In Desperate Need of Guidance to Repair Registry After Malware Removal

tmarter

Jul 30, 2015
First let me start by saying this is my first post. I've used the site for the past few years to troubleshoot minor issues and find answers or suggestions without drilling the forums with the typical DURR HOW DO I DO THIS posts; nothing personal, everyone starts somewhere, but there's a fine line between that and being lazy... This is why I've decided to make a first post. Any suggestions or opinions you may have are readily appreciated.

I've encountered a handful of malware infections before, but I have never had any experience with an infection causing system and program instability or Registry issues, and I have not been able to find a logical, thorough explanation of how to identify problems in the Registry. What I'm looking for is a way to identify what is normal and what is not, as far as keys and values go, and whether any changes that malware, a virus, or an unauthorized user recently made stick out like a sore thumb when compared to the defaults the programs ran with when they were stable.

I will list my specs first and be as thorough as I can, to minimize the number of questions you may have, so you know where I'm coming from (and why I shouldn't be experiencing performance issues based on the hardware specs); then I will list the issues that I'm experiencing:

Home-built PC (been running great since January '15)
HARDWARE
-CPU: AMD FX-6300 six-core 3.5GHz
-GPU: EVGA GeForce GTX 970 SC ACX 2.0
*Also have a G-Sync monitor to help with gaming performance by disabling unnecessary settings like VSync; previously most next-generation titles would play on very high to maxed quality, maintaining 60 FPS+ on the most taxing games like Titanfall, Dying Light, Far Cry 4, Battlefield, etc. (point being, games were NOT choppy and were very smooth, minimum latency)
-Audio: ASUS Xonar DSX Sound Card
-Motherboard: ASRock 990FX Killer
-RAM: 16GB 1333MHz DDR3
-PSU: EVGA SuperNOVA 750W
Storage:
-512GB Samsung 850 EVO M.2 SSD (primary C: boot drive)
-256GB Samsung 850 EVO SATA 6Gb/s SSD
-1TB WD Blue HDD
-2.5TB Seagate Backup Slim External Backup Drive

SOFTWARE
Operating System: Windows 7 64bit
Antivirus and Malware: Bitdefender Total Security 2015; Malwarebytes Premium (Paid, not free)
Backup and Recovery: Seagate Dashboard Agent
Disk Imaging: Acronis True Image 2015 (when cloning data when I added another SSD, or making identical copies of flash drives, micro sdhc cards)

I usually use this PC for normal tasks like emails, YouTube, a quick Google search or shopping, but it's more of a performance-oriented machine for things like occasional video editing and uploading, gaming, or multitasking. Point being... I know the performance and speed capabilities of the machine, and I also installed a new ASUS Gigabit router about a month ago, so you understand that the internet speed isn't causing the problem. The issue is not underpowered or hardware-related; I've run memory diagnostics and other tools, and the occurrences that were taking place were just too odd to be driver, hardware or network related.

I never trust foreign, unsecure websites for downloads or any obvious crap, but I would occasionally go to a website for an emulator download or something random like that. I knew Bitdefender was not very permissive for threats... aggressiveness (Detection) settings were moderately configured and I always had it running, ran a scan several times a week at least, optimised every startup as a habit because it was quick, and always kept it up to date, as it updates automatically. Occasionally, if I was suspicious, I would make sure Chrome and all applications and programs were fully closed, and I would run a Malwarebytes Premium scan to remove anything in case it slipped past Bitdefender's engine. The only time Malwarebytes found any threats was when I first purchased it back in April (it found something like a Trojan Dropper and some bogus files), and just recently, yesterday evening.

5 DAYS AGO
The issues I was having were rather strange. As YouTube is a pretty secure site, I was surprised to be getting about 2 unknown video ad overlays OVER TOP of the YouTube video that was playing, plus a third video ad in the bottom left corner... all with audio, causing massive hysteria when I was trying to watch a video... haha. But I also had my Chrome browser randomly get redirected a few times... Chrome popping up at idle, on its own, video ads popping up on the desktop randomly... all when I personally had Chrome closed (all windows, and closed it from the taskbar) and disabled from running at startup, so literally random as heck. Internet Explorer is never used and is disabled from startup; no processes ever showed Internet Explorer running... PHISHY. Pun intended.

4 DAYS AGO
A day later (^considering that was 5 days ago), I ran a Bitdefender Quick Scan: no threats detected, but there were about 70 archives that could not be scanned because they were "Password Protected Archives, and could not be scanned, Quarantined or Deleted". Upon investigating the paths of those files, a lot were on my backup Seagate drive, and the others had empty folders when looking through My Computer. I have NEVER password protected any files or archives, and I've had the Seagate backup drive long enough to know that those files were obviously not there before, because I would've seen them in the scan, and even if they were, I never password protected them, so my guess was that something was weird... So I opted for a full custom system scan, checking everything I could, and set the task to low priority from Services, and about halfway through the scan... *fart* ...BSOD. Never happened before.

3-2 DAYS AGO
Repeated the last scan to see if I could repeat the BSOD. I did; it blue screened a couple more times. Never had success with the Full Custom Scan. Rebooted, then tried something different and booted into Bitdefender's own separate Safe Mode desktop GUI scan thingy before Windows, hitting F8 and selecting the option. From there, I ran an (oddly organised file system) scan. How about that, no threats detected, YOUR SYSTEM IS SAFE! I called BS. I was then becoming slightly irritated and concerned... especially when I noticed that certain settings in Bitdefender were different than what I had them configured to... a bunch of individual rules and exceptions (each on a "per URL" basis) that are automatically not scanned by the Bitdefender engine, that I never added in there, and that looked pretty bogus and stuck out like a sore thumb. Removed all of those, and found out something keeps unchecking the option inside the Bitdefender window to "Monitor Wi-Fi Connections" and also disabling Bitdefender's Firewall. Fixed all of the odd settings, exited the window and scrolled back and forth through the pages to make sure the settings didn't change again, then rebooted. Oddly enough, upon restart the exact same Firewall and Wi-Fi options were unchecked and disabled again. Under Events (still in the Bitdefender task window): "Safebox status has been changed". WHAT THE KJFHASFHSLFJLAFHJDSF... Joke's on whatever it was, because I never used the "Safebox" (<<another pun) anyway. Glad I didn't!

Yesterday
So, having had enough weird crap with Bitdefender and not being very trusting of it anymore, I was now also getting EXTREMELY choppy gameplay in some of the least taxing titles I had; some were unplayable, and then you have things like Titanfall, for instance, that just randomly fails at the same exact point every time and quits to the desktop right before the title screen would normally load up. I wish I could find a code, or a way to narrow that down, or ANYTHING AT ALL, because it irritates me the most: I can't explain or understand what would cause it to just not work all of a sudden. It played with no problem like a week and a half ago. This is also after I double checked to make sure my GPU drivers were all up to date, the Origin client was up to date, etc... then attempted repairing the game, then uninstalling it completely and reinstalling with Safe Download, which took forever, but gave me some time to cool down before I punched through my screen.

I began trying to take matters into my own hands, finding out anything I could, taking notes and writing down any suspicious processes, and googling them on my MacBook or my cell phone if I wasn't sure which were legitimate Windows processes or not. Looking through processes from all users, going back and forth between the process and what service it ran on, going through the properties and securities, checking their respective privileges and which users had administrative control of them, checking their services and what their parent/child dependencies were... I narrowed it down to a few things and stopped their processes and deleted the files as a start. But while doing this, I also noticed that something had disabled the service that allowed Windows Update, and blocked the Error Reporting services. Odd, because I had used them before; I tested it before starting the service back up and tried to run a troubleshooter from Control Panel, and it created an error saying error reporting was disabled. Weird. I also found out that Bitdefender's File Shredder option for destroying the files would not work at this point. After I narrowed down the problem to these processes and their services, I later confirmed them with a Malwarebytes scan afterwards:
spacesondpro.exe C>Program Files (x86)>

wwatcherproxy.exe C>Program Files (x86)>Temp> (<that one wormed through a bunch of crap, I found out later, with the Malwarebytes scan showing the same description name as the service)

UTSCI.EXE C>windows>sytem32>

It was odd (but also made a "cliche sort of sense") that a couple of them, especially "wwatcherproxy.exe", weren't showing any results or info when trying to google them, but "WeWatcherProxy.exe" and "SpaceSoundpro.exe" had red flags all over the place and were a syllable or so off, and one of the services had an underscore stuck in there somewhere. So I stopped all of those processes, wrote down all their file paths for a quick reference, and ran Malwarebytes Premium for the first time since about April, since I hadn't had any issues. And here was my worst fear: 15 minutes later the scan completes and shows 129 infected objects. 126 of them were listed as Registry Keys. Most were from wwatcherproxy; 2 were listed as being found as Registry Keys, and their descriptions do NOT make me feel comfortable:
PUP.OPTIONAL.WINSOCK.HIJACKTHIS
PUP.OPTIONAL.WINSOCK.HIJACKBOOT
I haven't had to mess with or look at RegEdit yet, and because I wasn't absolutely sure, I didn't want to cause any irreversible damage or make matters worse than they were by running the risk of deleting something infected that was attached to vital information or keys. I just quarantined all of it and tried to isolate the threat, but it's still there and I can retrieve it if I want to. Malwarebytes prompted a couple of restarts in a row; I did a couple of scans afterwards, and the system showed up clean.

Upon quarantining the infected Registry Keys, Windows is "somewhat" stable, but some things seem buggy. Bitdefender was getting BUG REPORT messages that caused it to shut down, then a few hours later it was spamming me with CRITICAL SYSTEM ERROR messages, and now this morning, in the midst of typing this (able to use Chrome and type, etc., at least), it is not responding at all, and the icon in the far bottom right corner that was once red is now greyed out. Oh, and apparently I get error messages when I try to initiate a System Restore as well, which I really want to avoid unless it's the absolute last resort...

Anyways sorry for all the talk, the main points I was looking for advice on regarding all of this would be:
-Is there any good overview or explanation for identifying (and understanding and determining the differences between) a legitimate Registry Key and one that was either recently changed or should not be there? Like how to really understand what is going on, and whether the bad files, keys, etc. stick out like a sore thumb in any way. And whether it's repairable at all that way, since my System Restore is not working.

-Anything to look for in Event Viewer, or does someone have a good resource where I can find out what all the ID numbers and event numbers mean... any that I should keep an eye out for that would indicate unauthorized logons, or a particular sign that someone was trying to access the machine and plant files remotely?

I might remember some other questions later and post back, but I'm going to leave all of that there because my brain is kinda fried right now. Like I said, any opinions, resources or advice you have is appreciated, if you need any more information to help determine anything, let me know and I'll get back as quickly as possible.
Thanks
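
The baseline comparison the first question asks about, as an added example that is not part of the thread: a PowerShell script (written to stay within the PowerShell 2.0 that ships with Windows 7) that snapshots the common Run keys and the Winsock catalog that the PUP.Optional.Winsock detections point at, and on later runs reports what was added, changed or removed. The key list and the $Baseline path are assumptions.

```powershell
# Added example, not from the thread: snapshot persistence-related registry keys
# and diff them against a saved baseline. Run from an elevated PowerShell prompt.
# The key list and $Baseline path are assumptions; extend the list as needed.
$Keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  # Winsock LSP / namespace catalogs, the area a "Winsock" detection refers to
  'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries',
  'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64',
  'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries'
)
$Baseline = 'C:\baseline\reg-baseline.xml'   # assumed location; keep a copy off the machine too

# One row per registry value under each key and its immediate subkeys
# (the Winsock catalog stores each entry as a numbered subkey).
function Get-RegSnapshot {
  param([string[]]$Paths)
  $rows = @()
  foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { continue }
    $targets = @(Get-Item $p) + @(Get-ChildItem $p -ErrorAction SilentlyContinue)
    foreach ($k in $targets) {
      foreach ($name in $k.GetValueNames()) {
        # Binary values (e.g. PackedCatalogItem) render as a list of byte numbers,
        # which is enough for an equal / not-equal comparison.
        $rows += New-Object PSObject -Property @{
          Key = $k.Name; Name = $name; Value = [string]$k.GetValue($name) }
      }
    }
  }
  $rows
}

$now = Get-RegSnapshot $Keys
if (-not (Test-Path $Baseline)) {
  $dir = Split-Path $Baseline
  if (-not (Test-Path $dir)) { New-Item $dir -ItemType Directory | Out-Null }
  $now | Export-Clixml $Baseline
  "Baseline written with $($now.Count) values. Re-run later to diff."
} else {
  $old = Import-Clixml $Baseline
  # '=>' = present now but not in the baseline (added or changed value)
  # '<=' = present in the baseline but gone now (removed or changed value)
  Compare-Object $old $now -Property Key,Name,Value |
    Sort-Object SideIndicator,Key,Name |
    Format-Table SideIndicator,Key,Name,Value -AutoSize -Wrap
}
```

A diff can only flag changes relative to the state you captured; if the baseline was taken after the infection, what it reports as unchanged is not evidence that those values are legitimate, which is why a clean reinstall remains the safer fix.
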
Solution
Best thing is backup your files and do a clean Windows setup, it's just about impossible to sort through the registry to figure out what should or should not be there since there are so many programs that modify the registry and many of them are encoded with the ID instead of a real name so you'd just see a lot of entries like {12333A-ASfd5-DDGDA and so on.

tmarter
Jul 30, 2015
Yeah, I ended up trying to at least catch what was going on, in case there was anything obvious... there was: some values that had random phrases to cover up what was there before... I found out pretty quickly that it was pretty much a dead end.

I found out that I was infected with the dllhost.exe COM Surrogate trojan. Someone had made about 4 other user names other than mine, changed all of my firewall and security rules, accessed all of my local information and shared all of it in folders to another computer, and then brought the backdoor with him. Left me a few presents, like a registry subkey that caused Bitdefender to go into an endless loop and create critical errors to prevent my antivirus from detecting any intrusions... also disabled my ability to back up, restore or repair, and my backup drive was actually connected to my computer at the time and got infected too. 2 HDDs, a backup and 2 SSDs... just said f**k it and wiped it all clean from Safe Mode using the command line.
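
The Event Viewer IDs asked about in the original post, as an added example that is not from the thread, tied to what this reply describes (extra local accounts, remote access, services turned off): a PowerShell 2.0-compatible query of the Security and System logs. $Days is an assumption, and the Security IDs are only present if the audit policy records them.

```powershell
# Added example, not from the thread: list the Security/System events that would
# record new local accounts, remote logons and service changes over the last
# $Days days. Run from an elevated prompt on the affected machine. $Days is an
# assumption; the IDs only appear if the audit policy records them
# (check with: auditpol /get /category:*).
$Days  = 14
$Since = (Get-Date).AddDays(-$Days)

# Read one named field (e.g. TargetUserName) out of an event's EventData XML.
function Get-EventField {
  param($Event, [string]$Field)
  $d = ([xml]$Event.ToXml()).Event.EventData.Data |
       Where-Object { $_.Name -eq $Field }
  if ($d) { $d.'#text' } else { '' }
}

# Security log: 4720 = user account created, 4732 = member added to a local
# group (e.g. Administrators), 4624 = successful logon, 4625 = failed logon.
$sec = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
  LogName = 'Security'; Id = 4720,4732,4624,4625; StartTime = $Since }

$hits = foreach ($e in $sec) {
  $type = Get-EventField $e 'LogonType'
  # For successful logons keep only network (3) and Remote Desktop (10);
  # console logons (2) are the owner's own sessions and would swamp the list.
  if ($e.Id -eq 4624 -and @('3','10') -notcontains $type) { continue }
  New-Object PSObject -Property @{
    Time   = $e.TimeCreated; Id = $e.Id; Type = $type
    Actor  = Get-EventField $e 'SubjectUserName'   # who performed the action
    Target = Get-EventField $e 'TargetUserName'    # account (or group) affected
    From   = Get-EventField $e 'IpAddress'         # source address for logons
  }
}
"--- Account and logon events since $Since ---"
$hits | Sort-Object Time | Format-Table Time,Id,Actor,Target,Type,From -AutoSize

# System log (Service Control Manager): 7045 = new service installed,
# 7040 = service start type changed (e.g. Windows Update set to Disabled).
"--- Service changes since $Since ---"
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
  LogName = 'System'; ProviderName = 'Service Control Manager'
  Id = 7045,7040; StartTime = $Since } |
  Sort-Object TimeCreated |
  Format-Table TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } -AutoSize -Wrap
```

An empty result is not proof nothing happened: an intruder who turned auditing off or cleared the Security log leaves little here, although clearing the log itself is recorded as Security event 1102.
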
 
Wow, sounds like a pretty sophisticated attack. Since you have Acronis True Image, why don't you make a drive image of your operating system drive periodically (I do it about once a month)? Then if you get infected again, you can wipe the drive and restore from the image. I have had to do this several times with complete success (it may or may not have been a virus that caused my issues). I keep the last 2 or 3 backup images, so if I am not sure when the problems started, I have the option of going back a little farther in time. I also keep my most important files backed up to a thumb drive.

Based on your description of the problem and the troubleshooting steps you undertook, you are probably much more advanced than I am, but just wanted to chime in with what I do to protect my system.