BSOD's on user account, auto reboots & auto logs-in to Admin account

Greetings,

A friend of mine has been having a recurring issue with his computer that's getting worse. I've spent hours going through the forums, but haven't seen anything about this, so I'm posting here. Any help would be greatly appreciated.

ISSUE:
He uses his computer with a password protected user account, while rarely logging in/off the password protected Admin account. For months, while working in his user account, his computer will BSOD at random times whenever he has IE11 or Chrome open. He's got malware causing him issues, BUT:

In the last few weeks, when it reboots after a BSOD, it will automatically login to his Admin account on its own, without him entering his Admin password. WTH?

I've never even heard of something like this and not sure where to start. He ran Malwarebytes and sent me an email tonight (below) that listed what was found. Over the last couple of years, he seems to be a magnet for downloading PUPs, PUMs, malware, adware, viruses, etc., that I've had to help him through.

His computer is custom built:
Windows 7 Home x64 - All service packs, auto updates turned on & current
Core i5
8GB RAM
ATI video card
AV = MSE
Also runs MalwareBytes free

His email last night:

"I received a BSOD while logged onto my user account side with Chrome and Outlook open. I went to watch TV for an hour and when I came back to the computer I must have had a BSOD and I was logged onto the Admin side. This is the second or third time this has happened like this."

"While on the Admin side I ran CC Cleaner and Malwarebytes. Attached is a document that Malwarebytes found 16 threats. I have no idea what they mean or if any of those could be causing my BSOD issues. When you get some time, please take a look at them and see what you can determine. Appreciate it."

==============================

Here's the list of items Malwarebytes found when he ran it as Admin. I looked them up and he's got serious problems.

But what concerns me is how his computer is rebooting, after a BSOD, and logging into his Admin account on its own without him entering the password.

I've edited the list to remove his Admin account name so that it = XXX.

Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 9/15/2015
Scan Time: 10:50 PM
Logfile: Detected Threats.txt
Administrator: Yes

version: 2.1.8.1057
Malware Database: v2015.09.16.02
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious website Protection: Disabled
self-protection: Disabled

os: windows 7 service Pack 1
CPU: x64
File system: NTFS
User: XXX-Admin

Scan Type: Threat Scan
Result: completed
objects scanned: 416994
Time Elapsed: 18 min, 3 sec

Memory: Enabled
startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(NO malicious items detected)

Modules: 0
(NO malicious items detected)

Registry Keys: 8

PUM.security.Hijack.Disablechromeupdates, HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE, ,
[e8aa58d8315a8fa79406a7celce826da],

PUP.optional.superoptimizer,
HKLM\SOFTWARE\wow6432NODE\{6791A2F3-FC80-475C-A002-COl4AF797E9C}, ,
[eba7220e9bfOa78f67eebffa986cOef2],

PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\WOW6432NODE\POLICIES\GOOGLE\UPDATE, ,
[365ce947e4a7cb6b31693f36848017e9],

PUP.optional.superoptimizer,
HKU\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F}, ,
[7a1884acf99248ee9db3cfeaa75d4cb4],

PUP.optional.superoptimizer,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\APPDATALOW\{1146AC44-2F03
-4431-B4FD-889BC837521F}, , [bad89d93cebdb581c38dcfeaba4a9a66],

PUP.optional.conduit,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-AOFF-E1416B8B2E3A}, ,
[b4de70cOb6d5e2545872b8dlda2ad927],

PUP.optional.w3i,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}, ,[4e44131d4843f541189c823d6f9546ba],

PUP.Optional.optimizerpro,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER PRO, ,
[702234fcf992c76fd8d403a658acOcf4],
Registry values: 5

PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\POLICIES\GOOGLE\UPDATE!DisableAutoupdatecheckscheckboxvalue, 1, ,
[e8aa58d8315a8fa79406a7celce826da]

PUM.security.Hijack.Disablechromeupdates,
HKLM\SOFTWARE\Wow6432NODE\POLICIES\GOOGLE\UPDATEID;sableAutoupdatecheckscheckboxvalu
e, 1, , [365ce947e4a7cb6b31693f36848017e9]

PUP.optional.conduit,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-AOFF-E1416B8B2E3A}luRL,
http://www.bing.com/search?pc=cosP&ptag=D042415-ABAOlA7CCEB2146F8A7F&form=coNBDF&con
logO=CT3330961&q={searchTerms}, , [b4de70cOb6d5e2545872b8d1da2ad927]

PUP.optional.w3i,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\MICROSOFT\INTERNET
EXPLORER\SEARCHSCOPES\{CC6EBA73-5154-4D27-A746-76449FE5051A}!URL,
https://search.yahoo.com/search?p={searchTerms}&ei=uTF-8&fr=w3i&type=w3i_DS,136,O_O,
search,20141250,20028,O,31,O, , [4e44131d4843f541189c823d6f9546ba]

