BSOD's on user account, auto reboots & auto logs-in to Admin account
Greetings,
A friend of mine has been having a recurring issue with his computer that's getting worse. I've spent hours going through the forums, but haven't seen anything about this, so I'm posting here. Any help would be greatly appreciated.
ISSUE:
He uses his computer with a password protected user account, while rarely logging in/off the password protected Admin account. For months, while working in his user account, his computer will BSOD at random times whenever he has IE11 or Chrome open. He's got malware causing him issues, BUT:
In the last few weeks, when it reboots after a BSOD, it will automatically login to his Admin account on its own, without him entering his Admin password. WTH?
I've never even heard of something like this and not sure where to start. He ran Malwarebytes and sent me an email tonight (below) that listed what was found. Over the last couple of years, he seems to be a magnet for downloading PUPs, PUMs, malware, adware, viruses, etc., that I've had to help him through.
His computer is custom built:
Windows 7 Home x64 - All service packs, auto updates turned on & current
Core i5
8GB RAM
ATI video card
AV = MSE
Also runs MalwareBytes free
His email last night:
"I received a BSOD while logged onto my user account side with Chrome and Outlook open. I went to watch TV for an hour and when I came back to the computer I must have had a BSOD and I was logged onto the Admin side. This is the second or third time this has happened like this."
"While on the Admin side I ran CCleaner and Malwarebytes. Attached is a document that Malwarebytes found 16 threats. I have no idea what they mean or if any of those could be causing my BSOD issues. When you get some time, please take a look at them and see what you can determine. Appreciate it."
==============================
Here's the list of items Malwarebytes found when he ran it as Admin. I looked them up and he's got serious problems.
But what concerns me is how his computer is rebooting, after a BSOD, and logging into his Admin account on its own without him entering the password.
I've edited the list to remove his Admin account name so that it = XXX.
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 9/15/2015
Scan Time: 10:50 PM
Logfile: Detected Threats.txt
Administrator: Yes
version: 2.1.8.1057
Malware Database: v2015.09.16.02
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious website Protection: Disabled
self-protection: Disabled
os: windows 7 service Pack 1
CPU: x64
File system: NTFS
User: XXX-Admin
Scan Type: Threat Scan
Result: completed
objects scanned: 416994
Time Elapsed: 18 min, 3 sec
Memory: Enabled
startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(NO malicious items detected)
Modules: 0
(NO malicious items detected)
Registry Keys: 8
PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, , [e8aa58d8315a8fa79406a7ce1ce826da],
PUP.optional.superoptimizer, HKLM\SOFTWARE\wow6432NODE\{6791A2F3-FC80-475C-A002-C014AF797E9C}, , [eba7220e9bf0a78f67eebffa986c0ef2],
PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, , [365ce947e4a7cb6b31693f36848017e9],
PUP.optional.superoptimizer, HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [7a1884acf99248ee9db3cfeaa75d4cb4],
PUP.optional.superoptimizer, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, , [bad89d93cebdb581c38dcfeaba4a9a66],
PUP.optional.conduit, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, , [b4de70c0b6d5e2545872b8d1da2ad927],
PUP.optional.w3i, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}, , [4e44131d4843f541189c823d6f9546ba],
PUP.Optional.optimizerpro, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER PRO, , [702234fcf992c76fd8d403a658ac0cf4],
Registry values: 5
PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE!DisableAutoupdatecheckscheckboxvalue, 1, , [e8aa58d8315a8fa79406a7ce1ce826da]
PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\Wow6432NODE\POLICIES\GOOGLE\UPDATE!DisableAutoupdatecheckscheckboxvalue, 1, , [365ce947e4a7cb6b31693f36848017e9]
PUP.optional.conduit, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}!URL, http://www.bing.com/search?pc=cosP&ptag=D042415-ABAOlA7CCEB2146F8A7F&form=coNBDF&conlogO=CT3330961&q={searchTerms}, , [b4de70c0b6d5e2545872b8d1da2ad927]
PUP.optional.w3i, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}!URL, https://search.yahoo.com/search?p={searchTerms}&ei=uTF-8&fr=w3i&type=w3i_DS,136,O_O,search,20141250,20028,O,31,O, , [4e44131d4843f541189c823d6f9546ba]
PUP.optional.optimizerpro, HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER PRO!AdsBuyNoWURL, http://www.safeshopgate.com/r?s=121001678&g=8DC53c09-703E-8C3B-6249-8052683A1DEO, , [702234fcf992c76fd8d403a658ac0cf4]
Registry Data: 0
(NO malicious items detected)
Folders: 2
PUP.optional.opencandy, c:\users\XXX-Admin\AppData\Roaming\opencandy, , [fd95b27e5f2ca3934c30e51136cc8878],
PUP.optional.opencandy, c:\users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28E1FDD7AEBC846, , [fd95b27e5f2ca3934c30e51136cc8878],
Files: 1
PUP.optional.opencandy, c:\Users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28E1FDD7AEBC846\webcompanionInstaller.exe, , [fd95b27e5f2ca3934c30e51136cc8878],
physical Sectors: 0
(NO malicious items detected)
==========================================
I don't have access to his computer, so he emails or calls me to describe what's going on and I help him out as best I can. If necessary, he can travel and bring the computer to me for fixing.
Any help or ideas on what could be causing the auto login to his Admin account would be greatly appreciated. I know I have to clean out all the malware he's let on to his computer, but I'm not sure if this will fix the auto login issue. Anyone ever seen something like this before or dealt with it?
Thank You.