Hey everyone, I opened up Firefox on my computer and an ad immediately popped up. Now I knew straight ahead that was a potential symptom of adware, so I went into Windows Defender and attempted to scan my computer when I noticed that my entire C: drive was excluded from the scan and every scan for as long as I could tell. I went into Event Viewer to see if I could narrow down the time where the edits initially started, but it spans back months of incomplete scans and edits. Edits such as:
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpEngineRing = 0x4
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpCampRing = 0x4
Those popped up after every scan^^
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\LastKnownGoodPlatformLocation = C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\LastKnownGoodPlatformLocation = C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2009-0
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\54 = 0x1
New value:
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
These popped up only once from what I could glean^^
The one that freaked me out (can't find it rn) was an entry that looked like someone had deleted a log.
I am using a ROG Zephyrus G14. I am looking to remove this virus off my computer. None of my scans picked up anything. If y’all need any more information I’d be happy to provide it. Thanks!
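Added example, not part of the original post or the reply below: a PowerShell sketch for sorting the "Configuration has changed" entries (event ID 5007 in the Defender operational log) so that changes to scan exclusions can be dated and separated from the rest. The function name, the sample exclusion entry and the assumed `Exclusions\` key layout are illustrative assumptions, not values taken from the thread.

```powershell
# Added example: triage Defender event ID 5007 ("Configuration has changed") entries.
# Assumption: exclusion edits show up as values under ...\Windows Defender\Exclusions\<type>\.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function ConvertFrom-DefenderConfigMessage {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Message)
    # Either line may be empty: empty Old = value added, empty New = value removed.
    $old = if ($Message -match '(?m)^\s*Old value:[ \t]*(.*)$') { $Matches[1].Trim() } else { '' }
    $new = if ($Message -match '(?m)^\s*New value:[ \t]*(.*)$') { $Matches[1].Trim() } else { '' }
    $action = if (-not $old -and $new) { 'Added' } elseif ($old -and -not $new) { 'Removed' } else { 'Changed' }
    [pscustomobject]@{
        Action      = $action
        IsExclusion = ("$old $new" -match '\\Exclusions\\')
        Old         = $old
        New         = $new
    }
}

# Constructed samples: the first mirrors the MpEngineRing entry quoted in the post,
# the second is a made-up exclusion entry showing what the filter is meant to catch.
$samples = @(
    "Microsoft Defender Antivirus Configuration has changed.`nOld value: `nNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpEngineRing = 0x4",
    "Microsoft Defender Antivirus Configuration has changed.`nOld value: `nNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0"
)
$samples | ForEach-Object { ConvertFrom-DefenderConfigMessage $_ } | Format-List

if ($env:OS -eq 'Windows_NT') {
    # Exclusions currently in effect (real values are only shown when elevated).
    Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | Format-List

    # Exclusion-related changes, oldest first, to date when an exclusion appeared.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 5007 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            ConvertFrom-DefenderConfigMessage $evt.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
        } |
        Where-Object IsExclusion |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, Action, Old, New -Wrap
}
```

The live query only covers events still retained in the log, so an exclusion added before the oldest surviving entry will appear in `Get-MpPreference` without a matching event.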
I’m going to recommend going nuclear.
Get a thumb drive, make a Windows 11 bootable drive out of it, boot the computer off that, and reinstall Windows.
My reasoning is that you’ve done good detective work, identified the symptoms, and found out there is an issue. I agree with your findings and conclusions about them.
Thing is, this could be anything at this point. The only 99% sure way to fix this is blowing it all away and starting over.
Make sure you have backups of your files. You will be deleting EVERYTHING off the computer.