DTR Enthusiast · 4,877 Posts
Discussion Starter · #1 ·
Good morning everyone, it's been a very long time since I've been here, but I have a huge security issue on my Windows 10 install (19033.1). For a long time I just assumed I had BitCoin miners plaguing my system whenever I left it alone, and when I ran through all of AppData manually and scheduled various AV searches, I did find a couple of miners and it took care of them. Fast forward a few more days and I just so happen to leave my computer idle for a few minutes; the temps rocket up to 75°C and immediately drop when I move the mouse. Fast forward a few more days and I have the genius idea of finally checking the Event Viewer log! Upon searching, I found the Security tab OVERFLOWING with commands and I've never seen anything like this before. What do you guys make of this, and how can I save my install without wiping it?


*Rename the file to .evtx*
 


DTR Enthusiast · 4,877 Posts
Discussion Starter · #3 ·
"how do you fix the thing without doing the thing that fixes the thing?" - bigkahuna360, 2019
What's the thing? I have almost no experience dealing with viruses and troubleshooting.
 

DTR Enthusiast · 4,877 Posts
Discussion Starter · #5 ·
Windows 10 does maintenance, defragmenting and stuff in the background when you don't use the computer for some time. It stops doing it when the computer is used again, like when you move the mouse. This can cause pretty high CPU usage on one core sometimes.
I’d agree if the security log didn’t show that there was a logon process and several dozen ownership processes within 30 seconds.
 

DTR Enthusiast · 4,877 Posts
Discussion Starter · #7 ·

DTR Enthusiast · 4,877 Posts
Discussion Starter · #9 ·
You're at the worst case.

A wipe is the only way to confirm it's clean if it's as bad as you say it is.

I mean, you could always go pay a repair shop to not fix it but tell you it's fixed, if that makes you feel better.
Damn, I was really hoping that wouldn’t be the case.
 

DTR Enthusiast · 4,877 Posts
Discussion Starter · #11 ·
You'd likely end up stuck in a never-ending chase of delete the file & purge the virus.

BleepingComputer has a 3rd-party tool that supposedly forces all running stuff to quit, making AV more effective at finding & removing, but typically I reformat anything this infected. Especially if it's employer- or customer-related.

I.e.: if you brought this to me, I'd salvage important data (docs, PDFs, XLS), reformat, confirm the data I removed is clean, then put it back on.
Gotcha, the biggest issue I have is that the amount of important files is in excess of 300 GB, without enough space to back up elsewhere.
 

DTR Enthusiast · 4,877 Posts
Discussion Starter · #14 ·
It's just that Event 4624: Logon, Event 4672: Special Logon, Event 4798: User Account Management, Event 4799: Security Group Management, all multiple times in the same minute and repeated every 10 to 15 minutes, is normal Windows operation.

I've got endless pages of them already, and I downloaded the latest Windows media creation tool direct from Microsoft 12 hours ago and put a clean Windows onto a brand new NVMe drive.

When you do the clean install thinking you've fixed it, you're probably going to see exactly the same things in Event Viewer > Security.

Which events do you think shouldn't be there? And how have you determined that they shouldn't be there?
I wish I had the money for a new NVMe drive. This 512 is too small now.

The red flags for me are all of the notes in those logs which include takeown and impersonate commands.
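The disagreement in this post is about whether the 4624/4672/4798/4799 events are background noise or something else, and the only way to settle that is to look at which account, logon type, privilege list and calling process sit behind them rather than at the volume. The following script is an added example, not code from the thread or from any of its posters; it assumes Windows PowerShell 5.1 and an elevated prompt (reading the Security log needs administrator rights), and the `$Hours` window and the grouping are my choices.

```powershell
# Added example, not from the thread: summarise the Security-log events the
# thread argues about (4624, 4672, 4798, 4799) by account, logon type,
# privilege list and calling process over a chosen window.
# Assumes Windows PowerShell 5.1 and an elevated prompt.
param([int]$Hours = 24)

$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4672, 4798, 4799
    StartTime = (Get-Date).AddHours(-$Hours)
}

function Get-EventField {
    # Pull one <Data Name="..."> value out of the event's XML body.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No matching events in the last $Hours hours"; return }

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Subject    = Get-EventField $x 'SubjectUserName'
        Target     = Get-EventField $x 'TargetUserName'     # account logged on / enumerated
        LogonType  = Get-EventField $x 'LogonType'          # 4624 only
        Process    = Get-EventField $x 'ProcessName'        # 4624 only
        Caller     = Get-EventField $x 'CallerProcessName'  # 4798 / 4799 only
        Privileges = Get-EventField $x 'PrivilegeList'      # 4672 only
    }
}

# 1. Logons by account and type: 2 = interactive, 3 = network, 4 = batch (scheduled
#    task), 5 = service, 7 = unlock, 10 = remote desktop. Periodic SYSTEM / type-5
#    logons are the background maintenance described in post #14; an interactive or
#    network logon for an account you never created is not.
"`n== 4624 logons by account / logon type =="
$rows | Where-Object Id -eq 4624 | Group-Object Target, LogonType |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 2. Special-privilege logons: which account was handed SeTakeOwnershipPrivilege or
#    SeImpersonatePrivilege (the "takeown" and "impersonate" entries the OP noticed).
"`n== 4672 special logons by account =="
$rows | Where-Object Id -eq 4672 | Group-Object Subject |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$rows | Where-Object { $_.Id -eq 4672 -and $_.Privileges -match 'SeTakeOwnershipPrivilege|SeImpersonatePrivilege' } |
    Select-Object -First 5 Time, Subject, Privileges | Format-List

# 3. Account / group enumeration: which process is asking. svchost.exe on a schedule is
#    expected; an unfamiliar binary from a user-writable path deserves a closer look.
"`n== 4798/4799 enumeration by calling process =="
$rows | Where-Object { $_.Id -in 4798, 4799 } | Group-Object Caller |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 4. Cadence: events per 15-minute bucket, to make the "every 10 to 15 minutes" pattern visible.
"`n== events per 15-minute bucket =="
$rows | Group-Object { '{0:yyyy-MM-dd HH}:{1:00}' -f $_.Time, ([math]::Floor($_.Time.Minute / 15) * 15) } |
    Sort-Object Name | Format-Table Name, Count -AutoSize
```

Read the four tables together: if every 4624 is SYSTEM with logon type 5, every 4672 subject is SYSTEM and every 4798/4799 caller is a Windows binary under System32, the log matches the "normal Windows operation" claim above; an unknown account name or an unknown calling process in any of them is what actually needs explaining, not the event count.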
 

DTR Enthusiast · 4,877 Posts
Discussion Starter · #15 ·
Solved! So last night I spent a good while searching and experimenting with "solutions" from others who had the same issue, but none of them had all of the same symptoms as mine. I finally tracked it down to Group Policies being compromised! So after a few erased entries, everything is fixed, and I'm left banging my head against the wall for it being such a simple fix.

The issue was found under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments. In there I found the culprit, it showed up as a random string of numbers and letters. Delete and done.
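The "random string of numbers and letters" in User Rights Assignment is what the policy editor shows when a right is granted to a SID that no longer resolves to an account name, either because the account was deleted or because it was never one of yours. The script below is an added example, not code from the thread or its posters; it exports the local user-rights policy with `secedit`, tries to translate every principal, and reports the ones that do not resolve plus any entry on the rights the thread calls out (take ownership, impersonate; the remaining entries in `$Watch` are my additions). It changes nothing; removing an entry is then done the way the OP did, through the Group Policy / Local Security Policy editor. It assumes Windows PowerShell 5.1 and an elevated prompt.

```powershell
# Added example, not from the thread: list every User Rights Assignment and flag
# principals whose SID Windows cannot translate to an account name, which is how
# a planted or orphaned entry shows up in the policy editor as a bare S-1-5-... string.
# Report only; assumes Windows PowerShell 5.1 and an elevated prompt.
param(
    # Rights that always get listed, resolved or not. The first two are the ones the
    # thread mentions ("takeown", "impersonate"); the rest are my additions.
    [string[]]$Watch = 'SeTakeOwnershipPrivilege', 'SeImpersonatePrivilege',
                       'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTcbPrivilege'
)

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }

function Resolve-Principal {
    # Returns the account name for a "*S-1-..." entry, the entry itself if it is
    # already a name, or $null when Windows cannot translate the SID.
    param([string]$Entry)
    $sidText = $Entry.TrimStart('*')
    if ($sidText -notmatch '^S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

# The export is an INI file; the rights live under [Privilege Rights] as
#   SeTakeOwnershipPrivilege = *S-1-5-32-544,*S-1-5-21-...
$inSection = $false
$report = foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right = $Matches[1]
    foreach ($entry in ($Matches[2] -split ',' | ForEach-Object Trim | Where-Object { $_ })) {
        $name = Resolve-Principal $entry
        $display = if ($name) { $name } else { $entry.TrimStart('*') }
        [pscustomobject]@{
            Right     = $right
            Principal = $display
            Resolves  = [bool]$name
            Watched   = $right -in $Watch
        }
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Resolves = False is the line to investigate: a stale SID from a deleted account is
# harmless clutter, a SID you cannot account for is the kind of entry the OP found.
$report | Where-Object { -not $_.Resolves -or $_.Watched } |
    Sort-Object Resolves, Right | Format-Table Right, Principal, Resolves, Watched -AutoSize
```

On a default install the watched rights resolve to well-known groups such as BUILTIN\Administrators, NT AUTHORITY\SERVICE or NT AUTHORITY\LOCAL SERVICE; compare what you see against a known-clean machine of the same Windows build before deciding an entry is foreign, since an unresolved SID can also be left behind by a removed local account or an old domain join.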
 