How to fix persistent Windows Defender threat detection that no longer exists on the system?

TTown 10 Reputation points
2024-06-10T21:58:17.85+00:00

Hello,

I have a persistent threat detection in Windows Security (Defender AV) that I cannot rid myself of. My system is running Microsoft Windows 10 Pro 10.0.19045.

The threat detected is 'PUA:Win32/AskToolbar', which was hidden inside of an installer called 'CuteWriter.exe'.
The CuteWriter.exe item was permanently deleted from the system immediately, but the threat is still detected by Windows Security (Defender AV) on any and every scan.

Many actions have been run, including quarantine and remove, all reporting a status of success, but the issue persists.
If I rename the folder the file was originally in, a new detection will still show the original file path, as if that path still exists on the disk.
If I introduce a new CuteWriter.exe (a text or typeless file then saved as CuteWriter.exe, for example), the detection still persists.

I have tried following guides to 'clear' detection history, though I have been unable to stop the services required to tamper with the folders that store the threat detection history, even in a clean boot with 'tamper protection' setting disabled. The folder is not meant to be manually accessed, and I am hopeful there is a better way to resolve this.

If anyone has dealt with similar, advice or insight would be much appreciated! I have posted some additional information below. If there is a better format to provide this information in, or if any additional information should be provided, please let me know!

Here is the threat as returned by PowerShell cmdlet 'Get-MpThreat':

CategoryID       : 27
DidThreatExecute : False
IsActive         : True
Resources        : 
RollupStatus     : 1
SchemaVersion    : 1.0.0.0
SeverityID       : 1
ThreatID         : 227072
ThreatName       : PUA:Win32/AskToolbar
TypeID           : 0
PSComputerName   : 

Here is the detection history as returned by PowerShell cmdlet 'Get-MpThreatDetection':

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {0D072FB7-94AE-416D-91C2-7F59AFFD1362}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/19/2024 9:57:43 AM
LastThreatStatusChangeTime     : 2/19/2024 9:57:43 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {CF9A88D6-3244-4ACA-9027-BB24F2BAA2E2}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/11/2024 10:03:48 AM
LastThreatStatusChangeTime     : 2/11/2024 10:03:48 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {D3260B3C-06E8-46B0-A62B-8D2EB0C8068E}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/25/2024 5:06:21 PM
LastThreatStatusChangeTime     : 2/25/2024 5:06:21 PM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {BC4B1E5D-7FD6-4F25-AE46-B4BF787ED331}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/11/2024 10:29:48 AM
LastThreatStatusChangeTime     : 2/11/2024 10:29:48 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {564A5A74-E555-4433-93BD-A2B8E803948C}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/21/2024 10:24:23 AM
LastThreatStatusChangeTime     : 2/21/2024 10:24:23 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {B4079B89-AEB6-45D9-AA3E-4244EC4A3C24}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/20/2024 4:31:00 PM
LastThreatStatusChangeTime     : 2/20/2024 4:31:00 PM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 3
CurrentThreatExecutionStatusID : 0
DetectionID                    : {00000000-0000-0000-0000-000000000000}
DetectionSourceTypeID          : 1
DomainUser                     : 
InitialDetectionTime           : 
LastThreatStatusChangeTime     : 5/13/2024 1:56:16 PM
ProcessName                    : 
RemediationTime                : 5/13/2024 1:56:16 PM
Resources                      : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID                       : 227072
ThreatStatusErrorCode          : -2142207965
ThreatStatusID                 : 4
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {11E1633B-4B55-41FC-B263-D10A3579597A}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/23/2024 1:51:27 PM
LastThreatStatusChangeTime     : 2/23/2024 1:51:27 PM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {C4B25523-589A-4073-ABEB-694A0F1A893D}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/11/2024 10:26:32 AM
LastThreatStatusChangeTime     : 2/11/2024 10:26:32 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {27D38B8E-90DB-477D-8A9C-7D5AEC0D0307}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/27/2024 3:05:12 PM
LastThreatStatusChangeTime     : 2/27/2024 3:05:12 PM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 1
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 10
CurrentThreatExecutionStatusID : 0
DetectionID                    : {9E1DB1C3-5F48-40EE-AF76-1B41D19E25F1}
DetectionSourceTypeID          : 1
DomainUser                     : WKST-S\Jack
InitialDetectionTime           : 2/10/2024 4:42:25 PM
LastThreatStatusChangeTime     : 2/10/2024 9:05:43 PM
ProcessName                    : Unknown
RemediationTime                : 2/10/2024 9:05:43 PM
Resources                      : {containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe, file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 6
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {08C15197-FB9D-41E9-B319-FD38C6E3F916}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/20/2024 1:23:17 PM
LastThreatStatusChangeTime     : 2/20/2024 1:23:17 PM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.24050.7
CleaningActionID               : 9
CurrentThreatExecutionStatusID : 0
DetectionID                    : {E460368C-1AE3-4B9E-AA8D-19BD7DD35B8B}
DetectionSourceTypeID          : 2
DomainUser                     : NT AUTHORITY\SYSTEM
InitialDetectionTime           : 2/22/2024 9:43:48 AM
LastThreatStatusChangeTime     : 2/22/2024 9:43:48 AM
ProcessName                    : Unknown
RemediationTime                : 
Resources                      : {file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe}
ThreatID                       : 227072
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 106
PSComputerName                 : 

Thank you

  • TTown

1 answer

  1. TTown 10 Reputation points
    2024-09-27T13:15:03.6133333+00:00

    I managed to resolve this using LesFerch's ClearDefenderHistory. Link here: https://github.com/LesFerch/ClearDefenderHistory

    It creates a scheduled task to wipe Defender's cached history as NT AUTHORITY\SYSTEM once at next startup. This resolved my issue, as the threat detection has not returned since.
    Hopefully this helps somebody, though I would caution to only use this if you are certain the threat is no longer active on your system, and is most certainly being misreported. This will only help in clearing the detection history.

    1 person found this answer helpful.
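
A check for the situation described in this thread, as an added example that is not part of the original question or answer: it parses the `Resources` strings that `Get-MpThreatDetection` returns and tests whether each referenced file still exists on disk. The function names `ConvertFrom-MpResource` and `Test-StaleDetection` are hypothetical, and the sample records are constructed from values shown in the question.

```powershell
# Added example; function names are hypothetical, not Defender cmdlets.
function ConvertFrom-MpResource {
    # Split 'file:_D:\dir\x.exe->(inno#000027)' into scheme, path, member.
    param([Parameter(Mandatory)][string]$Resource)
    if ($Resource -notmatch '^(?<scheme>file|containerfile):_(?<rest>.+)$') {
        return   # other resource kinds are out of scope for this example
    }
    $scheme = $Matches['scheme']
    $path, $member = $Matches['rest'] -split '->', 2
    [pscustomobject]@{ Scheme = $scheme; Path = $path; Member = $member }
}

function Test-StaleDetection {
    # Flag detection records whose referenced files no longer exist on disk.
    param([Parameter(Mandatory, ValueFromPipeline)]$Detection)
    process {
        $paths = @($Detection.Resources |
            Where-Object { $_ } |
            ForEach-Object { ConvertFrom-MpResource $_ } |
            Select-Object -ExpandProperty Path -Unique)
        $present = @($paths | Where-Object { Test-Path -LiteralPath $_ })
        [pscustomobject]@{
            DetectionID = $Detection.DetectionID
            ThreatID    = $Detection.ThreatID
            Paths       = $paths
            StillOnDisk = $present
            Stale       = (($paths.Count -gt 0) -and ($present.Count -eq 0))
        }
    }
}

# Constructed sample: two records built from values shown in the question.
$sample = @(
    [pscustomobject]@{
        DetectionID = '{0D072FB7-94AE-416D-91C2-7F59AFFD1362}'
        ThreatID    = 227072
        Resources   = @('file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe')
    },
    [pscustomobject]@{
        DetectionID = '{CF9A88D6-3244-4ACA-9027-BB24F2BAA2E2}'
        ThreatID    = 227072
        Resources   = @(
            'containerfile:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe',
            'file:_D:\Old Work Files\Lisa Downloads\CuteWriter.exe->(inno#000027)')
    }
)
$sample | Test-StaleDetection | Format-List

# On the affected machine: Get-MpThreatDetection | Test-StaleDetection
```

`Stale = True` means every path the record references is gone from disk; it says nothing about copies of the file stored elsewhere.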