Windows Defender Tampering Restore malware

Solved by Maurice Naggar

My PC is infected with VIRTOOL:Win32\DefenderTamperingRestore malware. The Tamper Protection is enabled in the Windows Security window but the corresponding Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features TamperProtection has 1 instead of 5 (meaning it is disabled) and cannot be changed. The malware gives the hacker control of my PC. It fools all the AV programs including MBAM. Any real assistance will be much appreciated.


5 minutes ago, Porthos said:

@groucho You also have a topic at Bleeping Computer: https://www.bleepingcomputer.com/forums/t/776437/windows-defender-tampering-restore-malware/

We can assist you only in one forum.

Thanks, Porthos. I did not know you were exclusive. Do you want me to remove my post from Bleeping Computer? Do you think you can help me? Thanks again and kind regards.


3 minutes ago, groucho said:

Do you want me to remove my post from Bleeping Computer?

That is your choice.

Posting to multiple forums

There have been several occasions where we have found people seeking help here, who are also asking for help at other forums.

  • You should only seek help at one forum.
  • If you have multi-posted, we ask that you select one forum from those where you sought help and ask the others to close your topics.


Although we understand you wish your problems to be addressed as soon as possible, there are reasons why multi-posting causes problems.


  • By Multi Posting you are utilizing the time of two (or more) trained helpers.

    Helpers take a long time to train. They need a great deal of expertise and knowledge to be able to safely remove Malware from your computer and because of this are in short supply. We wish to use them to help the maximum number of people, and if they are researching the log of someone who is already being helped, then their time and effort is going to waste.

    Understandably this causes a certain amount of bad feeling.
    • From the helper who has needlessly spent time researching your log and compiling and posting instructions.
    • From others who have to wait longer for their problems to be addressed.


  • Advice from two separate helpers can cause problems.

    Different helpers may use different methods to combat your infection. Whilst each in isolation is safe, that may not be so if you follow the advice of both together. Some of the tools we use are very powerful and have to be used in a specific way and in some cases do not combine well with others. By using advice from two different sources, it is possible that tools may be used that do not combine well and you may severely damage your computer, even rendering it inoperable in some circumstances.

Hello @groucho

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is also at times a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.


  • Please attach mbst-grab-results.zip to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail (the screen grabs just do not have full details, and those screens give no clue as to what processes are running).

Dear Maurice, thank you very much. The logs are attached but I remember running FRST before; it did not find anything. This malware is very insidious. It fools all AV software, even FRST. It has installed an Unknown User in the system which appears in Security and Permissions settings and cannot be removed. It has the number S-1-15-3-1024-315... followed by numerous digits. As you know, this malware has locked the TamperProtection into a disabled state in the Registry. I am not sure FRST can help. But I shall follow all your instructions to the letter. Thanks again.

mbst-grab-results.zip

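The two observations above (a TamperProtection registry value that disagrees with what Windows Security shows, and an unresolvable "Unknown User" SID beginning S-1-15-3-1024) can both be checked read-only. The following is an added example, not a tool from this thread or from Malwarebytes; it assumes Windows 10/11 with Microsoft Defender and an elevated PowerShell prompt, and the sample SIDs in the usage lines are constructed.

```powershell
# Added example, not from the thread: read-only triage of the opening posts' observations.
# Nothing here writes to the registry. The Features key is guarded by Tamper Protection
# itself and is meant to be toggled from Windows Security or MDM policy, not regedit.

function Get-TamperProtectionState {
    # Get-MpComputerStatus is the supported interface; IsTamperProtected is what
    # Defender itself believes, independent of the raw registry value.
    $status = Get-MpComputerStatus -ErrorAction Stop

    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $value = (Get-ItemProperty -Path $key -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection

    [pscustomobject]@{
        IsTamperProtected      = $status.IsTamperProtected
        TamperProtectionSource = $status.TamperProtectionSource   # present on recent Defender platform builds
        RegistryValue          = $value
        RegistryShowsEnabled   = ($value -eq 5)                   # 5 = enabled, as the post states
        # A mismatch between Defender's view and the registry is what the poster describes.
        ViewsAgree             = ($status.IsTamperProtected -eq ($value -eq 5))
        RealTimeProtectionOn   = $status.RealTimeProtectionEnabled
        AntivirusEnabled       = $status.AntivirusEnabled
        SignatureAgeDays       = $status.AntivirusSignatureAge
    }
}

function Resolve-SidKind {
    param([Parameter(Mandatory)][string]$Sid)

    # S-1-15-3-* is the Windows capability authority: these SIDs represent app
    # capabilities (used by Store/UWP apps), not accounts, so the Security tab lists
    # them as "Unknown" and they can never be resolved to a name. Seeing one is expected.
    if ($Sid -match '^S-1-15-3-') { return 'Capability SID (normal on Windows 10/11, not a user account)' }
    if ($Sid -match '^S-1-15-2-') { return 'AppContainer SID (normal on Windows 10/11, not a user account)' }
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return 'Account: ' + $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return 'Unresolvable account SID (deleted or foreign account; review what it has access to)'
    }
}

Get-TamperProtectionState | Format-List

# Constructed sample SIDs; substitute the full SID shown in the permissions dialog.
Resolve-SidKind -Sid 'S-1-15-3-1024-0-0-0-0-0-0-0-0'   # capability-authority shape
Resolve-SidKind -Sid 'S-1-5-32-544'                    # well-known: BUILTIN\Administrators
```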

Just strictly remarks & cautions. Doing a report run with Farbar does not make changes; nor is it a 'cure'. Later, I will be guiding you on Custom runs that will be helpful. Do not make changes on your own. Stay out of Regedit. 


Next steps. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article.
Please use this guide: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.


This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


Thanks. I know MSRT and MSERT. Unfortunately, MSRT finds nothing, while MSERT does find some infected files during the scan but at the end says it has found nothing. The most recent MSERT.log is attached. The reason it failed to submit its report to the Microsoft server is that I had disconnected the PC from the router to prevent the hacker from interfering with MSERT.

msert.log


The Safety Scanner log could not have been a FULL scan. 

I need you to do exactly as listed before. Do a new download of the tool. Save it. Then run a FULL scan so it checks all of the system. Then attach the log.

Also, this sub-forum is only for Windows. Any other operating system needs to be in the proper sub-forum. I do not do iPhones.


Many thanks, Maurice. I assure you the previous MSERT.log file was a full MSERT scan that I ran today. This is a new PC with only the very basic software on it. However, just as you say, I have just restarted my PC and re-downloaded MSERT (ver. 1.373.1055.0) and am running a full scan again, this time with the PC online. It has found 2 infected files, but does not say which ones. From my experience, MSERT either finds 2 or more files infected during the scan but then stops half way, before the green progress bar completes, and says it has not found anything, as in this case. I'm attaching the very latest log file. You can see the result in the bottom part of the file. I fear that this malware is fooling MSERT just as it does other malware detection software. Thanks again, and I apologize for any misunderstanding on my part.

msert.log


Next, 2 tasks.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Step 2:

Next, a custom script to do checks & selected cleanups.

We will use FRSTENGLISH.exe in the C:\Users\Avner\Downloads\ folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  Groucho  only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

This next run will do some checks using Windows SFC & DISM. It will also do some scans with Microsoft Defender antivirus. It will clear temporary files. It will clear Chrome & Edge browser cache files.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt             <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the More info line on that screen
               and click the Run anyway button on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. 


1 hour ago, groucho said:

The hacker is preventing me from posting to your other forum for iPhone

Follow the instructions given to you in that topic. As for this topic, be patient; Maurice is a volunteer and is not here every second of the day.


Thanks for the Fixlog.
Windows Resource Protection found corrupt files and successfully repaired them.
That is one benefit from the custom Fix run.

Plus, the Microsoft Defender antivirus is now in good shape / is up-to-date / has current definitions / protections are ON.
The custom Fix run is good.
Our sole & main goal here is the Windows machine. I will not stop on account of iPhone or posting issue.
If you are reviewing your active typing on the iPhone sub-forum and you see something about << IPS something or other mentioning "spam" >> ignore it and go ahead and apply the post of the reply.
There is no "hacker" / please forgo the paranoia.

Make movement & progress on this Windows machine. Let's do these next steps for the Windows machine.

I would recommend getting a readout report as to update status of some key apps.

This tool is safe. Smartscreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


<< The following thanks & credits to AdvancedSetup.>>

Do a Factory Reset on your Router if you own it


Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/


Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP Pings
  • Change the Default Router password using a Strong Password
  • Use a Strong WiFi password on WPA2 using AES encryption, or Enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: Keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the Router Firmware up-to-date?  Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set Firewall rules to BLOCK: TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.
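The router checklist above names a specific set of ports to block at the perimeter. As an added host-side companion (example code, not from this thread or from AdvancedSetup), the following reports which of those same ports are actually listening on the Windows machine and which process owns each, and can optionally add an inbound Windows Defender Firewall block for them. It assumes Windows 10/11 with the built-in NetSecurity and NetTCPIP modules and an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: host-side view of the router checklist's port set.
# Step 1 is read-only. Step 2 (opt-in) blocks inbound traffic to those ports on the
# Public and Private profiles; note that blocking 135-139/445 disables inbound SMB
# file sharing to this PC, which is usually what you want on a home machine.

# Same port set as the router checklist (135-139, 445, 1234, 3389, 5555).
$RiskyPorts = @(135, 136, 137, 138, 139, 445, 1234, 3389, 5555)

function Get-RiskyListeners {
    param([int[]]$Ports = $RiskyPorts)

    # TCP listeners and UDP endpoints on the watched ports, with the owning process.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object { [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess } }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object { [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; ProcessId = $_.OwningProcess } }

    foreach ($l in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $l.ProcessId -ErrorAction SilentlyContinue
        # 'System' (PID 4) on 445/139 is the normal SMB server; anything else deserves a look.
        $l | Add-Member -NotePropertyName Process -NotePropertyValue $proc.ProcessName -PassThru
    }
}

function Add-RiskyPortBlockRules {
    param([int[]]$Ports = $RiskyPorts)

    foreach ($proto in 'TCP', 'UDP') {
        # One rule per protocol; Domain profile is left to group policy.
        New-NetFirewallRule -DisplayName "Block inbound $proto risky ports (manual hardening)" `
            -Direction Inbound -Action Block -Protocol $proto -LocalPort $Ports `
            -Profile Public, Private -Enabled True | Out-Null
    }
}

# Step 1: what is exposed right now?
Get-RiskyListeners | Sort-Object Proto, Port | Format-Table -AutoSize

# Step 2 (opt-in): uncomment to add the block rules after reviewing the listing.
# Add-RiskyPortBlockRules
```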

The hacker controls my PC and is preventing me from downloading Security Check in my browser. When I try your link my Defender says  malicious software blocked. I have tried another browser and another address and I have the file but it is in Russian. Any idea what I should do? And, BTW, the router is a Fortinet 60 e dsl and I have no idea how to make those changes. I do not have the router manual. Could we possibly use Remote Desktop? Many thanks.


I do not do remote connection fixes. All my help is as a volunteer civilian and all my help is through this forum. Please cease thinking that there is some "hacker" about. The inability to run SecurityCheck is due to false blocks by either Windows SmartScreen or perhaps a false reputation block by Microsoft Defender itself.

If you can do any of the following, that would be a step forward. If not, let's NOT get into an endless rut.


Secure your router by resetting it and then setting a strong password to sign into the router, and a strong wireless key to sign into your network. You can find your router manual by googling the exact model (on bottom) to follow the reset instructions, set the password and wireless key, optimize Security and Performance per these articles:
https://www.lifewire.com/resetting-a-home-network-router-818061
https://www.techradar.com/broadband/how-to-change-your-router-password


We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe


It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.


  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review


NOTES: I am not an employee of Malwarebytes. I am just a volunteer. Also know that I have some 5 or 6 other cases that I am working on.

This is not a chat board.
