Found VirTool:Win32/DefenderTamperingRestore after removing bitcoin miners and backdoor from my PC

le_travie

Hi everyone, a few days ago I noticed my Windows Defender was turned off. I tried turning it back on but I couldn't, and some areas of it returned errors like "This setting is managed by your administrator". I found this suspicious since I am the admin of my PC and I had not turned off my AV. I downloaded Malwarebytes and Bitdefender and did some scans, which detected some bitcoin miners and a backdoor that I quarantined and removed (I did not get the names since I sort of panicked a bit).


After I removed the malware, my Windows Defender still could not be started, so I was forced to reset my PC, after which I installed Symantec Endpoint Protection. A day later I saw that many of SEP's modules were reporting errors. This raised my suspicions again, so I removed SEP and scanned with a few other malware tools (MSERT, MS Malware remover, TDSSKiller, Malwarebytes and FRST64). MSERT discovered that I was still infected with VirTool:Win32/DefenderTamperingRestore. This was removed; however, I still get the "This setting is managed by your admin" messages. So far my Bitdefender has not detected anything else, but I am keeping the PC offline for the time being.

Can you guys help me in confirming that the malware is completely gone from my system?
