Windows Defender is saying that I have a severe risk on my computer that is affecting a file that I don't have anymore?

Anonymous
2024-02-24T21:37:21+00:00

Recently I've been playing the game Everhood and one of the achievements is to get a total of 150,000 jump rolls (which involves pressing the jump button and a left or right button at the same time). However, I have a busy life and I didn't have the time to sit down and tap a series of buttons 150,000 times. So I did some research on programs that can execute macros and found a program called "AutoHotKey Store Edition" on the Microsoft Store. I downloaded it, set up the macro that I needed, and left it on whenever I wasn't doing anything important with my computer. I got the achievement, everything was fine, and I uninstalled "Autohotkey Store Edition" and deleted the script and emptied my recycle bin.

Flash forward to a few days later, and I notice that Windows Defender found a severe risk on my computer. No big deal, I tell it to get rid of the risk. But when I reload it, it says the risk is still there. I look at the details of the risk and find the following information (I inserted an image, but in case that doesn't show up, here is what it says).

Trojan:Win32/Wacactac.B!ml

Alert Level: Severe

Status: Active

Date: 2/17/2024 6:57 PM

Category: Trojan

Details: This program is dangerous and executes commands from an attacker

Affected Items: file: C:\Users\bkb90\OneDrive\Desktop\everhood.ahk.exe

The thing is, the macro file I used was called everhood.ahk. And I deleted it. So I began doing a variety of things to try and fix this situation. These all included:

  • Telling Windows Defender to remove the program
  • Telling Windows Defender to quarantine the program
  • Doing an offline scan
  • Restarting the computer and doing an offline scan again
  • Going through "This PC" files and seeing if the file still somehow existed (it does not)
  • Looking up the threat in "This PC" files (it wasn't there)
  • Tried telling Windows Defender to remove/quarantine the program again
  • Putting the computer into safety mode (which I did by doing windows+r, typing in "msconfig" and then clicking on the "Boot" tab then checking on Safety Mode), then restarting the computer to look for either the severe file or the affected file. I found neither.

And now, after putting the computer into safety mode, the dang thing seems to have multiplied (Should be shown as the second image, but if it doesn't show up, then it is shown as "Trojan:Win32/Wacactac.B!ml 2/17/2024 6:57 PM (Active)" in three separate notifications). I have no idea what to do. I thought everything would be fine since I downloaded this program off of Microsoft Store, but it seems I am terribly wrong. I would appreciate any help I can get and I'm ready to respond to any question anyone may have about this situation.

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

5 answers

  1. Anonymous
    2024-02-25T23:18:12+00:00

    You can try this procedure using the Command Prompt.

    1-Click on Start, search for Command Prompt

    2-Right-click on that and select "Run as Administrator"

    3-Paste this command and press Enter to enter the history folder:

    CD C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\

    4-Type this command and press Enter to check if you are in the right folder:

    DIR

    5-You should see a response like this in the image below.

    6-If you are in the right folder, paste this command and press Enter:

    del *.*

    7-You will be asked: " Are you sure (Y/N)?", type Y and press enter

    8-When finished, close the Command Prompt and go to Step 2.

  2. _AW_ 67,431 Reputation points Volunteer Moderator
    2024-02-25T01:37:45+00:00

    Follow my instructions; changing permissions won't work.

  3. Anonymous
    2024-02-25T00:53:38+00:00

    Hey Robinson! I seem to have run into a new problem.

    Every time I try to do part 2 of Step 1 my file system tells me that it can't find the folder. And when I navigate through my files manually, my system won't let me get into the Scans folder. It's citing that I "Don't have permission". Which is weird because A) I'm the only one who uses this computer and B) I checked, I have admin permissions on for myself. Whenever I try to give myself permissions, it tells me I've been denied that, and in order to get permissions I need to get to the security tab. Here are images of what happened after I clicked on that link. First it showed me this first image, and I pressed advanced.

    It then brings me to this screen, where I press "Continue".

    And then the system shows me this screen. And from there I have no idea what to do.

  4. _AW_ 67,431 Reputation points Volunteer Moderator
    2024-02-24T23:25:43+00:00

    If Windows Defender continues to alert about the non-existent file then this is a bug, where Windows Defender flags things because of their presence in detection history.

    To resolve the issue use one of these methods:

    1. First boot into safe mode:

    https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-92c27cff-db89-8644-1ce4-b3e5e56fe234

    Delete the DetectionHistory folder from:

    C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory

    Restart your computer.

    Note: To see the ProgramData folder and subfolders,  make sure you are showing hidden files and folders.

    • Windows 10: In File Explorer, select the View tab > check (tick) Hidden items
    • Windows 11: In File Explorer, select View > Show > check Hidden items
    2. Use the tool I wrote specifically to delete detection history. There's no need to boot to safe mode, just unzip and run.

    https://1drv.ms/u/s!AqQnVFhmcB_wnjF63snXqEvSZyOh?e=42ACHv

  5. Anonymous
    2024-02-24T23:13:57+00:00

    Hi, Bryn. I'm Robinson, and I’m happy to help you today.

    This could be a problem in the Windows Defender protection history when a threat is already removed and keeps showing the alert. Clearing the Windows Defender history should fix this problem.

    Step 1:

    1-Right-click on Start and click on Run

    2-Type: C:\ProgramData\Microsoft\Windows Defender\Scans\History and click on OK

    3-Open the Service folder, select all files inside it and delete them

    4-Close the file explorer

    Step 2:

    1-Click on Start, search for Windows Security, and click on that

    2-Click on Virus & Threat protection then click on Manage settings

    3-Toggle the button to Off and then to On again, for Real-Time protection and Cloud-delivered protection

    Then perform a Windows Defender offline scan; you can see how to do it at this link.

    https://support.microsoft.com/en-us/windows/hel...

    I hope this information helps. If you have any questions or the problem persists, please let me know and I'll be glad to assist you further.

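The answers above attribute the repeating alert to an entry left in Defender's detection history. The following PowerShell is an added example, not part of any answer in this thread: it lists each recorded detection and checks whether the file it names still exists, so a stale history entry can be told apart from a file that is really present before any history is deleted. It assumes an elevated PowerShell session with the built-in Defender cmdlets, and that `Resources` entries are strings with a `file:` prefix (an assumption about the format).

```powershell
# Added example: triage Defender detections before clearing detection history.
# Run from an elevated PowerShell session on the affected machine.

# Build a ThreatID -> ThreatName lookup from Defender's threat records.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$report = foreach ($detection in Get-MpThreatDetection) {
    foreach ($resource in $detection.Resources) {
        # Assumption: file resources look like "file:_C:\path\name.exe".
        # The pattern accepts the prefix with or without the underscore.
        if ($resource -match '^file:_?(.+)$') {
            # For archive members ("outer.zip->inner.exe") test the outer file.
            $path = ($Matches[1] -split '->')[0]
            [pscustomobject]@{
                Threat   = $threatNames[$detection.ThreatID]
                Detected = $detection.InitialDetectionTime
                Path     = $path
                OnDisk   = Test-Path -LiteralPath $path
            }
        }
    }
}

$report | Sort-Object Detected | Format-Table -AutoSize

# Summarise: any flagged file that still exists needs real remediation,
# not a history cleanup.
$stillPresent = @($report | Where-Object OnDisk)
if ($stillPresent.Count -gt 0) {
    Write-Warning "$($stillPresent.Count) flagged file(s) still exist on disk:"
    $stillPresent | ForEach-Object { Write-Warning "  $($_.Path)" }
} else {
    Write-Output 'No flagged file exists on disk; the alerts come from history entries only.'
}
```

If every row shows `OnDisk` as `False`, the alert refers only to recorded history, which matches the situation the answers describe.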