FBI Moneypak... Cannot resolve by myself. PLEASE HELP! :/

[Psychotic]

I have to get further information, please be patient with me.

[Magius]

Any updates?

[Psychotic]

Nope, not yet. I sent messages to other helpers but they have to check the possibilities, first.

I´ll reply here immediately if I get any hints.

[Psychotic]

Are you able to run this:

 

 

Please download Gmer from here by clicking on the "Download EXE" Button.

• Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  
  • Sections
  • IAT/EAT
  • Show All ( should be unchecked by default )
    

  [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.
  

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

[Magius]

I will add it to the desktop through live cd then try and work around screen lock will post back in a bit

[Magius]

That is a NO GO. Still screen lock.  can't break through long enough to run anything.

[Psychotic]

Ok, I have another idea.

Please give me some minutes.

[Psychotic]

Got another hint, process the following with FRST.

REG: reg query "HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445}" /sREG: reg query "HKCR\CLSID\{28949824-6737-0594-0930-223283753445}" /sREG: reg query "HKCR\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32" /sREG: reg query "HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32" /s

[Magius]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013

Ran by SYSTEM at 2013-06-19 13:39:50 Run:10

Running from D:\

Boot Mode: Recovery

==============================================

========= reg query "HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445}" /s =========

Error: The system was unable to find the specified registry key or value

========= End of Reg: =========

========= reg query "HKCR\CLSID\{28949824-6737-0594-0930-223283753445}" /s =========

Error: The system was unable to find the specified registry key or value

========= End of Reg: =========

========= reg query "HKCR\CLSID\{28949824-6737-0594-0930-223283753445}\InProcServer32" /s =========

Error: The system was unable to find the specified registry key or value

========= End of Reg: =========

========= reg query "HKCR\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32" /s =========

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32

ThreadingModel REG_SZ Apartment

<NO NAME> REG_EXPAND_SZ cscui.dll

========= End of Reg: =========

==== End of Fixlog ====

[Psychotic]

C:\WINDOWS\TempC:\Dokumente und Einstellungen\sdemilio\Lokale Einstellungen\Temp

Next one...

[Magius]

I translated it over surprised I didnt mess it up since ive been at this for 15 hiours now

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-06-2013Ran by SYSTEM at 2013-06-19 13:49:08 Run:11Running from D:\Boot Mode: Recovery==============================================C:\WINDOWS\Temp => Moved successfully.C:\Documents and Settings\sdemilio\Local Settings\Temp => Moved successfully.==== End of Fixlog ====

[Psychotic]

That´s indeed my fault.

Please restart, hit F8 several Times, deactivate automatic restart on system failure and boot windows.

 

Tell me what happens. When facing the Bluescreen, give me the exact error messages (without the standard message in the middle)

[Magius]

well, I boot into windows normally, except still with lock screen.  I can't choose deactivate, then safe mode, or i would try that.

[Psychotic]

But when booting into safe mode, you get a bluescreen, or not?

[Magius]

huzzah. there we go. tried it a couple times and it stayed.

***STOP: 0x0000007B (0xB9CCF524 , 0xC0000034 , 0x00000000 , 0x00000000)

[Psychotic]

Do you have the XP disk or how do you boot into recovery environment?

[Magius]

I use OTLPE or Hiren's

[Psychotic]

you got pm

[Psychotic]

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer

• Insert your USB drive
• Press Start > My Computer > right click your USB drive > choose Format > Quick format
• Double click the unetbootin-xpud-windows-387.exe that you just downloaded
• Press Run then OK
• Select the DiskImage option then click the browse button located on the right side of the textbox field.
• Browse to and select the xpud-0.9.2.iso file you downloaded
• Verify the correct drive letter is selected for your USB device then click OK
• It will install a little bootable OS on your USB device
• Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
• After it has completed do not choose to reboot the clean computer simply close the installer
• Next download http://noahdfear.net/downloads/driver.sh to your USB
• Remove the USB and insert it in the sick computer
• Boot the Sick computer
• Press F12 and choose to boot from the USB
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see driver.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be located on your USB drive named report.txt
• Remove the USB drive and insert back in your working computer and navigate to report.txt

  Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

[Magius]

No grldr.. tried twice making it same error both times.. maybe run as admin...  nope not working

[Psychotic]

You have to get a xp disk to try fixing the issue via repair install.

[Magius]

Found my old student media XP pro disc. loading it up right now.  Repair Installation does not mess with documents right? i never bothered with the option.

[Magius]

administrator password locked out. already tried changing via command... this is just plain ridiculous.  whoever thought up this ransomware needs to be tied up by their toes

[Magius]

Thanks for your help so far.  I'll toss something your way later on.  I am going to give this back and tell him he needs to just backup and reinstall windows.  I have to take this dang thing back in a little bit since he is leaving shortly for business. oh well.  Really do appreciate the help I got.

[Magius]

poppin back in, im still around for a bit in case we can figure something out