
A VirTool:Win32/DefenderTamperingRestore infection, please help!!!


Solved by Maurice Naggar

About a week ago I was informed by Windows Defender that I was infected by a Trojan in system32. I panicked and did a complete SSD wipe and installed a fresh copy of Windows soon after. However, after I got the system up and running I noticed that Windows Defender wouldn't run an offline scanner and there was no Virus and Threat update information available so I installed MSERT to check the system. Ran it many times and it found the bad boy from the title every time. I saw that it was a usual procedure on this website to install Malwarebytes, MB Support and FRST64 so I did it and got my results. The MSERT log and MBST results are in the attachment. Maybe I got a little carried away and installed all this software in advance but I wanted to have some reports from the start. Wanted to do a FRST64 scan too and post the log here, but I'll wait for some instructions first. All help is highly appreciated.

P.S. If I did anything wrong I apologize in advance as this is my first tech-related post ever.

mbst-grab-results.zip msert.log


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.


Patience is advised. I will have more for you to do soon.


Next action step:
Disable (turn OFF) Fast Startup

https://www.windowscentral.com/how-disable-windows-10-fast-startup

Then restart the computer

Step 2

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script run has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program tool: FRSTEnglish.exe in the Downloads folder

Please download the attached fixlist.txt file and save it to the Downloads folder.

Fixlist.txt


NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Right-click on FRSTENGLISH and select

Run as Administrator

and reply YES to allow it to proceed

and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run scans with MS Defender antivirus. It will clean up the work areas for MS Windows Update (this machine appears to have a problem with updates for Defender). It will queue up a CHKDSK of drive C at the next reboot, so be sure to not interfere with that, and have lots of patience.

Depending on the speed of your computer this fix may take 40 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


The ZIP file was created by the run of the script that I had posted in my reply. That is ok. It is not a danger. What I do need is the report file named FIXLOG.txt that is in the same folder from where you did the run of FRST. Please look for it. Attach it in your new reply. Look for the Fixlog.txt that is in the Downloads folder.


No. Do just this.

The support tool mb-support-1.8.7.918.exe is in the Downloads folder.

This is a report only. Launch mb-support-1.8.7.918.exe

Once you start it, click Advanced >>> then Gather Logs

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach mbst-grab-results.zip to your reply

Thank you for the new ZIP report. I can tell that the last custom run did succeed. Whereas before the Windows System Restore service was off, now it is on. I can also see that Microsoft Defender antivirus is on, enabled, and its services running. I also see that the last Malwarebytes scan run is good.

[ Do a custom scan with Microsoft Defender Antivirus ]

I just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security.

Next, in the Windows Security section, click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and see "Check for Updates".

You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.

Please also note that all the Scan options can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break. 

Step 2

As a next step, I suggest the following:

This is for a scan with ESET Online Scanner (free). ESET is a well-respected, well-known entity and tool.

You can start this & once it is under way, you can leave the machine alone & let it run overnight. No need to keep watch once it starts the actual scan run.

Next, this will be a check with ESET Online Scanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.


  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on FULL scan.
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

  • Solution

Alright. Thanks. 

Please run the following new custom script. Read all of this before you start. Please Close all open work.

Once the script run has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program tool: FRSTEnglish.exe in the Downloads folder

Please download the attached fixlist.txt file and save it to the Downloads folder.

Fixlist.txt


NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Right-click on FRSTENGLISH and select

Run as Administrator

and reply YES to allow it to proceed

and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Depending on the speed of your computer this fix may take 30 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


Thank you! The run is very good. The report from Windows indicates that Microsoft Defender is up-to-date & current and all its protections are on.
Indications are that this system is in a good state.
Do a Windows Update run just to have a look.
I would suggest ensuring that this PC is all up-to-date with Windows O.S. security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have patience.


I've checked for the updates and the system installed one for Windows Defender. There is only one optional update remaining, don't know if I should install it. It's this one: 2023-01 Cumulative Update Preview for Windows 10 Version 22H2 for x64-based Systems (KB5019275). I don't know if anything else has been tampered with, such as my router. Ever since my last Windows install, I didn't log into my Microsoft account nor the OneDrive service, as I'm afraid it might trigger additional problems or some residual infection may be residing there. I'm in no hurry whatsoever, just a little worried. Thank you.


Note the key word "PREVIEW". "Cumulative Update Preview for Windows 10".
Previews are optional. We can typically ignore them. The previews are just an early availability of potential fixes that may come out the following month.

As to the hardware router: you can apply some minimal, basic pro-active steps.
Do what I call a "power off/power on cycle" .... just one time.
Systematically power down all your system, recycle your router, and then power on in order.
It is now a very good idea to reset the router for the internet connection service.
First, shut down Windows and be sure the power is OFF.

Now, unplug the power plug to the Modem and the Router. Wait for about a minute, please.

Now, plug the power into just the Modem (unless you have a modem/router combo). When all the lights come up, plug in the power to the Router (unless a combo, of course).

Now, power on the computer and get Windows restarted. One Windows system at a time.

Then these additional tips (credit Advancedsetup):

Please ensure that you have the user manual for your router. Then perform a factory reset. NOTE: Do NOT reset the router if you don't own it. Check with the company that provides your internet service. Contact their support team.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/


Depending on one's preferences and the Router's capabilities please consider the following.

  • Disable acceptance of ICMP pings
  • Change the default router password, using a strong password
  • Use a strong WiFi password on WPA2 using AES encryption, or enable WPA3 if it is an option.
  • Disable Remote Management
  • Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network. Example: keep IoT devices on one network and mobile devices on another.
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.
  • Is the router firmware up-to-date? Updating the firmware mitigates exploitable vulnerabilities.
  • Specifically set firewall rules to BLOCK: TCP and UDP ports 135 ~ 139, 445, 1234, 3389 and 5555
  • Document passwords created and store them in a safe but accessible location.

After some talk with my provider's customer support I've got some information regarding the router resetting business. First, ICMP's off the table, as well as all the other IPv6 options. Second, what I have is a combo modem/router and it does offer 2 networks (2.4 and 5G, respectively), with the possibility of adding an additional 2.4G network via a mobile app. Furthermore, the Firewall doesn't have any blocking options per se but different levels of protection (off, low, medium and high), with the first two having all ports allowed, whereas the medium one has a longer list of allowed ports without the ones you specified in your previous message. The highest level of protection offers an even shorter list of allowed ports. Besides these, there are 3 additional Firewall features that can be enabled as well: block fragmented IP packets, port scan detection and IP flood detection. All the other options regarding the reset are available. I would appreciate some advice as I am not really sure what to choose out of all these. Thank you.


I would advise basically to follow the advice of your internet service provider. Do what you _can_ of the other advice listed before. What you cannot do, skip that. I would be sure (or at least try) to do:

  • Change the default router password, using a strong password
  • Change the network name (SSID). Do not use your name, postal address, or other personal information. Make it unique or whimsical and known to your family/group.

You may if you want. Just be sure to do a new download of the MSERT tool from Microsoft. By the way, it (the warning message by MSERT) is commonly caused after a user switches from using MS Defender and installs a 3rd-party brand of antivirus. The warning really is about a specific value in one registry entry that turns off one setting. It is not an indication that means an actual presence of malware. We determine malware by running one or more security scan tools. I have already had you run ESET Online Scanner and the actual Microsoft Defender antivirus itself, in addition to running a custom fix.

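An added check that is not from the thread or its helper: it reads the Microsoft Defender state that the reply above describes (protection on, tamper protection, passive mode when a third-party antivirus is registered with Security Center) and the documented Defender policy registry values that can switch protection off. Which single registry value the MSERT warning actually keys on is not stated in the thread, so treating these two as the relevant ones is an assumption.

```powershell
# Added example (not from the original thread). Run in an elevated PowerShell.
# Reports the Defender engine state plus the Group Policy registry values that
# force Defender off; whether these are the exact value behind the MSERT
# DefenderTamperingRestore warning is an assumption, not something the thread states.

$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled          = $status.AntivirusEnabled
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    IsTamperProtected         = $status.IsTamperProtected
    AntivirusSignatureAge     = $status.AntivirusSignatureAge   # days since last definition update
    AMRunningMode             = $status.AMRunningMode          # "Normal" vs "Passive Mode"
} | Format-List

# Documented Defender policy values. A DWORD of 1 here disables the feature
# regardless of what the Windows Security UI shows; a clean install has neither.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $policyChecks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $value) {
        "{0}\{1}: not set (expected on a default install)" -f $c.Path, $c.Name
    } else {
        "{0}\{1} = {2}  <-- policy present; 1 means this protection is forced off" -f $c.Path, $c.Name, $value
    }
}

# Antivirus products registered with Windows Security Center. A third-party
# product here puts Defender into passive mode, the benign cause the reply mentions.
Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState
```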