Closed Need throughout investigation for malicious activity on pc

[Julcard 0]

For months ive been wiping my ssd and reinstalled windows, because I keep experiencing something weird with my pc constantly. Now latest was some black box flashing in lower right corner in browser when i was looking at emsisoft webpage, the site is reputable so thats not issue. Also I noticed that my downloads folder had changed its view settings to "large icon", previously it was set to "details" which is the default, and I have not changed that myself. I cant find anything from various virus scanners.

Also I noticed some weird event logs in the event viewer, where unknown process does some registry changes.

Here are also farbar logs for analyzing.

Shortcut.txt

Addition.txt

FRST.txt

[Julcard 0]

Event log has lots of event ID 1530 things, one of them has following details:

 

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.  

 DETAIL -
 33 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001:
Process 820 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\CA
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Parents
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\SystemCertificates
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\trust
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CloudContent
Process 2856 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows\CurrentVersion\Privacy
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl
Process 2948 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\DataCollection
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Main
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Root
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 708 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Process 92 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\System\GameConfigStore\Children
Process 2940 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 4700 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\Internet Explorer\Security
Process 2980 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

 

[Julcard 0]

Here is another example

 

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.  

 DETAIL -
 5 user registry handles leaked from \Registry\User\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes:
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople
Process 2444 (<Unknown>) has opened key \REGISTRY\USER\S-1-5-21-1776908731-2155016529-3854037204-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.sechealthui_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed

 

[Julcard 0]

This is not your typical infected pc-problem, as no virus scan can find anything but still I keep experiences all kinds of weird things, few months ago someone tried to log in to my email even though no virus scans showed nothing for an example. Something always seems to come regardless of how many times i secure erase my ssd and reinstall windows.

I am not irresponsible pc user, i have my antivirus and antimalware programs running and up todate, and scan with supplementary softwares all the time. I dont even surf around in the web that much, i mostly use sites like youtube, reddit, and other well reputable sites.

[Kevin Zoll 309]

Your logs do not show any malware or malicious activity.  I see that Zemana AntiMalware is installed and does not appear to be active.  Uninstall ZAM and see if that makes a difference.

[Julcard 0]

I am using emsisoft and malwarebytes, zemana is for on demand scan

 

Also what are those entries of unknown process doing registry changes??

[Kevin Zoll 309]

It is an unknown process so no telling what is doing the modifications and why.  EAM and MBAM provide quite a bit of protection and having a third AV is counterproductive.  Even with the AV set as on-demand, it is still loading processes and services at startup that can create conflicts.

[Julcard 0]

Yeah but since its unknown, we should really investigate what it is, it could be malware. Also those unknown process things have happened even when Zemana was not installed.

[Kevin Zoll 309]

No amount of investigation will turn up what is causing those errors. If it is causing system crashes then the debug logs would help determine what is going on.  If it was malware there would be some sign of it in your logs.  No one has written a piece of malware that can completely hide from the system.  There are always visible traces of the malware in the file system and memory.

The Event log is full of errors and most of the time they can be ignored.  Windows 10 is a fault tolerant OS and does a pretty good job of recovering from errors caused by programs behaving badly.  Worst case the program crashes or causes a system crash.

[Julcard 0]

If I copied the whole application event log, could you deduce atleast something about whats going on with these? There are timestamps in these event ids that match to others related to some security thing. I am honestly REALLY stressed about these considering ive been experiencing alot of weird stuff going on with my pc for like a year, especially when at some point definitely was spying on me based on whats has happened to me. If this is malware, this is something really serious and high level intrusion.

You are my only hope at this point.

[Kevin Zoll 309]

You can send me the entire event log.  But it may take me some time to read the whole thing.

[Julcard 0]

Can i send it in PM, i dont know if it contains sensitive information.

Also i checked the Security tab in event viewer, i can see long list of account log on and giving priviledges to account, the interval between these logons is few minutes.

[Kevin Zoll 309]

Yes, you can send it to me in a PM.  Zip the log before attaching it.

[Kevin Zoll 309]

Thread closed.