Ankit
  1. No no, my computer is working fine. I just want to be sure everything is fine. After reinstalling Windows, for example, Google Chrome is not installing. The installer just displays that an error occurred and the installer failed to start. Sometimes, my PC just hangs for a second or two. And btw, that line in checkup.txt which says that fragmentation on drive C is 6%, is that fine or is my HDD gonna die soon?
  2. Oh! I don't know how the FRST.txt file failed to upload... I will post it ASAP (tomorrow, as I'm replying from my phone). I'm sorry for the delay.
  3. Okay, here are the logs you needed.

--FRST--
The log is too big so I have attached the file.

--Addition--
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 22-05-2015 01
Ran by Ankit at 2015-05-27 22:09:33
Running from C:\Documents and Settings\Ankit\My Documents\Downloads
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1801674531-1409082233-1177238915-500 - Administrator - Enabled)
Ankit (S-1-5-21-1801674531-1409082233-1177238915-1003 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Ankit
Guest (S-1-5-21-1801674531-1409082233-1177238915-501 - Limited - Disabled)
HelpAssistant (S-1-5-21-1801674531-1409082233-1177238915-1000 - Limited - Disabled)
SUPPORT_388945a0 (S-1-5-21-1801674531-1409082233-1177238915-1002 - Limited - Disabled)

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Reader 9.1 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A91000000001}) (Version: 9.1.0 - Adobe Systems Incorporated)
Age of Empires III (HKLM\...\InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}) (Version: 1.00.0000 - Microsoft Game Studios)
Age of Empires III (Version: 1.00.0000 - Microsoft Game Studios) Hidden
DIABLO II (HKLM\...\DIABLO_II) (Version: - )
FlashGet3.7 (HKLM\...\FlashGet3.7) (Version: 3.7.0.1220 - http://www.FlashGet.com)
GIMP 2.6.12-2 (HKLM\...\WinGimp-2.0_is1) (Version: 2.6.12 - The GIMP Team)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - )
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Opera Stable 29.0.1795.60 (HKLM\...\Opera 29.0.1795.60) (Version: 29.0.1795.60 - Opera Software ASA)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: 5.19 - Realtek Semiconductor Corp.)
TA:Kingdoms Switcher 1.0 (HKLM\...\049C3549-EA86-4628-BBE1-8C5AB5F6FE1A_is1) (Version: TA:Kingdoms Switcher - pocket_geek)
TechPowerUp GPU-Z (HKLM\...\TechPowerUp GPU-Z) (Version: - TechPowerUp)
Total Annihilation: Kingdoms version 4.1bb (HKLM\...\{D87064BA-DF94-4B71-B87A-2815C4353103}_is1) (Version: 4.1bb - DeeKay - All TA:K Downloads)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WebFldrs XP (Version: 9.50.7523 - Microsoft Corporation) Hidden
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

21-05-2015 23:43:44 System Checkpoint
22-05-2015 00:01:52 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
22-05-2015 12:28:56 Installed Realtek AC'97 Audio
22-05-2015 13:10:29 Update to an unsigned driver
22-05-2015 17:38:03 Installed Age of Empires III
22-05-2015 17:52:33 Installed Age of Empires III
25-05-2015 14:30:53 Installed Adobe Reader 9.1.
26-05-2015 15:31:33 Update to an unsigned driver
26-05-2015 16:42:25 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
26-05-2015 17:14:08 Software Distribution Service 3.0

==================== Hostscontent: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2007-08-11 12:28 - 2007-08-11 12:28 - 00000768 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com

==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Opera scheduled Autoupdate 1432649606.job => C:\Program Files\Opera\launcher.exe

==================== Loaded Modules (Whitelisted) ==============

2008-04-14 10:11 - 2008-04-14 10:11 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2008-04-14 10:12 - 2008-04-14 10:12 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2015-05-26 19:43 - 2015-05-18 13:03 - 00479352 _____ () C:\Program Files\Opera\29.0.1795.60\opera_crashreporter.exe

