Possibly compromised

Here we go again.

I was running OpenOffice and it crashed all the time. Nothing worked so I installed LibreOffice. But also this program was closing to desktop.
Then I was watching the Norton recent history log.
Also after using a few seconds also Norton disappeared. Tray icon and all. Seconds later the tray icon is back. Trying to scan happened again. Nothing malicious found. AdwCleaner nothing found. Windows safety scanner always got closed during scan. But it worked in safe mode.
It found vitualtool32malware tampering or something similar. In my experience it always finds that. So that's not the problem.

Months ago there was a moment Norton did not work. Not that I noticed.

And in Windows logs. Last months I see weird things.
Like when I log in I see “user logon” but in last 2 months also “special logon” Microsoft management auditing.
Also

  • security management group
  • security change state
  • other system events
  • process creation
  • user group management

All frequently in recent months.

I use my PC with a public connection without any sharing.

The strange thing is there is no remote access, Wi-Fi turned off. And no cable. Yet Norton says I am connected when I start PC. Does not take long before every app I use got turned off.

Tried the cmd and PowerShell command as admin. sfc /scannow and DISM. But nothing gets scanned. When I closed the PC, I saw Windows was closing a program with the letters Gypsy or something similar. Don't know if this is a legit program. It's only the second time I see it.

Hello @Maxi24

fwiw ~ Google search guess:
https://learn.microsoft.com/en-us/purview/audit-log-enable-disable

Before I saw these posts, I did reset my PC to factory settings. Everything seems to work. However my PC fails to download and install the latest Windows version. Also Firefox fails to install and crashes all the time. However did not have any problems with other programs… yet

Reset PC?
Meaning, you’re now W10 and you were W11?

Nah… I bought this with Win 11. Also it went back to the manufacturer for a fix at one point. So it set me back to September 23

Okay

When you factory restored the PC did the restore include ANY malware or antiviral trial subscriptions that may have been also restored and installed?

Have you checked for the latest version, and/or, updated the system BIOS since restore? My concern is that malware may be written into the system BIOS/UEFI. If that is the case it's very bad, that cannot be removed without a successful BIOS re-flash update. *Please note that flashing the BIOS has its risks, consult your OEM prior to doing an update to your BIOS.

SA

Good points. I actually, uh, never flash BIOS. Scared to do. I am kinda hoping it was faulty software or bad Win update. Then got paranoid on all those logs where I don't know the meaning.

I scanned with all mwb, adw, norton, windef, safety scanner. Nada.

Okay I am seriously scre**** something is wrong.
I think can't use Norton, can't reinstall, can't properly install various things: Norton, Firefox, updates

In task manager periodically some process is running I have never seen before. Don't know what. And remote procedure call is turning on.

@Maxi24 If you somehow can get a screenshot of your task manager screen to post here, that would be a huge plus for us to review exactly what you are seeing and the processes running.

One thing of note that I didn’t see posted here earlier is, is your version of Windows 11 running in S mode? And are you logging into Windows with admin privileges account either local or under Microsoft credentials?

Also. When you said that you see: “special logon” Microsoft management auditing. Here is what that means in terms from Microsoft.

https://answers.microsoft.com/en-us/windows/forum/all/event-viewer-shows-special-logon-when-pc-was-shut/5b37f816-1f26-49a4-a2f6-f0b9c9b75b22

SA

You also said:

Please remove ALL the A/V solutions you have installed and reboot. Defender cannot be removed so ignore that. Then reboot in safe mode, without networking. Check your task manager again for processes that look out of place. Download Rkill on another device and run on the affected computer to see what, if any malicious processes are found and please let us know those results.

SA

Hello @Maxi24
Please post progress

Please review: Malwarebytes Help

Ok update. I put it back in factory setting. But could barely install some programs. Windows update latest version could not be installed. Web browser crashed every time, Norton could not be started. Some progress error gave corrupted file.

Then a clean Windows install. At first glance everything seems to work. However. Now the Nvidia driver won’t install. Changed the SSD but this seems not the issue. System seems to work with another GPU. So it might be a faulty GPU… I send it to manufacturer.
