I cannot remove “virtool:win32\defendertamperingrestore” and I need help


Solved by Maurice Naggar.


Hello. I really need your help.

I had decided to look at my Task Manager and I saw an unusual process running. Unusual because it had a very specific installation date, very different from the others, which all had the same date, and there were some reports on the internet saying it could be something suspicious. It was recommended to do a scan on the computer with Microsoft Safety Scanner, so that was something I decided to do as well. It scanned almost my entire computer; for some reason it stopped when the loading bar was already 2/3 complete. It detected 2 infected files. The program informed me the scanning was done immediately and there was 1 malicious file deleted, which was the defendertamperingrestore one. Fine. Then I went to enable Tamper Protection in Windows Defender. It asked me to restart my PC to apply it. Did it. Tamper Protection was activated; however, it still had the warning sign as if I hadn't actually enabled it.

I did not repeat any scanning because I knew there is this possibility that this malware has not been removed from this PC.

 

Some notes:

- I have used this device for exactly 1 year; I did a system restore about two weeks ago, and no files were kept. That one suspicious process was reported as installed on Feb 11th 2023.

- I have a history of downloading pirated games on this device, and I knew there was the possibility of installing something considered suspicious; therefore I did not consider that it could actually be.

- When I start my computer, it seems like something is running because of the cooler sound and brief loading pointer.

- I had decided to system restore this computer because I was worried something suspicious was installed since my Microsoft account keeps getting several unsuccessful entries.

- This computer comes previously installed with McAfee however I had not selected any preferences nor executed any scans.

I hope this information was clear enough. I am not so familiar with the language of this field, so if there's the possibility of providing more detailed steps, I would appreciate it so much. I really need your help removing it because this device is used for work, study and personal purposes. At this point I am very, very desperate and anxious. If anyone can help me, please.

Thank you.


Hello @liz2509 and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


Hello and welcome, @liz2509

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

Please do the Gather logs with the Support tool and attach the Zip file ( as per preceding reply ).

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

You made mention of history of getting suspicious or hacked or cracked programs. It is a bitter lesson that all too many finally realize. I would urge you highly to stay far away from hack / cracked software of any sort. Whether a so called free program or free game, or whatever.
Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE
https://scambusters.org/crackedsoftware.html


Thanks. Now the first steps. There will be many more. Take these actions so that Windows 11 is set to show all hidden files and folders.

Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View > Show > File name extensions.

  • This computer came from the factory with McAfee VirusScan? Yes or no?

  • Have you paid for a license for McAfee VirusScan, or do you regularly use McAfee VirusScan? Yes or no?

The first time McAfee VirusScan was installed it would in fact have turned off all real-time protections of Microsoft Defender antivirus.
That is in fact normal anytime any non-Microsoft antivirus is installed. If you do not use McAfee VirusScan then go ahead and Uninstall it. See this Microsoft Support link.

  • Next first step is to Turn OFF (to DISABLE) the "fast startup" of Windows 11.

See https://www.windowscentral.com/software-apps/windows-11/how-to-enable-or-disable-fast-startup-on-windows-11

When that is done, be sure to do ( from Start menu) one Power >> Shutdown >> Restart.
Having "fast startup" can complicate our efforts to fix problems.
 


@Maurice Naggar Yes, this computer came with McAfee LiveSafe from the factory. 

I have not paid it, it is actually a free trial version. It is installed automatically and I have never directly used it in the sense of actually accessing it and selecting any tools or tasks from McAfee, however, it is active on my computer and it does scans of my files and what I download on the Internet, since it always pops up with a message telling me. I have just loaded McAfee now and it says my antivirus protection is on, and the 'tracker remover' is as well. 

With that in mind, should I still uninstall McAfee?

I have disabled the fast startup option now and I am going to do the restart. 

 

 


IF you are not paying for McAfee then Yes, you should Uninstall it and then do a Windows Restart, and tell me when this is done. With the upcoming tasks & other steps I will guide you on, this PC will have all protections of Microsoft Defender (it is free and comes with Microsoft Windows).


When you are ready, here are the next steps.

( 1 )


Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773
and post back the log as shown below.
Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

( 2 )


Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
(We want that to be set as Off. Be sure that line's radio-button selection is all the way to the Left. Thanks.)

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


( 3 )


Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner.

Guide article

Attach the clean log from Adwcleaner when all completed.


There were many items detected by Malwarebytes that you did not TICK so that they would be actually removed.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 

[Screenshot: Malwarebytes 4 scan results with the top check-box ticked so all lines are selected]

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on the Quarantine button.

[Screenshot: Malwarebytes 4 scan results with all items selected and the Quarantine button]

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Solution

Yes, that is normal.

Please run this special purpose custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to the Downloads folder.

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH.exe, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

IF the FRST/FRSTENGLISH (Farbar FRST) issues an error message when you start this task-run, then Please Stop and let me know the "error exception message", then wait for me to make a new reply.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . 

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


Good morning, good day to you. The custom script run is very good. The last traces of McAfee leftovers are removed. The main point is that Microsoft Defender antivirus is up-to-date & running & has all its protections ON.

[ Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

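The post above walks through the Windows Security GUI: check for updates, then a Custom scan of the C: drive, then report the results. The same sequence can be driven from an elevated PowerShell prompt with the Defender cmdlets that ship with Windows 10/11. This is an added example, not code from the thread or from Malwarebytes; the cmdlets and property names are the documented ones, and the only assumption is that the scan target is the whole C: drive as the helper asked.

```powershell
# Added example (not from the thread): "check for updates, then custom scan of C:"
# done with the built-in Defender cmdlets from an elevated PowerShell prompt.
# Nothing here changes settings; the only action taken is the scan itself.

# 1. Refresh signatures first so the scan runs with current definitions
#    (GUI equivalent: Virus & threat protection > Check for updates).
Update-MpSignature -ErrorAction Stop
$status = Get-MpComputerStatus
"Signature version : $($status.AntivirusSignatureVersion) (age: $($status.AntivirusSignatureAge) days)"

# 2. Note the engine state before scanning. A scan still runs with real-time
#    protection off, but that state is itself worth reporting to the helper.
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is OFF; the scan will still run, but report this.'
}

# 3. Custom scan of the whole C: drive (GUI: Scan options > Custom scan > C:).
#    Synchronous; on a large drive this takes as long as the GUI scan does.
Start-MpScan -ScanType CustomScan -ScanPath 'C:\'

# 4. Everything Defender has recorded, newest first, with the files involved.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 5. Map each ThreatID to its readable detection name and severity.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize
```

The two tables at the end are what a helper actually wants to see: which files were involved and whether the action succeeded, rather than the summary "nothing was detected" line the GUI shows. If the detection list is empty after a full custom scan, the result matches what the user later reported in this thread.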

@Maurice Naggar Hello!

The Windows Defender still has a warning sign saying my “device protection” (when it comes to “core isolation”) and “apps & browser control”* are both deactivated. I have searched for any updates for virus and threat protection and it says it is up to date.

I have done a custom scan and it says nothing was detected. Took 30 minutes and scanned around 365.000 files.

 

*I am not sure if these are the exact names in English because my computer is registered in another language, but I believe it is comprehensible. 

 

 


Your Windows OS is Windows 11 Home Single Language Version 22H2 22621. I tend to think the "core isolation" and the other issue are simply Windows 11 things. Those are not from an actual "infection". I am aware that the "apps & browser control" is an issue that has been seen on Windows 11 systems, but that is not an "infection" related matter. I want to suggest you do some research on the community Elevenforum board https://www.elevenforum.com/


Oh I see. However I still worry because of the context of it all. I had a system restore and these protection/control tools were deactivated for some reason since the first day of restore. Also the fact that the “tamperingrestore” file was found and related to W. Defender and the amount of infected files found even though I hadn’t really downloaded anything on my PC after the restore makes me very confused and worried ☹️

 


Hello. Good morning. I hope you are doing well. I've read your last notes. I understand what you say. I would suggest to "unpack" the different pieces.
First, the old message from Microsoft Safety Scanner about “virtool:win32\defendertamperingrestore”.
The wording can be overly scary. The only issue at the base of that message is one single setting on one registry key. By itself, the message is NOT intended to equate to the actual finding of malicious malware. The registry value is not a malicious payload by itself.
Anyhow, bottom line IS that we have cleared away any residue of that factor. After running the custom Fixlist, Windows is reporting that Microsoft Defender is all fine, in good normal condition. Matter of fact it reports
IsTamperProtected    : True
Tamper protection is ON. Not only that, but the definitions are UP-TO-DATE
+ all protections of Microsoft Defender are ON.

The other new "issues" you listed in the last 2 posts are not indicators of malware nor an infection. They are commonly encountered.
I am recommending you visit and look at some Windows 11 forums that commonly deal with unique conditions of Windows 11.
I am not aware of forums that speak Português.
However Elevenforum is a reliable Windows forum (one of several). I am suggesting you check these articles and posts at Elevenforum.


How do I resolve this core isolation warning ? 

An old or incompatible printer driver, for example, can be the root source that triggers these types of situations.

 Enable or Disable Core Isolation Memory Integrity in Windows 11

As I noted previously, "Apps and browser control" of some Windows 11 systems can go astray.
Apps & Browser Control - Action recommended

App & Browser control section is completely missing from windows security center

Possibly if you search your Windows 11 on "Potentially unwanted app blocking" and set that to OFF it may help resolve some issue you are currently seeing.

Yellow triangle in Windows Security


 

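The post above makes two points that can be verified on the machine without changing anything: Defender's own status report (the `IsTamperProtected : True` line it quotes comes from `Get-MpComputerStatus`), and the fact that the Safety Scanner message boils down to one setting on one registry key rather than a payload. The following read-only check is an added example, not code from the thread or from Microsoft. The thread does not name which registry value the detection refers to; the policy key and the two value names below are a documented Defender policy location, included here as an assumption about where such a disabling setting would appear.

```powershell
# Added example (not from the thread): read-only Defender health check.
# Reproduces the protection flags the helper quotes (IsTamperProtected etc.)
# and looks at the Defender policy key for a value that would force it off.
# Run in an elevated PowerShell prompt on Windows 10/11. Makes no changes.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Each entry is a condition that should be $true on a healthy machine.
$checks = [ordered]@{
    'Antivirus enabled'               = $status.AntivirusEnabled
    'Antimalware service enabled'     = $status.AMServiceEnabled
    'Real-time protection enabled'    = $status.RealTimeProtectionEnabled
    'Behavior monitoring enabled'     = $status.BehaviorMonitorEnabled
    'Tamper protection enabled'       = $status.IsTamperProtected
    'Signatures at most 3 days old'   = ($status.AntivirusSignatureAge -le 3)
    'Real-time not disabled by prefs' = (-not $pref.DisableRealtimeMonitoring)
}

$allGood = $true
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $allGood = $false }
    '{0,-34} {1}' -f $name, $(if ($ok) { 'OK' } else { 'ATTENTION' })
}

# Policy location (assumption: the thread does not name the key it refers to).
# No key or no value means no policy is applied, which is the normal home-PC state.
# A value of 1 here is the kind of "single setting" that turns Defender off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
foreach ($valueName in 'DisableAntiSpyware', 'DisableAntiVirus') {
    $v = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($null -eq $v) {
        "$($valueName) : not set (expected on a home PC)"
    } elseif ($v -eq 1) {
        $allGood = $false
        "$($valueName) : 1  <- policy is forcing Defender off; record who or what set it"
    } else {
        "$($valueName) : $v (present but not disabling)"
    }
}

if ($allGood) { 'Defender reports all protections ON, matching the state described in the thread.' }
else          { 'One or more items need attention. Save this output and report it before changing anything.' }
```

Because tamper protection only blocks changes, reading these values is always allowed, so the script works whether or not tamper protection is on. The point of the last block is the one the helper makes: a policy value in that key is a setting, not malware, and the useful question is who or what put it there.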

@Maurice Naggar Oh, I see. It could make sense since my computer reported the printer driver was outdated before I took the system restore. I will take a look at these forums. Are there any new steps? Is my computer safe to be used now? I felt so worried I just simply stopped using it and logged off every single account I had. Do you have any recommendation as to what I should do from now on? Do I use Malwarebytes as my antivirus now, and Microsoft Defender? Do scans from time to time in both?

Thank you


Quote: "my computer reported the printer driver was outdated"

Find that printer driver and remove it.

Yes, it is safe to use the computer.

I would appreciate these 2 reports. Temporarily disable Microsoft SmartScreen to download the next tools.

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

 

( 2 )

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.


@Maurice Naggar Hello! Sorry it took me longer to reply you.

I went to Windows Update to check if my printer driver had a problem and there was not anything there. And there are some updates as well that are being processed while I'm writing this. So, do you know exactly how I can find out if my driver is outdated and how to remove it?
 

I didn't follow these steps yet because I don't know how relevant it is for me to exclude this driver, or if it has any impact on the following steps.


Hi. My question to you would be: just what is the model & make of the printer that you actually have? If needed, check the support website of the manufacturer of the printer for the latest driver. The principle to follow is to get the hardware driver from the hardware maker.


Let us see about running a tool to report on your hardware, hoping to see what printer is reported. 

Please download HWiNFO the Professional System Information and Diagnostics program.
HWiNFO Portable for Windows

Unzip the program to its own folder such as: C:\HWiNFO
Go to the new folder and locate the file C:\HWiNFO\HWiNFO64.exe and double-click to run it.
Click the RUN button.
Ignore the update, click close.
Click on Save Report and choose HTML and click Next, then Finish
By default, it will create a new report named COMPUTER.HTM in the same folder as the program. C:\HWiNFO
Please zip that file and attach it to your next reply

 

(  2  )

 

Please run this special purpose custom script. Read all of this before you start. This is a very quick run to get more detail about the printer(s). It does not make changes. This is only a report.

Please download the attached fixlist.txt file and save it to the Downloads folder.

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH.exe, and fixlist.txt are in the same location or the fix will not work.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait, though this will finish quickly.
The tool will make a log on the Downloads folder (Fixlog.txt) . 

Note: If the tool warned you about an outdated version please download and run the updated version.

Attach FIXLOG.txt with next reply.

Edited by Maurice Naggar
added second report

This topic is now closed to further replies.