Hello,
I have a persistent threat detection in Windows Security (Defender AV) that I cannot rid myself of. My system is running Microsoft Windows 10 Pro 10.0.19045.
The threat detected is 'PUA:Win32/AskToolbar', which was hidden inside of an installer called 'CuteWriter.exe'.
The CuteWriter.exe item was permanently deleted from the system immediately, but the threat is still detected by Windows Security (Defender AV) on any and every scan.
Many actions have been run, including quarantine and remove, all reporting a status of success, but the issue persists.
If I rename the folder the file was originally in, a new detection will still show the original file path, as if that path still exists on the disk.
If I introduce a new CuteWriter.exe (a text or typeless file then saved as CuteWriter.exe, for example), the detection still persists.
I have tried following guides to 'clear' detection history, though I have been unable to stop the services required to tamper with the folders that store the threat detection history, even in a clean boot with 'tamper protection' setting disabled. The folder is not meant to be manually accessed, and I am hopeful there is a better way to resolve this.
If anyone has dealt with similar, advice or insight would be much appreciated!
I have posted some additional information below. If there is a better format to provide this information in, or if any additional information should be provided, please let me know!
Here is the threat as returned by PowerShell cmdlet 'Get-MpThreat':
CategoryID : 27
DidThreatExecute : False
IsActive : True
Resources :
RollupStatus : 1
SchemaVersion : 1.0.0.0
SeverityID : 1
ThreatID : 227072
ThreatName : PUA:Win32/AskToolbar
TypeID : 0
PSComputerName :

Here is the detection history as returned by PowerShell cmdlet 'Get-MpThreatDetection':
ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {0D072FB7-94AE-416D-91C2-7F59AFFD1362}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/19/2024 9:57:43 AM
LastThreatStatusChangeTime : 2/19/2024 9:57:43 AM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {CF9A88D6-3244-4ACA-9027-BB24F2BAA2E2}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/11/2024 10:03:48 AM
LastThreatStatusChangeTime : 2/11/2024 10:03:48 AM
ProcessName : Unknown
RemediationTime :
Resources : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {D3260B3C-06E8-46B0-A62B-8D2EB0C8068E}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/25/2024 5:06:21 PM
LastThreatStatusChangeTime : 2/25/2024 5:06:21 PM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {BC4B1E5D-7FD6-4F25-AE46-B4BF787ED331}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/11/2024 10:29:48 AM
LastThreatStatusChangeTime : 2/11/2024 10:29:48 AM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {564A5A74-E555-4433-93BD-A2B8E803948C}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/21/2024 10:24:23 AM
LastThreatStatusChangeTime : 2/21/2024 10:24:23 AM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {B4079B89-AEB6-45D9-AA3E-4244EC4A3C24}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/20/2024 4:31:00 PM
LastThreatStatusChangeTime : 2/20/2024 4:31:00 PM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 3
CurrentThreatExecutionStatusID : 0
DetectionID : {00000000-0000-0000-0000-000000000000}
DetectionSourceTypeID : 1
DomainUser :
InitialDetectionTime :
LastThreatStatusChangeTime : 5/13/2024 1:56:16 PM
ProcessName :
RemediationTime : 5/13/2024 1:56:16 PM
Resources : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID : 227072
ThreatStatusErrorCode : -2142207965
ThreatStatusID : 4
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {11E1633B-4B55-41FC-B263-D10A3579597A}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/23/2024 1:51:27 PM
LastThreatStatusChangeTime : 2/23/2024 1:51:27 PM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {C4B25523-589A-4073-ABEB-694A0F1A893D}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/11/2024 10:26:32 AM
LastThreatStatusChangeTime : 2/11/2024 10:26:32 AM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {27D38B8E-90DB-477D-8A9C-7D5AEC0D0307}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/27/2024 3:05:12 PM
LastThreatStatusChangeTime : 2/27/2024 3:05:12 PM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 1
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 10
CurrentThreatExecutionStatusID : 0
DetectionID : {9E1DB1C3-5F48-40EE-AF76-1B41D19E25F1}
DetectionSourceTypeID : 1
DomainUser : WKST-S\Jack
InitialDetectionTime : 2/10/2024 4:42:25 PM
LastThreatStatusChangeTime : 2/10/2024 9:05:43 PM
ProcessName : Unknown
RemediationTime : 2/10/2024 9:05:43 PM
Resources : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 6
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {08C15197-FB9D-41E9-B319-FD38C6E3F916}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/20/2024 1:23:17 PM
LastThreatStatusChangeTime : 2/20/2024 1:23:17 PM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

ActionSuccess : True
AdditionalActionsBitMask : 0
AMProductVersion : 4.18.24050.7
CleaningActionID : 9
CurrentThreatExecutionStatusID : 0
DetectionID : {E460368C-1AE3-4B9E-AA8D-19BD7DD35B8B}
DetectionSourceTypeID : 2
DomainUser : NT AUTHORITY\SYSTEM
InitialDetectionTime : 2/22/2024 9:43:48 AM
LastThreatStatusChangeTime : 2/22/2024 9:43:48 AM
ProcessName : Unknown
RemediationTime :
Resources : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID : 227072
ThreatStatusErrorCode : 0
ThreatStatusID : 106
PSComputerName :

Thank you
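As an added triage script (not part of the original post, and not Microsoft tooling), the following reads the same Get-MpThreatDetection records the poster pasted and makes the fields that matter here readable: it strips the `file:_` / `containerfile:_` prefix and any `->(inno#...)` member suffix from each Resources entry and tests whether that path still exists on disk, maps CleaningActionID to the action names Defender uses in its event-log reference (1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 UserDefined, 9 NoAction, 10 Block), and renders the signed ThreatStatusErrorCode as an HRESULT. When Get-MpThreatDetection is not available (a non-Windows host, or Defender not installed) it falls back to two constructed records built from values shown above, so it runs offline. Function names are the script's own.

```powershell
# Added example, not from the original post. Assumes the Defender PowerShell module
# (Get-MpThreatDetection) on a live host; otherwise uses constructed sample records.

# Action names as documented for the Action field of Defender events 1116/1117.
$CleaningAction = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'
                     8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

function ConvertTo-HResultHex {
    param([int]$Code)
    # ThreatStatusErrorCode is a signed Int32; reinterpret the same bits as UInt32
    # so it prints in the familiar 0x8050xxxx form used by Microsoft's error reference.
    $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes($Code), 0)
    return ('0x{0:X8}' -f $u)
}

function Get-ResourcePath {
    param([string]$Resource)
    # Resources look like "file:_D:\dir\x.exe", "containerfile:_D:\dir\x.exe" or
    # "file:_D:\dir\x.exe->(inno#000027)" (a member inside an installer/archive).
    $p = $Resource -replace '^[a-z]+:_', ''      # drop the "file:_" style prefix
    $p = $p -replace '->\(.*\)$', ''             # drop the "->(member)" suffix
    return $p
}

function Get-DetectionTriage {
    param([Parameter(Mandatory)][object[]]$Detections)
    foreach ($d in $Detections) {
        $action = $CleaningAction[[int]$d.CleaningActionID]
        if (-not $action) { $action = "Unknown($($d.CleaningActionID))" }
        foreach ($r in @($d.Resources)) {
            $path = Get-ResourcePath $r
            [pscustomobject]@{
                When      = $d.LastThreatStatusChangeTime
                ThreatID  = $d.ThreatID
                Action    = $action
                StatusID  = $d.ThreatStatusID
                ErrorCode = ConvertTo-HResultHex $d.ThreatStatusErrorCode
                OnDisk    = Test-Path -LiteralPath $path
                Path      = $path
            }
        }
    }
}

function Get-MissingResourcePath {
    # Unique paths that the detection history still cites but that no longer exist.
    param([Parameter(Mandatory)][object[]]$Detections)
    Get-DetectionTriage -Detections $Detections |
        Where-Object { -not $_.OnDisk } |
        Select-Object -ExpandProperty Path -Unique
}

# Constructed sample records mirroring two entries from the post (the repeated
# scheduled-scan detection and the manual Remove attempt that returned an error code).
$sample = @(
    [pscustomobject]@{
        LastThreatStatusChangeTime = [datetime]'2024-02-27T15:05:12'
        ThreatID = 227072; CleaningActionID = 9; ThreatStatusID = 1; ThreatStatusErrorCode = 0
        Resources = @('file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe')
    },
    [pscustomobject]@{
        LastThreatStatusChangeTime = [datetime]'2024-05-13T13:56:16'
        ThreatID = 227072; CleaningActionID = 3; ThreatStatusID = 4; ThreatStatusErrorCode = -2142207965
        Resources = @('containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe',
                      'file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)')
    }
)

$records = if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    Get-MpThreatDetection        # live history on a Defender host
} else {
    $sample                      # offline fallback: constructed records
}

Get-DetectionTriage -Detections $records | Sort-Object When | Format-Table -AutoSize
"Paths cited by history but absent on disk:"
Get-MissingResourcePath -Detections $records
```

Run it in an elevated PowerShell session on the affected machine. Two things it makes visible from the poster's own data: every cited path resolves to a file that no longer exists, and the one manual Remove record (CleaningActionID 3, 5/13/2024) carries ThreatStatusErrorCode -2142207965, which renders as 0x80508023; in Microsoft's Defender Antivirus error-code reference that is the "threat not found" result, consistent with remediation being run against a file that had already been deleted. The recurring CleaningActionID 9 (NoAction) entries are the scheduled scans re-reporting the historical item rather than a fresh find on disk, which is the distinction worth establishing before treating the machine as still infected.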