XP SP2 Event log not logging events

I have a problem whereby a terminal appears not to be logging events correctly and occasionally appears to have problems communicating across the network.

The terminal has previously been infected with a virus which appears to have ‘played’ with the default group policy in the standard user profile. Although, outwardly, the terminal appears to be working normally I still have a nagging feeling that it isn’t quite back to the way it was. It was infected by a user plugging in a USB stick while the company was using the older version of the AV software, typically a week or so before it was updated.

I have configured the Event logs to Overwrite as required and to be 5056KB in Maximum size. I have also attempted:

  • Disabling the Event Log service & restarting
  • Renewing the EVT files in Windows\system32\config directory
  • Restarting the event log service and restarting
  • Clearing the event log in the Services MMC
  • Resetting the Filters to Default in the services MMC
  • Using the EVENTCREATE command remotely from a CMD window on the server to force an event creation event.

So far the only operation to have any sort of success is the remote computer EVENTCREATE command from a CMD window on the server. As it stands, the only other time that the computer has managed to create events is while it is being restarted.

Has anyone got any ideas on how to proceed? I’m thinking that possibly a refresh of the ‘Windows\system32\config\SystemProfile’ folder. I’m also thinking about running a tool such as Malwarebytes but this could be slightly controversial as the system needs to be running on ‘up-time’ for as long as possible. I’m also wondering whether anyone knows of any Windows admin tools that allow me to control the event logging options or default security options so that I could get it back to some sort of standard.

What I’m trying to avoid is a complete re-imaging of the terminal. Although this is an option, I don’t really want to have to take it if I don’t need to.

Many thanks in advance for any suggestions anyone may be able to provide.
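The remote EVENTCREATE test described in the question can be turned into a repeatable health check: confirm the Event Log service is running, record the log's configured size and overwrite policy, write a uniquely tagged test event, and then read it back to prove the log is actually recording. The script below is an added example and is not code from the question or the answer. It assumes PowerShell 2.0 or later on the machine running it (the server, as in the question; XP itself needs SP3 for PowerShell 2.0), administrative rights on the terminal, and that `TERMINAL-NAME` is replaced with the real host name; the event source name `LogCheck` and event ID 999 are assumed values chosen for this example.

```powershell
# Added example (not part of the original question or answer): verify that a
# remote Windows event log records new events, mirroring the EVENTCREATE test.
# Assumes PowerShell 2.0+, admin rights on the target, and a placeholder host name.
param(
    [string]$Terminal = 'TERMINAL-NAME',   # placeholder: replace with the terminal's host name
    [string]$LogName  = 'Application'
)

function Test-EventLogHealth {
    param([string]$ComputerName, [string]$LogName)

    $result = @{ Computer = $ComputerName; Log = $LogName }

    # 1. The Event Log service must be running; nothing is recorded otherwise.
    $svc = Get-Service -Name 'EventLog' -ComputerName $ComputerName
    $result.ServiceStatus = $svc.Status

    # 2. Record the configured maximum size and overflow policy so they can be
    #    compared with what was set in the Event Viewer properties.
    $log = Get-EventLog -List -ComputerName $ComputerName |
        Where-Object { $_.Log -eq $LogName }
    $result.MaximumKilobytes = $log.MaximumKilobytes
    $result.OverflowAction   = $log.OverflowAction

    # 3. Make sure a source exists for the test event (Write-EventLog needs a
    #    registered source). 'LogCheck' is an assumed name for this example.
    $source = 'LogCheck'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source, $ComputerName)) {
        New-EventLog -ComputerName $ComputerName -LogName $LogName -Source $source
    }

    # 4. Write a uniquely tagged test event (same idea as EVENTCREATE /ID 999).
    $tag = 'LogCheck-' + [guid]::NewGuid().ToString()
    Write-EventLog -ComputerName $ComputerName -LogName $LogName -Source $source `
        -EventId 999 -EntryType Information -Message "Event log health check $tag"

    # 5. Read it back. If the write call succeeded but the event cannot be found,
    #    the log is not recording, which is the symptom the question describes.
    Start-Sleep -Seconds 2
    $found = Get-EventLog -ComputerName $ComputerName -LogName $LogName -Newest 50 |
        Where-Object { $_.Message -like "*$tag*" }
    $result.TestEventRecorded = [bool]$found

    New-Object PSObject -Property $result
}

Test-EventLogHealth -ComputerName $Terminal -LogName $LogName | Format-List
```

Running this from the server against the terminal separates the two failure modes the question conflates: a service that is stopped or cannot be reached over the network (step 1 fails) versus a service that accepts writes but never persists them (step 4 succeeds, step 5 finds nothing). The second case points at the log files or the service configuration on the terminal rather than at the network.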

Answer

First, you might find better support on ServerFault, as logging is usually more heavily used on servers, despite the particular system in question being a client.

Second, you can never be truly sure that you’ve gotten rid of a virus unless you format the system and reinstall/reimage it. If you know the exact virus and know for sure every file was removed and every change reversed, then I suppose you could be reasonably sure it’s gone; I’m assuming you’re not 100% certain in this case since we don’t know if this virus messes with system logging and/or what changes it makes.

Attribution
Source : Link , Question Author : Weedfreer , Answer Author : Darth Android