PUP.optional.optimizerpro,
HKU\S-1-5-21-3365049250-3450353988-219791501-1000\SOFTWARE\OPTIMIZER
PRO!AdsBuyNoWURL,
http://www.safeshopgate.com/r?s=121001678&g=8DC53c09-703E-8C3B-6249-8052683A1DEO, ,
[702234fcf992c76fd8d403a658acOcf4]

Registry Data: 0
(NO malicious items detected)

Folders: 2
PUP.optional.opencandy, c:\users\XXX-Admin\AppData\Roaming\opencandy, ,
[fd95b27e5f2ca3934c30e51136cc8878],

PUP.optional.opencandy,
c:\users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28E1FDD7AEBC846, ,
[fd95b27e5f2ca3934c30e51136cc8878],

Files: 1
PUP.optional.opencandy,
c:\Users\XXX-Admin\AppData\Roaming\opencandy\A9DBCB2DAD59470DB28EIFDD7AEBC846\webc
ompanionlnstaller.exe, , [fd95b27e5f2ca3934c30e51136cc8878],
physical Sectors: 0
(NO malicious items detected)

==========================================

I don't have access to his computer, so he email or calls me to describe what's going on and I help him out as best I can. If necessary, he can travel and bring the computer to me for fixing.

Any help or ideas on what could be causing the auto login to his Admin account would be greatly appreciated. I know I have to clean out all the malware he's let on to his computer, but I'm not sure if this will fix the auto login issue. Anyone ever seen something like this before or dealt with it?

Thank You.

Jacee said:

We work for 'free' on this forum.

If you are charging him money to 'fix' his PC with our advice/help, then you're circumventing the use of our forum for your own gain.

If the above doesn't apply, then please have your friend join our forum, so we can directly help him.

Jacee...where in anything that I wrote did I say I was charging him to fix his computer? I clearly stated that he's a friend of mine and that I fix his computer for him when he has problems. Just like the rest of us help friends with computer problems. I've never charged him to fix his computer...if anything, he gives me a bottle of 12 year old scotch as a 'Thank You'. So please retract or amend your response to correct your mis-reading of my post.

If you're knowledgeable about this issue and able to help, I'd be glad to hear your thoughts.

Thank you Jacee. I appreciate your understanding. I'm just a business owner in Las Vegas, have adored Windows since getting my first computer with Win 3.1, tinker around with Windows as a hobby, occasionally build a computer for myself or friends & family, and help them when they have problems. You know the story...you become the unofficial 911 tech support for them once you touch their computers. I've been a member of the Seven, Eight, and Ten forums for years, though in 2014, something got botched with my Seven account and I had to remake it, starting fresh.

Thank you also for the info on cleaning out the malware. I'll give it all a try and let you know how it goes.

Any ideas about the issue of him being in his user account, then the computer rebooting after a BSOD and logging into his rarely used Admin account by bypassing his password? That one concerns me...never even heard of something like that before and seems rather extreme for common PUPs & PUMs to do. I don't follow the malware world stuff closely for new developments and just read up on them when something goes wrong. Is this a new thing that's common...and brings into question the hardness of Windows security. Or is there something else going on that's more dire?

Thanks.

Sorry Jacee...I misread the tail end of your ESET instructions and missed the part about posting the report. And yes, for some reason, he's a magnet for collecting these infestations. Once or twice a year, things get out of control and I have to help him out. He lives in a neighboring city, so I'll send him your instructions and we'll walk through them. If he's comfortable following your instructions, I'll get the report and post it. If not, he'll have to bring his computer to me so I can run through them and post the report.

Thanks again for the help and I'll let you know how it goes.

Hi Jacee...just letting you know that I might have that ESET report that you requested today or tonight. Both my time & friend's time got whacked all week with work and we haven't been able to hookup, but should be able to today. Sorry for the delay.

Hi Jacee,

We did all the steps you recommended and I've attached the ESET report as a TXT file:

1. Ran MSE full scan - No threats detected
2. Ran Malwarebytes - Several threats found and deleted/cleaned all
3. Ran TFC
4. Ran the flush.bat file
5. Ran ESET Online Scan - It found 11 threats that we let it delete. Results are attached as a TXT file.

He had a couple of programs that were questionable and we uninstalled them: uTorrent (uTorrent.exe) and Any Video Converter (avc-free.exe) because OpenCandy was detected with them.

We ran ESET for a second time and nothing new was detected. Hopefully, his computer is sanitized now, but the question remains as to what was causing one of the original issues of his computer to randomly BSOD, reboot, and automatically login to his Admin account that is password protected. It only happened randomly whenever he was using IE 11 or Chrome. I'm guessing one of the threats was causing that or the BSODs...but have never seen one be able to login to an Admin account upon rebooting, so I'm lost there.

Again, we appreciate your time examining this and look forward to hearing what you have to say about it. If there's anything else you want us to do or information you need, let me know.

Thanks.