Windows 10: A strange login. Or an attack?

Discussion in 'AntiVirus, Firewalls and System Security' started by DonnaldQuist, Oct 15, 2018.

  1. A strange login. Or an attack?


    I do not know what happened, but today I started my PC and suddenly the name of my network had been changed. Or the name of my modem. After resetting my modem to default settings I logged in with my Microsoft account, which should be the only way to start Windows. But after I checked the events that occurred on my PC I saw a strange event. I am not an IT specialist and not even an amateur, but this is what I found. Please explain what I should do. And excuse the poor grammar. I'm Dutch and English isn't my language.




    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-15T16:02:33.107134300Z" />
    <EventRecordID>3610</EventRecordID>
    <Correlation />
    <Execution ProcessID="1296" ThreadID="4848" />
    <Channel>Application</Channel>
    <Computer>Doggytop</Computer>
    <Security UserID="S-1-5-18" />
    </System>
    - <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">42 user registry handles leaked from \Registry\User\S-1-5-21-3599373940-2952038636-1933688023-1001: Process 1044 (\Device\HarddiskVolume4\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001 Process 908 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\System\GameConfigStore\Parents Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\CommsAPHost\Test Process 908 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\System\GameConfigStore Process 2380 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Policies\Microsoft\Windows\CloudContent Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\PushNotifications Process 8440 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Explorer Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Explorer Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key 
\REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment1$windows.data.notifications.quietmoment\Current Process 11688 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings Process 2380 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\Privacy Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$microsoft.quiethoursprofile.alarmsonly$windows.data.notifications.quiethoursprofile\Current Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$microsoft.quiethoursprofile.alarmsonly$windows.data.notifications.quiethoursprofile\Current Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.notifications.quiethourssettings\Current Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) 
has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 11688 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment0$windows.data.notifications.quietmoment\Current Process 2380 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key 
\REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Policies\Microsoft\Windows\DataCollection Process 11688 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Main Process 11688 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Main Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001





    \Software\Microsoft\Internet Explorer\Main Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\ActiveSync\Partners Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment2$windows.data.notifications.quietmoment\Current Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Unified Store\HighWaterMarks\C:_Users_TV-CH_AppData_Local_Comms_UnistoreDB_store.vol Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$quietmoment3$windows.data.notifications.quietmoment\Current Process 8252 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts Process 908 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\System\GameConfigStore\Children Process 3608 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Security Process 11688 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Security Process 10552 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Internet Explorer\Security Process 10552 
(\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-3599373940-2952038636-1933688023-1001\Software\Microsoft\Windows\CurrentVersion\PushNotifications\wpnidm</Data>
    </EventData>
    </Event>

    :)
     
    DonnaldQuist, Oct 15, 2018
    #1
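Event 1530 is written by the User Profiles Service when a user's registry hive still has open handles as the profile is unloaded, and its Detail field names each process holding one. The following added example (not part of the original post) parses an exported event of that shape and groups the handles per process; the sample XML, its placeholder SID and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of the event posted above: placeholder SID,
# four handle entries. Real exports escape <Unknown> as &lt;Unknown&gt;.
SAMPLE_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1530</EventID></System>
<EventData Name="EVENT_HIVE_LEAK"><Data Name="Detail">4 user registry handles leaked from \Registry\User\S-1-5-21-0-0-0-1001: Process 1044 (\Device\HarddiskVolume4\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001 Process 908 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\System\GameConfigStore Process 908 (\Device\HarddiskVolume4\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\System\GameConfigStore\Parents Process 8252 (&lt;Unknown&gt;) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts</Data></EventData>
</Event>"""

# One entry: "Process <pid> (<image>) has opened key <path>". Key paths contain
# spaces, so each key runs up to the next "Process <pid> (" or the end of text.
ENTRY = re.compile(
    r"Process (\d+) \((.*?)\) has opened key (\\REGISTRY\\USER\\.*?)"
    r"(?=\s+Process \d+ \(|\s*$)", re.S)

def parse_hive_leak(event_xml):
    """Return (declared_count, [(pid, image, key), ...]) for an Event 1530."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1530":
        raise ValueError("not a User Profiles Service event 1530")
    detail = root.findtext("e:EventData/e:Data[@Name='Detail']", namespaces=NS)
    declared = int(re.match(r"\s*(\d+) user registry handles leaked", detail).group(1))
    entries = [(int(pid), img, key) for pid, img, key in ENTRY.findall(detail)]
    return declared, entries

def triage(entries):
    """Count handles per process and list images that are not System32 executables."""
    per_proc = Counter((pid, img) for pid, img, _ in entries)
    # A System32 path is only a first-pass filter; it does not prove the binary is genuine.
    flagged = sorted(
        (pid, img) for pid, img in per_proc
        if not re.search(r"\\Windows\\System32\\[^\\]+\.exe$", img, re.I))
    return per_proc, flagged

if __name__ == "__main__":
    declared, entries = parse_hive_leak(SAMPLE_XML)
    per_proc, flagged = triage(entries)
    print(f"declared={declared} parsed={len(entries)}")
    for (pid, img), n in per_proc.most_common():
        print(f"{n:3d}  PID {pid:<6} {img}")
    print("needs a closer look:", flagged)
```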
  2. Arun B J Win User

    Can't login to new computer w/Windows 10

    Hi,

    Thank you for your reply.


    • Are you able to login to Microsoft Account on Web?

    • Have you installed any language pack?

    I suggest you follow the steps below and check if it helps.

    Step 1: I suggest you select the appropriate language in the login screen at the bottom right corner and check if it helps.

    Step 2: Use the On-screen keyboard in the login screen to log in and check if it helps.

    Hope this helps. If the issue remains unresolved, please get back to us and we would be happy to help.
     
    Arun B J, Oct 15, 2018
    #2
  3. DaveM121 Win User
    About Ransomware attack

    Here is Microsoft's Customer Guidance on the Ransomware Attack:

    • In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

    • For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.

    • This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

    For the full article,
    Click HERE
     
    DaveM121, Oct 15, 2018
    #3
  4. A strange login. Or an attack?

    Router DoS Attack Logs

    wow OP, that is a huge list and range of IPs

    you should nslookup each one to see what's up with those.

    my router logged 2 "dos attacks" like a few days. it was amazon, my ISP and some other place i forgot. strange, but they stopped already
     
    DF is BUSY, Oct 15, 2018
    #4