[bigkahuna360]

Goodmorning everyone, its been a very long time since I've been here, but I have a huge security issue on my Windows 10 install (19033.1), for a long time I just assumed I had BitCoin miners plaguing my system whenever I left it alone and when I ran through all of AppData manually and scheduled various AV searches, I did find a couple miners and it took care of them. Fast forward a few more days and I just so happen to leave my computer idle for a few minutes, the temps rocket up to 75°C and immediately drop when I move the mouse. Fast forward a few more days and I have the genius idea of finally checking the Event Viewer log! Upon searching, I found the Security tab OVERFLOWING with commands and I've never seen anything like this before. What do you guys make of this and how can I save my install without wiping it?


*Rename the file to .evtx*

 

[The Pook]

"how do you fix the thing without doing the thing that fixes the thing?" - bigkahuna360, 2019

 

[bigkahuna360]

"how do you fix the thing without doing the thing that fixes the thing?" - bigkahuna360, 2019

What’s the thing? I have almost no experience dealing with virus’ and troubleshooting.

 

[makkara]

Windows 10 does maintenance, defragmenting and stuff in background when u dont use the computer for sometime. It stops doing it when computer is used again, like moving the mouse. This can cause pretty high CPU usage for 1 core sometimes.

 

[bigkahuna360]

Windows 10 does maintenance, defragmenting and stuff in background when u dont use the computer for sometime. It stops doing it when computer is used again, like moving the mouse. This can cause pretty high CPU usage for 1 core sometimes.

I’d agree if the security log didn’t show that there was a logon process and several dozen ownership processes within 30 seconds.

 

[The Pook]

What’s the thing? I have almost no experience dealing with virus’ and troubleshooting.

reinstall.

 

[bigkahuna360]

reinstall.

That’s my last resort. I consider that a worst case scenario.

 

[skupples]

you're at worse case.

wipe is only way to confirm clean if its as bad as you say it is.

i mean, you could always go pay a repair shop to not fix it, but tell you its fixed, if that makes you feel better.

 

[bigkahuna360]

you're at worse case.

wipe is only way to confirm clean if its as bad as you say it is.

i mean, you could always go pay a repair shop to not fix it, but tell you its fixed, if that makes you feel better.

Damn, I was really hoping that wouldn’t be the case.

 

[skupples]

you'd likely end up stuck in a never ending chase of delete the file, & purge the virus.

bleepingcomputer has a 3rd party tool that supposedly forces all running stuff to quit, making AV more effective at finding & removing, but typically I reformat anything this infected. Specially if its a employer, or customer related.

IE: if you brought this to me, I'd salvage important data (docs, pdfs, xls) reformat, confirm data i removed is clean, then put it back on.

 

[bigkahuna360]

you'd likely end up stuck in a never ending chase of delete the file, & purge the virus.

bleepingcomputer has a 3rd party tool that supposedly forces all running stuff to quit, making AV more effective at finding & removing, but typically I reformat anything this infected. Specially if its a employer, or customer related.

IE: if you brought this to me, I'd salvage important data (docs, pdfs, xls) reformat, confirm data i removed is clean, then put it back on.

Gotcha, biggest issue I have is that amount of important files is in excess of 300GB’s without enough space to backup elsewhere.

 

[skupples]

that is most definitely an issue... also seems like that likely includes lots of media, which technically is non-essential, unless its the only existing copy.

 

[Darren9]

It's just that Event 4624:Logon, Event 4672:Special Logon, Event 4798:User Account Management, Event 4799:Security Group Management, all multiple times in the same minute and repeated every 10 to 15 minutes is normal Windows operation.

I've got endless pages of them already, and I downloaded the latest Windows media creation tool direct from Microsoft 12 hours ago and put a clean Windows onto a brand new NVMe drive.

When you do the clean install thinking you've fixed it you're probably going to see exactly the same things in event viewer>security.

Which events do you think shouldn't be there? And how have you determined that they shouldn't be there?

 

[bigkahuna360]

It's just that Event 4624:Logon, Event 4672:Special Logon, Event 4798:User Account Management, Event 4799:Security Group Management, all multiple times in the same minute and repeated every 10 to 15 minutes is normal Windows operation.

I've got endless pages of them already, and I downloaded the latest Windows media creation tool direct from Microsoft 12 hours ago and put a clean Windows onto a brand new NVMe drive.

When you do the clean install thinking you've fixed it you're probably going to see exactly the same things in event viewer>security.

Which events do you think shouldn't be there? And how have you determined that they shouldn't be there?

I wish I had the money for a new NVMe drive. This 512 is too small now.

The red flags for me are all of the notes in those logs which include takeown and impersonate commands.

 

[bigkahuna360]

Solved! So last night I spent a good while searching and experimenting with "solutions" from others who had the same issue, but none of them had all of the same symptoms as mine. I finally tracked it down to Group Policies being compromised! So after a few erased entries, everything is fixed, and I'm left banging my head against the wall for it being such a simple fix.

The issue was found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In there I found the culprit, it showed up as a random string of numbers and letters. Delete and done.

 

[skupples]

good work, hopefully it doesn't creep back in.

 

[EniGma1987]

Gotcha, biggest issue I have is that amount of important files is in excess of 300GB’s without enough space to backup elsewhere.

Thats a major problem right there. If you have such important data that you cant bear to reinstall windows without saving it, you really should already have a backup drive with that stuff saved. A 1TB HDD is extremely cheap. Just mount it inside your computer and plug it in, copy your files over, and then unplug it and let it sit in there. Plug it back in and manually make a backup twice a year or so.
https://www.amazon.com/WD-Blue-1TB-Hard-Drive/dp/B0088PUEPK/?th=1




Edit: Or here is an external 1TB for the same price:
https://www.amazon.com/Seagate-Backup-External-Drive-Portable/dp/B07MXZ22Y1/

 

[compmaster]

compmaster

No antivirus software installed?
I've been using Avast (free only) for 10+ years and I haven't had a problem since.