Windows 7 Forums



Windows 7: BSOD's on user account, auto reboots & auto logs-in to Admin account

16 Sep 2015   #1
NEURO2014

Windows 7 Ultimate x64
 
 
BSOD's on user account, auto reboots & auto logs-in to Admin account

Greetings,

A friend of mine has been having a recurring issue with his computer that's getting worse. I've spent hours going through the forums, but haven't seen anything about this, so I'm posting here. Any help would be greatly appreciated.

ISSUE:
He uses his computer with a password protected user account, while rarely logging in/off the password protected Admin account. For months, while working in his user account, his computer will BSOD at random times whenever he has IE11 or Chrome open. He's got malware causing him issues, BUT:

In the last few weeks, when it reboots after a BSOD, it will automatically login to his Admin account on its own, without him entering his Admin password. WTH?

I've never even heard of something like this and not sure where to start. He ran Malwarebytes and sent me an email tonight (below) that listed what was found. Over the last couple of years, he seems to be a magnet for downloading PUPs, PUMs, malware, adware, viruses, etc., that I've had to help him through.

His computer is custom built:
Windows 7 Home x64 - All service packs, auto updates turned on & current
Core i5
8GB RAM
ATI video card
AV = MSE
Also runs MalwareBytes free

His email last night:

"I received a BSOD while logged onto my user account side with Chrome and Outlook open. I went to watch TV for an hour and when I came back to the computer I must have had a BSOD and I was logged onto the Admin side. This is the second or third time this has happened like this."

"While on the Admin side I ran CC Cleaner and Malwarebytes. Attached is a document showing that Malwarebytes found 16 threats. I have no idea what they mean or if any of those could be causing my BSOD issues. When you get some time, please take a look at them and see what you can determine. Appreciate it."

==============================

Here's the list of items Malwarebytes found when he ran it as Admin. I looked them up and he's got serious problems.

But what concerns me is how his computer is rebooting, after a BSOD, and logging into his Admin account on its own without him entering the password.

I've edited the list to remove his Admin account name so that it = XXX.

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 9/15/2015
Scan Time: 10:50 PM
Logfile: Detected Threats.txt
Administrator: Yes


version: 2.1.8.1057
Malware Database: v2015.09.16.02
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious website Protection: Disabled
self-protection: Disabled


os: windows 7 service Pack 1
CPU: x64
File system: NTFS
User: XXX-Admin

Scan Type: Threat Scan
Result: completed
objects scanned: 416994
Time Elapsed: 18 min, 3 sec

Memory: Enabled
startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(NO malicious items detected)

Modules: 0
(NO malicious items detected)

Registry Keys: 8

PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, ,
[e8aa58d8315a8fa79406a7celce826da],


PUP.optional.superoptimizer,
HKLM\SOFTWARE\wow6432NODE\{6791A2F3-FC80-475C-A002-COl4AF797E9C}, ,
[eba7220e9bfOa78f67eebffa986cOef2],


PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, ,
[365ce947e4a7cb6b31693f36848017e9],


PUP.optional.superoptimizer,
HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, ,
[7a1884acf99248ee9db3cfeaa75d4cb4],


PUP.optional.superoptimizer,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03
-4431-B4FD-889BC837521F}, , [bad89d93cebdb581c38dcfeaba4a9a66],


PUP.optional.conduit,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-AOFF-E1416B8B2E3A}, ,
[b4de70cOb6d5e2545872b8dlda2ad927],


PUP.optional.w3i,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}, ,[4e44131d4843f541189c823d6f9546ba],


PUP.Optional.optimizerpro,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER PRO, ,
[702234fcf992c76fd8d403a658acOcf4],
Registry values: 5


PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE!DisableAutoupdatecheckscheckboxvalue, 1, ,
[e8aa58d8315a8fa79406a7celce826da]


PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\Wow6432NODE\POLICIES\GOOGLE\UPDATEID;sableAutoupdatecheckscheckboxvalu
e, 1, , [365ce947e4a7cb6b31693f36848017e9]


PUP.optional.conduit,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-AOFF-E1416B8B2E3A}luRL,
http://www.bing.com/search?pc=cosP&ptag=D042415-ABAOlA7CCEB2146F8A7F&form=coNBDF&con
logO=CT3330961&q={searchTerms}, , [b4de70cOb6d5e2545872b8d1da2ad927]


PUP.optional.w3i,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}!URL,
https://search.yahoo.com/search?p={searchTerms}&ei=uTF-8&fr=w3i&type=w3i_DS,136,O_O,
search,20141250,20028,O,31,O, , [4e44131d4843f541189c823d6f9546ba]


PUP.optional.optimizerpro,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER
PRO!AdsBuyNoWURL,
http://www.safeshopgate.com/r?s=121001678&g=8DC53c09-703E-8C3B-6249-8052683A1DEO, ,
[702234fcf992c76fd8d403a658acOcf4]

Registry Data: 0
(NO malicious items detected)

Folders: 2
PUP.optional.opencandy, c:\users\XXX-Admin\AppData\Roaming\opencandy, ,
[fd95b27e5f2ca3934c30e51136cc8878],


PUP.optional.opencandy,
c:\users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28E1FDD7AEBC846, ,
[fd95b27e5f2ca3934c30e51136cc8878],

Files: 1
PUP.optional.opencandy,
c:\Users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28EIFDD7AEBC846\webc
ompanionlnstaller.exe, , [fd95b27e5f2ca3934c30e51136cc8878],
physical Sectors: 0
(NO malicious items detected)


==========================================

I don't have access to his computer, so he emails or calls me to describe what's going on and I help him out as best I can. If necessary, he can travel and bring the computer to me for fixing.

Any help or ideas on what could be causing the auto login to his Admin account would be greatly appreciated. I know I have to clean out all the malware he's let on to his computer, but I'm not sure if this will fix the auto login issue. Anyone ever seen something like this before or dealt with it?

Thank You.




16 Sep 2015   #2
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

We work for 'free' on this forum.

If you are charging him money to 'fix' his PC with our advice/help, then you're circumventing the use of our forum for your own gain.

If the above doesn't apply, then please have your friend join our forum, so we can directly help him.
17 Sep 2015   #3
NEURO2014

Windows 7 Ultimate x64
 
 

Quote: Originally Posted by Jacee
We work for 'free' on this forum.

If you are charging him money to 'fix' his PC with our advice/help, then you're circumventing the use of our forum for your own gain.

If the above doesn't apply, then please have your friend join our forum, so we can directly help him.
Jacee...where in anything that I wrote did I say I was charging him to fix his computer? I clearly stated that he's a friend of mine and that I fix his computer for him when he has problems, just like the rest of us help friends with computer problems. I've never charged him to fix his computer...if anything, he gives me a bottle of 12 year old scotch as a 'Thank You'. So please retract or amend your response to correct your misreading of my post.

If you're knowledgeable about this issue and able to help, I'd be glad to hear your thoughts.

17 Sep 2015   #4
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

I wasn't trying to offend you..... thank you for answering my question, and I apologize to you.

The PUPs and PUMs found by Malwarebytes all need to be checked; then click "Remove Selected".

Next, download TFC (Temp File Cleaner by OldTimer, from the Geeks to Go forum) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser! It will temporarily remove all desktop shortcuts while it scans.
Double-click on TFC.exe to run it. If you are using Vista/Windows 7, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next, flush the DNS cache and restore MS's Hosts file:

Copy and paste these lines into Notepad.

@echo on
rem Restore the default hosts file (removes any entries that were added to it)
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Release and renew the DHCP lease, then flush the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack (both take effect after a reboot)
netsh winsock reset
netsh int ip reset
rem Reboot in one second and delete this batch file
shutdown -r -t 1
del %0


Save it as flush.bat to your desktop. Right-click the flush.bat file and run it as Administrator. The computer will reboot itself once again.

After doing all of the above:
Scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
17 Sep 2015   #5
NEURO2014

Windows 7 Ultimate x64
 
 

Thank you Jacee. I appreciate your understanding. I'm just a business owner in Las Vegas, have adored Windows since getting my first computer with Win 3.1, tinker around with Windows as a hobby, occasionally build a computer for myself or friends & family, and help them when they have problems. You know the story...you become the unofficial 911 tech support for them once you touch their computers. I've been a member of the Seven, Eight, and Ten forums for years, though in 2014, something got botched with my Seven account and I had to remake it, starting fresh.

Thank you also for the info on cleaning out the malware. I'll give it all a try and let you know how it goes.

Any ideas about the issue of him being in his user account, then the computer rebooting after a BSOD and logging into his rarely used Admin account by bypassing his password? That one concerns me...I've never even heard of something like that before and it seems rather extreme for common PUPs & PUMs to do. I don't follow the malware world closely for new developments and just read up on them when something goes wrong. Is this a new thing that's common, and does it bring into question the hardness of Windows security? Or is there something else going on that's more dire?

Thanks.
17 Sep 2015   #6
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

I 'think' whatever he's downloaded may have taken over his Administrator's account.

If your friend doesn't pay attention to what he's downloading, e-mail phishing, or many other possibilities, then he's quite susceptible to a 'Backdoor Trojan'. This may be the case... I don't know for sure, until you check with him and post the logs I requested.
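A read-only check to go with the point above, added here as an example and not something either poster ran: it reports the Winlogon automatic-logon settings (the same mechanism netplwiz toggles, so a technician can see whether auto logon is configured and for which account), the Winlogon Userinit/Shell values against their documented defaults, and whether the Chrome-update policy keys from the Malwarebytes log are still present. Whether the Winlogon setting is actually behind the friend's symptom is not established by the thread; the script only reports state and changes nothing.

```powershell
# Added example, not from the thread or either poster. Run from an elevated
# PowerShell prompt on the affected Windows 7 PC; it only reads the registry.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon

Write-Host "== Winlogon automatic logon =="
Write-Host ("AutoAdminLogon   : {0}" -f $wl.AutoAdminLogon)   # "1" = auto logon enabled
Write-Host ("DefaultUserName  : {0}" -f $wl.DefaultUserName)  # account that would be logged on
Write-Host ("DefaultDomainName: {0}" -f $wl.DefaultDomainName)
Write-Host ("ForceAutoLogon   : {0}" -f $wl.ForceAutoLogon)   # "1" = re-logon even after logoff
# A clear-text DefaultPassword value is itself a finding, so only report whether one exists.
# netplwiz stores the password as an LSA secret instead, so "not set" here does not
# by itself rule out auto logon; AutoAdminLogon above is the decisive value.
if ($wl.PSObject.Properties['DefaultPassword']) {
    Write-Host "DefaultPassword  : PRESENT (clear-text password stored in the registry)"
} else {
    Write-Host "DefaultPassword  : not set"
}

# Userinit and Shell are common places for unwanted software to hook the logon;
# the documented Windows 7 defaults are shown beside each value for comparison.
Write-Host "`n== Winlogon Userinit / Shell =="
Write-Host ("Userinit: {0}  (default: C:\Windows\system32\userinit.exe,)" -f $wl.Userinit)
Write-Host ("Shell   : {0}  (default: explorer.exe)" -f $wl.Shell)

# The two policy keys Malwarebytes flagged as PUM.Security.Hijack.DisableChromeUpdates.
Write-Host "`n== Chrome update policy keys flagged by Malwarebytes =="
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Google\Update'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        Write-Host ("{0}: PRESENT, DisableAutoUpdateChecksCheckboxValue = {1}" -f $key, $p.DisableAutoUpdateChecksCheckboxValue)
    } else {
        Write-Host ("{0}: absent" -f $key)
    }
}
```

If AutoAdminLogon is "1" and DefaultUserName names the Admin account, that alone explains a password-free logon after any reboot, and netplwiz (re-checking "Users must enter a user name and password") is the supported way to turn it off.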
18 Sep 2015   #7
NEURO2014

Windows 7 Ultimate x64
 
 

Sorry Jacee...I misread the tail end of your ESET instructions and missed the part about posting the report. And yes, for some reason, he's a magnet for collecting these infestations. Once or twice a year, things get out of control and I have to help him out. He lives in a neighboring city, so I'll send him your instructions and we'll walk through them. If he's comfortable following your instructions, I'll get the report and post it. If not, he'll have to bring his computer to me so I can run through them and post the report.

Thanks again for the help and I'll let you know how it goes.
18 Sep 2015   #8
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Okay, hope all goes well.
25 Sep 2015   #9
NEURO2014

Windows 7 Ultimate x64
 
 

Hi Jacee...just letting you know that I might have that ESET report you requested today or tonight. Both my time & my friend's time got whacked all week with work and we haven't been able to hook up, but we should be able to today. Sorry for the delay.
26 Sep 2015   #10
NEURO2014

Windows 7 Ultimate x64
 
 

Hi Jacee,

We did all the steps you recommended and I've attached the ESET report as a TXT file:
  1. Ran MSE full scan - No threats detected
  2. Ran Malwarebytes - Several threats found and deleted/cleaned all
  3. Ran TFC
  4. Ran the flush.bat file
  5. Ran ESET Online Scan - It found 11 threats that we let it delete. Results are attached as a TXT file.
He had a couple of programs that were questionable and we uninstalled them: uTorrent (uTorrent.exe) and Any Video Converter (avc-free.exe) because OpenCandy was detected with them.

We ran ESET for a second time and nothing new was detected. Hopefully, his computer is sanitized now, but the question remains as to what was causing one of the original issues of his computer to randomly BSOD, reboot, and automatically login to his Admin account that is password protected. It only happened randomly whenever he was using IE 11 or Chrome. I'm guessing one of the threats was causing that or the BSODs...but have never seen one be able to login to an Admin account upon rebooting, so I'm lost there.

Again, we appreciate your time examining this and look forward to hearing what you have to say about it. If there's anything else you want us to do or information you need, let me know.

Thanks.


Attached Files
File Type: txt ESET Report 09252015.txt (3.4 KB, 2 views)
