
Persistent Virus Issue After Multiple Clean Installations

Anonymous
2024-04-16T10:23:23+00:00

Hello,

I unintentionally downloaded a virus that seems to be associated with XAMPP, causing my computer's applications, including Windows programs, to attempt connections to malicious IPs, which Malwarebytes has been blocking. Despite formatting my C: drive and deleting D: drive partitions followed by another format of C:, the issue persists, with Malwarebytes continuing to block these requests from regular PC files to malicious IPs.

I have performed multiple clean installations the same way, and each time, Malwarebytes keeps blocking these IPs. Malwarebytes and Windows Defender scans show no viruses, but the Microsoft Safety Scanner reported at least three infected files. However, it only removes one, named VirTool:Win32/DefenderTamperingRestore. Subsequent scans reveal three viruses, but only that one gets deleted (even in safe mode and safe mode with networking). I downloaded Windows directly from the Microsoft site and only installed reputable programs like WhatsApp and Steam.

After the last formatting, I immediately ran Microsoft Safety Scanner, which initially detected no viruses. However, just hours later, without downloading anything suspicious, VirTool:Win32/DefenderTamperingRestore reappeared, and Malwarebytes started blocking requests to malicious IPs again. Alarmingly, Malwarebytes is flagging multiple files, including from reputable sources like Steam and system files such as System32/svchost.exe, as attempting these connections.

Unfortunately, I am currently unable to upload images to illustrate this, as I would like to provide a screenshot of Malwarebytes blocking these activities. I am at a loss and urgently need advice on what steps to take next.

Thank you for any assistance you can provide.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.

1 answer

  1. Anonymous
    2024-04-17T12:30:06+00:00

    Hello,

    Welcome to the Microsoft support community. We are glad to offer you support.

    You are facing an annoying virus issue, and I totally understand your concern and anxiety. You have obviously put a lot of work into it. To better solve your problem, may I ask:

    1)  Can you give me some report messages from Malwarebytes, maybe a screenshot (referring to step 3)? I need to inspect your question in detail to come up with some insight if possible.

    2) For your information, VirTool:Win32 seems to be a naming code of Malwarebytes. Could you tell me where the actual file is and the location of that file?

    3) You have mentioned that you cannot take screenshots normally; you can take them using a mobile phone, right?

    4) How much important data do you have? At this point it seems a lot of bad things have already happened. The thing we could do is remedy the damage and save your precious data as much as possible.

    My suggestion is:

    1)  Do you have another spare device you can still work on? I am not an expert in cybersecurity, but it now seems that you should temporarily take your computer offline to prevent some financial loss, maybe. I will update as soon as I get more accurate information for you.

    2)  When you tried to delete the three viruses but only one got deleted, what did the software say?

    3)  After you remove the virus, can you try staying offline for a while to test whether you can prevent the malware from appearing again?

    I hope my answer clears up some of your confusion. Feel free to ask me questions if you have any additional concerns.

    Best Regards

    Benjamin- MSFT | Microsoft Community Support Specialist