==================== Safe Mode (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================
(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1801674531-1409082233-1177238915-1003\Control Panel\Desktop\\Wallpaper -> C:\Documents and Settings\Ankit\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
DNS Servers: 192.168.42.129

==================== MSCONFIG/TASK MANAGER Error getting ==
(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

StandardProfile\AuthorizedApplications: [C:\Program Files\FlashGet Network\FlashGet 3\FlashGet3.exe] => Enabled:Flashget3
StandardProfile\AuthorizedApplications: [C:\Program Files\Opera\opera.exe] => Enabled:Opera Internet Browser

==================== Faulty Device Manager Devices =============

Name: Ethernet Controller
Description: Ethernet Controller
Class Guid: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (05/27/2015 10:07:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Hanging application FRST.exe, version 22.5.2015.1, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: The specified server cannot perform the requested operation.

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: The specified server cannot perform the requested operation.

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.

System errors:
=============
Error: (05/27/2015 08:52:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/27/2015 04:34:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/27/2015 11:33:02 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/27/2015 11:18:03 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/27/2015 10:12:04 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/26/2015 09:00:19 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/26/2015 07:40:57 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/26/2015 03:12:05 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/26/2015 10:36:38 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Error: (05/25/2015 06:25:32 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error: %%2

Microsoft Office:
=========================
Error: (05/27/2015 10:07:40 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: FRST.exe22.5.2015.1hungapp0.0.0.000000000

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThe specified server cannot perform the requested operation.

Error: (05/22/2015 02:03:33 PM) (Source: crypt32) (EventID: 8) (User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

==================== Memory info ===========================

Processor: Intel® Pentium® 4 CPU 2.40GHz
Percentage of memory in use: 15%
Total physical RAM: 3063.48 MB
Available physical RAM: 2585.37 MB
Total Pagefile: 4954.16 MB
Available Pagefile: 4560.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.97 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:48.93 GB) (Free:41.73 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: () (Fixed) (Total:48.83 GB) (Free:12.14 GB) NTFS
Drive e: () (Fixed) (Total:51.29 GB) (Free:46 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 149.1 GB) (Disk ID: 0000A599)
Partition 1: (Active) - (Size=48.9 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=100.1 GB) - (Type=OF Extended)

