Windows Defender found "VirTool:Win32"

[guibin]

I downloaded and installed a windows update (2024-07 Cumulative Update Preview for Windows 11 Version 23H2 for x64-based Systems (KB5040527)) and restarted my PC as instructed, then Windows Defender detected something call "VirTool:Win32". See attached screenshots. When I opened Windows Defender, it looks like it was turned off. I turned it back and did some scans with Windows Defender and Malwarebytes, but it didn't find anything. I also attached a screenshot of what my Windows Defender currently shows. Did I get a virus somehow or did the windows update do something to Windows Defender that caused this?

When I try to run FRST64 tool, Windows Defender stopped it. Should I let it run anyways?

Malwarebytes Scan Report 2024-07-26 200631.txt

[AdvancedSetup]

Hello @guibin

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

 

Then after the restart, please run the following

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thanks

 

 

 

 

[guibin]

17 minutes ago, AdvancedSetup said:

Hello @guibin

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

 

Then after the restart, please run the following

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thanks

 

 

 

 

Please see attached.

Windows Defender also popped up with another alert because I don't use OneDrive. Is this just Windows Defender and Microsoft being heavy-handed?

Addition.txt FRST.txt SecurityCheck log.txt FSS log.txt

[AdvancedSetup]

Yes, Microsoft is simply trying to get EVERYONE into their Cloud infrastructure. You can ignore it.

The logs indicate you may have either an issue causing the alert or you could possibly have a corrupt profile. We'll do some cleaning and see if that helps or not.

 

Application errors:
==================
Error: (07/18/2024 11:59:52 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: BRANDON-PC)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile.

 

 

Please run the following steps

 

[ 1 ]

Your DNS Servers: 75.75.75.75 - 75.75.76.76  

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 5 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

• Quad 9 Public DNS  IPv4  9.9.9.9 and 149.112.112.112  IPv6  2620:fe::fe  and  2620:fe::9  (one of the best for most users)
• Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
• Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
• OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
• DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 2 ]

Please run the following fix

 

Make a new folder on your computer called C:\FIX

Then copy this file to that folder:  C:\Users\guibi\OneDrive\Desktop\FRSTEnglish.exe 

You should then have the following folder and file C:\Fix\FRSTEnglish.exe

Then run the FIX below.

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\FIX

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[guibin]

With the C:\FIX folder, am I creating it in This PC>Local Disk?

Also, when I restarted my PC, I found this new Network Location in my "This PC" folder. When I try to open it, it says Access Denied. What is this? It wasn't there before.

[AdvancedSetup]

Yes, on This PC -  Local Disk

The network one appears to be another computer on your network.

 

[guibin]

I can't add symbols like : and \ to the folder name. Can the folder just be named FIX as it's already in the C:\ drive?

[AdvancedSetup]

I am not asking you to create a Symbolic link. That is no where in my directions.

 

Please try it this way.

Click on START and type in CMD.EXE and when it shows, right click and select "Run as administrator"

Then type in the following and press the Enter key

MD C:\FIX

Then using File explorer you should be able to now see that C:\Fix folder.

 

Then copy and paste this file there.

C:\Users\guibi\OneDrive\Desktop\FRSTEnglish.exe

 

[guibin]

Please see attached log.

It also seems to have created 2 other logs, "InstalledSoftwareFullList.txt" and "Log-Clear-BrowserCache.txt". Do you want to see those too?

Fixlog.txt

[AdvancedSetup]

Thank you for the log. The fix ran well. I don't really need the other logs at this time. You can go ahead and delete them.

Please RESTART the computer one more time and run the following

 

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thanks

 

 

 

[guibin]

12 minutes ago, AdvancedSetup said:

Thank you for the log. The fix ran well. I don't really need the other logs at this time. You can go ahead and delete them.

Please RESTART the computer one more time and run the following

 

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thanks

 

 

 

Done. Here are the logs for this scan.

Addition.txt FRST.txt FSS.txt SecurityCheck.txt

[AdvancedSetup]

Thank you the logs look pretty good. @guibin

 

Please update the following software

• 7-Zip 23.01 (x64) v.23.01 Warning! Download Update | Uninstall old version and install new one.
• Discord v.1.0.9005 Warning! Download Update
• Google Chrome v.127.0.6533.72 Warning! Download Update

Then RESTART the computer and check for Windows Updates and install any found

Let me know if there are still any signs of an infection or any other unresolved issues

Thanks

 

[guibin]

I've updated those programs. Restarted. Installed a few windows updates (2024-07 Cumulative Update Preview for Windows 11 Version 23H2 for x64-based Systems (KB5040527) and 2024-07 Cumulative Update Preview for .NET Framework 3.5 and 4.8.1 for Windows 11, version 23H2 for x64 (KB5041169)).

I ran some scans with MWB and Windows Security, and both turned up clean. But the scans never found anything to begin with. It was just that alert about VirTool:Win32 that popped up after I installed a windows update this morning.

Was I ever infected or was it a windows glitch? The alert is still in my protection history.

EDIT: Windows Firewall just reacted to FireFox for some reason.

Edited July 27 by guibin
additional info

[AdvancedSetup]

The Fixlog reset your Firewall so some new additions will be noticed typically for a few days and is normal for expected safe programs.

 

The Defender Tamper Restore is due to a change that Microsoft appears to have changed not too long ago. Setting Malwarebytes to register in the Security Center appears to trigger that alert for some users. Most user's don't seem to get that alert but some do and I'm not exactly sure why.

We can clear your Defender History if you want.

 

[guibin]

1 hour ago, AdvancedSetup said:

We can clear your Defender History if you want.

 

Sure, let's do that. Thank you.

[AdvancedSetup]

Save the attached file to your system. Then rename the file from .TXT to .BAT

Then right-click and select "Run as administrator"

ClearWDHistory.bat.txt

 

Then reboot the computer and check if the History of Windows Defender has been cleared

 

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks