
VirTool:Win32/DefenderTamperingRestore and Removed! What is it?



Good afternoon

I tried Microsoft Safety Scanner because I had used Revo Uninstaller Portable and had no faith in it, but the software was corrupted and I was unable to remove it (the attempt still failed).
In the report I am attaching, it is noted:
VirTool:Win32/DefenderTamperingRestore and Removed!
Can anyone tell me what it is?
Is it possible to check if my PC is still infected?
Are there risks in using it for Home Banking and Tax?

Thanks

Attach logs:

Malwarebytes_Report.txt

mbst-grab-results.zip

msert.log


  • Root Admin

Hello @MAXBAR1

I'm not sure what has happened. We'll scan to ensure there is no infection and see if we're able to repair this.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach it or copy its content into your next reply.

RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


  • Root Admin

Did you set this policy on your system on purpose?

HKLM\...\Policies\Explorer: [SettingsPageVisibility] hide:easeofaccess-speechrecognition;speech;windowsinsider;easeofaccess-highcontrast;maps;sync;crossdevice;holographic-audio;gaming-broadcasting;gaming-gamebar;gaming-gamedvr;gaming-gamemode;gaming-tru (the data entry has 27 more characters).

You also have this setting which is not standard. Did you add a persistent route on purpose?

HKLM\System\...\Parameters\PersistentRoutes: [169.254.0.0,255.255.0.0,192.168.1.12,1]

9 hours ago, AdvancedSetup said:

Is this a Business Computer?

Platform: Windows 10 Enterprise LTSC 2019 Version 1809 17763.1217 (X64) Language: Italiano (Italia)

No, it's a license bought on Amazon.

The purchase was made to avoid the half-yearly upgrades. These, and the Store that automatically installs unsolicited apps, together with non-removable Flash, are the worst features of Windows 10.

9 hours ago, AdvancedSetup said:

Did you set this policy on your system on purpose?

HKLM\...\Policies\Explorer: [SettingsPageVisibility] hide:easeofaccess-speechrecognition;speech;windowsinsider;easeofaccess-highcontrast;maps;sync;crossdevice;holographic-audio;gaming-broadcasting;gaming-gamebar;gaming-gamedvr;gaming-gamemode;gaming-tru (the data entry has 27 more characters).

You also have this setting which is not standard. Did you add a persistent route on purpose?

HKLM\System\...\Parameters\PersistentRoutes: [169.254.0.0,255.255.0.0,192.168.1.12,1]

I need more clarification on what these two settings you mentioned do, as I have not acted on the registry directly but I made changes that could have caused all this. Based on what you tell me, I will be able to answer you more completely.

Among the software that I used to safeguard myself a bit in relation to the data collected by Microsoft, I used the one that can be downloaded here: https://wpd.app

I therefore need to know whether they are dangerous changes.


  • Root Admin
3 hours ago, MAXBAR1 said:

No, it's a license bought on Amazon.

Just a note that any sales of Windows 10 Enterprise from Amazon are illegal. I'm not here to be the license police for Microsoft. Just letting you know that you were sold an illegal license.

I need more clarification on what these two settings you mentioned do, as I have not acted on the registry directly but I made changes that could have caused all this. Based on what you tell me, I will be able to answer you more completely.

These settings force a certain type of display value. I don't have a link for it as I'm not sure where it came from.

It is very rare to see a home user set a persistent route. It basically sets a route to a location that is normally not set automatically on the current network, to allow access to some device. I would recommend we remove it if you did not set it.

I would also recommend you uninstall Bonjour.

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple's native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL. On a Mac or iOS device, this program is used for networking nearly everything. On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows. Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration; this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

I did not know it was an illegal license. Considering that there is nothing on the PC (zero data), I will format it immediately and start using Windows 10 Home again (the license supplied as standard with the PC). Too bad there is no similar version of Windows 10 for home users that does not have half-yearly updates and the Store.

I'd like to ask you to analyze the logs of my dad's PC, which I attach. It has the Windows 10 Home sold with the PC, but the changes below have been made.

Malwarebytes Father.txt

AdwCleaner[S00].txt

FRST.txt

Addition.txt

Normally when I prepare PCs I use these two tools, which I attach.

The first one is WPD, and you download it from The real privacy dashboard for Windows

The second is a tool that you download from Win10-Initial-Setup-Script (its configuration preset can be changed at will).

I attach the latest version of the two tools in two zipped files so that you can check them and clarify my ideas.

They are mostly used for privacy (the first) and to disable / uninstall Windows features (the second).

WPD

latest.zip

Win10 Initial Setup Script

Win10-Initial-Setup-Script-3.9.zip

I would like to know if the two tools can lead to problems, especially security problems, as it can happen that the PCs I have prepared (also for friends and family) are used for Home Banking, Tax and Work.

I await your response regarding the logs and the two tools

Thanks for everything

Good day

Massimiliano


  • Root Admin

The logs in general look good. A very basic and clean install of Windows with not much running on it, period.

There appears to be some sort of policy set that you may or may not want.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

As for the tools, I've not used either one before myself, and it would probably take days to actually review them in order to give personal advice, which, I'm sorry, I just don't have time to do.

In general, though, most of these tools attempt to stop telemetry or items that some users find annoying. Most don't do negative things to security, though some could by accident; but being public tools, if someone finds something like that wrong they usually report it as well.

Reviewing the Event Logs is really your best indicator of whether something is going on with the system, as it logs most things, both good and bad.

In the meantime, thank you for what you managed to do.
Returning to the first PC that I cleaned up, after the installation I ran the script that I attached before.
I know you can't parse the script.
But I ask you to look at the logs that I am attaching to you.

Malwarebytes New.txt

AdwCleaner[S00].txt

FRST.txt

Addition.txt

I also enclose the list of things I made the script perform (it's just a list of functions that can be viewed in a few minutes). I ask you if you can take a look; if there is something in this list that you feel is better not to do, I am ready to completely reinstall the PC, eliminating the items that you do not recommend.

Here is the preset list

Default.txt   (Normally the extension of this file is .preset but it was not accepted therefore I renamed it to .txt being a text file)

Thanks so much

Good day

Massimiliano


  • Root Admin

DisableDefender
DisableDefenderCloud
(don't agree here unless you're running another full antivirus product, Defender is good and free so why not use it alongside Malwarebytes)

DisableCtrldFolderAccess (good if used correctly but no big deal not using it)

Disabling DisableRemoteAssistance only prevents you from sending a request to someone to help you via remote. It does not have the same security issues as running RDP. But if you have no intention of ever using it, it's okay to disable.

DisableDefragmentation (why? disks still need defragmentation)

DisableIndexing (why? that seems to be shooting yourself in the foot on Windows 10 since it heavily relies on searches)

DisableChangingSoundScheme (why?)

UninstallXPSPrinter (actually it works like PDF and does a good job, but no harm in removing)

DNS Servers: 192.168.1.1; would recommend considering some type of secure DNS change

Recommend checking and possibly removing the policy depending on what it is
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

Otherwise, in general the logs look good. A couple of errors in Event Logs, but maybe reboot a couple of times and they may be okay.
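An added, read-only PowerShell audit (not from this thread, and not part of WPD or Win10-Initial-Setup-Script) that lists the three items flagged in the FRST logs above (the Windows Defender policy key, the SettingsPageVisibility policy and the persistent route) next to Defender's live state, so a reader can see what a preset changed before deciding what to remove. It assumes the full registry paths for the keys FRST abbreviates with "..." are the standard ones, and that the preset's DisableDefenderCloud corresponds to MAPSReporting = 0.

```powershell
# Added audit script (not from this thread, WPD or Win10-Initial-Setup-Script).
# Read-only: reports the items FRST flagged so you can decide what to keep.
# Run from an elevated PowerShell prompt. Assumption: the full registry paths
# below are the standard locations for the keys FRST abbreviates with "...".

function Get-RegValues([string]$Check, [string]$Path) {
    # Every value under $Path and its subkeys, tagged with a check label.
    if (-not (Test-Path -Path $Path)) { return @() }
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Check = $Check; Key = $k.Name; Name = $name; Value = $k.GetValue($name) }
        }
    }
}

function Get-FlaggedSettings {
    $out = @()

    # 1. FRST prints "Windows Defender: Restriction" when values exist under the
    #    Defender policy key. Policy values override the Security app settings,
    #    so an empty key is the normal state for a home PC.
    $out += Get-RegValues 'DefenderPolicy' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

    # 2. SettingsPageVisibility only hides pages in the Settings app, but it is
    #    a policy value, so something had to write it.
    $explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $spv = Get-ItemProperty -Path $explorer -Name SettingsPageVisibility -ErrorAction SilentlyContinue
    if ($spv) {
        $out += [pscustomobject]@{ Check = 'SettingsPageVisibility'; Key = $explorer; Name = 'SettingsPageVisibility'; Value = $spv.SettingsPageVisibility }
    }

    # 3. Persistent routes are stored as value NAMES of the form dest,mask,gateway,metric
    #    with empty data, which is why FRST shows [169.254.0.0,255.255.0.0,192.168.1.12,1].
    #    "route print" lists the same entries under "Persistent Routes".
    $out += Get-RegValues 'PersistentRoute' 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes'

    # 4. Live Defender state, to compare against the policy key and the preset
    #    (assumption: the preset's DisableDefenderCloud amounts to MAPSReporting = 0).
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        $pref   = Get-MpPreference -ErrorAction Stop
        foreach ($p in 'AntivirusEnabled', 'RealTimeProtectionEnabled', 'IsTamperProtected') {
            $out += [pscustomobject]@{ Check = 'DefenderStatus'; Key = 'Get-MpComputerStatus'; Name = $p; Value = $status.$p }
        }
        $out += [pscustomobject]@{ Check = 'DefenderStatus'; Key = 'Get-MpPreference'; Name = 'MAPSReporting'; Value = $pref.MAPSReporting }
    } catch {
        $out += [pscustomobject]@{ Check = 'DefenderStatus'; Key = 'Defender cmdlets'; Name = 'Error'; Value = $_.Exception.Message }
    }
    return $out
}

Get-FlaggedSettings | Format-Table -Property Check, Key, Name, Value -AutoSize -Wrap
```

If the DefenderPolicy section lists anything while you never created a Defender policy yourself, that is the entry FRST marks with "<==== ATTENTION"; removing the value (or the whole empty key) and rebooting returns control to the Windows Security app.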

6 minutes ago, AdvancedSetup said:

DisableDefender
DisableDefenderCloud
(don't agree here unless you're running another full antivirus product, Defender is good and free so why not use it alongside Malwarebytes)

I will delete it immediately. However, I use Malwarebytes Premium.

7 minutes ago, AdvancedSetup said:

DisableCtrldFolderAccess (good if used correctly but no big deal not using it)

I will delete it immediately.

7 minutes ago, AdvancedSetup said:

Disabling DisableRemoteAssistance only prevents you from sending a request to someone to help you via remote. It does not have the same security issues as running RDP. But if you have no intention of ever using okay to disable.

Never used it, but I only disable RDP (which is more dangerous) and eliminate the other entry (just because I may need it with you).

Quote

DisableDefragmentation (why? disks still need degragmentation)

I had read that it damaged the SSD.

I am interested in your opinion

Quote

DisableIndexing  (why? that seems to be shooting yourself in the foot on Windows 10 since it heavily relies on searches)

I had read that it did not provide improvements with an SSD and could deteriorate it.

I am interested in your opinion.

Quote

DisableChangingSoundScheme (why?)

I will delete it

Quote

UninstallXPSPrinter (actually it works like PDF and does a good job but no harm in removing)

I prefer to use PDF; it is more standard

Quote

DNS Servers: 192.168.1.1 would recommend considering some type of secure DNS change

It is caused by DHCP; the modem owned by my provider does not allow changing the DNS. However, I will change it on every PC.

Quote

Recommend checking and possibly removing policy depending on what it is
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION

What does this indicate?

I wait for your answers, after which I will correct the preset, reset the PC and configure it according to your advice and then I would like to repeat the logs.

Thanks

Good day

Massimiliano


  • Root Admin

Wasn't aware you were using an SSD. However, Microsoft Windows 10 will automatically take care of any of its needs for the drive too.

https://www.howtogeek.com/256859/dont-waste-time-optimizing-your-ssd-windows-knows-what-its-doing/

Turning off Indexing, in my opinion, is not wise and bad advice by someone. In the Windows XP days, and perhaps even in some cases for early Windows 7, it may not have worked well, but on Windows 10 it is very important for it to be working well. A new modern SSD drive being harmed? Poppycock.

For the policy it may be part of you turning off Windows Defender. Again, I see no reason not to use Windows Defender as a secondary method of protection. It's very low on resource usage and works very well.
https://www.howtogeek.com/225385/what’s-the-best-antivirus-for-windows-10-is-windows-defender-good-enough/

I have corrected the preset.

On the things you have detected I will only disable RDP (Remote Desktop)

I removed everything else from the preset.

Now I reset the PC.

Soon after I will correct the DNS with OpenDNS.

Then I will collect the logs and post them for a final analysis.

I thank you for everything

A greeting

Massimiliano


All done.
I am attaching the logs. Please take a look
I chose to Disable Remote Desktop and Delete XPS Printer

malwarebytes.txt

AdwCleaner[S00].txt

FRST.txt

Addition.txt

Here is also the Updated Preset. This time it should be fine. If you can, take a look also here.

Default.txt

Thanks for everything

Good day

Massimiliano


  • Root Admin

All the logs look good at this time, except it looks like Malwarebytes crashed. Please restart the computer 2 times with a 5 minute span between reboots. Then run FRST again and post back the new logs.

The logs show no signs of any infection, but if you'd like to double-check then please run the following.

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not


  • 5 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you