Unknown Logon and TakeOwn Virus
Goodmorning everyone, its been a very long time since I've been here, but I have a huge security issue on my Windows 10 install (19033.1), for a long time I just assumed I had BitCoin miners plaguing my system whenever I left it alone and when I ran through all of AppData manually and scheduled various AV searches, I did find a couple miners and it took care of them. Fast forward a few more days and I just so happen to leave my computer idle for a few minutes, the temps rocket up to 75°C and immediately drop when I move the mouse. Fast forward a few more days and I have the genius idea of finally checking the Event Viewer log! Upon searching, I found the Security tab OVERFLOWING with commands and I've never seen anything like this before. What do you guys make of this and how can I save my install without wiping it?
*Rename the file to .evtx*
*Rename the file to .evtx*
1 - 18 of 18 Posts
Joined
·
4,877 Posts
What’s the thing? I have almost no experience dealing with virus’ and troubleshooting.
Joined
·
4,877 Posts
I’d agree if the security log didn’t show that there was a logon process and several dozen ownership processes within 30 seconds.
Joined
·
36,862 Posts
reinstall.
Joined
·
4,877 Posts
That’s my last resort. I consider that a worst case scenario.
Joined
·
4,877 Posts
Damn, I was really hoping that wouldn’t be the case.
Joined
·
39,546 Posts
you'd likely end up stuck in a never ending chase of delete the file, & purge the virus.
bleepingcomputer has a 3rd party tool that supposedly forces all running stuff to quit, making AV more effective at finding & removing, but typically I reformat anything this infected. Specially if its a employer, or customer related.
IE: if you brought this to me, I'd salvage important data (docs, pdfs, xls) reformat, confirm data i removed is clean, then put it back on.
bleepingcomputer has a 3rd party tool that supposedly forces all running stuff to quit, making AV more effective at finding & removing, but typically I reformat anything this infected. Specially if its a employer, or customer related.
IE: if you brought this to me, I'd salvage important data (docs, pdfs, xls) reformat, confirm data i removed is clean, then put it back on.
Joined
·
4,877 Posts
Gotcha, biggest issue I have is that amount of important files is in excess of 300GB’s without enough space to backup elsewhere.
Joined
·
3,805 Posts
It's just that Event 4624:Logon, Event 4672:Special Logon, Event 4798:User Account Management, Event 4799:Security Group Management, all multiple times in the same minute and repeated every 10 to 15 minutes is normal Windows operation.
I've got endless pages of them already, and I downloaded the latest Windows media creation tool direct from Microsoft 12 hours ago and put a clean Windows onto a brand new NVMe drive.
When you do the clean install thinking you've fixed it you're probably going to see exactly the same things in event viewer>security.
Which events do you think shouldn't be there? And how have you determined that they shouldn't be there?
I've got endless pages of them already, and I downloaded the latest Windows media creation tool direct from Microsoft 12 hours ago and put a clean Windows onto a brand new NVMe drive.
When you do the clean install thinking you've fixed it you're probably going to see exactly the same things in event viewer>security.
Which events do you think shouldn't be there? And how have you determined that they shouldn't be there?
Joined
·
4,877 Posts
I wish I had the money for a new NVMe drive. This 512 is too small now.
The red flags for me are all of the notes in those logs which include takeown and impersonate commands.
Joined
·
4,877 Posts
Solved! So last night I spent a good while searching and experimenting with "solutions" from others who had the same issue, but none of them had all of the same symptoms as mine. I finally tracked it down to Group Policies being compromised! So after a few erased entries, everything is fixed, and I'm left banging my head against the wall for it being such a simple fix.
The issue was found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In there I found the culprit, it showed up as a random string of numbers and letters. Delete and done.
The issue was found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In there I found the culprit, it showed up as a random string of numbers and letters. Delete and done.
Joined
·
6,941 Posts
Thats a major problem right there. If you have such important data that you cant bear to reinstall windows without saving it, you really should already have a backup drive with that stuff saved. A 1TB HDD is extremely cheap. Just mount it inside your computer and plug it in, copy your files over, and then unplug it and let it sit in there. Plug it back in and manually make a backup twice a year or so.
https://www.amazon.com/WD-Blue-1TB-Hard-Drive/dp/B0088PUEPK/?th=1
Edit: Or here is an external 1TB for the same price:
https://www.amazon.com/Seagate-Backup-External-Drive-Portable/dp/B07MXZ22Y1/
Joined
·
585 Posts
compmaster
No antivirus software installed?
I've been using Avast (free only) for 10+ years and I haven't had a problem since.
No antivirus software installed?
I've been using Avast (free only) for 10+ years and I haven't had a problem since.
1 - 18 of 18 Posts
