BSOD's on user account, auto reboots & auto logs-in to Admin account


Page 1 of 2 12 LastLast

  1. Posts : 9
    Windows 7 Ultimate x64
       #1

    BSOD's on user account, auto reboots & auto logs-in to Admin account


    Greetings,

    A friend of mine has been having a recurring issue with his computer that's getting worse. I've spent hours going through the forums, but haven't seen anything about this, so I'm posting here. Any help would be greatly appreciated.

    ISSUE:
    He uses his computer with a password protected user account, while rarely logging in/off the password protected Admin account. For months, while working in his user account, his computer will BSOD at random times whenever he has IE11 or Chrome open. He's got malware causing him issues, BUT:

    In the last few weeks, when it reboots after a BSOD, it will automatically login to his Admin account on its own, without him entering his Admin password. WTH?

    I've never even heard of something like this and not sure where to start. He ran Malwarebytes and sent me an email tonight (below) that listed what was found. Over the last couple of years, he seems to be a magnet for downloading PUPs, PUMs, malware, adware, viruses, etc., that I've had to help him through.

    His computer is custom built:
    Windows 7 Home x64 - All service packs, auto updates turned on & current
    Core i5
    8GB RAM
    ATI video card
    AV = MSE
    Also runs MalwareBytes free

    His email last night:

    "I received a BSOD while logged onto my user account side with Chrome and Outlook open. I went to watch TV for an hour and when I came back to the computer I must have had a BSOD and I was logged onto the Admin side. This is the second or third time this has happened like this."

    "While on the Admin side I ran CC Cleaner and Malwarebytes. Attached is a document that Malwarebytes found 16 threats. I have no idea what they mean or if any of those could be causing my BSOD issues. When you get some time, please take a look at them and see what you can determine. Appreciate it."

    ==============================

    Here's the list of items Malwarebytes found when he ran it as Admin. I looked them up and he's got serious problems.

    But what concerns me is how his computer is rebooting, after a BSOD, and logging into his Admin account on its own without him entering the password.

    I've edited the list to remove his Admin account name so that it = XXX.

    Malwarebytes Anti-Malware
    www.malwarebytes.org
    Scan Date: 9/15/2015
    Scan Time: 10:50 PM
    Logfile: Detected Threats.txt
    Administrator: Yes


    version: 2.1.8.1057
    Malware Database: v2015.09.16.02
    Rootkit Database: v2015.08.16.01
    License: Free
    Malware Protection: Disabled
    Malicious website Protection: Disabled
    self-protection: Disabled


    os: windows 7 service Pack 1
    CPU: x64
    File system: NTFS
    User: XXX-Admin

    Scan Type: Threat Scan
    Result: completed
    objects scanned: 416994
    Time Elapsed: 18 min, 3 sec

    Memory: Enabled
    startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (NO malicious items detected)

    Modules: 0
    (NO malicious items detected)

    Registry Keys: 8

    PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, ,
    [e8aa58d8315a8fa79406a7celce826da],


    PUP.optional.superoptimizer,
    HKLM\SOFTWARE\wow6432NODE\{6791A2F3-FC80-475C-A002-COl4AF797E9C}, ,
    [eba7220e9bfOa78f67eebffa986cOef2],


    PUM.security.Hijack.Disablechromeupdates,
    HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, ,
    [365ce947e4a7cb6b31693f36848017e9],


    PUP.optional.superoptimizer,
    HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, ,
    [7a1884acf99248ee9db3cfeaa75d4cb4],


    PUP.optional.superoptimizer,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03
    -4431-B4FD-889BC837521F}, , [bad89d93cebdb581c38dcfeaba4a9a66],


    PUP.optional.conduit,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
    EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-AOFF-E1416B8B2E3A}, ,
    [b4de70cOb6d5e2545872b8dlda2ad927],


    PUP.optional.w3i,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
    EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}, ,[4e44131d4843f541189c823d6f9546ba],


    PUP.Optional.optimizerpro,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER PRO, ,
    [702234fcf992c76fd8d403a658acOcf4],
    Registry values: 5


