A relative of mine complained of a slow computer. At my suggestion, they rescanned the hard drive. It found issues, but the on-screen information was quite useless, so I checked the Event Log. Several messages (Event Log "Description") looked like the following:

Microsoft Defender Antivirus ϋśèď сľöüδ ргοτэсŧιőň тο ġěţ ąðδίŧΐŏńάľ ѕеςųгĩŧý ΐиŧéľŀìģεπčз.%п %ţĊµгѓėńт ѕē¢цřîţў íňŧėŀłĭġέʼnĉε Věřśΐǿл:%ь1.383.16.0%л %тЅëςμŗíτŷ ïйťзļľιğέʼnĉé Ŧŷрз:%в%π %ŧÛśэŕ:%ь%ñ %τĈűяяēητ Ēⁿġìņë Vзřѕĩøл:%в1.1.20000.2%η %ŧĈĺǿцđ ρŗöţ℮ςτìôʼn ìηтęļĺíģĕлċ℮ Ŧўрĕ:%ъUpdate beveiligingsinformatie%й %тΡĕѓŝіśţэņçё Ραťђ:%вC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\9eb9fca7e49b6d97d02ab25cfca6a5588304ca6b%ň %ťČľōũð ρґõτеčťįòń íñŧęļĺīĝéπčέ Vеґѕιōñ:%в0.0.0.0%п %τČłôùđ ρřōťęčτїоⁿ ĩʼnŧêļļĩģέñ¢έ Çòmφīŀαŧîøп Ŧįmёѕтдмр:%ъ15-2-2023 20:32:47%π %ťРėřśįŝтέйċè Ĺĩmîť Ţýφé:%ъDuur%ή %ţРêяşìѕţēņčё Łіmĭť:%в288000000

This leads me to think that Defender has been tampered with. Googling the message did not work. I think this is intentional: the character replacement policy is probably unique for this computer.

Is there any specific malware that can cause this? And does anyone understand why it uses this elaborate scheme to obfuscate the log messages?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>2010</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-02-15T20:32:46.1221954Z" />
    <EventRecordID>27828</EventRecordID>
    <Correlation />
    <Execution ProcessID="3784" ThreadID="2432" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>Vaantjes</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.2301.6</Data>
    <Data Name="Current security intelligence Version">1.383.16.0</Data>
    <Data Name="Unused" />
    <Data Name="Unused2" />
    <Data Name="Unused3" />
    <Data Name="Unused4" />
    <Data Name="Domain" />
    <Data Name="User" />
    <Data Name="SID" />
    <Data Name="Security intelligence Type Index">0</Data>
    <Data Name="Security intelligence Type" />
    <Data Name="Unused5" />
    <Data Name="Unused6" />
    <Data Name="Current Engine Version">1.1.20000.2</Data>
    <Data Name="Unused7" />
    <Data Name="Unused8" />
    <Data Name="Unused9" />
    <Data Name="Unused10" />
    <Data Name="Unused11" />
    <Data Name="Unused12" />
    <Data Name="Cloud protection intelligence Type Index">1</Data>
    <Data Name="Cloud protection intelligence Type">Update beveiligingsinformatie</Data>
    <Data Name="Persistence Path">C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\9eb9fca7e49b6d97d02ab25cfca6a5588304ca6b</Data>
    <Data Name="Cloud protection intelligence Version">0.0.0.0</Data>
    <Data Name="Cloud protection intelligence Compilation Timestamp">15-2-2023 20:32:47</Data>
    <Data Name="Persistence Limit Type Index">2</Data>
    <Data Name="Persistence Limit Type">Duur</Data>
    <Data Name="Persistence Limit Value">288000000</Data>
  </EventData>
</Event>
  • 1
    The “de-diacritic’d” message is normal, I also have it: “Microsoft Defender Antivirus used cloud protection to get additional security intelligence.” Dunno about the rest, sorry.
    – Daniel B
    Commented Feb 16, 2023 at 8:14
  • 2
    It may be pseudo-localization, which means you've received some development version for locale testing. But scan your PC first to make sure.
    – phuclv
    Commented Feb 16, 2023 at 8:24
  • @phuclv: Thanks! That might be a benign explanation.
    Commented Feb 16, 2023 at 11:00
  • 1
    See also this answer. To fix the issue, change your language to en-us.
    – Blindspots
    Commented Feb 17, 2023 at 3:55
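
Added example (editorial, not from the question, the comments or Microsoft): a Python script that reverses the pseudo-localization phuclv describes and renders the message-template escapes, so an analyst can read the event text and compare it with the English string Daniel B quotes and with the Data Name attributes in the XML view. The sample input is the message from the question, embedded inline. The HOMOGLYPHS table is constructed from the characters in that one message, not from Microsoft's pseudo-localization table, so a build that uses other substitutions may leave some characters unmapped; the script_histogram check is there to reveal exactly that.

```python
"""De-pseudo-localize a Windows event message and render its FormatMessage escapes.

Added example, not from the question or from Microsoft. The homoglyph table
below is constructed from the characters seen in the posted message; it is not
Microsoft's own pseudo-localization table.
"""
import unicodedata

# Constructed sample: the pseudo-localized Defender event 2010 text from the question.
PSEUDO_MESSAGE = (
    "Microsoft Defender Antivirus ϋśèď сľöüδ ргοτэсŧιőň тο ġěţ ąðδίŧΐŏńάľ ѕеςųгĩŧý "
    "ΐиŧéľŀìģεπčз.%п %ţĊµгѓėńт ѕē¢цřîţў íňŧėŀłĭġέʼnĉε Věřśΐǿл:%ь1.383.16.0%л "
    "%тЅëςμŗíτŷ ïйťзļľιğέʼnĉé Ŧŷрз:%в%π %ŧÛśэŕ:%ь%ñ %τĈűяяēητ Ēⁿġìņë Vзřѕĩøл:%в1.1.20000.2%η "
    "%ŧĈĺǿцđ ρŗöţ℮ςτìôʼn ìηтęļĺíģĕлċ℮ Ŧўрĕ:%ъUpdate beveiligingsinformatie%й "
    r"%тΡĕѓŝіśţэņçё Ραťђ:%вC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\9eb9fca7e49b6d97d02ab25cfca6a5588304ca6b%ň "
    "%ťČľōũð ρґõτеčťįòń íñŧęļĺīĝéπčέ Vеґѕιōñ:%в0.0.0.0%п "
    "%τČłôùđ ρřōťęčτїоⁿ ĩʼnŧêļļĩģέñ¢έ Çòmφīŀαŧîøп Ŧįmёѕтдмр:%ъ15-2-2023 20:32:47%π "
    "%ťРėřśįŝтέйċè Ĺĩmîť Ţýφé:%ъDuur%ή %ţРêяşìѕţēņčё Łіmĭť:%в288000000"
)

# Characters that survive NFKD decomposition and still need a hand mapping
# (keys must themselves be NFKD-stable, because the table runs after normalization).
HOMOGLYPHS = {
    # Cyrillic look-alikes (mapping inferred from the words in the sample, e.g. "з" -> "e")
    "а": "a", "с": "c", "е": "e", "о": "o", "р": "p", "у": "y", "х": "x", "і": "i",
    "ѕ": "s", "т": "t", "г": "r", "ґ": "r", "я": "r", "и": "n", "л": "n", "п": "n",
    "м": "m", "д": "a", "з": "e", "э": "e", "ц": "u", "ь": "b", "в": "b", "ъ": "b",
    "ђ": "h", "Ѕ": "S", "Р": "P",
    # Greek look-alikes
    "α": "a", "δ": "d", "ε": "e", "η": "n", "ι": "i", "μ": "u", "ο": "o", "π": "n",
    "ρ": "p", "ς": "c", "τ": "t", "υ": "u", "φ": "p", "Ρ": "P",
    # Latin letters with strokes, and symbols, that NFKD leaves alone
    "ŧ": "t", "Ŧ": "T", "ł": "l", "Ł": "L", "đ": "d", "Đ": "D", "ð": "d",
    "ø": "o", "Ø": "O", "ħ": "h", "℮": "e", "¢": "c",
    # leftovers of ŉ (decomposes to ʼ + n) and ŀ (decomposes to l + ·)
    "ʼ": "", "’": "", "·": "",
}


def depseudo(text: str) -> str:
    """Decompose accented letters, drop the combining marks, then map the
    remaining non-Latin look-alikes back to ASCII."""
    decomposed = unicodedata.normalize("NFKD", text)
    base = (ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in base)


def script_histogram(text: str) -> dict:
    """Count alphabetic characters by script (first word of the Unicode name).
    A message that should be English but mixes CYRILLIC and GREEK is either
    pseudo-localized or tampered with; after depseudo() only LATIN should remain."""
    hist = {}
    for ch in text:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            hist[script] = hist.get(script, 0) + 1
    return hist


def expand_message_escapes(template: str) -> str:
    """Render the FormatMessage-style escapes left in the text:
    %n = line break, %t = tab, %b = space, %% = literal percent sign.
    Anything else after a percent sign (e.g. %1) is passed through unchanged."""
    escapes = {"n": "\n", "t": "\t", "b": " ", "%": "%"}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in escapes:
            out.append(escapes[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def decode_defender_message(raw: str):
    """Return (headline, {label: value}) for a decoded event message.
    Fields are split on the first colon only, so a value such as C:\\... survives."""
    rendered = expand_message_escapes(depseudo(raw))
    lines = [ln.strip() for ln in rendered.split("\n") if ln.strip()]
    headline, fields = lines[0], {}
    for ln in lines[1:]:
        label, _, value = ln.partition(":")
        fields[label.strip()] = value.strip()
    return headline, fields


if __name__ == "__main__":
    print("scripts before:", script_histogram(PSEUDO_MESSAGE))
    headline, fields = decode_defender_message(PSEUDO_MESSAGE)
    print("scripts after: ", script_histogram(depseudo(PSEUDO_MESSAGE)))
    print(headline)
    for label, value in fields.items():
        print(f"  {label}: {value!r}")
```

Running it decodes the headline to exactly the sentence Daniel B quotes, and every field label except the last ("Persistence Limit" against Data Name "Persistence Limit Value") matches a Data Name attribute in the XML view verbatim, with the Dutch parameter values ("Update beveiligingsinformatie", "Duur") untouched because only the template, not the inserted strings, was pseudo-localized. That one-to-one correspondence is the quick sanity check: a substitution scheme that was hiding something would not map cleanly back onto Microsoft's own field names.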
