Jump to content

Another VirTool:Win32/DefenderTemperingRestore issue


Go to solution Solved by AdvancedSetup,

Recommended Posts

I know from my internet searches on this subject this is a common question and it seems like it might be benign, but I figure it's better to be safe than sorry.

Every time I restart my PC, Windows Defender pops up with this warning about the DefenderTamperingRestore, dated 1/09/2024, but as soon as MalwareBytes loads up this disappears from the Windows Security Center completely. I assume that this is because MWB is turning off something to be the main antivirus - I have the Windows Security Center register option turned on. I run multiple MWB scans per day and nothing ever comes up. I don't have any cracked software or game cheats, but I know these days you don't necessarily have to have downloaded something like that to get malware.

Any help you can give on this subject would be much appreciated.

Link to post
Share on other sites

  • Replies 50
  • Created
  • Last Reply

Top Posters In This Topic

@Bluebomber4evr

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove pesky malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • image.png.79d4442a821713608fa60808a98c2e69.png
  • image.png.98d86a6c3017d2bbba48877ea4f6ba45.png
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

    Then be patient for the next expert to take your case.

Thank you

Link to post
Share on other sites

  • Root Admin

Hello @Bluebomber4evr

Microsoft appears to have made some change to how Registering in the Security Center affects their Tamper Protection

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

image.png.ced4aa64af4718ab767f579cc39014

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

 

That should allow both Windows Defender and Malwarebytes to run alongside each other without issue.

Let me know if that corrects the issue for you or not.

Thank you

 

Link to post
Share on other sites

  • Root Admin

Please run the following again for me now.

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Link to post
Share on other sites

  • Root Admin

No, the computer actually has something that set a disable command for Windows Defender. We need to remove that. Then there are some other signs of infection that need to be cleaned up.

 

The Farbar (FRST) program is located here in your downloads folder:  C:\Users\blueb\Downloads\FRSTEnglish (2).exe   I would recommend you rename it to FRSTEnglish.exe and remove the space and (2) from the name.

Please follow the process below to perform a fix in Safe Mode

 

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

 

Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
GroupPolicy: Restriction
End::

 

  • Right-click on FRSTEnglish in your Downloads folder, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in your Downloads folder or where you have the Farbar program located.
  • Attach that log in your next reply.
 
Thank you
 
 
Link to post
Share on other sites

So even though I selected safe mode with networking, I didn't have networking in safe mode. I copied the lines of text to a notepad file and saved it to my desktop, rebooted to safe mode, copied the text and ran the FRST fix. The log is attached below.

I had to reboot back into normal mode to get network connectivity, and the Windows Defender warning popped up again, even after running the fix.

Fixlog.txt

Link to post
Share on other sites

  • Root Admin

Something put it back.

Please run the following @Bluebomber4evr

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 

Link to post
Share on other sites

  • Root Admin

Okay, let's try another scanner then.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin
  • Solution

Just stop the scan then. No need to do anything with it.

Please temporarily uninstall Malwarebytes and restart the computer.

Get me a new, fresh set of scan logs from Farbar to see what they say now.

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Link to post
Share on other sites

Okay, so I had to work in the office today and just got home, and before I do that, are there any special steps for uninstalling MBAM? I've never had to uninstall it before and I want to make sure I do it correctly.

Also, I have the MBAM browser guard installed on all browsers, do I need to uninstall those too?

And is there anything I need to do in regards to my premium license when reinstalling? I believe my license only covers one machine so I just want to make sure I'm doing that right as well.

Link to post
Share on other sites

  • Root Admin

Just deactivate the program first so that your license usage is reset.

Then from the Control Panel, Programs, Programs and Features you should be able to uninstall the program.

Then restart the computer again and let me know what issues you still see.

Then get me new fresh logs again as well

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

 

Thank you @Bluebomber4evr

Link to post
Share on other sites

  • Root Admin

You have some broken services and a setting to prevent Windows Defender from running properly.

In order to properly correct these issues you should follow the directions below

 

Repair Install Windows 11 with an In-place Upgrade
https://www.elevenforum.com/t/repair-install-windows-11-with-an-in-place-upgrade.418/

 

Link to post
Share on other sites

So I'm trying to look into this and I'm having some issues.

The first option on elevenforum's instructions looks like the easiest, hassle-free option, but it requires being in the Windows Insider program. Their instructions say that the beta channel has the "fix problems using Windows Update" feature, and since the beta channel is stable (I'm not willing to use the Canary channel or Dev channel because I'm not going to risk stability issues), I signed up for the Windows Insider Beta Channel, but it did not make "fix problems using Windows Update" available upon install/restart. So elevenforum's instructions are out of date.

Downloading an ISO, the second option, apparently only works for the same version/build or better, but now that I am in the Beta channel, I don't have the same build as the ISOs available, and leaving the Windows Insider program does a wipe of all your data, and I'm not willing to do that.

So I'm in a bit of a bind here.

That being said, the logs that I posted last night (and the WD errors listed on them)were made before Windows Defender repaired itself. Windows Defender now says that no actions are needed and I ran a scan within the last hour and it did not detect any threats. The tampering restore entries are no longer listed in the history. I've attached new FarBar scans that I just ran. There are no error entries for Defender past the ones that were generated last night before it was repaired.

My priorities right now are mainly to make sure my system is safe and secure. Ideally I'd like to run MBAM and Windows Defender side-by-side, but if that's not possible at the moment, I can live with Windows Defender alone until such time as both can run together without conflicts.

So, based on these newest logs, do I still need to repair? And what are my options now to do that? Is there a more granular approach to fix the specific broken services that does not involve data loss?

FSS.txt FRST.txt Addition.txt

Link to post
Share on other sites

  • Root Admin

Great, glad those items were fixed. Let's go ahead and have you run the following. The logs no longer indicate the services are broken but there are some other clean up items.

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\blueb\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.