Dis-ApplePear, Posted January 13, 2023

First of all, apologies if this is the wrong section, this is more a question rather than a Malware case (I think), so if needed please move the topic to the corresponding section. Okay, so, I was doing a monthly checkup on my PC. Malwarebytes and McAfee didn't find anything strange. But when I ran Microsoft Safety Scanner it found the VirTool:Win32/DefenderTamperingRestore trojan, which it also mentioned that it removed. After that I made a full scan with Malwarebytes (rootkit option enabled), McAfee, Windows Defender and Safety Scanner again and everything was alright. Also my PC never had any strange behaviour or anything odd. Now I tried looking around what this could be about and found all sorts of stuff, from people saying it was a deadly doomsday virus to others saying it's a simple false positive that happens when my own antivirus disables Windows Defender (an actual Microsoft page says this even). While I had disabled the Malwarebytes option that "overrides" Defender a while ago, I noticed that I indeed had Periodic Scanning disabled in Defender, as McAfee was being treated as my main antivirus. Dunno if I disabled it myself, but I enabled it again before doing the second round of scans I mentioned above and there doesn't seem to be anything strange, all results were clean. Still wanted to ask about Defender Tampering Restore to be sure what it was about. I am aware that many sites, especially where regular users try to take action, can have a lot of misinformation.
1PW, Posted January 13, 2023

Hello @Dis-ApplePear and welcome back:

Regardless of where you have started your topic, it would be best if a timely set of good logs is made available. While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, please carefully follow these instructions:

1. Download the Malwarebytes Support Tool.
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
3. In the User Account Control pop-up window, click Yes to continue the installation.
4. Run the MBST Support Tool.
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file in your next reply to this topic.

Thank you.
Dis-ApplePear (Author), Posted January 13, 2023

Like this? (attached: mbst-grab-results.zip)
AdvancedSetup (Root Admin), Posted January 13, 2023

Hello @Dis-ApplePear

The Microsoft Windows Defender Tamper setting is normal and should be enabled. The logs don't seem to indicate any obvious infection at the moment.

Please temporarily disable your McAfee antivirus real-time protection and run the following scan from Microsoft: Microsoft Safety Scanner. Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1
Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2
I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options & select the FULL scan. Then start the scan. Have lots of patience. It may take several hours. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run. The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware). The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log. Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all breadcrumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Then it writes into the log on your computer what it found.
Dis-ApplePear (Author), Posted January 14, 2023

Gotcha, followed your instructions regarding the folders and left the Microsoft Safety Scanner doing a full scan one more time. As you mentioned it takes a few hours to finish, once it's finished I'll upload the log file. Thanks for all the help 1PW and AdvancedSetup.
Dis-ApplePear (Author), Posted January 14, 2023

Okay, I ran Microsoft Safety Scanner (it says everything ok), but forgot to turn off McAfee before doing so. My bad. Gimme a bit to do it again properly.
Dis-ApplePear (Author), Posted January 14, 2023

Alright, did it properly this time. Sorry for the delay. (It says that everything is fine again.) So... the whole VirTool:Win32/DefenderTamperingRestore that the Security Scanner identified as a Trojan at first, what was it exactly? You mentioned that the setting was normal and should be enabled, I get that, but what was it? And, oh yeah, nothing's gonna happen for having had my antivirus disabled during the couple of hours the Security Scanner was working, correct (that included the Firewall)? I didn't use the PC and just let the scanner work and disconnected it from the internet in the meantime. (attached: msert.log)
AdvancedSetup (Root Admin), Posted January 16, 2023

Microsoft added the Tamper Protection service to one of the newer updates to Windows 10 a while back. It is designed to help keep malware or other security products from disabling Windows Defender without properly doing so.

SecurityCheck by glax24
I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

1. Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
2. If Microsoft SmartScreen blocks the download, click through to save the file. This tool is safe. SmartScreen is overly sensitive. If SmartScreen blocks the file from running, click on More info and Run anyway.
3. Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
4. Wait for the scan to finish. It will open a text file named SecurityCheck.txt.
5. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Thank you
Dis-ApplePear (Author), Posted January 16, 2023

Alright, here it is. I didn't have any problems installing or running the program, SmartScreen didn't say anything. I noticed that the SecurityCheck says that "McAfee Firewall Core Service (mfefire) - The service has stopped" but the Firewall option of McAfee is On and currently working. (attached: SecurityCheck.txt)
AdvancedSetup (Root Admin), Posted January 16, 2023

I wouldn't be too worried about the report. It is not always 100% accurate.

Please uninstall, update, or otherwise address the following as appropriate for your system.

Adobe Acrobat Reader DC - Español v.20.013.20064 Warning! Download Update | ^Please run Acrobat Reader DC and go Help - Check for updates...^
Adobe Creative Cloud v.5.4.1.534 Warning! Download Update
Discord v.0.0.310 Warning! Download Update
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
Zoom v.5.11.1 (6602) Warning! Download Update
iTunes v.12.12.4.1 Warning! Download Update | ^Please use Apple Software Update tool.^
---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1

Then restart the computer and check for Windows Updates and install any security updates found. Let me know how the computer is running after all of this and if there are still any signs of infection or other issues.
Dis-ApplePear (Author), Posted January 17, 2023

Okay, updated the programs. Adobe was a nightmare (Reader sneak-installed two McAfee programs that were a pain to uninstall) and got rid of Bonjour. My PC is working well, nothing strange. To be fair, it never showed any strange behaviour nor issues aside from detecting the Defender Tampering Restore the first time around, which it never did again (decided to run Safety Scanner one more time and everything is clean). From what I am getting, the Defender Tampering Restore was added in a Windows Update at some point and is normal, but it was mistakenly identified as a Trojan by Safety Scanner, correct? I'll attach the latest SecurityCheck log as well. (attached: SecurityCheck.txt)
AdvancedSetup (Root Admin), Posted January 17, 2023

Yes, Microsoft did add the Tamper setting in a newer version of Windows via Updates. From my understanding both malware and in some cases even legit security programs change that setting and disable it. Microsoft re-enables the Tamper Protection.

The log looks good. There are still some McAfee elements on the system but you may have wanted or installed those on purpose. If not I can help you to remove those too, let me know.
Dis-ApplePear (Author), Posted January 18, 2023

Okay, so, my PC is clean according to all the reports, correct? There has never been weird behaviour or anything and now it's cleared up that the "virus" that was found was essentially a false positive. But just want to make sure.

Regarding McAfee, yeah, would be good to do a final cleanup if necessary. My main antivirus is McAfee LiveSafe so most elements must be from that, and I'd rather leave those, but not if there are some remaining that snuck in or still remain after Adobe installed stuff without permission. IIRC, the ones that snuck in with Adobe were McAfee Safe Connect and McAfee Security Scan Plus, both of which I managed to remove from my PC (I think no trace remains).

BTW, man, thanks a lot for all your patience and help here.
AdvancedSetup (Root Admin), Posted January 18, 2023 (marked as Solution)

Nope, if you're running McAfee as your main antivirus then all is good. Just the Tamper reset, which I wouldn't say is a false positive but no issue either.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

1. Please download KpRm by kernel-panik and save it to your desktop.
2. Right-click kprm_(version).exe and select Run as Administrator.
3. Read and accept the disclaimer.
4. When the tool opens, ensure all boxes under Actions are checked.
5. Under Delete Quarantines select Delete Now, then click Run.
6. Once complete, click OK.
7. A log will open in Notepad titled kprm-(date).txt. Please attach that file to your next reply. (not compulsory)

Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site. https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/

Make sure you're backing up your files: https://forums.malwarebytes.com/topic/136226-backup-software/

Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard
Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin
Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak
Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes
Dis-ApplePear (Author), Posted January 22, 2023

Alright, did so. KpRm essentially cleans the logs and removes all the programs I used during this process to scan and clean my PC, correct? SmartScreen was actually wary of this one, this time around. I actually did it twice, once following the procedure we were doing so far and later once again after trying Safety Scanner one more time, for what I describe below:

Before using KpRm for the second time, I made a test of sorts on my end. I manually disabled Defender and ran the Microsoft Safety Scanner to see if anything happened and yup, it actually detected the VirTool:Win32/DefenderTamperingRestore as a Trojan again. Defender was disabled the first time this detection happened (the instance that prompted me to make this thread). My take here is that any time Defender is disabled for one reason or another, Tampering Restore will kick in to try to enable it and Safety Scanner will detect it as a Trojan. Though I still don't quite get why. I mean, if Tampering Restore is officially part of an update and Safety Scanner is a Microsoft product, shouldn't Safety Scanner recognize it? (I did download the newest version from the page, so I don't think it was because Safety Scanner wasn't updated.) Another thing that I am wondering about is that Tampering doesn't reactivate Defender; if Windows Defender is disabled I have to manually enable it myself.

Sorry to keep dragging this, but I simply want to know. It was the reason I made this topic after all. Though I really appreciate all the help to ensure my PC is clean.

Here are the logs of the KpRm (before and after this last Safety Scanner) as requested and the last Safety Scanner, just in case. And, really man, thanks for all your help and patience. (attached: msert.log, kprm-20230121205933.txt, kprm-20230122114935.txt)
AdvancedSetup (Root Admin), Posted January 23, 2023

Please see the following if you want to learn more about the Windows Tamper Protection: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide
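The two questions running through this thread (whether Defender was actually disabled when the detection fired, and whether Tamper Protection is currently on) can both be answered from the machine itself rather than from a scanner's verdict. The script below is an added example written for this page, not a tool from the thread or from Malwarebytes or Microsoft; it uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference (present on Windows 10/11) and reads the Safety Scanner log at the C:\Windows\debug\msert.log path given earlier in the thread. The interpretation comments at the end are mine and are meant to line up with what the original poster reproduced: the detection appearing together with Defender turned off.

```powershell
# Added example (not from the thread): report the Defender state that the
# VirTool:Win32/DefenderTamperingRestore detection relates to, and pull any
# lines mentioning that detection out of the Safety Scanner log.
# Run from an elevated PowerShell window.
# Assumption: the Defender PowerShell module is present (Windows 10/11 client).

function Get-DefenderTamperSummary {
    param(
        # Default is the log path given earlier in the thread; override for a saved copy.
        [string]$MsertLog = 'C:\Windows\debug\msert.log'
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    $summary = [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        AMRunningMode             = $status.AMRunningMode        # e.g. Normal, Passive Mode, Not running
        IsTamperProtected         = $status.IsTamperProtected
        RealtimeMonitoringDisabledInPreferences = $pref.DisableRealtimeMonitoring
    }

    # Lines in msert.log that name the detection discussed in this thread, if any.
    $hits = @()
    if (Test-Path -LiteralPath $MsertLog) {
        $hits = @(Select-String -LiteralPath $MsertLog -SimpleMatch -Pattern 'DefenderTamperingRestore' |
                  ForEach-Object { $_.Line.Trim() })
    }

    $summary | Add-Member -NotePropertyName TamperingRestoreLogLines -NotePropertyValue $hits -PassThru
}

$result = Get-DefenderTamperSummary
$result | Format-List

# Interpretation (my reading of the thread, not Microsoft's documentation):
# - IsTamperProtected tells you whether the Tamper Protection setting the
#   admin referred to is currently on; it should normally be True.
# - RealTimeProtectionEnabled = False together with DefenderTamperingRestore
#   lines in msert.log is the combination the original poster reproduced by
#   switching Defender off before scanning; on its own it is a state change
#   being recorded, not proof of a separate piece of malware on the system.
if (-not $result.IsTamperProtected) {
    Write-Warning 'Tamper Protection is off; it can be re-enabled under Windows Security > Virus & threat protection settings.'
}
if ($result.TamperingRestoreLogLines.Count -gt 0) {
    Write-Output 'msert.log mentions DefenderTamperingRestore; check whether Defender was disabled when that scan ran.'
}
```

Because Safety Scanner uploads its results for cloud analysis before writing the final verdict (as described earlier in the thread), the most useful habit is to record the Defender state with a script like this immediately before starting the scan, so the log line and the machine's configuration at that moment can be compared afterwards.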
Dis-ApplePear (Author), Posted January 23, 2023

Will do, thanks. The read is being helpful so far. Just to bring this to an end. The final logs I sent look clear? PC is working well and all, and we were good so far with the procedures. Sorry for dragging this. This is the last stretch, promise.
Dis-ApplePear (Author), Posted January 24, 2023

Hey, just wanted to mention that everything works alright and no issues. Thanks a lot, AdvancedSetup, for all your help and especially all your patience with all of this. Even if Tamper wasn't really an issue, this also helped to update everything and ensure the PC was alright. Really, thanks man.
AdvancedSetup (Root Admin), Posted January 24, 2023

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you