Julcard (June 7, 2017): For months I've been wiping my SSD and reinstalling Windows, because I keep experiencing something weird with my PC constantly. The latest was a black box flashing in the lower right corner of the browser when I was looking at the Emsisoft web page; the site is reputable, so that's not the issue. Also I noticed that my Downloads folder had changed its view setting to "large icon", whereas previously it was set to "details", which is the default, and I have not changed that myself. I can't find anything with various virus scanners. Also I noticed some weird event logs in Event Viewer, where an unknown process makes some registry changes. Here are also Farbar logs for analysis: Shortcut.txt, Addition.txt, FRST.txt
Julcard (June 7, 2017): The event log has lots of event ID 1530 entries; one of them has the following details:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.

DETAIL - 33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 820 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\CA
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Parents
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\trust
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CloudContent
Process 2856 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Privacy
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\DataCollection
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Root
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 708 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Children
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Julcard (June 7, 2017): Here is another example:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.

DETAIL - 5 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes:
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed
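The two 1530 DETAIL blocks above are free text, and the shape of the data (how many distinct processes, which ones the service could name) is hard to see across 33 run-together entries. The following Python parser is an added example, not code from this thread or from Emsisoft: it takes the DETAIL text of a User Profile Service event 1530 (here a constructed excerpt of the first block above, with the SID, PIDs and image paths copied from the post) and summarizes which processes still held handles into the hive, separating resolvable image paths from `<Unknown>` PIDs. The function names `parse_event_1530`, `triage` and `report` are my own. `<Unknown>` means the service could not resolve an image for that PID, typically because the process had already exited, and since PIDs are reused a bare PID cannot be attributed after the fact; the only reliable way to name it is a process-creation record from the same time window (Security event 4688 with command-line auditing, or Sysmon event 1).

```python
import re
from collections import defaultdict

# Constructed excerpt of the first Event ID 1530 DETAIL block quoted above, one
# "Process ..." entry per line. The SID, PIDs and image paths are the ones from
# the post; only a subset of the 33 entries is reproduced here.
SAMPLE_1530 = r"""
DETAIL - 33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 820 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\CA
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Parents
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Root
Process 708 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CloudContent
""".strip()

HEADER_RE = re.compile(r"DETAIL - (\d+) user registry handles leaked from (\S+):")
# Works whether the entries are newline-separated or run together on one line,
# as they are when copied out of Event Viewer: a key path ends where the next
# "Process N (" begins, or at the end of the line.
ENTRY_RE = re.compile(
    r"Process (\d+) \(([^)]*)\) has opened key (.+?)(?=\s+Process \d+ \(|\s*$)",
    re.MULTILINE,
)


def parse_event_1530(detail):
    """Turn one 1530 DETAIL block into {hive, leaked, parsed, holders}.

    holders maps PID -> {"image": <path or "<Unknown>">, "keys": [key paths]}.
    """
    header = HEADER_RE.search(detail)
    if header is None:
        raise ValueError("text does not look like an Event 1530 DETAIL block")
    holders = defaultdict(lambda: {"image": None, "keys": []})
    parsed = 0
    for pid, image, key in ENTRY_RE.findall(detail):
        holders[int(pid)]["image"] = image
        holders[int(pid)]["keys"].append(key.strip())
        parsed += 1
    return {
        "hive": header.group(2),
        "leaked": int(header.group(1)),  # count claimed by the event itself
        "parsed": parsed,                # entries actually present in the text
        "holders": dict(holders),
    }


def triage(summary):
    """Split holders into attributable images and <Unknown> PIDs.

    The User Profile Service writes <Unknown> when it cannot resolve the image
    for a PID, typically because that process had already exited. PIDs are
    reused, so an <Unknown> PID can only be named by correlating it with a
    process-creation record from the same time window (Security event 4688
    with command-line auditing enabled, or Sysmon event 1).
    """
    known = {pid: h["image"] for pid, h in summary["holders"].items()
             if h["image"] != "<Unknown>"}
    unknown = {pid: len(h["keys"]) for pid, h in summary["holders"].items()
               if h["image"] == "<Unknown>"}
    return known, unknown


def report(detail):
    """Human-readable triage of one DETAIL block; returns the lines as a list."""
    summary = parse_event_1530(detail)
    known, unknown = triage(summary)
    lines = [f"hive {summary['hive']}: {summary['parsed']} of "
             f"{summary['leaked']} leaked handles listed"]
    for pid, image in sorted(known.items()):
        lines.append(f"  PID {pid:<5} {image}")
    for pid, n in sorted(unknown.items()):
        lines.append(f"  PID {pid:<5} <Unknown> ({n} key(s)) "
                     "-> correlate with 4688 / Sysmon 1 for this PID and time")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_1530)))
```

Run against the full block from the post, the report shows that every named holder is winlogon.exe or svchost.exe and that the unnamed handles belong to two PIDs (2980 and 708); whether those were benign is exactly what the 1530 event alone cannot answer, which is why the output points at process-creation auditing rather than at the event log's own text.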
Julcard (June 7, 2017): This is not your typical infected-PC problem, as no virus scan can find anything, but I still keep experiencing all kinds of weird things; for example, a few months ago someone tried to log in to my email even though no virus scans showed anything. Something always seems to come regardless of how many times I secure-erase my SSD and reinstall Windows. I am not an irresponsible PC user: I have my antivirus and antimalware programs running and up to date, and I scan with supplementary software all the time. I don't even surf around the web that much; I mostly use sites like YouTube, Reddit, and other well-reputed sites.
Kevin Zoll (June 7, 2017): Your logs do not show any malware or malicious activity. I see that Zemana AntiMalware is installed and does not appear to be active. Uninstall ZAM and see if that makes a difference.
Julcard (June 7, 2017): I am using Emsisoft and Malwarebytes; Zemana is for on-demand scans. Also, what are those entries of an unknown process doing registry changes?
Kevin Zoll (June 7, 2017): It is an unknown process, so no telling what is doing the modifications and why. EAM and MBAM provide quite a bit of protection, and having a third AV is counterproductive. Even with the AV set as on-demand, it is still loading processes and services at startup that can create conflicts.
Julcard (June 7, 2017): Yeah, but since it's unknown, we should really investigate what it is; it could be malware. Also, those unknown-process things have happened even when Zemana was not installed.
Kevin Zoll (June 7, 2017): No amount of investigation will turn up what is causing those errors. If it is causing system crashes then the debug logs would help determine what is going on. If it was malware there would be some sign of it in your logs. No one has written a piece of malware that can completely hide from the system. There are always visible traces of the malware in the file system and memory. The Event log is full of errors and most of the time they can be ignored. Windows 10 is a fault-tolerant OS and does a pretty good job of recovering from errors caused by programs behaving badly. Worst case, the program crashes or causes a system crash.
Julcard (June 7, 2017): If I copied the whole Application event log, could you deduce at least something about what's going on with these? There are timestamps in these event IDs that match others related to some security thing. I am honestly REALLY stressed about these, considering I've been experiencing a lot of weird stuff going on with my PC for like a year, especially when at some point someone definitely was spying on me, based on what has happened to me. If this is malware, this is something really serious and a high-level intrusion. You are my only hope at this point.
Kevin Zoll (June 7, 2017): You can send me the entire event log. But it may take me some time to read the whole thing.
Julcard (June 7, 2017): Can I send it in a PM? I don't know if it contains sensitive information. Also, I checked the Security tab in Event Viewer; I can see a long list of account logons and privileges being given to the account, and the interval between these logons is a few minutes.
Kevin Zoll (June 7, 2017): Yes, you can send it to me in a PM. Zip the log before attaching it.
Kevin Zoll (June 12, 2017): Thread closed.