==================== End of log ============================

--checkup--
Results of screen317's Security Check version 1.002
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader 9
Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 6%
````````````````````End of Log``````````````````````
  4. Eh.. I was again banned for almost two days... why??? On topic: as I was unable to reply here and I urgently needed to have my PC up and running, I used the UBCD disk to load my HDD, searched for all known (to me) malware and associated autorun files in every partition and pen drive, and then I manually deleted all of them. Formatted the C drive and reinstalled Windows as I did not have any valuable data to lose on it. Now my PC is running fine, no suspicious processes running, but I just want to be sure and want your help in cleaning up my camera too. >> I will NOT run any scanning tools without a green signal from you. Not even MBAM. Even if my system looks clean now. Because these tools disable the operating system. Now what should I do next?
  5. Hello, I'm facing serious problems after being infected with malware like music.exe, userinit.exe, system.exe, forever.exe, hijack.host etc. It's dreadful. It's everywhere, in my pen drives, camera, phones, memory cards (it doesn't allow me to view USB mass storage contents). Hampering processes and creating chaos! I posted a topic a few months ago regarding the same issue but didn't respond to it as I started preparing for exams. You can find the topic HERE >> https://forums.malwarebytes.org/index.php?/topic/164858-wormautorun-causing-windows-to-run-into-an-infinite-shutdown-loop-help/?view=getnewpost AdvancedSetup told me to post a new thread.

--FIRST PROBLEM--
Step by step..
I followed the steps posted there, built the UBCD4Win, but couldn't back up my data as I don't have a big pen drive or an external HDD.
>> So I just formatted the C drive and reinstalled Windows yesterday.
>> Then installed MBAM, again.
> UPDATED DB,
> scanned
> traced 10 malware files.
> did NOT delete them, for fear of not being able to boot again as the infected files included system files (but I think they were still quarantined)
> did some work.
>> ran Farbar Recovery Tool.
>> thought of visiting the Malwarebytes forums, and an error popped up, saying I'm not allowed to visit this community. Okay. Nice.
> ^^this has happened to me many times on and off on many systems and devices.
> played some games.
>> switched off the PC.
> restarted it.
> was welcomed with a logon screen WITHOUT any password field.
> I clicked the username.
> my wallpaper appeared but no GUI, just plain wallpaper.
> after a few seconds it returned to the logon screen and said the user (admin) does not exist!
> end.

--SECOND PROBLEM--
> Rant incoming...
>> Why am I intermittently abandoned/prevented/denied access to these forums, from every kind of device where I log into Gmail even once? Have I broken some rules or am I blacklisted? Huh? It's depressing to see that I've been blocked from accessing the site when I need it most, and more when I realize that nowhere else will I get better solutions, easily. I don't come here every day, and when I do I'm welcomed by an "error number 2000". Gooood...
> Rant mode over.

--THIRD PROBLEM (SUGGESTION)--
> I'm not sure if this is the correct place to talk about MBAM. But anyway, here I go.
>> Why does MBAM quarantine/disable system files even when they're infected, knowing that this step will render the PC useless afterwards? They're critical files!
>> And why does it even offer an option to delete them after the scan?
> Seriously, people will delete them happily and end up with a half-dead computer.
>> Why not just flag the file/location for reviewing later, or suggest the user go for support, or warn them about the effects of deleting them, instead of letting them delete in a single click?

That's it! I'm eagerly waiting for a reply. And please don't ban me again as I won't be able to post replies here and the topic will be closed. Thank you for reading and sorry for the rant.

Attachments: mbam scan results.txt, mbam log may 20.txt, FRST.txt, Addition.txt
  6. Oh ok, I totally missed that! Thanks. It will take some time though, as I'll use my friend's PC.
  7. Um, how can I download UBCD4W to my desktop? It does not start up. Can I run it on another computer?
  8. Actually my PC isn't even getting to the desktop; it shuts down in the middle of booting up.
  9. Will someone please help me? If you can't / the PC is broken, at least tell me what steps I should take to recover my data.
  10. Hello everyone, this is my first post here. I'm from India so the reply timings may not match. This is going to be a long post.

Yesterday I connected my camera to my XP machine, and I saw a folder named avp root or something like this, I can't remember. I opened it because the name was similar to mp-root, a folder which contains videos. It contained an exe file in the disguise of a folder named Music. I.. double clicked it... I am aware of this and similar files but at that time I wasn't alert. I tried to remove it but it was well past 1:00 AM so I switched off the PC.

Today I downloaded the trial version of MBAM and scanned my PC, uh.. without updating the DB. It still detected 10 threats, with the familiar Trojan names (and expected too): Forever.exe, System.exe, Music.exe, and userinit.exe, along with some malicious registry entries. I know that userinit.exe is a safe executable from MS, but taskmgr showed two instances of it; one on termination opened the explorer(?) and the second one just kept recurring without any effect, so I knew this was a trojan. Forever.exe and music.exe were not running. BTW system.exe and userinit.exe were not using the CPU at all and used 6 MB of RAM together. My system was running fine.

--I quarantined the threats and allowed MBAM to restart to completely remove the malware, and here is when the real problem started. When I clicked OK, a popup about blocking Autorun popped up and the PC turned off. Upon restarting, it got to the 'loading your settings' screen showing a blank blue screen (maybe my background, I use a solid blue color with classic theme) but doesn't show any GUI, and immediately shuts down showing the 'saving your settings' screen, and this continues endlessly. I noted that sometimes the MBAM blocker pops up for an instant before shutdown.--

Please help me, I can't even boot into safe mode.