Trojan:Win32/Powessere.G . . . False Positive (?)

  • Question

  • I just updated to Win 10 version 1903:

    Microsoft Windows
    Version 1903 (OS Build 18362.329)
    © 2019 Microsoft Corporation. All rights reserved.

    09/05/19 All updates are current . . . With Avast and all Startups disabled, and just the OS running, I see that Win Defender finds this:

    - - - - - - - - - - - - - - - - - - - - - -

    Threat found - action needed.
    Severe
    09/05/19 2:11 PM

    Status: Active
    Active threats have not been remediated and are running on your device.

    Threat detected: Trojan:Win32/Powessere.G
    Alert level: Severe
    Date: 09/05/19 2:11 PM
    Category: Trojan
    Details: This program is dangerous and executes commands from an attacker.

    Learn more

    Affected items:
    CmdLine: C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}

    - - - - - - - - - - - - - - - - - - - - - -

    I think I saw it popping up before, but the Windows screens seem so disconnected to me, that it's hard to figure out what's going on.

    The computer was not having any noticeable issues, so I just assumed that something was taking care of it.

    With the new version 1903, which I would think should not have any virus - I needed to look into it.

    - - - - - - - - - - - - - - - - - - - - - -

    I run Avast and Malwarebytes weekly.  They rarely find anything.

    ESET and ADWCleaner found some things (that have been on my system for a while), but not the above.

    (Why did ADWCleaner find anything?  I thought it had been combined into Malwarebytes (10/21/16).  I'll have to start running that again, also - weekly)

    I see that others have asked about it.  I believe that it's a false positive (please see below).  Can you verify?

    - - - - - - - - - - - - - - - - - - - - - -

    Trojan:Win32/Powessere.G virus - Microsoft Community . . . Just basic advice to run a malware cleaner . . . https://answers.microsoft.com/en-us/protect/forum/all/trojanwin32powessereg-virus/29c65397-8e25-4814-9949-9d5c2d4351e6

    Trojan:WinPowessere.H - Microsoft Community . . . CLUE (the same thing):  mshta.exe . . . https://answers.microsoft.com/en-us/protect/forum/all/trojanwinpowessereh/25a5c7db-67ed-4259-b50e-2a6a39031aea

    How to remove Trojan.Poweliks virus (Removal Guide) - Malwaretips . . . These did not fix it, or find it . . . ESET Online Virus Scan, ESET Poweliks Cleaner tool, Malwarebytes, HitmanPro, Emsisoft Emergency Kit . . . Also tried:  Avast, ADWCleaner, Norton Rescue Tools, Kaspersky Removal Tool . . . https://malwaretips.com/blogs/remove-poweliks-virus/

    - - - - - - - - - - - - - - - - - - - - - -

    NEED HELP FINDING SOURCE OF BLOCKED SITES - Resolved Malware Removal Logs - Malwarebytes Forums . . . TRY THIS:  Delete cache and profile, Re-install or Reset browser to Default Settings . . . CLUE:  Notice that it only affects Chrome . . . https://forums.malwarebytes.com/topic/222842-need-help-finding-source-of-blocked-sites/

    Serious virus, trojan , malware ,ransomware - Page 2 - Resolved Malware Removal Logs - Malwarebytes Forums . . . TRY THIS:  Look at the Autoruns with Sysinternals Autoruns . . . I did a search for "mshta.exe", but it did not appear . . . I did a search for "explorer", and see that IE does some "Add-in" startups . . . CLUE:  Notice that it only affects IE . . . https://forums.malwarebytes.com/topic/237337-serious-virus-trojan-malware-ransomware/page/2/

    Windows defender false positive - forced to allow threat - Windows 10 Forums . . . - WD identifies the mshta call as a Trojan . . . - I can only run the script if I 'allow the threat' and I cannot achieve the same by using WD's exclusions but would prefer to do so . . . - I suspect that the current fault is a result of an IE ActiveX issue [IE is, in effect, in 'extended support' & functional issues are not addressed so the fault itself will not be fixed] . . . - The focus of my thread is intended to be the use of WD's exclusions . . . I have not found a way to exclude the active files rather than allowing the threat. I would like to understand why I had to do it the way I did but it is just an academic exercise now that I have decided to replace the batch-vbs-hta tool . . . https://www.tenforums.com/antivirus-firewalls-system-security/115214-windows-defender-false-positive-forced-allow-threat.html

    Win Defender does not see "Powessere.G" with Avast on . . . only if Avast off (All IE Add-ons can be enabled or disabled)

    - - - - - - - - - - - - - - - - - - - - - -
    Friday, September 6, 2019 2:46 PM

All replies

  • It shows the location, so are you seeing the file there? (make sure hidden and system hidden files are being viewed).

    Try running a full scan with Windows Defender, then run a scan with Windows Defender Offline, and see what the result is.

    Sunday, September 8, 2019 3:26 PM
  • - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    . . . It shows the location, so are you seeing the file there? (make sure hidden and system hidden files are being viewed).

    Yes, I can see mshta.exe . . . It is not hidden

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    . . . Try running a full scan with Windows Defender, then run a scan with Windows Defender Offline, and see what the result is.

    - - - - - - - - - - - - - - - - - - - - - -

    Avast / Menu / Settings / Troubleshooting

    . . . [un-check] Enable Self-Defense . . . I have recently just been un-checking this one, and all non-MS Startups, through CCleaner and msconfig, so only the OS is running (when I do Win update) . . . and then been seeing the Powessere.G notification

    . . . [un-check] Enable hardware-assisted virtualization . . . Maybe I should un-check this one too? Maybe it's the one conflicting with WD?

    - - - - - - - - - - - - - - - - - - - - - -

    09/08/19 The WD Full scan found 0 threats . . . 27 mins, 56 sec . . . 2,213,453 files scanned

    Why does Avast still pop up (at the end of the WD scan), and say "You're protected"

    Then, Avast turns off WD, and won't let me turn it back on
    . . . AvastWscReporter in msconfig . . . un-check it, click ok, and it re-checks itself
    . . . un-check it, then just Restart . . . and it stays un-loaded?
    . . . No, Avast still won't let me use WD, alone

    - - - - - - - - - - - - - - - - - - - - - -

    What if I select to do the offline scan?
    . . . Avast will not let me run it
    . . . and, I am unable to disable AvastWscReporter

    - - - - - - - - - - - - - - - - - - - - - -

    How to fix:

    Enable Avast / Restart . . . then Disable it / Restart . . . then run WD Offline

    After some struggling - and a lot of clicking around:
    . . . I think I was still unable to enable WD Real-time protection
    . . . But, somehow, I was eventually able to run a WD Offline scan

    09/08/19 WD Offline ran, but I don't see where the results are - even in the Event Viewer
    . . . also, Avast has disabled all the WD settings again

    09/08/19 The WD Quick scan found 0 threats . . . 4 mins, 8 sec . . . 29,366 files scanned

    - - - - - - - - - - - - - - - - - - - - - -

    09/09/19 The WD Quick scan found 0 threats . . . 4 mins, 18 sec . . . 29,577 files scanned

    . . . and, I'm not getting the Trojan notification now - Maybe they fixed it

    - - - - - - - - - - - - - - - - - - - - - -

    Focus Assist has to be on "Priority only" . . . not "Alarms only" ?
    . . . I'm not sure
    . . . I have it back on "Priority", and I'm not getting the Trojan warning now

    - - - - - - - - - - - - - - - - - - - - - -

    Avast needs to make it so that you can manually, completely, disable it - It makes it so WD cannot function

    I'm not seeing the Trojan notification now - maybe they fixed it

    Win Defender is "too" simplified, and the screens are all over the place - You should be able to choose views based on your screen size (27" vs. 4") - I have 27", so I can see a lot at one time, and it does me no good in this case.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Monday, September 9, 2019 12:55 PM
  • 09/10/19 . . . This took some effort to figure this out

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    SUMMARY:  Win Defender Finds, Blocks, and Removes Powessere.G . . . but Powessere.G keeps coming back . . . even after running the Offline Scan, which is designed to get something like this

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Full Scan, 28 mins, 0 Found . . . but after a Restart, it Finds, Blocks, and Removes Powessere.G again

    Quick Scan, 4 mins, 0 Found . . . but Powessere.G comes back

    Offline Scan, 14 mins . . . Where does it show the results?  That would be useful.  A couple of places, please see below . . . It detects and removes Powessere.G, but, it keeps coming back

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    DISM and SFC showed errors . . . chkntfs c: - I see that this SSD is not dirty . . . apparently, these errors were all just with Win Defender . . . Completely un-install Avast, then run DISM and SFC to fix

    Problems starting Windows Defender in Windows 8/8.1/10 - Microsoft Community . . . backup settings, un-install Avast . . . https://answers.microsoft.com/en-us/protect/forum/all/problems-starting-windows-defender-in-windows/808253bb-db89-4db9-a4e5-1c91a86489e9

    Use the System File Checker tool to repair missing or corrupted system files . . . Un-install Avast . . . Safe Mode / Removal Tool . . . Run DISM . . . Run SFC . . . https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system

    One of the AV programs I ran earlier must have corrupted Win Defender
    . . . It seems like the removal of Emsisoft (EEK) or Norton Power Eraser might have done it
    . . . Why?  I had to get a removal tool for EEK, and Power Eraser is said to be aggressive

    I de-installed Avast, completely, with the Avast cleaner

    I re-ran DISM and SFC . . . and they fixed Win Defender . . . no error messages seen now
    . . . New for me:  Assume that AV cleaning will mess up something . . . then be ready to do the above

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Where are windows 10 defender offline scan logs/results? . . . https://serverfault.com/questions/816870/where-are-windows-10-defender-offline-scan-logs-results

    The log showing the offline scan run seems to be stored in a file below

    C:\Windows\Microsoft Antimalware\Support

    using the naming scheme MPLog-<date>-<time>.log (e.g. MPLog-20181217-055720.log).
    You can tell that it is an offline scan log by the following line somewhere at the beginning:
    2018-12-17T04:57:20.837Z [PlatUpd] Service launched successfully from:

    [check] Hidden items

    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner

    Usually the log contains a lot of lines with the string Internal signature match:subtype=Lowfi,
    but these don't seem to be real virus detections:
    They don't show up in Threat History and virustotal.com finds nothing ("No engines detected this file").

    According to Moderator/Microsoft Agent Justine Pel in a thread in the Microsoft Community Forums,
    the log files are intended for submitting Windows Defender errors to Microsoft,
    therefore I suspect the Internal match entries are included for debugging purposes only:

    Those logs are usually used for submission of errors or problems with Windows Defender.
    Our Windows Defender team are the one who are capable of providing the exact meaning of those lines.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    MPLog-<date>-<time>.log
    MPLog-20181217-055720.log

    You can tell that it is an offline scan log by the following line somewhere at the beginning:

    2018-12-17T04:57:20.837Z [PlatUpd] Service launched successfully from:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    I don't see MPLog . . . What if I search this Windows Defender folder for the keyword "log"?
    Five appear.  Sort by "Date created" and take a look:

    History.Log
    Detections.log
    MPDetection-20190903-143407.log
    MPLog-20190903-143407.log
    Unknown.Log

    This looks like it, it contains detections.  It is not in the "Offline Scanner" folder:

    C:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190903-143407.log

    Powessere.G is detected, then Service stops with exit code 0x0

    2019-09-03T18:34:07.036Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    2019-09-03T18:34:08.170Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16200.1 AS 1.299.1319.0 AV 1.299.1319.0
    2019-09-03T18:34:24.060Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
    2019-09-03T18:34:30.442Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.299.1319.0 AV 1.299.1319.0
    2019-09-03T18:34:46.830Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.430.0 AV 1.301.430.0
    2019-09-03T19:13:41.506Z Service stopped with exit code 0x0
    2019-09-09T20:37:43.475Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    2019-09-09T20:37:44.631Z Service stopped with exit code 0x0
    2019-09-09T20:45:45.254Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    2019-09-09T20:45:47.379Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.893.0 AV 1.301.893.0
    2019-09-09T20:46:06.590Z Service stopped with exit code 0x0
    2019-09-09T21:53:33.065Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    2019-09-09T21:53:34.424Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.893.0 AV 1.301.893.0
    2019-09-09T21:53:57.948Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
    2019-09-09T22:20:30.960Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.895.0 AV 1.301.895.0
    2019-09-09T22:26:31.606Z Service stopped with exit code 0x0
    2019-09-10T00:27:24.416Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
    2019-09-10T00:27:25.484Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.895.0 AV 1.301.895.0
    2019-09-10T00:27:50.199Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
    2019-09-10T01:02:10.041Z Service stopped with exit code 0x0

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Where are windows 10 defender offline scan logs/results? . . . https://serverfault.com/questions/816870/where-are-windows-10-defender-offline-scan-logs-results

    Right-click on the Start button and choose Event Viewer. Then navigate to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational:

    See . . . Level:  "Warning" . . . most are . . . Level:  "Information"

    It is Detected, and Removed

    - - - - -

    Windows Defender Antivirus has detected malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Powessere.G&threatid=2147725444&enterprise=0
         Name: Trojan:Win32/Powessere.G
         ID: 2147725444
         Severity: Severe
         Category: Trojan
         Path: CmdLine:_C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
         Detection Origin: Unknown
         Detection Type: Concrete
         Detection Source: System
         User: NT AUTHORITY\SYSTEM
         Process Name: Unknown
         Security intelligence Version: AV: 1.301.945.0, AS: 1.301.945.0, NIS: 1.301.945.0
         Engine Version: AM: 1.1.16300.1, NIS: 1.1.16300.1

    - - - - -

    Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
     For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Powessere.G&threatid=2147725444&enterprise=0
         Name: Trojan:Win32/Powessere.G
         ID: 2147725444
         Severity: Severe
         Category: Trojan
         Path: CmdLine:_C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
         Detection Origin: Unknown
         Detection Type: Concrete
         Detection Source: System
         User: NT AUTHORITY\SYSTEM
         Process Name: Unknown
         Action: Remove
         Action Status:  No additional actions required
         Error Code: 0x00000000
         Error description: The operation completed successfully.
         Security intelligence Version: AV: 1.301.945.0, AS: 1.301.945.0, NIS: 1.301.945.0
         Engine Version: AM: 1.1.16300.1, NIS: 1.1.16300.1

    - - - - -

    Malware keeps coming back . . . https://support.microsoft.com/en-us/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware

    If the same malware keeps infecting your PC, use Windows Defender Offline to look for and remove recurring malware. Windows Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.

    - - - - -

    Submit undetected malware

    If you believe Windows Defender Antivirus is not detecting a malicious file, obtain a copy of that file and submit it to us for analysis. We will try our best to quickly review that file and update our solutions as appropriate.

    https://www.microsoft.com/en-us/wdsi/filesubmission/

    I'll give them a copy of the URL to this page.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Do I need to manually update Win Defender before a scan, or does it automatically do that?  No way to tell.

    Looking at the Protection history when Avast is "on", Win Defender appears to be disabled, because it doesn't say anything about Powessere.G
    Yet, you can set Win Defender to do a periodic scan (while Avast is "on") . . . I wonder if it would find Powessere.G

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    • Edited by mb1285 Tuesday, September 10, 2019 7:21 PM
    Tuesday, September 10, 2019 7:16 PM
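
Added example (not part of any post in this thread, and not Microsoft code): a parser for the MPDetection log format quoted in the post above. It groups lines into service sessions and reports how long after each service start the same `CmdLine:` detection fires and which AV signature version was loaded at that moment. The 60-second window and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the MPDetection log quoted in the post above (later Version lines omitted).
SAMPLE_LOG = r"""
2019-09-03T18:34:07.036Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
2019-09-03T18:34:08.170Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16200.1 AS 1.299.1319.0 AV 1.299.1319.0
2019-09-03T18:34:24.060Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
2019-09-03T19:13:41.506Z Service stopped with exit code 0x0
2019-09-09T20:37:43.475Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
2019-09-09T20:37:44.631Z Service stopped with exit code 0x0
2019-09-09T21:53:33.065Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
2019-09-09T21:53:34.424Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.893.0 AV 1.301.893.0
2019-09-09T21:53:57.948Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
2019-09-09T22:26:31.606Z Service stopped with exit code 0x0
2019-09-10T00:27:24.416Z Service started - Windows Defender Antivirus (77BDAF73-B396-481F-9042-AD358843EC24)
2019-09-10T00:27:25.484Z Version: Product 4.18.1907.4 Service 4.18.1907.4 Engine 1.1.16300.1 AS 1.301.895.0 AV 1.301.895.0
2019-09-10T00:27:50.199Z DETECTION Trojan:Win32/Powessere.G CmdLine:C:\Windows\System32\mshta.exe javascript:{new ActiveXObject(InternetExplorer.Application).PutProperty('309414',window);window.resizeTo(500,200);window.moveTo(1030,620)}
2019-09-10T01:02:10.041Z Service stopped with exit code 0x0
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+(.*)$")
AV_RE = re.compile(r"\bAV (\S+)")
DETECTION_RE = re.compile(r"^DETECTION (\S+) (.+)$")


def parse_sessions(text):
    """Split the log into service sessions and attach each detection to its session."""
    sessions, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
        msg = m.group(2)
        if msg.startswith("Service started"):
            current = {"start": ts, "stop": None, "av": None, "detections": []}
            sessions.append(current)
        elif current is None:
            continue  # log begins mid-session: no start time to measure from
        elif msg.startswith("Service stopped"):
            current["stop"] = ts
            current = None
        elif msg.startswith("Version:"):
            av = AV_RE.search(msg)
            if av:
                current["av"] = av.group(1)  # signature set loaded at this point
        else:
            det = DETECTION_RE.match(msg)
            if det:
                current["detections"].append({
                    "time": ts,
                    "threat": det.group(1),
                    "resource": det.group(2),
                    "delay_s": (ts - current["start"]).total_seconds(),
                    "av": current["av"],
                })
    return sessions


def recurring_after_start(sessions, window_s=60.0):
    """Return resources detected within window_s of service start in 2+ sessions."""
    hits = defaultdict(list)
    for index, session in enumerate(sessions):
        for det in session["detections"]:
            if det["delay_s"] <= window_s:
                hits[(det["threat"], det["resource"])].append(
                    (index, det["delay_s"], det["av"]))
    return {key: rows for key, rows in hits.items()
            if len({index for index, _, _ in rows}) >= 2}


if __name__ == "__main__":
    found = recurring_after_start(parse_sessions(SAMPLE_LOG))
    for (threat, resource), rows in found.items():
        print(threat, resource[:45] + "...")
        for index, delay, av in rows:
            print(f"  session {index}: {delay:.1f}s after start, AV signatures {av}")
```

An identical command line flagged within seconds of every service start, under three different signature versions, while file scans report 0 threats, points the search at whatever launches that command at logon or boot rather than at a file on disk.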
  • 09/10/19

    We have removed the detection.  Please follow the steps below to clear cached detection and obtain the latest malware definitions.

    1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
    2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
    3. Run "MpCmdRun.exe -SignatureUpdate"

    Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    09/10/19

    Hello:

    Any idea why I can't get this to run? . . . Please see errors below.

    From an Admin Command Prompt . . . Either with . . . all non-MS startups disabled . . . or in Safe Mode?

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16300.1
    AntiSpyware Signature Version: 1.301.1024.0
    AntiVirus Signature Version: 1.301.1024.0

    Starting Dynamic Signature removal.Failed! Error 0x80070005

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16300.1
    AntiSpyware Signature Version: 1.301.1024.0
    AntiVirus Signature Version: 1.301.1024.0
    CmdTool: Failed with hr = 0x80070005. Check C:\Users\USER~1\AppData\Local\Temp\MpCmdRun.log for more information

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


    MpCmdRun.log


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -removedefinitions -dynamicsignatures
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 16:53:05

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 16:53:05
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: mpcmdrun.exe  /?
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 16:54:21

    MpEnsureProcessMitigationPolicy: hr = 0x1
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 16:54:21
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -RemoveDefinitions -DynamicSignatures
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 16:55:54

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 16:55:54
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -removedefinitions -dynamicsignatures
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 17:19:28

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 17:19:28
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -removedefinitions -dynamicsignatures
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 17:29:39

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 17:29:39
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -removedefinitions -dynamicsignatures
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 17:31:48

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpRemoveDefinitions(0)
    ERROR: MpRollbackSignature failed with hr=80070005
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 17:31:48
    -------------------------------------------------------------------------------------


    -------------------------------------------------------------------------------------
    MpCmdRun: Command Line: MpCmdRun.exe  -SignatureUpdate
     Start Time: ‎Tue ‎Sep ‎10 ‎2019 17:32:17

    MpEnsureProcessMitigationPolicy: hr = 0x1
    Start: MpSignatureUpdate()
    Calling MpUpdateStartEx with option 0x1
    Update started
    Search Started (MU/WU update) (Path: Default URL)...
    Update failed with hr: 0x8007043c
    Update completed with hr: 0x8007043c
    ERROR: Signature Update failed with hr=8007043C
    MpCmdRun: End Time: ‎Tue ‎Sep ‎10 ‎2019 17:32:17
    -------------------------------------------------------------------------------------
    Wednesday, September 11, 2019 2:20 PM
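
Added example (not part of any post in this thread, and not Microsoft code): a reader for the MpCmdRun.log format quoted in the post above that lists each command which recorded a failing HRESULT and splits the value into its severity, facility and code fields. The two Win32 error names come from winerror.h; the function names are assumptions of this example.

```python
import re

# Win32 error names for the two codes in this thread (values from winerror.h).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 1084: "ERROR_NOT_SAFEBOOT_SERVICE"}
FACILITY_WIN32 = 7

# Excerpt of the MpCmdRun.log quoted in the post above
# (Start/End Time lines and the repeated identical runs are omitted).
SAMPLE_LOG = """\
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: MpCmdRun.exe  -removedefinitions -dynamicsignatures
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpRemoveDefinitions(0)
ERROR: MpRollbackSignature failed with hr=80070005
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: mpcmdrun.exe  /?
MpEnsureProcessMitigationPolicy: hr = 0x1
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: MpCmdRun.exe  -SignatureUpdate
MpEnsureProcessMitigationPolicy: hr = 0x1
Start: MpSignatureUpdate()
Calling MpUpdateStartEx with option 0x1
Update started
Search Started (MU/WU update) (Path: Default URL)...
Update failed with hr: 0x8007043c
Update completed with hr: 0x8007043c
ERROR: Signature Update failed with hr=8007043C
-------------------------------------------------------------------------------------
"""

COMMAND_RE = re.compile(r"^MpCmdRun: Command Line:\s*(.+)$")
# Matches "hr = 0x1", "hr: 0x8007043c" and "hr=80070005" as they appear in the log.
HR_RE = re.compile(r"\bhr\s*[:=]\s*(?:0x)?([0-9A-Fa-f]{1,8})\b")


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code fields."""
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    return {
        "hresult": f"0x{value:08X}",
        "failed": bool(value >> 31),   # bit 31 is the severity bit
        "facility": facility,
        "code": code,
        "name": WIN32_NAMES.get(code) if facility == FACILITY_WIN32 else None,
    }


def failed_commands(text):
    """Return each logged command that recorded a failing HRESULT, decoded."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        cmd = COMMAND_RE.match(line)
        if cmd:
            # Collapse the double space MpCmdRun writes after the executable name.
            current = {"command": " ".join(cmd.group(1).split()), "failures": []}
            runs.append(current)
            continue
        if current is None:
            continue  # text before the first command header
        for hexval in HR_RE.findall(line):
            decoded = decode_hresult(int(hexval, 16))
            # hr = 0x1 has the severity bit clear, so it is not a failure.
            if decoded["failed"] and decoded not in current["failures"]:
                current["failures"].append(decoded)
    return [run for run in runs if run["failures"]]


if __name__ == "__main__":
    for run in failed_commands(SAMPLE_LOG):
        for f in run["failures"]:
            print(f'{run["command"]}: {f["hresult"]} facility={f["facility"]} '
                  f'code={f["code"]} {f["name"] or "(name not in table)"}')
```

On this log the rollback failure 0x80070005 decodes to facility 7 (Win32), code 5, ERROR_ACCESS_DENIED, and the update failure 0x8007043C decodes to code 1084, ERROR_NOT_SAFEBOOT_SERVICE, the Win32 error for a service that cannot be started in Safe Mode.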
  • I looked into this.  It now appears to be fixed - Thank you!  Here's what I did . . . I'll put this on my web page post:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    TRYING TO DO THIS

    Open command prompt as administrator and change directory to c:\Program Files\Windows Defender . . . Then Run:

    MpCmdRun.exe -removedefinitions -dynamicsignatures

    MpCmdRun.exe -SignatureUpdate

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    TAKE ANOTHER LOOK AT THE COMMANDS.  MAYBE THE SYNTAX IS WRONG?

    How to Use Windows Defender from the Command Prompt . . . https://www.maketecheasier.com/use-windows-defender-from-command-prompt/

    STILL DOESN'T WORK

    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -removedefinitions -dynamicsignatures

    BUT THIS WORKED:

    "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

    . . . SIGNATURE UPDATE DIDN'T WORK YESTERDAY . . . MAYBE THE UPDATE SYSTEM WAS DOWN? . . . I SEE THAT MY ADMIN CMD PROMPT IS WORKING, THOUGH

    . . . WHY DOESN'T IT WORK IF THERE'S A SPACE IN BETWEEN:  "Program Files"?

    . . . WHAT ARE ALL THE POSSIBLE COMMANDS?

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    cd "%ProgramFiles%\Windows Defender\"
    cls
    mpcmdrun.exe /?

       -RemoveDefinitions
            Restores the last set of signature definitions

            [-Engine]
            Restores the last saved engine
            Use this option if the latest engine contains a known issue.

            [-All]
            Removes any installed signature and engine files. Use this
            option if you have difficulties trying to update signatures.

            [-DynamicSignatures]
            Removes all Dynamic Signatures.

       -SignatureUpdate
            Checks for new definition updates

            [-UNC [-Path <path>]]
            Performs update directly from UNC file share specified in <path>
            If -Path is not specified, update will be performed directly from the
                 preconfigured UNC location

            [-MMPC]
            Performs update directly from Microsoft Malware Protection Center

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    THIS:

    . . . [-All]
    . . . Use this option if you have difficulties trying to update signatures.

    I might as well restore the Engine, and try definitions from the MMPC, also.

    Probably in this order:  Definitions, Engine, then get Signatures

    I'll try this a couple of times

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    MpCmdRun.exe -RemoveDefinitions -All

    . . . THIS WORKED THE FIRST TIME, BUT THE SECOND TIME:

    . . . Starting engine and signature rollback to none...Failed! Error 0x80070005

    . . . IT FAILS IF THERE'S NOTHING TO ROLLBACK TO - THAT MAKES SENSE - OK

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    1ST TIME

    C:\Program Files\Windows Defender>MpCmdRun.exe -RemoveDefinitions -Engine

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16300.1
    AntiSpyware Signature Version: 1.301.1024.0
    AntiVirus Signature Version: 1.301.1024.0

    Starting engine and signature rollback to last known good engine...
    Done!

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16200.1
    AntiSpyware Signature Version: 1.301.991.0
    AntiVirus Signature Version: 1.301.991.0

    - - - - - -

    2ND TIME

    C:\Program Files\Windows Defender>MpCmdRun.exe -RemoveDefinitions -Engine

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16200.1
    AntiSpyware Signature Version: 1.301.1024.0
    AntiVirus Signature Version: 1.301.1024.0

    Starting engine and signature rollback to last known good engine...
    Done!

    Service Version: 4.18.1907.4
    Engine Version: 1.1.16200.1
    AntiSpyware Signature Version: 1.301.1024.0
    AntiVirus Signature Version: 1.301.1024.0

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    MpCmdRun.exe -SignatureUpdate

    C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate
    Signature update started . . .
    Signature update finished.

    - - - - - -

    MpCmdRun.exe -SignatureUpdate -MMPC

    C:\Program Files\Windows Defender>MpCmdRun.exe -SignatureUpdate -MMPC
    Signature update started . . .
    Signature update finished. No updates needed

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    THEN:

    Settings / Update & Security / Windows Update / Check for updates . . . up to date

    Settings / Update & Security / Windows Update / Windows Security / Virus & threat protection / Virus & threat protection updates - Check for updates / Check for updates . . . behavior is as expected / works, up to date

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Conclusion:  I'm no longer getting Notification of Powessere.G . . . and Win Defender works as expected

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    How do I clear out the Protection History?

    https://answers.microsoft.com/en-us/protect/forum/all/cannot-clear-full-history-in-windows-defender/7cd17ec3-62b3-47dc-9d2e-7ec9264436ef

    By default, a threat detection will be cleared automatically after 15 days, but you can specify a different delay period (in days) by running this command at the Administrator PowerShell Prompt:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Wednesday, September 11, 2019 2:21 PM