    PUM.security.Hijack.Disablechromeupdates,
    HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE!DisableAutoupdatecheckscheckboxvalue, 1, ,
    [e8aa58d8315a8fa79406a7celce826da]


    PUM.security.Hijack.Disablechromeupdates,
    HKLM\SOFTWARE\Wow6432NODE\POLICIES\GOOGLE\UPDATEID;sableAutoupdatecheckscheckboxvalu
    e, 1, , [365ce947e4a7cb6b31693f36848017e9]


    PUP.optional.conduit,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
    EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-AOFF-E1416B8B2E3A}luRL,
    http://www.bing.com/search?pc=cosP&ptag=D042415-ABAOlA7CCEB2146F8A7F&form=coNBDF&con
    logO=CT3330961&q={searchTerms}, , [b4de70cOb6d5e2545872b8d1da2ad927]


    PUP.optional.w3i,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
    EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}!URL,
    https://search.yahoo.com/search?p={searchTerms}&ei=uTF-8&fr=w3i&type=w3i_DS,136,O_O,
    search,20141250,20028,O,31,O, , [4e44131d4843f541189c823d6f9546ba]


    PUP.optional.optimizerpro,
    HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER
    PRO!AdsBuyNoWURL,
    http://www.safeshopgate.com/r?s=121001678&g=8DC53c09-703E-8C3B-6249-8052683A1DEO, ,
    [702234fcf992c76fd8d403a658acOcf4]

    Registry Data: 0
    (NO malicious items detected)

    Folders: 2
    PUP.optional.opencandy, c:\users\XXX-Admin\AppData\Roaming\opencandy, ,
    [fd95b27e5f2ca3934c30e51136cc8878],


    PUP.optional.opencandy,
    c:\users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28E1FDD7AEBC846, ,
    [fd95b27e5f2ca3934c30e51136cc8878],

    Files: 1
    PUP.optional.opencandy,
    c:\Users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28EIFDD7AEBC846\webc
    ompanionlnstaller.exe, , [fd95b27e5f2ca3934c30e51136cc8878],
    physical Sectors: 0
    (NO malicious items detected)


    ==========================================

    I don't have access to his computer, so he email or calls me to describe what's going on and I help him out as best I can. If necessary, he can travel and bring the computer to me for fixing.

    Any help or ideas on what could be causing the auto login to his Admin account would be greatly appreciated. I know I have to clean out all the malware he's let on to his computer, but I'm not sure if this will fix the auto login issue. Anyone ever seen something like this before or dealt with it?

    Thank You.

      My Computer


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #2

    We work for 'free' on this forum.

    If you are charging him money to 'fix' his PC with our advice/help, then you're circumventing the use of our forum for your own gain.

    If the above doesn't apply, then please have your friend join our forum, so we can directly help him.
      My Computer


  3. Posts : 9
    Windows 7 Ultimate x64
    Thread Starter
       #3

    Jacee said:
    We work for 'free' on this forum.

    If you are charging him money to 'fix' his PC with our advice/help, then you're circumventing the use of our forum for your own gain.

    If the above doesn't apply, then please have your friend join our forum, so we can directly help him.
    Jacee...where in anything that I wrote did I say I was charging him to fix his computer? I clearly stated that he's a friend of mine and that I fix his computer for him when he has problems. Just like the rest of us help friends with computer problems. I've never charged him to fix his computer...if anything, he gives me a bottle of 12 year old scotch as a 'Thank You'. So please retract or amend your response to correct your mis-reading of my post.

    If you're knowledgeable about this issue and able to help, I'd be glad to hear your thoughts.
      My Computer


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    I wasn't trying to offend you..... thank you for answering my question, and I apologize to you.

    The pup's and pum's found by Malwarebytes, all need to be checked, and then click "Remove Selected".

    Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer Download - Geeks to Go Forum and save it to your desktop.
    Save any unsaved work. TFC will close ALL open programs including your browser! It will temporarily remove all desktop shortcuts while it scans.
    Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
    Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

    Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

    Next, flush the DNS cache and restore MS's Hosts file:

    Copy and paste these lines in Note pad.

