaFpmpvU1@mid.individual.net>
X-Newsreader: Microsoft Windows Live Mail 14.0.8117.416

"Carlos E. R." <robin_listas@es.invalid> wrote in message
news:kte6gaFpmpvU1@mid.individual.net...
> On 2023-12-07 16:11, SC Tom wrote:
>> Win11x64 running Defender
>> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a
>> folder that no longer exists (it was an old game trainer). I have tried
>> to Quarantine it, Remove it, and Allow on device, but it keeps popping up
>> that it's still there.
>> I have searched the PC and the registry for any instance of the file and
>> the backdoor name, but nothing shows up. I have done every scan listed in
>> Defender with the result of "0 threat(s) found".
>> Ran SuperantiSpyware and MalwareBytes; no threats found.
>> How do I get rid of this notification? After the first notice in
>> November, I thought it was taken care of, but it started popping up again
>> on December 1st and every day since. I'm sure the PC is clean; just can't
>> convince Defender of it.
>
> Maybe you have it configured to scan empty disk space.
>
> --

And where do you check that?

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3946&group=alt.comp.os.windows-11#3946

From: robin_listas@es.invalid (Carlos E. R.)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 19:13:04 +0100
Message-ID: <kteg9gFpmpvU3@mid.individual.net>
References: <uksnb9$1aad1$1@dont-email.me> <kte6gaFpmpvU1@mid.individual.net> <ukstrc$1baac$1@dont-email.me>
User-Agent: Mozilla Thunderbird
In-Reply-To: <ukstrc$1baac$1@dont-email.me>

On 2023-12-07 18:02, SC Tom wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote in message
> news:kte6gaFpmpvU1@mid.individual.net...
>> On 2023-12-07 16:11, SC Tom wrote:
>>> Win11x64 running Defender
>>> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a
>>> folder that no longer exists (it was an old game trainer). I have
>>> tried to Quarantine it, Remove it, and Allow on device, but it keeps
>>> popping up that it's still there.
>>> I have searched the PC and the registry for any instance of the file
>>> and the backdoor name, but nothing shows up. I have done every scan
>>> listed in Defender with the result of "0 threat(s) found".
>>> Ran SuperantiSpyware and MalwareBytes; no threats found.
>>> How do I get rid of this notification? After the first notice in
>>> November, I thought it was taken care of, but it started popping up
>>> again on December 1st and every day since. I'm sure the PC is clean;
>>> just can't convince Defender of it.
>>
>> Maybe you have it configured to scan empty disk space.

> And where do you check that?

I don't know where exactly, but some antivirus products do have that feature. I
would be surprised to learn that Defender does that by default.

--
Cheers,
Carlos E.R.

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3948&group=alt.comp.os.windows-11#3948

From: this@ddress.is.invalid (Frank Slootweg)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: 7 Dec 2023 18:47:06 GMT
Organization: NOYB
Message-ID: <ukt7ff.ouo.1@ID-201911.user.individual.net>
References: <uksnb9$1aad1$1@dont-email.me>
User-Agent: tin/1.6.2-20030910 ("Pabbay") (UNIX) (CYGWIN_NT-10.0-WOW/2.8.0(0.309/5/3) (i686)) Hamster/2.0.2.2

SC Tom <sc@tom.net> wrote:
> Win11x64 running Defender
> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a folder
> that no longer exists (it was an old game trainer). I have tried to
> Quarantine it, Remove it, and Allow on device, but it keeps popping up that
> it's still there.
> I have searched the PC and the registry for any instance of the file and the
> backdoor name, but nothing shows up. I have done every scan listed in
> Defender with the result of "0 threat(s) found".
> Ran SuperantiSpyware and MalwareBytes; no threats found.
> How do I get rid of this notification? After the first notice in November, I
> thought it was taken care of, but it started popping up again on December
> 1st and every day since. I'm sure the PC is clean; just can't convince
> Defender of it.

Perhaps you can (re)create the "folder that no longer exists" and then
exclude that folder in Microsoft Defender Antivirus scans.

-> Windows Security -> Virus & threat protection -> Virus & threat
protection settings -> Manage settings -> Exclusions -> Add or remove
exclusions -> + Add an exclusion -> Folder -> ...

BTW, I seem to have a similar situation for some 'threats' in absent
files (in my case expired backups on my NAS), but 1) I can't remember
getting any nasty notifications for those (but I must confess I don't
pay much attention to notifications, because I get way too many normal
ones) and 2) in 'Protection history' it says:

"We can't find this threat any more, please run
Microsoft Defender Antivirus (offline scan)"

I don't see how an offline scan would fix this issue, but you never
know. Did you try to do an offline scan?

Virus & threat protection -> Current threats -> Scan options ->
* Microsoft Defender Antivirus (offline scan) -> Scan now
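
An added PowerShell diagnostic, not from the thread, that uses the built-in Defender module cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference, Add-MpPreference, Start-MpWDOScan) to show what the recurring notification actually refers to and to automate the two suggestions above: it lists the history entries for the threat name from the original post, tests whether each referenced path still exists, optionally recreates and excludes the missing folder, and optionally starts the offline scan. The 'file:_<path>' format of the Resources strings is an assumption, as are the switch names; run it from an elevated PowerShell prompt.

```powershell
# Added diagnostic (not from the thread): inspect a Defender detection whose
# referenced path may no longer exist. Run from an elevated PowerShell prompt.
# The threat name is the one from the original post; -OfflineScan reboots.
param(
    [string]$ThreatName = 'Backdoor:Win32/Bladabindi!ml',
    [switch]$RecreateAndExclude,   # Frank's workaround: recreate folder, exclude it
    [switch]$OfflineScan           # Frank's other suggestion: Defender offline scan
)

Import-Module Defender -ErrorAction Stop

# 1. History entries for this threat name (what the daily notification refers to)
$threats = @(Get-MpThreat | Where-Object { $_.ThreatName -eq $ThreatName })
if ($threats.Count -eq 0) {
    Write-Output "No Defender history entry for '$ThreatName'."
    return
}

foreach ($t in $threats) {
    Write-Output ("ThreatID {0}  Active={1}" -f $t.ThreatID, $t.IsActive)

    # Each detection event for this ThreatID, oldest first
    Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $t.ThreatID } |
        Sort-Object InitialDetectionTime |
        ForEach-Object {
            Write-Output ("  detected {0}  status={1}  actionOk={2}  proc={3}" -f
                $_.InitialDetectionTime, $_.ThreatStatusID, $_.ActionSuccess, $_.ProcessName)
        }

    # Resources are strings such as 'file:_C:\Games\trainer.exe' (assumed format);
    # strip the '<kind>:_' prefix and test whether the path is still on disk.
    foreach ($res in $t.Resources) {
        $path = $res -replace '^[A-Za-z]+:_', ''
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $onDisk = Test-Path -LiteralPath $path
        Write-Output ("  resource {0}  exists={1}" -f $res, $onDisk)

        if (-not $onDisk -and $RecreateAndExclude) {
            # Recreate the (now empty) folder and exclude it, as Frank proposes.
            # An exclusion removes that folder from scanning, so keep the list short.
            $folder = if ([IO.Path]::HasExtension($path)) { Split-Path -Parent $path } else { $path }
            New-Item -ItemType Directory -Path $folder -Force | Out-Null
            Add-MpPreference -ExclusionPath $folder
            Write-Output "  recreated and excluded: $folder"
        }
    }
}

# 2. Show the exclusion list so stale or over-broad entries are visible
Write-Output 'Current folder exclusions:'
(Get-MpPreference).ExclusionPath | ForEach-Object { Write-Output "  $_" }

# 3. Optionally start the offline scan (Windows reboots into the scan environment)
if ($OfflineScan) { Start-MpWDOScan }
```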

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3956&group=alt.comp.os.windows-11#3956

From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 14:34:07 -0600
Organization: Usenet Elder
Message-ID: <1w93w40kxdw3.dlg@v.nguard.lh>
References: <uksnb9$1aad1$1@dont-email.me>
User-Agent: 40tude_Dialog/2.0.15.41

SC Tom <sc@tom.net> wrote:

> "Backdoor:Win32/Bladabindi!ml"

Have you gone into every web browser in your system to purge their
locally cached data, like cached pages? In addition, you may have to
delete Defender's history to get rid of a pest that it may have already
disinfected.

https://www.partitionwizard.com/partitionmagic/windows-defender-identifies-the-same-threat-repeatedly.html

The malware is described here, and lots of other places:

https://malwarefixes.com/threats/backdoorwin32-bladabindiml/

I wouldn't bother installing to run any of the suggested software,
or I'd get the software direct from the author sites instead of whatever
this site doles to you. Defender is already finding the pest, so you
want to remove it, or remove whatever is triggering Defender that the
pest exists. If you've run the backdoor, it doesn't matter in which folder
it was originally found. It infects the registry, and several system
files.

There are config tools for Defender that will reveal a lot more settings
than what are presented in Defender's GUI panel. I haven't used any,
but have read about them, like:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide

Many 3rd-party config tools use the policy editor (gpedit.msc is not
available in Home editions of Windows, but all policies are registry
entries) or Powershell cmdlets, like:

ConfigureDefender
https://www.majorgeeks.com/files/details/configuredefender.html
https://www.bleepingcomputer.com/news/microsoft/windows-10-defenders-hidden-features-revealed-by-this-free-tool/
https://github.com/AndyFul/ConfigureDefender

Some other Defender tweakers are listed at:

https://www.oldergeeks.com/downloads/category.php?id=237

Be careful as you could so throttle your system as to be unusable. When
usurping the role of sysadmin, it's your responsibility to know what
you're doing. I remember using xxx which suggested changing to FIPS
from SSL, but then all web browsers failed on SSL/TLS connects.

If you do install additional anti-malware tools, you'll have to decide
whether to rely on their on-demand scanner instead of Defender, or to
use the new tool as a secondary opinion scanner (disable its on-demand
scanner to only use its manual scanner). While the article mentions
Sophos (which I've used their Intercept-X on my Android phone), I'd
first try MalwareBytes AntiMalware (MBAM). When installing, or soon
after installing if the installer doesn't offer the option, disable its
on-demand (real-time) scanner to use only as a 2nd-opinion manual
scanner. I know many folks prefer more features or protections than
what Defender provides. At one time, Defender was only an anti-spyware
tool, but Microsoft added their Endpoint client to Defender which made
it an anti-malware tool that compares very well against other 3rd-party
choices (see av-comparatives.org). Yet some tools work better than
others against specific pests. You might want to research
alternative AV tools, like Bitdefender. Just remember the free versions
are missing some features in the payware versions. av-comparatives.org
tests only against the payware versions unless a product only has a
freeware version. While I don't and never have used Kaspersky, the US
gov't banned its use on their computers because it is Russian-ware, but
have never proved it performs any untoward behavior. Free Avast is
adware. All Avast products contain ad platform code. When they
acquired Piriform, they integrated their ad code into CCleaner. Avast
acquired AVG, so selecting AVG means selecting Avast, so you might as
well use Avast if you choose that author for AV protection. I don't
recall whether G Data has a free version. It uses their own scanner along
with incorporating Bitdefender. G Data uses a simple (mundane) GUI which
doesn't bury its features unlike having to drill through menus in ESET.
BitDefender Free is super easy to use, but likewise missing lots of
features in its payware version. When visiting av-comparatives.org to
decide on which 3rd-party AV tools to test, it isn't just about pest
coverage although that is a very important criterion. You don't want to
use something that wastes lots of your time with false positives. You
want something that impacts little the responsiveness of your system.
Use their various tests (under Consumer) to decide on your criteria
which would be the best choice for you. Also be aware that some
incorporate cloud scanning: unknowns are sent to their server for more
thorough analysis, and that takes time, plus the extra coverage is not
available when offline. When looking at av-comparatives.org's Malware
Protection Test, check which have the highest offline detection rate.
Extra detection via cloud scanning is okay, but you may not always be
online, especially if the malware kills your network connection.
Bitdefender and G Data get the highest offline detection rates.
However, Bitdefender Free may have the same sig database as the payware
version, but the free version may not have all the heuristics detection
of the payware version. Avast/AVG and Avira reach 99% only when online.
Kaspersky, Defender, ESET, Norton, and others are crap when offline, but
reach 99% when online.

When you install AV software, and provided it generates the registry
key by which Windows authorizes it as a replacement, it will replace
Defender (which you can still use as a manual scanner). The new AV
replaces Defender. There are compatibility registry settings the
3rd-party AV software must establish to replace Defender, but I'm not
going to research those again.

You have to restore the system files that it infects. The
malwarefixes article mentions explorer.exe (File Explorer and desktop
GUI manager), iexplore.exe (you really should've removed Internet
Explorer long ago), several web browsers (firefox.exe, chrome.exe,
opera.exe, safari.exe). You won't find the injected code when searching
on registry or file system entries.

Do you use a backup program? If so, do you schedule it to run
periodically, like every day? If so, how long is the retention on your
backups (how far do they go back)? Backups that are manually instigated
by a user are almost guaranteed to never get done, or at so coarse a
granularity and irregularly that they are rather useless for restoring
the system back to a prior known state. If you do backups, you may have
to walk back through them until a Defender scan no longer finds the
pest, and so the executable files will not have been infected yet.

If you don't do backups (which to me indicates an irresponsible or lazy
user), and also protect them against ransomware, then you'll have to try
to mend your system. However, once infected, disinfection can be
difficult if not impossible. You could try to run the System File
Checker (sfc.exe) to replace any Windows system files.

sfc.exe /scannow

This is run in a console window (cmd.exe). If run using Win+R, the
shell unloads immediately after the program exits, so you can't see any
error or status messages. Run "sfc /?" to get some help on using sfc,
or read:

https://support.microsoft.com/en-au/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e

which suggests you first try using DISM (Deployment Image Servicing and
Management), like running:

dism.exe /Online /Cleanup-image /Restorehealth

If you've disabled Windows Update (which I have), you have to reenable
it to run DISM.

However, those won't help with the other infected files, like the web
browsers (I don't know if explorer.exe is considered a system file, but
it's used for both the File Explorer tool and as the desktop GUI manager).
For Defender to be effective, it must run its actions (Remove,
Quarantine/move) with System privileges; else, user-mode actions can
easily fail. There are lots of tricks a-holes use to protect their
folders and registry entries, like using non-printable characters in the
folder or registry entry names. File Explorer won't show the
characters, but the actions the user requests of it will use only the
displayable characters. The same for regedit.exe. There are hex
editors that will show the non-printable characters (in the hex values
pane) for both the file system and registry which will allow you to edit
based on the real name instead of the displayed name. I doubt you want
to delve into hex editing of the file system looking for non-printable
chars in file/folder names or registry entries, or dig into .exe files
hunting for pest code.

If you save backups, walk back through them until Defender no longer
alerts to the pest. Or try DISM and sfc to restore, at least, the
Windows system files, and then you'll have to step on your current
web browser installs by doing new installs using installers you get from
the author sites.
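
An added PowerShell check, not from the thread, for the hiding trick VanguardLH describes: it walks a few file-system roots and the two Run keys and reports any file, folder, registry value or subkey whose name contains characters that Explorer and regedit render invisibly (control and Unicode format characters, trailing spaces or dots), printing every code point so the real name is visible. The roots scanned are assumptions; pass your own with -FsRoots and -RegRoots.

```powershell
# Added example (not from the thread): find file-system and registry names that
# contain characters Explorer and regedit render invisibly (control and Unicode
# format characters, trailing spaces or dots), the hiding trick described above.
# The roots scanned are assumptions; adjust them to the system being checked.
param(
    [string[]]$FsRoots  = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA),
    [string[]]$RegRoots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
)

function Test-HiddenChars {
    param([string]$Name)
    foreach ($ch in $Name.ToCharArray()) {
        $cat = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
        if ($cat -eq [Globalization.UnicodeCategory]::Control -or
            $cat -eq [Globalization.UnicodeCategory]::Format  -or
            $cat -eq [Globalization.UnicodeCategory]::OtherNotAssigned) {
            return $true
        }
    }
    # Names ending in a space or dot are rejected by Win32 but can exist on NTFS
    return ($Name -ne $Name.TrimEnd(' ', '.'))
}

function Format-CodePoints {
    param([string]$Name)
    # Spell out every code point so the real name, not the rendered one, is visible
    ($Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
}

foreach ($root in $FsRoots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-HiddenChars $_.Name } |
        ForEach-Object {
            Write-Output ("FS  {0}`n    [{1}]" -f $_.FullName, (Format-CodePoints $_.Name))
        }
}

foreach ($root in $RegRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $key = Get-Item -LiteralPath $root
    # Check both value names and subkey names under each root
    $names = @($key.GetValueNames()) + @($key.GetSubKeyNames())
    foreach ($n in $names) {
        if (Test-HiddenChars $n) {
            Write-Output ("REG {0}\{1}`n    [{2}]" -f $root, $n, (Format-CodePoints $n))
        }
    }
}
```

A hit is a lead, not a verdict: compare the listed code points against what a legitimate installer would have written before deleting anything.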

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3958&group=alt.comp.os.windows-11#3958

From: Paul@Houston.Texas (Paul in Houston TX)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 18:06:12 -0600
Organization: A noiseless patient Spider
Message-ID: <uktmm2$1etik$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.8
In-Reply-To: <uksnb9$1aad1$1@dont-email.me>

SC Tom wrote:
> Win11x64 running Defender
> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a
> folder that no longer exists (it was an old game trainer). I have tried
> to Quarantine it, Remove it, and Allow on device, but it keeps popping
> up that it's still there.
> I have searched the PC and the registry for any instance of the file and
> the backdoor name, but nothing shows up. I have done every scan listed
> in Defender with the result of "0 threat(s) found".
> Ran SuperantiSpyware and MalwareBytes; no threats found.
> How do I get rid of this notification? After the first notice in
> November, I thought it was taken care of, but it started popping up
> again on December 1st and every day since. I'm sure the PC is clean;
> just can't convince Defender of it.
>
> TIA!
> SCTom

It sounds like you are using Windows to scan Windows while Windows is
active. That often does not work with many modern viruses.
What did the Kaspersky boot from Linux USB scan show?

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3959&group=alt.comp.os.windows-11#3959

From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Thu, 7 Dec 2023 20:05:20 -0500
Organization: A noiseless patient Spider
Message-ID: <uktq4i$1fahi$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
In-Reply-To: <uksnb9$1aad1$1@dont-email.me>

On 12/7/2023 10:11 AM, SC Tom wrote:
> Win11x64 running Defender
> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a folder that no longer exists (it was an old game trainer). I have tried to Quarantine it, Remove it, and Allow on device, but it keeps popping up that it's still there.
> I have searched the PC and the registry for any instance of the file and the backdoor name, but nothing shows up. I have done every scan listed in Defender with the result of "0 threat(s) found".
> Ran SuperantiSpyware and MalwareBytes; no threats found.
> How do I get rid of this notification? After the first notice in November, I thought it was taken care of, but it started popping up again on December 1st and every day since. I'm sure the PC is clean; just can't convince Defender of it.
>
> TIA!
> SCTom
>
>

Settings : System : System Components : Windows Security : (Dot Dot Dot) :

Then scroll down to the Terminate/Reset/Remove section.

Select Reset : Reset_Button

and that should blow away the metadata as well as re-download the WD application.

After that, my next step is Repair Install, if a Reset-Reset doesn't work.

*******

I was going to show you a picture of the above, but the same bug I reported
a couple days ago to Feedback Hub, just froze GIMP on me in the middle of edits. Fuck!
Fuck rolling releases.

See? This wouldn't have happened if I was still running WinXP!
because no one would be screwing with the display subsystem as
part of a November Patch Tuesday. Now what do I do ? <Repair Install, coming up>

Paul

Re: Non-existent Virus Found

https://news.novabbs.org/computers/article-flat.php?id=3968&group=alt.comp.os.windows-11#3968

From: sc@tom.net (SC Tom)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Fri, 8 Dec 2023 07:20:19 -0500
Organization: A noiseless patient Spider
Message-ID: <ukv1m5$1o2im$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh>
In-Reply-To: <1w93w40kxdw3.dlg@v.nguard.lh>
X-Newsreader: Microsoft Windows Live Mail 14.0.8117.416

"VanguardLH" <V@nguard.LH> wrote in message
news:1w93w40kxdw3.dlg@v.nguard.lh...
> SC Tom <sc@tom.net> wrote:
>
>> "Backdoor:Win32/Bladabindi!ml"
>
> Have you gone into every web browser in your system to purge their
> locally cached data, like cached pages? In addition, you may have to
> delete Defender's history to get rid of a pest that it may have already
> disinfected.
>
> https://www.partitionwizard.com/partitionmagic/windows-defender-identifies-the-same-threat-repeatedly.html
>
> The malware is described here, and lots of other places:
>
> https://malwarefixes.com/threats/backdoorwin32-bladabindiml/
>
> I wouldn't bother installing to run any of the the suggested software,
> or I'd get the software direct from the author sites instead of whatever
> this site doles to you. Defender is already finding the pest, so you
> want to remove it, or remove whatever is triggering Defender that the
> pest exists. If you've ran the backdoor, doesn't matter in which folder
> it was originally found. It infects the registry, and several system
> files.
>
> There are config tools for Defender that will reveal a lot more settings
> than what are presented in Defender's GUI panel. I haven't used any,
> but have read about them, like:
>
> https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide
>
> Many 3rd-party config tools use the policy editor (gpedit.msc is not
> available in Home editions of Windows, but all policies are registry
> entries) or Powershell cmdlets, like:
>
> ConfigureDefender
> https://www.majorgeeks.com/files/details/configuredefender.html
> https://www.bleepingcomputer.com/news/microsoft/windows-10-defenders-hidden-features-revealed-by-this-free-tool/
> https://github.com/AndyFul/ConfigureDefender
>
> Some other Defender tweakers are listed at:
>
> https://www.oldergeeks.com/downloads/category.php?id=237
>
> Be careful as you could so throttle your system as to be unusable. When
> usurping the role of sysadmin, it's your responsibility to know what
> you're doing. I remember using xxx which suggesting changing to FIPS
> from SSL, but then all web browsers failed on SSL/TLS connects.
>
> If you do install additional anti-malware tools, you'll have to decide
> whether to rely on their on-demand scanner instead of Defender, or to
> use the new tool as a secondary opinion scanner (disable its on-demand
> scanner to only use its manual scanner). While the article mentions
> Sophos (which I've used their Intercept-X on my Android phone), I'd
> first try MalwareBytes AntiMalware (MBAM). When installing, or soon
> after installing if the installer doesn't offer the option, disable its
> on-demand (real-time) scanner to use only as a 2nd-opinion manual
> scanner. I know many folks prefer more features or protections than
> what Defender provides. At one time, Defender was only an anti-spyware
> tool, but Microsoft added their Endpoint client to Defender which made
> it an anti-malware tool that compares very well against other 3rd-party
> choices (see av-comparatives.org). Yet some tools work better than
> others against specific pests. You might want to research on
> alternative AV tools, like Bitdefender, Just remember the free versions
> are missing some features in the payware versions. av-comparatives.org
> tests only against the payware versions unless a product only has a
> freeware version. While I don't and never have used Kaspersky, the US
> gov't banned its use on their computers because it is Russian-ware, but
> has never proved it performs any untoward behavior. Free Avast is
> adware. All Avast products contain ad platform code. When they
> acquired Piriform, they integrated their ad code into CCleaner. Avast
> acquired AVG, so selecting AVG means selecting Avast, so you might as
> well use Avast if you choose that author for AV protection. I don't
> recall G Data having a free version. It uses their own scanner along with
> incorporating Bitdefender. G Data uses a simple (mundane) GUI which
> doesn't bury its features unlike having to drill through menus in ESET.
> BitDefender Free is super easy to use, but likewise missing lots of
> features in its payware version. When visiting av-comparatives.org to
> decide on which 3rd-party AV tools to test, it isn't just about pest
> coverage although that is a very important criterion. You don't want to
> use something that wastes lots of your time with false positives. You
> want something that impacts little the responsiveness of your system.
> Use their various tests (under Consumer) to decide on your criteria
> which would be the best choice for you. Also be aware that some
> incorporate cloud scanning: unknowns are sent to their server for more
> thorough analysis, and that takes time, plus the extra coverage is not
> available when offline. When looking at av-comparatives.org's Malware
> Protection Test, check which have the highest offline detection rate.
> Extra detection via cloud scanning is okay, but you may not always be
> online, especially if the malware kills your network connection.
> Bitdefender and G Data get the highest offline detection rates.
> However, Bitdefender Free may have the same sig database as the payware
> version, but the free version may not have all the heuristics detection
> of the payware version. Avast/AVG and Avira reach 99% only when online.
> Kaspersky, Defender, ESET, Norton, and others are crap when offline, but
> reach 99% when online.
>
> When you install AV software, and providing it generates the registry
> key that has Windows authorize it as a replacement, it will replace
> Defender (which you can still use as a manual scanner). The new AV
> replaces Defender. There are compatibility registry settings the
> 3rd-party AV software must establish to replace Defender, but I'm not
> going to research those again.
>
> You have to restore the system files that it infects. The
> malwarefixes article mentions explorer.exe (File Explorer and desktop
> GUI manager), iexplore.exe (you really should've removed Internet
> Explorer long ago), several web browsers (firefox.exe, chrome.exe,
> opera.exe, safari.exe). You won't find the injected code when searching
> on registry or file system entries.
>
> Do you use a backup program? If so, do you schedule it to run
> periodically, like every day? If so, how long is the retention on your
> backups (how far do they go back)? Backups that are manually instigated
> by a user are almost guaranteed to never get done, or at so coarse a
> granularity and irregularly that they are rather useless for restoring
> the system back to a prior known state. If you do backups, you may have
> to walk back through them until a Defender scan no longer finds the
> pest, and so the executable files will not have been infected yet.
>
> If you don't do backups (which to me indicates an irresponsible or lazy
> user), and also protect them against ransomware, then you'll have to try
> to mend your system. However, once infected, disinfection can be
> difficult if not impossible. You could try to run the System File
> Checker (sfc.exe) to replace any Windows system files.
>
> sfc.exe /scannow
>
> This is run in a console window (cmd.exe). If run using Win+R, the
> shell unloads immediately after the program exits, so you can't see any
> error or status messages. Run "sfc /?" to get some help on using sfc,
> or read:
>
> https://support.microsoft.com/en-au/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e
>
> which suggests you first try using DISM (Deployment Image Servicing and
> Management), like running:
>
> dism.exe /Online /Cleanup-image /Restorehealth
>
> If you've disabled Windows Update (which I have), you have to reenable
> it to run DISM.
>
> However, those won't help with the other infected files, like the web
> browsers (I don't know if explorer.exe is considered a system file, but
> it is used for both the File Explorer tool and as the desktop GUI manager).
> For Defender to be effective, it must run its actions (Remove,
> Quarantine/move) with System privileges; else, user-mode actions can
> easily fail. There are lots of tricks a-holes use to protect their
> folders and registry entries, like using non-printable characters in the
> folder or registry entry names. File Explorer won't show the
> characters, but the actions the user requests of it will use only the
> displayable characters. The same for regedit.exe. There are hex
> editors that will show the non-printable characters (in the hex values
> pane) for both the file system and registry which will allow you to edit
> based on the real name instead of the displayed name. I doubt you want
> to delve into hex editing of the file system looking for non-printable
> chars in file/folder names or registry entries, or dig into .exe files
> hunting for pest code.
>
> If you save backups, walk back through them until Defender no longer
> alerts to the pest. Or try DISM and sfc to restore, at least, the
> Windows system files, and then you'll have to step on your current
> web browser installs by doing new installs using installers you get from
> the author sites.
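
The hex-editor tip above is about names that look normal in File Explorer or regedit but carry characters the GUI never shows. As an added example (my script, not anything from the thread), this PowerShell scan lists file and folder names under a root that contain such characters and prints their code points; the root path and the character classes it flags are my assumptions.

```powershell
# Added example, not from the thread: find file/folder names under $Root
# that contain characters File Explorer will not display, and show them
# with the hidden code points escaped. Root and flagged classes are assumed.
param([string]$Root = 'C:\ProgramData')

function Test-HiddenChars {
    param([string]$Name)
    foreach ($ch in $Name.ToCharArray()) {
        $cat = [System.Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
        # Control chars (0x00-0x1F, 0x7F-0x9F), Unicode "format" chars such
        # as zero-width joiners and bidi overrides, and unassigned code
        # points all render as nothing, or as something else, in the GUI.
        if ($cat -in @('Control', 'Format', 'OtherNotAssigned')) { return $true }
    }
    # A trailing space or dot survives on NTFS but is dropped by normal
    # Win32 path handling, so it hides a name just as well.
    return $Name -match '[ .]$'
}

function Format-Escaped {
    param([string]$Name)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) {
            # Non-ASCII or non-printable: emit as \uXXXX so it is visible.
            [void]$sb.AppendFormat('\u{0:X4}', $code)
        } else {
            [void]$sb.Append($ch)
        }
    }
    return $sb.ToString()
}

# -LiteralPath so nothing is wildcard-expanded, -Force to include hidden
# and system entries; access-denied folders are skipped, not fatal.
$entries = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
$found = 0
foreach ($e in $entries) {
    if (Test-HiddenChars $e.Name) {
        $found++
        '{0}  ->  {1}' -f $e.FullName, (Format-Escaped $e.Name)
    }
}
'Scanned {0} entries under {1}; {2} with non-displayable characters.' -f $entries.Count, $Root, $found
```

Anything it reports can then be handled with -LiteralPath (for example Rename-Item -LiteralPath) using the escaped form to build the real name, without needing a hex editor.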


Re: Non-existent Virus Found

<1a0p1nl4ba4bf$.dlg@v.nguard.lh>

https://news.novabbs.org/computers/article-flat.php?id=3975&group=alt.comp.os.windows-11#3975

Newsgroups: alt.comp.os.windows-11
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Fri, 8 Dec 2023 09:46:35 -0600
Organization: Usenet Elder
Lines: 75
Sender: V@nguard.LH
Message-ID: <1a0p1nl4ba4bf$.dlg@v.nguard.lh>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh> <ukv1m5$1o2im$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Fri, 8 Dec 2023 15:46 UTC

SC Tom <sc@tom.net> wrote:

> I found a command line to run that would delete the history folder
> (C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\)
> since I couldn't access it, or change the security settings to do so,
> and of course it said "That folder doesn't exist".

No idea what you ran at the command line. Probably doesn't do the
security changes in the correct order. I was able to go to:

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

in File Explorer. C:\ProgramData is a hidden folder, but that does not
prevent you from navigating into it. Instead of entering the entire
navpath to the Service folder, walk through each folder one at a time.
First enter C:\ProgramData in the address bar. Click in the address bar
to change from showing tokens to showing the complete path. Then
append Microsoft. Repeat until you've walked into the Service folder.

I was logged in under a Windows account that has admin privileges.
Under there, I was also able to go into the DetectionHistory subfolder.
I didn't bother to delete it. However, it may have permissions that you
have to change to delete it. Lots of admin functions require that you are
logged in under an admin account (a Windows account under the
Administrators security group). When I right click on the Service
folder, Properties, Security tab, its security settings are:

Group or user names:
SYSTEM
<myaccount>
Administrators
TrustedInstaller
Permissions (same for each group/account):
Full control

Click the Advanced button to see the owner of the folder:
Owner = SYSTEM

If your Windows account is not listed with full control permissions, or
you are not logged in under an account in the Administrators security
group, then you likely won't have full control which allows delete.
First, login using a Windows account in the Administrators security
group (i.e., an account with admin privileges). Second, if the
Administrators security group is not listed as having full control, you
have to check if you can take ownership of the folder. Go into the
Advanced panel, and click Change, and select your own admin account.
Click Apply. Do not attempt to perform more security functions. Do
them one at a time. After changing the owner to yourself, click Apply
and then OK to walk back to the prior panel (Security tab in
Properties), and click Advanced again. That ensures the owner change
took effect. In the Permissions tab, since you are now the owner
of the folder, add your own admin account, click Apply and OK. Back in
the Properties/Security tab, change permissions for your account to
grant full control. Click Apply and OK. The DetectionHistory subfolder
should now appear under the Service folder. Delete it; however, you
may have to also change owner and permissions as described before you
can delete. You might want to rename instead of delete. If the bogus
alert from Defender disappears, you can then delete the renamed folder.

If, when navigating the above navpath one folder at a time, you get to
where you don't have security access to the folder, or entering it
doesn't move into it (it could have the hidden file attribute), you have
to take ownership and change accounts/permissions to the parent folder.
I have seen where not having permissions means a folder is not seen
until you take ownership (to your account or to the Administrators
security group), apply that change, add your account or Administrators
security group (which you should be logged into, anyway), and take full
control, and apply, and then refresh the view in File Explorer, because
then you'll have Read permissions, and write and delete permissions.

But don't bother with all of that until if and when the bogus alert
appears from Defender. Maybe restarting the service was all that was
needed. Since you managed to stop/start a service using sc.exe at a
command line or using services.msc, it looks like you were logged in under
an admin-level Windows account.
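
The take-ownership, grant-full-control, then rename sequence above, done from an elevated PowerShell instead of the File Explorer dialogs, as an added example (my script, not VanguardLH's). The folder path is the one named in the post; the elevation check, the use of takeown.exe and icacls.exe, and the rename suffix are my assumptions.

```powershell
# Added example, not from the thread: the File Explorer steps above, done
# one security change at a time, with a check after each, from an
# elevated PowerShell. Path is from the post; the rest is assumed.
$service = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service'
$target  = Join-Path $service 'DetectionHistory'

# Step 0: the post stresses this only works from an Administrators account.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

# Record what Defender currently reports before touching anything.
'Defender threat records before:'
Get-MpThreat | Select-Object ThreatName, SeverityID | Format-Table -AutoSize

# Step 1: take ownership of the Service folder and its subtree.
# /R recurses; /D Y answers "yes" for subfolders that cannot even be listed.
takeown.exe /F $service /R /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Confirm the owner change took effect before changing permissions,
# as the post recommends (do not stack security changes in one go).
$owner = (Get-Acl -LiteralPath $service).Owner
"Owner of Service folder is now: $owner"
if ($owner -ne $id.Name) { throw "Ownership did not change (still $owner); stopping here." }

# Step 2: only now grant your own account full control, inherited downward.
# (OI)(CI) = object/container inherit, F = full control, /T = whole subtree.
icacls.exe $service /grant "$($id.Name):(OI)(CI)F" /T | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 3: rename rather than delete, so the history can be put back if the
# bogus alert turns out not to come from this folder.
if (Test-Path -LiteralPath $target) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -LiteralPath $target -NewName "DetectionHistory.$stamp.bak"
    "Renamed DetectionHistory to DetectionHistory.$stamp.bak"
} else {
    "No DetectionHistory folder under $service (nothing to rename)."
}

# After restarting the Defender service (or rebooting), re-run Get-MpThreat;
# if the stale record is gone, the renamed folder can be deleted.
```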

Re: Non-existent Virus Found

<ukvf88$1pqn7$2@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=3977&group=alt.comp.os.windows-11#3977

Newsgroups: alt.comp.os.windows-11
From: Bears@invalid.com (Big Al)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Fri, 8 Dec 2023 11:11:52 -0500
Organization: A noiseless patient Spider
Lines: 18
Message-ID: <ukvf88$1pqn7$2@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh>
<ukv1m5$1o2im$1@dont-email.me> <1a0p1nl4ba4bf$.dlg@v.nguard.lh>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 8 Dec 2023 16:11:52 -0000 (UTC)
User-Agent: Mozilla Thunderbird
In-Reply-To: <1a0p1nl4ba4bf$.dlg@v.nguard.lh>
Content-Language: en-US
 by: Big Al - Fri, 8 Dec 2023 16:11 UTC

On 12/8/23 10:46 AM, this is what VanguardLH wrote:
> No idea what you ran at the command line. Probably doesn't do the
> security changes in the correct order. I was able to go to:
>
> C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
>
> in File Explorer. C:\ProgramData is a hidden folder, but that does not
> prevent you from navigating into it. Instead of entering the entire
> navpath to the Service folder, walk through each folder one at a time.
> First enter C:\ProgramData in the address bar. Click in the address bar
> to change from showing tokens to showing the complete path. Then
> append Microsoft. Repeat until you've walked into the Service folder.

You can simply cut and paste that path into explorer and go there in one step. No need to 'browse'.
--
Linux Mint 21.2 Cinnamon
Al

Re: Non-existent Virus Found

<1vrtk9qgydigt.dlg@v.nguard.lh>

https://news.novabbs.org/computers/article-flat.php?id=3988&group=alt.comp.os.windows-11#3988

Newsgroups: alt.comp.os.windows-11
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Fri, 8 Dec 2023 14:11:51 -0600
Organization: Usenet Elder
Lines: 24
Sender: V@nguard.LH
Message-ID: <1vrtk9qgydigt.dlg@v.nguard.lh>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh> <ukv1m5$1o2im$1@dont-email.me> <1a0p1nl4ba4bf$.dlg@v.nguard.lh> <ukvf88$1pqn7$2@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Keywords: VanguardLH,VLH
User-Agent: 40tude_Dialog/2.0.15.41
 by: VanguardLH - Fri, 8 Dec 2023 20:11 UTC

Big Al <Bears@invalid.com> wrote:

> On 12/8/23 10:46 AM, this is what VanguardLH wrote:
>> No idea what you ran at the command line. Probably doesn't do the
>> security changes in the correct order. I was able to go to:
>>
>> C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
>>
>> in File Explorer. C:\ProgramData is a hidden folder, but that does not
>> prevent you from navigating into it. Instead of entering the entire
>> navpath to the Service folder, walk through each folder one at a time.
>> First enter C:\ProgramData in the address bar. Click in the address bar
>> to change from showing tokens to showing the complete path. Then
>> append Microsoft. Repeat until you've walked into the Service folder.
>
> You can simply cut and paste that path into explorer and go there in one step. No need to 'browse'.

I figured that is what he did, but at the command prompt, and one of the
folders in the navpath was inaccessible, so the whole path was unusable.
While logged in under an admin account, I had no problem visiting each
folder in the path which also means going direct to the full path.
Either the OP wasn't using an admin account, or there are permissions on
some of the folders that do not grant him access, which is why I mentioned
walking the path instead of jumping direct to the target.

Re: Non-existent Virus Found

<ul02fm$1srng$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=3989&group=alt.comp.os.windows-11#3989

Newsgroups: alt.comp.os.windows-11
From: Bears@invalid.com (Big Al)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Fri, 8 Dec 2023 16:40:06 -0500
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <ul02fm$1srng$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh>
<ukv1m5$1o2im$1@dont-email.me> <1a0p1nl4ba4bf$.dlg@v.nguard.lh>
<ukvf88$1pqn7$2@dont-email.me> <1vrtk9qgydigt.dlg@v.nguard.lh>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 8 Dec 2023 21:40:06 -0000 (UTC)
User-Agent: Mozilla Thunderbird
In-Reply-To: <1vrtk9qgydigt.dlg@v.nguard.lh>
Content-Language: en-US
 by: Big Al - Fri, 8 Dec 2023 21:40 UTC

On 12/8/23 03:11 PM, this is what VanguardLH wrote:
> Big Al <Bears@invalid.com> wrote:
>
>> On 12/8/23 10:46 AM, this is what VanguardLH wrote:
>>> No idea what you ran at the command line. Probably doesn't do the
>>> security changes in the correct order. I was able to go to:
>>>
>>> C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
>>>
>>> in File Explorer. C:\ProgramData is a hidden folder, but that does not
>>> prevent you from navigating into it. Instead of entering the entire
>>> navpath to the Service folder, walk through each folder one at a time.
>>> First enter C:\ProgramData in the address bar. Click in the address bar
>>> to change from showing tokens to showing the complete path. Then
>>> append Microsoft. Repeat until you've walked into the Service folder.
>>
>> You can simply cut and paste that path into explorer and go there in one step. No need to 'browse'.
>
> I figured that is what he did, but at the command prompt, and one of the
> folders in the navpath was inaccessible, so the whole path was unusable.
> While logged in under an admin account, I had no problem visiting each
> folder in the path which also means going direct to the full path.
> Either the OP wasn't using an admin account, or there are permissions on
> some of the folders that do not grant him access, which is why I mentioned
> walking the path instead of jumping direct to the target.
'Tis true, I keep forgetting about permissions. I deal with it so little.
--
Linux Mint 21.2 Cinnamon
Al

OT: Re: Non-existent Virus Found

<ul1e03$25r4p$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=3994&group=alt.comp.os.windows-11#3994

Newsgroups: alt.comp.os.windows-11
From: wasbit@nowhere.com (wasbit)
Newsgroups: alt.comp.os.windows-11
Subject: OT: Re: Non-existent Virus Found
Date: Sat, 9 Dec 2023 10:02:43 +0000
Organization: A noiseless patient Spider
Lines: 24
Message-ID: <ul1e03$25r4p$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh>
<ukv1m5$1o2im$1@dont-email.me> <1a0p1nl4ba4bf$.dlg@v.nguard.lh>
<ukvf88$1pqn7$2@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 9 Dec 2023 10:02:44 -0000 (UTC)
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:5.0) Aura/20220608
Interlink/52.9.8194
In-Reply-To: <ukvf88$1pqn7$2@dont-email.me>
Content-Language: en-US
 by: wasbit - Sat, 9 Dec 2023 10:02 UTC

On 08/12/2023 16:11, Big Al wrote:
> On 12/8/23 10:46 AM, this is what VanguardLH wrote:
>> No idea what you ran at the command line.  Probably doesn't do the
>> security changes in the correct order.  I was able to go to:
>>
>> C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
>>
>> in File Explorer.  C:\ProgramData is a hidden folder, but that does not
>> prevent you from navigating into it.  Instead of entering the entire
>> navpath to the Service folder, walk through each folder one at a time.
>> First enter C:\ProgramData in the address bar.  Click in the address bar
>> to change from showing tokens to showing the complete path.  Then
>> append Microsoft.  Repeat until you've walked into the Service folder.
>
> You can simply cut and paste that path into explorer and go there in one
> step.  No need to 'browse'.

IMO, 'Copy & paste' is better than 'cut & paste' as it leaves the
original in place, unless of course you want the original removed.

--
Regards
wasbit

Re: Non-existent Virus Found

<ul1j7b$26gmt$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=3995&group=alt.comp.os.windows-11#3995

Newsgroups: alt.comp.os.windows-11
From: sc@tom.net (SC Tom)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Sat, 9 Dec 2023 06:31:52 -0500
Organization: A noiseless patient Spider
Lines: 3
Message-ID: <ul1j7b$26gmt$1@dont-email.me>
References: <uksnb9$1aad1$1@dont-email.me> <1w93w40kxdw3.dlg@v.nguard.lh> <ukv1m5$1o2im$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=response
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 9 Dec 2023 11:31:55 -0000 (UTC)
X-Newsreader: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416
Importance: Normal
X-MSMail-Priority: Normal
In-Reply-To: <ukv1m5$1o2im$1@dont-email.me>
X-Priority: 3
 by: SC Tom - Sat, 9 Dec 2023 11:31 UTC

"SC Tom" <sc@tom.net> wrote in message news:ukv1m5$1o2im$1@dont-email.me...
>
>
> "VanguardLH" <V@nguard.LH> wrote in message
> news:1w93w40kxdw3.dlg@v.nguard.lh...
>> SC Tom <sc@tom.net> wrote:
>>
>>> "Backdoor:Win32/Bladabindi!ml"
>>
>> Have you gone into every web browser in your system to purge their
>> locally cached data, like cached pages? In addition, you may have to
>> delete Defender's history to get rid of a pest that it may have already
>> disinfected.
>>
>> https://www.partitionwizard.com/partitionmagic/windows-defender-identifies-the-same-threat-repeatedly.html
>>
>> The malware is described here, and lots of other places:
>>
>> https://malwarefixes.com/threats/backdoorwin32-bladabindiml/
>>
>> I wouldn't bother installing to run any of the suggested software,
>> or I'd get the software direct from the author sites instead of whatever
>> this site doles to you. Defender is already finding the pest, so you
>> want to remove it, or remove whatever is triggering Defender that the
>> pest exists. If you've run the backdoor, doesn't matter in which folder
>> it was originally found. It infects the registry, and several system
>> files.
>>
>> There are config tools for Defender that will reveal a lot more settings
>> than what are presented in Defender's GUI panel. I haven't used any,
>> but have read about them, like:
>>
>> https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide
>>
>> Many 3rd-party config tools use the policy editor (gpedit.msc is not
>> available in Home editions of Windows, but all policies are registry
>> entries) or Powershell cmdlets, like:
>>
>> ConfigureDefender
>> https://www.majorgeeks.com/files/details/configuredefender.html
>> https://www.bleepingcomputer.com/news/microsoft/windows-10-defenders-hidden-features-revealed-by-this-free-tool/
>> https://github.com/AndyFul/ConfigureDefender
>>
>> Some other Defender tweakers are listed at:
>>
>> https://www.oldergeeks.com/downloads/category.php?id=237
>>
>> Be careful as you could so throttle your system as to be unusable. When
>> usurping the role of sysadmin, it's your responsibility to know what
>> you're doing. I remember using xxx which suggested changing to FIPS
>> from SSL, but then all web browsers failed on SSL/TLS connects.
>>
>> If you do install additional anti-malware tools, you'll have to decide
>> whether to rely on their on-demand scanner instead of Defender, or to
>> use the new tool as a secondary opinion scanner (disable its on-demand
>> scanner to only use its manual scanner). While the article mentions
>> Sophos (which I've used their Intercept-X on my Android phone), I'd
>> first try MalwareBytes AntiMalware (MBAM). When installing, or soon
>> after installing if the installer doesn't offer the option, disable its
>> on-demand (real-time) scanner to use only as a 2nd-opinion manual
>> scanner. I know many folks prefer more features or protections than
>> what Defender provides. At one time, Defender was only an anti-spyware
>> tool, but Microsoft added their Endpoint client to Defender which made
>> it an anti-malware tool that compares very well against other 3rd-party
>> choices (see av-comparatives.org). Yet some tools work better than
>> others against specific pests. You might want to research on
>> alternative AV tools, like Bitdefender. Just remember the free versions
>> are missing some features in the payware versions. av-comparatives.org
>> tests only against the payware versions unless a product only has a
>> freeware version. While I don't and never have used Kaspersky, the US
>> gov't banned its use on their computers because it is Russian-ware, but
>> has never proved it performs any untoward behavior. Free Avast is
>> adware. All Avast products contain ad platform code. When they
>> acquired Piriform, they integrated their ad code into CCleaner. Avast
>> acquired AVG, so selecting AVG means selecting Avast, so you might as
>> well use Avast if you choose that author for AV protection. I don't
>> recall G Data having a free version. It uses their own scanner along with
>> incorporating Bitdefender. G Data uses a simple (mundane) GUI which
>> doesn't bury its features unlike having to drill through menus in ESET.
>> BitDefender Free is super easy to use, but likewise missing lots of
>> features in its payware version. When visiting av-comparatives.org to
>> decide on which 3rd-party AV tools to test, it isn't just about pest
>> coverage although that is a very important criterion. You don't want to
>> use something that wastes lots of your time with false positives. You
>> want something that impacts little the responsiveness of your system.
>> Use their various tests (under Consumer) to decide on your criteria
>> which would be the best choice for you. Also be aware that some
>> incorporate cloud scanning: unknowns are sent to their server for more
>> thorough analysis, and that takes time, plus the extra coverage is not
>> available when offline. When looking at av-comparatives.org's Malware
>> Protection Test, check which have the highest offline detection rate.
>> Extra detection via cloud scanning is okay, but you may not always be
>> online, especially if the malware kills your network connection.
>> Bitdefender and G Data get the highest offline detection rates.
>> However, Bitdefender Free may have the same sig database as the payware
>> version, but the free version may not have all the heuristics detection
>> of the payware version. Avast/AVG and Avira reach 99% only when online.
>> Kaspersky, Defender, ESET, Norton, and others are crap when offline, but
>> reach 99% when online.
>>
>> When you install AV software, and providing it generates the registry
>> key that has Windows authorize it as a replacement, it will replace
>> Defender (which you can still use as a manual scanner). The new AV
>> replaces Defender. There are compatibility registry settings the
>> 3rd-party AV software must establish to replace Defender, but I'm not
>> going to research those again.
>>
>> You have to restore the system files that it infects. The
>> malwarefixes article mentions explorer.exe (File Explorer and desktop
>> GUI manager), iexplore.exe (you really should've removed Internet
>> Explorer long ago), several web browsers (firefox.exe, chrome.exe,
>> opera.exe, safari.exe). You won't find the injected code when searching
>> on registry or file system entries.
>>
>> Do you use a backup program? If so, do you schedule it to run
>> periodically, like every day? If so, how long is the retention on your
>> backups (how far do they go back)? Backups that are manually instigated
>> by a user are almost guaranteed to never get done, or at so coarse a
>> granularity and irregularly that they are rather useless for restoring
>> the system back to a prior known state. If you do backups, you may have
>> to walk back through them until a Defender scan no longer finds the
>> pest, and so the executable files will not have been infected yet.
>>
>> If you don't do backups (which to me indicates an irresponsible or lazy
>> user), and also protect them against ransomware, then you'll have to try
>> to mend your system. However, once infected, disinfection can be
>> difficult if not impossible. You could try to run the System File
>> Checker (sfc.exe) to replace any Windows system files.
>>
>> sfc.exe /scannow
>>
>> This is run in a console window (cmd.exe). If run using Win+R, the
>> shell unloads immediately after the program exits, so you can't see any
>> error or status messages. Run "sfc /?" to get some help on using sfc,
>> or read:
>>
>> https://support.microsoft.com/en-au/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e
>>
>> which suggests you first try using DISM (Deployment Image Servicing and
>> Management), like running:
>>
>> dism.exe /Online /Cleanup-image /Restorehealth
>>
>> If you've disabled Windows Update (which I have), you have to reenable
>> it to run DISM.
>>
>> However, those won't help with the other infected files, like the web
>> browsers (I don't know if explorer.exe is considered a system file, but
>> it is used for both the File Explorer tool and as the desktop GUI manager).
>> For Defender to be effective, it must run its actions (Remove,
>> Quarantine/move) with System privileges; else, user-mode actions can
>> easily fail. There are lots of tricks a-holes use to protect their
>> folders and registry entries, like using non-printable characters in the
>> folder or registry entry names. File Explorer won't show the
>> characters, but the actions the user requests of it will use only the
>> displayable characters. The same for regedit.exe. There are hex
>> editors that will show the non-printable characters (in the hex values
>> pane) for both the file system and registry which will allow you to edit
>> based on the real name instead of the displayed name. I doubt you want
>> to delve into hex editing of the file system looking for non-printable
>> chars in file/folder names or registry entries, or dig into .exe files
>> hunting for pest code.
>>
>> If you save backups, walk back through them until Defender no longer
>> alerts to the pest. Or try DISM and sfc to restore, at least, the
>> Windows system files, and then you'll have to step on your current
>> web browser installs by doing new installs using installers you get from
>> the author sites.
>
> I ran SFC and all was good; no errors found.
> I found a command line to run that would delete the history folder
> (C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\) since I
> couldn't access it, or change the security settings to do so, and of
> course it said "That folder doesn't exist".
> There was another suggestion to go into Services and "reset" the Defender
> services. Did that, and so far today, I have not gotten any notifications.
> I'll see if that fixed it or not later; I'll be away from the PC for a
> while today so it can stew over what it wants to do :-)
>


Re: Non-existent Virus Found

<kudu5mF9f0lU1@mid.individual.net>


https://news.novabbs.org/computers/article-flat.php?id=4089&group=alt.comp.os.windows-11#4089

Newsgroups: alt.comp.os.windows-11
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: void-invalid-dead-dontuse@email.invalid (Brian Gregory)
Newsgroups: alt.comp.os.windows-11
Subject: Re: Non-existent Virus Found
Date: Tue, 19 Dec 2023 16:20:06 +0000
Organization: https://www.Brian-Gregory.me.uk/
Lines: 35
Message-ID: <kudu5mF9f0lU1@mid.individual.net>
References: <uksnb9$1aad1$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net GxEigIRdNrXM3zYhdPQr5Q7K8szi+S/hfZZIvz0LJlPYeVWDUh
Cancel-Lock: sha1:bOO5fS4L78lBfgg/c+dpeKRXTtc= sha256:1ksCVoCAqJnQGBIPlyeMQnBnJzsDUbOfKCF/4QPUIHw=
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
In-Reply-To: <uksnb9$1aad1$1@dont-email.me>
 by: Brian Gregory - Tue, 19 Dec 2023 16:20 UTC

On 07/12/2023 15:11, SC Tom wrote:
> Win11x64 running Defender
> Back in November, defender found "Backdoor:Win32/Bladabindi!ml" in a
> folder that no longer exists (it was an old game trainer). I have tried
> to Quarantine it, Remove it, and Allow on device, but it keeps popping
> up that it's still there.
> I have searched the PC and the registry for any instance of the file and
> the backdoor name, but nothing shows up. I have done every scan listed
> in Defender with the result of "0 threat(s) found".
> Ran SuperantiSpyware and MalwareBytes; no threats found.
> How do I get rid of this notification? After the first notice in
> November, I thought it was taken care of, but it started popping up
> again on December 1st and every day since. I'm sure the PC is clean;
> just can't convince Defender of it.

1) Check it's not a hidden or system directory.

2) Try to clear any corruption of virus definitions:
Start an elevated cmd prompt and type:

cd /d "C:\Program Files\Windows Defender"
MpCmdRun -RemoveDefinitions
MpCmdRun -RemoveDefinitions -Engine

Now wait a minute or two for the up-to-date engine to reinstall, then type:

MpCmdRun -SignatureUpdate

You will probably get an error if the Engine hasn't finished
reinstalling. It doesn't matter; just wait some more and try that last
command again.

--
Brian Gregory (in England).
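
The definition reset from step 2 above, scripted as an added example (it is not from this thread or from Microsoft) with the wait-and-retry for -SignatureUpdate that Brian describes. It assumes the MpCmdRun.exe path given in the post, the Defender PowerShell module (Get-MpComputerStatus), and an elevated prompt; the attempt count and sleep interval are assumed values.

```powershell
# Added example: reset Defender definitions and engine, then retry the
# signature update until the reinstalled engine accepts it.
# Assumes the MpCmdRun.exe location named in the post.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# Step 2 only works from an elevated prompt; fail early otherwise.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell prompt.' }
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# Record the starting engine/signature versions for comparison afterwards.
$before = Get-MpComputerStatus
'Before: engine {0}, signatures {1}' -f $before.AMEngineVersion,
    $before.AntivirusSignatureVersion

# Drop the cached definitions, then the engine itself (the post's two commands).
& $mpCmdRun -RemoveDefinitions
& $mpCmdRun -RemoveDefinitions -Engine

# -SignatureUpdate errors while the engine is still reinstalling; the post
# says to wait and try again. Retry limits (10 tries, 30 s apart) are assumed.
$maxAttempts = 10
$attempt = 0
do {
    $attempt++
    Start-Sleep -Seconds 30
    & $mpCmdRun -SignatureUpdate
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) {
        "Attempt $attempt failed (exit $LASTEXITCODE); engine probably still reinstalling."
    }
} until ($ok -or $attempt -ge $maxAttempts)

if (-not $ok) { throw "Signature update still failing after $attempt attempts." }

# Confirm the engine is back and the signatures are current.
$after = Get-MpComputerStatus
'After: engine {0}, signatures {1}' -f $after.AMEngineVersion,
    $after.AntivirusSignatureVersion
if ([string]::IsNullOrEmpty($after.AMEngineVersion) -or $after.AntivirusSignatureAge -gt 1) {
    Write-Warning 'Engine or signatures still not current; wait and run Update-MpSignature again.'
}
```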
