Rdub2 175 Reputation points

2025-09-04T16:05:45.6666667+00:00

On Thursday, September 4, 2025, I booted up my PC to find that Windows Defender had detected malware called "Trojan:Win32/Vigorf.A".

The threat was quarantined:

[screenshot: WindowsDef1]

Did a full system scan and Windows Defender has this 2nd message, "remediation incomplete":

[screenshot: WindowsDef2]

Apparently it is related to WinRing0 which is a driver OpenRGB uses for fan control. I previously installed OpenRGB before I realized Windows 11 has built-in RGB fan control. I uninstalled OpenRGB, but it apparently uses WinRing0. It's possible the insecure driver remained after uninstall.

I uninstalled OpenRGB 3 weeks ago so I'm not sure why Windows Defender is just now picking up the threat. Haven't downloaded anything shady.

After this I ran MSERT full scan and found no threats.

Is this a false positive? I removed it from the PC by clicking the "Actions" dropdown. Is there anything else I need to do?

  1. 2025-09-04T20:08:23.6+00:00

    I just got the same thing just now. I use fan control, which is not working now.

    I have the same trojan.
    trojan:Win32/Vigorf.A
    Windows can't seem to remove it, but after 3 or 4 attempts, it does seem to quarantine it.

  2. 2025-09-04T20:10:16.4666667+00:00

    Will keep trying to quarantine, and hope Malwarebytes finally detects it to remove in safe mode or something.

  3. 2025-09-04T20:34:22.6033333+00:00

    I got the same message just now but for a Libre Hardware Monitor file. It's been running on this computer for a year or more, downloaded the official version and haven't re-downloaded anything recently. After I let Microsoft do the quarantine, I can still run Libre but my CPU temps and power draw readings no longer work. When I close and re-open Libre, the same security message pops up, and briefly flashes the same info but then it goes away and says "no threats". When I click "Protection History" it says "No recent actions" as if it didn't do anything. This seems like a Microsoft problem relating to marking all WinRing applications as unsafe, unless we ALL happened to get infected on the exact same day? Has the botnet been activated?

  4. 2025-09-04T22:38:37.9433333+00:00

    I'm getting the same, but for file: C:\Program Files\HASS.Agent Satellite Service\Service\HASS.Agent.Satellite.Service.sys

    Which would appear to be the same common controls as those other detections.

  5. 2025-09-05T03:32:24.6866667+00:00

    I received the same. Same file path as the author: C:\WINDOWS\system32\Drivers\WinRing0x64.sys

  6. 2025-09-05T04:40:11.8233333+00:00

    Seems like Microsoft doesn't like us to see and control our CPU temps and RGB on our own PC. I also have SignalRGB (it is working fine) and FanControl, two most essential applications for any heavy PC users. FanControl is not able to track my CPU usage and temps since tomorrow. Having the same error as you guys, that's annoying!! Anyone have any solution yet??

  7. 2025-09-05T19:47:50.69+00:00

    Since today I've also started getting these warnings:

    Trojan:Win32/Vigorf.A C:\Windows\SystemTemp\Tmp761C.tmp
    Trojan:Win32/Vigorf.A C:\Windows\SystemTemp\Tmp3E97.tmp

    And on top of that some games started crashing or just closing without any errors, and as others said I also have OpenRGB/MSI Afterburner/RTSS and an app that makes my taskbar transparent.

  8. 2025-09-05T21:31:20.2766667+00:00

    I got this too, but for Overwolf which is known to be safe. My Microsoft Defender also gave me the message that the isolation was incomplete after I reset my PC. Is this a false positive or some sort of widespread issue? I haven't been experiencing any issues otherwise.

  9. 2025-09-05T23:45:06.22+00:00

    Same thing happened and I was so scared that I was cooked that I reset my pc 😭

  10. 2025-09-06T00:33:47.9066667+00:00

    I've just received the same prompt. I also have OpenRGB. Is there any remedial action that needs to be taken or is it safe enough to either quarantine it or just allow the application?

  11. 2025-09-06T01:28:19.2233333+00:00

    The usual MS Windows Defender nonsense. It is NOT a trojan, it's a vulnerability (WinRing0 which is installed and used by FanControl, it is needed for apps like FanControl/SignalRGB to work and it has ALWAYS been there).

    It is considered a 'security' risk, but it's not a risk to the average PC user/gamer/etc. Only those downloading pirate software, going on 'dodgy' websites, things like that are actually at risk. Even then, whatever virus they downloaded would have to get past their anti-virus software to be able to take advantage of the vulnerability. The vulnerability has always been part of Fan Control, it's not just been added to FanControl or any other software that Windows has flagged, Windows Defender has just had an update that makes it flag the vulnerability.

    I've been a PC tech for over 30 years (including employment for 17 years by two of the biggest investment banks in the world), I knew about the vulnerability before installing FanControl.

    It didn't concern me then, it doesn't concern me now. If you're not a shady person that does shady things, you'll be just fine. I just Whitelisted it, no more pop-ups.

  12. 2025-09-06T02:06:45.9833333+00:00

  13. 2025-09-06T10:38:42.67+00:00

    I had this pop up this morning for PBO2 Tuner, a tool used to undervolt and underclock your CPU cores. Have used it since 2022 with no issue. Running a Ryzen 7 5800x3D.

  14. 2025-09-06T15:54:38.9566667+00:00

    Just happened to me, since this has been out a couple days someone might be trying to use the vulnerability as a few remote access programs

  15. 2025-09-06T15:57:07.8966667+00:00

    If someone were to see this post and try to exploit the vulnerability, would Windows Security stop them? There were some mysterious remote access programs running in my task manager when this trojan was quarantined (twice) and now I'm doing an offline scan for the rascal who's trying to steal my PC.

  16. 2025-09-07T06:53:52.81+00:00

    Starting 9/4/2025 I started seeing the same warning related to Winring0 in OpenHardwareMonitorLib.sys. I had seen this in mid March and fixed it by uninstalling HWMonitor. After reading many of the comments here I decided to uninstall Nuc SW Studio, then I removed the defender exclusion I had put on OpenHardwareMonitorLib.sys, rebooted and checked the file... yes it is there and its date is the time of reboot... and NUCSoftwareStudioService is still running... but... now defender isn't flagging it even if I force it to scan that file... strange, I think. I noticed that the defender definitions were updated today, I wonder if they changed to allow this, but I think a more likely explanation is that when you uninstall the NUC SW Studio then reboot, NUCSoftwareStudioService.exe builds a new OpenHardwareMonitorLib.sys without Winring0.

  17. 2025-09-07T14:29:49.4766667+00:00

    Good catch, but how do you deal with it? I found NUC software the root cause as well but just "allowed" the perceived threat as I find no way to update.

  18. 2025-09-11T01:39:34.4633333+00:00

    To MShep49: It is better to create an "exclusion" for the file than to allow the malware as that will allow the trojan in any file. Did you try uninstalling NUC SW studio? It is easy to uninstall and I had never actually used it.

  19. 2025-09-20T05:49:15.3533333+00:00

    For those keeping track of where it might be used.
    Add Gigabyte Control Center to the list.

    Easy fix is going into the Windows Defender settings and just adding the entire folder as an exemption.
    Fixed it for me from annoyingly popping up.

  20. 2025-09-20T09:26:26.8466667+00:00

    I had the same issue since today, 20. September 2025, directly after "Cumulative Update for Windows 11 Insider Preview (KB5065786) (26220.6690)".

    I had allowed the "Trojan:Win32 Vigorf.A" found by Microsoft Defender on my PC without any following problems.

  21. 2025-10-04T16:20:38.77+00:00

    Vigorf.A is a name given by anti-malware software to potentially malicious programs, which can be a trojan that steals information or a hacktool used to bypass software licensing. This type of malware is detected by antivirus programs like Microsoft Defender Antivirus and Trend Micro, and it is recommended to have your system scanned and cleaned to remove it. 

    What is Vigorf.A?

    • Trojan:

    Vigorf.A can be a trojan, a type of malware that can perform various harmful actions, such as installing other malware, recording keystrokes, stealing browsing history, or granting remote access to your PC for a malicious hacker. 

    • Hacktool:

    It can also be identified as a hacktool, which is software used to "crack" programs to run without a valid license or product key. However, the use of hacktools is risky as they are often associated with other malware. 

    What to do if you suspect Vigorf.A on your PC:

    1. Run a full system scan: Perform a comprehensive scan using your antivirus software to detect and remove any hidden files. 
    2. Remove quarantined threats: Follow the instructions to delete any files that your antivirus program has quarantined. 
    3. Be cautious with unknown software: Avoid running suspicious software that could be associated with hacktools or other potentially unwanted programs.

    I found this online, if it helps you, np.

  22. 2025-10-05T09:39:20.9066667+00:00

    I just had an admin confirmation prompt from my SteelSeries GG app about the system monitor from SteelSeries. A few minutes after approving it I've also received a similar virus alert.

  23. 2025-10-11T17:36:01.8966667+00:00

    Even on the exclusion list, it always goes back to square one with the damn notification: Trojan:Win32/Vigorf.A

    C:\WINDOWS\System32\DriverStore\FileRepository\performancedriverextension.inf_amd64_4307518ac694be75................

    I think all this started late Aug or Sept, and if I put a premium antivirus over Windows Defender, all scans come clean using 4 different top-tier antiviruses. I also have an Intel NUC too, I get annoyed a few times a week with WD. Think I might get a paid antivirus so WD can shut up.

  24. 2025-10-18T03:37:08.6933333+00:00

    I've had this same issue, but mine was flagged in SteelSeries GG and a Microsoft Store app where you can see system temps, speed, etc., called Radiograph. After I had uninstalled Radiograph and kept SteelSeries GG, Windows Security said "remediation incomplete", but after a full scan no threats are found. I think it's a bug because of apps accessing hardware data which is similar to malware patterns, mainly the software/file called WinRing0x64.sys



  1. 2025-09-06T01:28:58.7533333+00:00

    The usual MS Windows Defender nonsense. It is NOT a trojan, it's a vulnerability (WinRing0 which is installed and used by FanControl, it is needed for apps like FanControl/SignalRGB to work).

    It is considered a 'security' risk, but it's not a risk to the average PC user/gamer/etc. Only those downloading pirate software, going on 'dodgy' websites, things like that are actually at risk. Even then, whatever virus they downloaded would have to get past their anti-virus software to be able to take advantage of the vulnerability. The vulnerability has ALWAYS been part of Fan Control, it's not just been added to FanControl or any other software that Windows has flagged, Windows Defender has just had an update that makes it flag the vulnerability.

    I've been a PC tech for over 30 years (including employment for 17 years by two of the biggest investment banks in the world), I knew about the vulnerability before installing FanControl.

    It didn't concern me then, it doesn't concern me now. If you're not a shady person that does shady things, you'll be just fine. I just Whitelisted it, no more pop-ups.

28 additional answers

  1. REW 45 Reputation points

    2025-09-05T13:48:50.9033333+00:00

    I tracked my issue to Intel NUC Software Studio as the culprit that installed OpenHardwareMonitorLib.sys that then triggered the Trojan:Win32/Vigorf.A alert in Defender. Add that to the list of software that uses Open Hardware Monitor.

    1. 2025-10-11T17:44:45.49+00:00

      I have the same problem, WD drives my nerves even putting on Exclusions, will try the Open Hardware Monitor

    2. 2025-10-11T17:56:27.4066667+00:00

      Yeah, I only did the Exclusion by locating the file itself through WD. HW Monitor.. I have no idea what to do with that.



  2. Tofi 25 Reputation points

    2025-09-05T09:55:02.88+00:00

  3. 2025-09-04T20:49:10.7533333+00:00

    Although I also have FanControl installed, PBOTuner is specifically being called out for the vulnerability in my case:

    [screenshot: User's image]

  4. 2025-09-04T18:20:32.5366667+00:00

    Mine is here: C:\Windows\System32\DriverStore\FileRepository\performancedriverextension.inf_amd64_4307518ac694be75\Service\OpenHardwareMonitorLib.sys

    Won't let me delete the file or anything. This must be some sort of problem caused by Microsoft updates.
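
Added example, not part of any post in this thread: a read-only PowerShell triage for the situation the posts describe, listing leftover driver services, the driver files on disk with their hash and signer, the Defender detections named Vigorf, and the exclusions currently set. The file-name patterns and search roots are assumptions drawn from the paths quoted above; it needs an elevated prompt with the Defender cmdlets available.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only triage; it changes nothing on the system.
# File-name patterns and search roots are assumptions drawn from paths quoted in the thread.
$patterns = 'WinRing0*.sys', 'OpenHardwareMonitorLib.sys'
$roots = @(
    "$env:SystemRoot\System32\drivers"
    "$env:SystemRoot\System32\DriverStore\FileRepository"
    $env:ProgramFiles
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Test-DriverName([string]$Path) {
    # True when the last path component matches one of the patterns.
    if (-not $Path) { return $false }
    $leaf = ($Path -split '\\')[-1]
    return [bool]($patterns | Where-Object { $leaf -like $_ })
}

# 1. Driver services still registered for these files (a leftover after an uninstall shows up here).
$services = Get-CimInstance Win32_SystemDriver | Where-Object { Test-DriverName $_.PathName }
$services | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 2. Copies on disk, with hash and Authenticode signer for comparison against the vendor's release.
$files = Get-ChildItem -Path $roots -Recurse -File -Include $patterns -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        LastWrite  = $f.LastWriteTime
        SHA256     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
        Registered = [bool]($services | Where-Object { $_.PathName -like "*\$($f.Name)" })
    }
}

# 3. Defender detections named Vigorf, with the resources (file paths) each one flagged.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection | Where-Object { $names[$_.ThreatID] -like '*Vigorf*' } |
    Select-Object InitialDetectionTime, ActionSuccess,
        @{ n = 'Threat'; e = { $names[$_.ThreatID] } }, Resources | Format-List

# 4. Path exclusions currently configured, to check that only the intended file or folder is excluded.
(Get-MpPreference).ExclusionPath
```

A file that is on disk but has `Registered = False` and no owning application left is a remnant of an uninstall; a detection whose `Resources` path is outside the listed roots deserves a closer look than one pointing at a known monitoring tool's driver.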