    @Echo on
    pushd\windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    ipconfig /release
    ipconfig /renew
    ipconfig /flushdns
    netsh winsock reset all
    netsh int ip reset all
    shutdown -r -t 1
    del %0


    Save as flush.bat to your desktop. Right
    click on the flush.bat file to run it as Administrator. The computer will reboot itself once again.

    After doing all of the above:
    Scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push
      My Computer


  5. Posts : 9
    Windows 7 Ultimate x64
    Thread Starter
       #5

    Thank you Jacee. I appreciate your understanding. I'm just a business owner in Las Vegas, have adored Windows since getting my first computer with Win 3.1, tinker around with Windows as a hobby, occasionally build a computer for myself or friends & family, and help them when they have problems. You know the story...you become the unofficial 911 tech support for them once you touch their computers. I've been a member of the Seven, Eight, and Ten forums for years, though in 2014, something got botched with my Seven account and I had to remake it, starting fresh.

    Thank you also for the info on cleaning out the malware. I'll give it all a try and let you know how it goes.

    Any ideas about the issue of him being in his user account, then the computer rebooting after a BSOD and logging into his rarely used Admin account by bypassing his password? That one concerns me...never even heard of something like that before and seems rather extreme for common PUPs & PUMs to do. I don't follow the malware world stuff closely for new developments and just read up on them when something goes wrong. Is this a new thing that's common...and brings into question the hardness of Windows security. Or is there something else going on that's more dire?

    Thanks.
      My Computer


  6. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #6

    I 'think' what ever he's downloaded may have taken over his Administrator's account.

    If your friend doesn't pay attention to what he's downloading, e-mail phishing, or many other possibilities, then he's quite susceptible to a 'Backdoor Trojan'. This may be the case... I don't know for sure, until you check with him and post the logs, I requested. :)
      My Computer


  7. Posts : 9
    Windows 7 Ultimate x64
    Thread Starter
       #7

    Sorry Jacee...I misread the tail end of your ESET instructions and missed the part about posting the report. And yes, for some reason, he's a magnet for collecting these infestations. Once or twice a year, things get out of control and I have to help him out. He lives in a neighboring city, so I'll send him your instructions and we'll walk through them. If he's comfortable following your instructions, I'll get the report and post it. If not, he'll have to bring his computer to me so I can run through them and post the report.

    Thanks again for the help and I'll let you know how it goes.
      My Computer


  8. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #8

    Okay, hope all goes well.
      My Computer


  9. Posts : 9
    Windows 7 Ultimate x64
    Thread Starter
       #9

    Hi Jacee...just letting you know that I might have that ESET report that you requested today or tonight. Both my time & friend's time got whacked all week with work and we haven't been able to hookup, but should be able to today. Sorry for the delay.
      My Computer


  10. Posts : 9
    Windows 7 Ultimate x64
    Thread Starter
       #10

    Hi Jacee,

    We did all the steps you recommended and I've attached the ESET report as a TXT file:

    1. Ran MSE full scan - No threats detected
    2. Ran Malwarebytes - Several threats found and deleted/cleaned all
    3. Ran TFC
    4. Ran the flush.bat file
    5. Ran ESET Online Scan - It found 11 threats that we let it delete. Results are attached as a TXT file.
    He had a couple of programs that were questionable and we uninstalled them: uTorrent (uTorrent.exe) and Any Video Converter (avc-free.exe) because OpenCandy was detected with them.

    We ran ESET for a second time and nothing new was detected. Hopefully, his computer is sanitized now, but the question remains as to what was causing one of the original issues of his computer to randomly BSOD, reboot, and automatically login to his Admin account that is password protected. It only happened randomly whenever he was using IE 11 or Chrome. I'm guessing one of the threats was causing that or the BSODs...but have never seen one be able to login to an Admin account upon rebooting, so I'm lost there.

    Again, we appreciate your time examining this and look forward to hearing what you have to say about it. If there's anything else you want us to do or information you need, let me know.

    Thanks.
    BSOD's on user account, auto reboots & auto logs-in to Admin account Attached Files
      My Computer


 
Page 1 of 2 12 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 07:44.
Find Us