
I'm working on a machine for a customer (I work for a retail chain that also offers some tech support services), and his machine has a moneypak ransom screen. I was unable to get into safe mode w/command prompt as I normally would in order to start the removal process for this kind of issue.

 

From skimming this forum as I was searching for a possible solution, I saw that the common process was to run "frst" and post a log of its scan, so I've gone ahead and done that to get things started:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 23-01-2014
Ran by SYSTEM on MINWINPC on 23-01-2014 11:24:08
Running from F:\
Windows Vista Home Basic (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [hpsysdrv] - c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [13539872 2008-09-26] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [92704 2008-09-26] (NVIDIA Corporation)
HKLM\...\Run: [PCMAgent] - c:\Program Files\CyberLink\PowerCinema\PCMAgent.exe [143360 2008-09-15] (CyberLink Corp.)
HKLM\...\Run: [CLMLServer] - c:\Program Files\Cyberlink\PowerCinema\Kernel\CLML\CLMLSvc.exe [196608 2008-09-15] (CyberLink)
HKLM\...\Run: [PlayMovie] - c:\Program Files\CyberLink\PlayMovie\PMVService.exe [172032 2008-08-29] (CyberLink Corp.)
HKLM\...\Run: [hpqSRMon] - C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe [81920 2008-06-01] (Hewlett-Packard)
HKLM\...\Run: [siteRanker] - C:\Program Files\SiteRanker\SiteRankTray.exe [1059328 2013-09-29] (Crawler, LLC)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [File Helper] - C:\Program Files\File Helper\2.2.0.3\FileHelper.exe [583648 2010-03-03] ()
HKLM\...\Run: [nmctxth] - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [647216 2009-07-07] (Cisco Systems, Inc.)
HKLM\...\Run: [nmapp] - C:\Program Files\Pure Networks\Network Magic\nmapp.exe [472112 2009-07-08] (Cisco Systems, Inc.)
HKLM\...\Run: [instaLAN] - C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe [6788944 2009-09-11] (Affinegy, Inc.)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1648264 2013-04-25] (Ask)
HKLM\...\Run: [FilmFanatic Browser Plugin Loader] - C:\Program Files\FilmFanatic\bar\1.bin\pabrmon.exe [30096 2011-09-04] (VER_COMPANY_NAME)
HKLM\...\Run: [MapsGalaxy Search Scope Monitor] - C:\Program Files\MapsGalaxy_39\bar\1.bin\39SrchMn.exe [42536 2012-03-14] (MindSpark)
HKLM\...\Run: [MapsGalaxy_39 Browser Plugin Loader] - C:\Program Files\MapsGalaxy_39\bar\1.bin\39brmon.exe [30096 2012-03-14] (VER_COMPANY_NAME)
HKLM\...\Run: [RadioRage Search Scope Monitor] - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrchMn.exe [42536 2012-03-23] (MindSpark)
HKLM\...\Run: [RadioRage_4j Browser Plugin Loader] - C:\Program Files\RadioRage_4j\bar\1.bin\4jbrmon.exe [30096 2012-03-23] (VER_COMPANY_NAME)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2012-02-20] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [shopAtHomeWatcher] - C:\Users\helen777\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [140944 2013-08-20] (ShopAtHome.com)
HKLM\...\Run: [shopAtHomeUpdater] - C:\Users\helen777\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe [179856 2013-08-20] (ShopAtHome.com)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-20] (Microsoft Corporation)
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\helen777\...\Run: [Weather] - C:\Program Files\AWS\WeatherBug\Weather.exe [ 2007-08-29] (AWS Convergence Technologies, Inc.)
HKU\helen777\...\Run: [] - [x]
HKU\helen777\...\Run: [RebateInformer] - C:\Program Files\RebateInformer\RebateInf.exe [ 2012-05-04] (Inbox.com, Inc.)
HKU\helen777\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2012-06-21] (Google Inc.)
HKU\helen777\...\Run: [Pando] - C:\Program Files\Pando Networks\Pando\Pando.exe [ 2012-05-22] (Pando Networks)
 
========================== Services (Whitelisted) =================
 
S2 AffinegyService; C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe [563024 2009-09-11] (Affinegy, Inc.)
S2 FilmFanaticService; C:\Program Files\FilmFanatic\bar\1.bin\pabarsvc.exe [42504 2011-09-04] (COMPANYVERS_NAME)
S2 MapsGalaxy_39Service; C:\Program Files\MapsGalaxy_39\bar\1.bin\39barsvc.exe [42504 2012-03-14] (COMPANYVERS_NAME)
S2 N360; C:\Program Files\Norton Security Suite\Engine\21.1.0.18\N360.exe [264360 2013-10-18] (Symantec Corporation)
S2 nmservice; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [647216 2009-07-07] (Cisco Systems, Inc.)
S2 RadioRage_4jService; C:\Program Files\RadioRage_4j\bar\1.bin\4jbarsvc.exe [42504 2012-03-23] (COMPANYVERS_NAME)
 
==================== Drivers (Whitelisted) ====================
 
S1 BHDrvx86; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140110.001\BHDrvx86.sys [1098968 2013-12-17] (Symantec Corporation)
S1 ccSet_N360; C:\Windows\system32\drivers\N360\1501000.012\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376920 2013-12-14] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [108120 2013-12-16] (Symantec Corporation)
S1 IDSVix86; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140114.001\IDSvix86.sys [394456 2013-12-13] (Symantec Corporation)
S3 NAVENG; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140115.001\NAVENG.SYS [93272 2013-12-16] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140115.001\NAVEX15.SYS [1612376 2013-12-16] (Symantec Corporation)
S2 pnarp; C:\Windows\System32\DRIVERS\pnarp.sys [26672 2009-07-07] (Cisco Systems, Inc.)
S2 purendis; C:\Windows\System32\DRIVERS\purendis.sys [27696 2009-07-07] (Cisco Systems, Inc.)
S1 SRTSP; C:\Windows\system32\drivers\N360\1501000.012\SRTSP.SYS [651352 2013-09-26] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\N360\1501000.012\SRTSPX.SYS [32344 2013-09-09] (Symantec Corporation)
S0 SymDS; C:\Windows\System32\drivers\N360\1501000.012\SYMDS.SYS [367704 2013-09-09] (Symantec Corporation)
S0 SymEFA; C:\Windows\System32\drivers\N360\1501000.012\SYMEFA.SYS [935512 2013-09-26] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2013-12-16] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\N360\1501000.012\Ironx86.SYS [206936 2013-09-26] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\system32\drivers\N360\1501000.012\SYMTDIV.SYS [383576 2013-09-25] (Symantec Corporation)
S3 USB_RNDIS; C:\Windows\System32\DRIVERS\usb8023.sys [15872 2013-02-11] (Microsoft Corporation)
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-01-23 11:23 - 2014-01-23 11:23 - 00000000 ____D C:\FRST
2014-01-23 08:38 - 2014-01-23 08:38 - 00000000 ____D C:\Windows\LastGood
2014-01-19 21:07 - 2014-01-23 07:52 - 00000000 _____ C:\ProgramData\veo9jwd.odd
 
==================== One Month Modified Files and Folders =======
 
2014-01-23 11:23 - 2014-01-23 11:23 - 00000000 ____D C:\FRST
2014-01-23 10:28 - 2009-01-06 18:36 - 00000000 ____D C:\users\helen777
2014-01-23 10:28 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool
2014-01-23 10:28 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc
2014-01-23 10:28 - 2006-11-02 02:22 - 44040192 _____ C:\Windows\System32\config\software_previous
2014-01-23 10:28 - 2006-11-02 02:22 - 23068672 _____ C:\Windows\System32\config\system_previous
2014-01-23 10:27 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration
2014-01-23 08:38 - 2014-01-23 08:38 - 00000000 ____D C:\Windows\LastGood
2014-01-23 08:38 - 2012-08-28 18:26 - 00000212 _____ C:\Windows\setupact.log
2014-01-23 08:38 - 2006-11-02 04:45 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-23 08:38 - 2006-11-02 04:45 - 00003616 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-23 07:55 - 2006-11-02 02:22 - 38010880 _____ C:\Windows\System32\config\components_previous
2014-01-23 07:55 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\security_previous
2014-01-23 07:55 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\sam_previous
2014-01-23 07:55 - 2006-11-02 02:22 - 00262144 _____ C:\Windows\System32\config\default_previous
2014-01-23 07:52 - 2014-01-19 21:07 - 00000000 _____ C:\ProgramData\veo9jwd.odd
2014-01-22 09:18 - 2008-11-25 10:22 - 01763093 _____ C:\Windows\WindowsUpdate.log
2014-01-22 09:01 - 2011-05-30 21:07 - 00000000 ____D C:\Users\helen777\AppData\Local\CrashDumps
2014-01-22 08:56 - 2010-03-11 10:13 - 00000000 ____D C:\Program Files\Ask.com
2014-01-22 08:22 - 2012-08-11 15:46 - 01409830 _____ C:\Windows\PFRO.log
2014-01-19 20:44 - 2009-06-04 14:07 - 00000000 ____D C:\Program Files\SiteRanker
2014-01-18 18:44 - 2011-09-04 14:21 - 00000000 ____D C:\Program Files\RebateInformer
2014-01-16 18:33 - 2013-07-22 00:01 - 00000000 ____D C:\Windows\System32\MRT
2013-12-24 17:08 - 2009-01-08 22:20 - 00000000 ____D C:\Users\helen777\AppData\Local\WeatherBug
 
Files to move or delete:
====================
C:\ProgramData\123478687123.dat
C:\ProgramData\veo9jwd.odd
 
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2013-08-02 17:21:55
Restore point made on: 2013-08-04 05:43:16
Restore point made on: 2013-08-06 06:33:19
Restore point made on: 2013-08-06 18:49:04
Restore point made on: 2013-08-09 08:15:20
Restore point made on: 2013-08-19 00:54:03
Restore point made on: 2013-08-20 00:00:42
Restore point made on: 2013-08-21 06:32:08
Restore point made on: 2013-09-02 07:32:34
Restore point made on: 2013-09-11 19:08:18
Restore point made on: 2013-09-12 00:00:44
Restore point made on: 2013-09-16 15:47:14
Restore point made on: 2013-09-18 02:37:42
Restore point made on: 2013-09-24 12:12:39
Restore point made on: 2013-10-10 02:27:53
Restore point made on: 2013-12-01 07:14:13
Restore point made on: 2013-12-05 07:25:55
Restore point made on: 2013-12-13 13:18:14
Restore point made on: 2013-12-16 00:46:05
Restore point made on: 2013-12-16 01:00:15
Restore point made on: 2014-01-16 18:10:16
 
==================== Memory info =========================== 
 
Percentage of memory in use: 20%
Total physical RAM: 1917.88 MB
Available physical RAM: 1531.35 MB
Total Pagefile: 1738.11 MB
Available Pagefile: 1583.06 MB
Total Virtual: 2047.88 MB
Available Virtual: 1975.24 MB
 
==================== Drives ================================
 
Drive c: (COMPAQ) (Fixed) (Total:287.42 GB) (Free:191.87 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:10.67 GB) (Free:1.45 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
Drive f: (USB DISK) (Removable) (Total:1.86 GB) (Free:1.84 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=287 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=2 GB) - (Type=0E)
 
 
LastRegBack: 2014-01-22 08:37
 
==================== End Of Log ============================

Not much showing, give this a try:

Please download the attached fixlist.txt and copy it to your flash drive.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options. (as you did before)

Run FRST64 or FRST (whichever one you're using) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

See if the computer boots normally now.

If not...rescan with FRST and post the new log

MrC

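As an added example (not from this thread and not part of FRST itself), here is a Python triage pass over the two FRST sections the fix above was built from: it parses the Run/RunOnce lines and the one-month file lines and flags the same kinds of entries the fixlist targeted, such as unnamed values pointing at missing files, autoruns with an empty or template publisher, autoruns launched from a profile directory, and loose files dropped straight into ProgramData. The flag names and heuristics are the example's own assumptions; the sample lines are constructed from the log posted above.

```python
import re

# Constructed sample, in the line formats of FRST's Registry and One Month Created Files sections.
SAMPLE_LOG = r"""
HKLM\...\Run: [File Helper] - C:\Program Files\File Helper\2.2.0.3\FileHelper.exe [583648 2010-03-03] ()
HKLM\...\Run: [RadioRage_4j Browser Plugin Loader] - C:\Program Files\RadioRage_4j\bar\1.bin\4jbrmon.exe [30096 2012-03-23] (VER_COMPANY_NAME)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [shopAtHomeWatcher] - C:\Users\helen777\AppData\Roaming\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [140944 2013-08-20] (ShopAtHome.com)
HKU\helen777\...\Run: [Weather] - C:\Program Files\AWS\WeatherBug\Weather.exe [ 2007-08-29] (AWS Convergence Technologies, Inc.)
2014-01-23 11:23 - 2014-01-23 11:23 - 00000000 ____D C:\FRST
2014-01-19 21:07 - 2014-01-23 07:52 - 00000000 _____ C:\ProgramData\veo9jwd.odd
"""

RUN_RE = re.compile(r"^HK[^:]*?\\\.\.\.\\(?:RunOnce|Run): \[(?P<name>[^\]]*)\] - (?P<rest>.*)$")
TARGET_RE = re.compile(r"^(?P<path>.*?) \[\d* ?\d{4}-\d{2}-\d{2}\] \((?P<pub>[^)]*)\)$")  # '[ date]' also occurs
FILE_RE = re.compile(r"^[\d-]{10} [\d:]{5} - [\d-]{10} [\d:]{5} - \d{8} (?P<attr>[_A-Z]{5}) (?P<path>.*)$")
PLACEHOLDER_PUBLISHERS = {"VER_COMPANY_NAME", "COMPANYVERS_NAME"}  # unfilled version-resource templates
PROFILE_DIRS = ("c:\\users\\", "c:\\programdata\\")  # writable without admin rights
PROGRAMDATA = "c:\\programdata\\"

def triage_run_value(name, rest):
    """Concerns for one autorun registry value; an empty list means nothing looked odd."""
    flags = ["empty-name"] if name == "" else []   # unnamed value, as in the log's '[] - [x]' entries
    if rest == "[x]":
        return flags + ["missing-target"]           # value points at a file that no longer exists
    t = TARGET_RE.match(rest)
    path, pub = (t["path"], t["pub"]) if t else (rest, "")
    if pub == "":
        flags.append("no-publisher")                # no company name in the file's version info
    elif pub in PLACEHOLDER_PUBLISHERS:
        flags.append("placeholder-publisher")
    if path.lower().startswith(PROFILE_DIRS):
        flags.append("autorun-from-profile-dir")
    return flags

def triage_file(attr, path):
    """Flag a loose file dropped directly into C:\\ProgramData (directories are skipped)."""
    lower = path.lower()
    if "D" not in attr and lower.startswith(PROGRAMDATA) and "\\" not in lower[len(PROGRAMDATA):]:
        return ["loose-file-in-programdata"]
    return []

def triage(log_text):
    """Return [(log_line, [flags])] for every line of an FRST log that raised a flag."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := RUN_RE.match(line):
            flags = triage_run_value(m["name"], m["rest"])
        elif m := FILE_RE.match(line):
            flags = triage_file(m["attr"], m["path"])
        else:
            continue
        if flags:
            findings.append((line, flags))
    return findings
```

Flags are a prompt for a human reviewer, not a verdict: legitimate software also runs from AppData, and a missing publisher only means the binary carries no company name in its version resource.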

That fix got me able to boot into safe mode with a command prompt. I should be good to go from here and clean things up as I usually do. I'll reply here again if anything goes awry in a way I'm not used to, or once the repairs are all done and the machine has a clean bill of health.

 

Thanks a ton for the help!

 

Here's the fixlog text:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 23-01-2014
Ran by SYSTEM at 2014-01-23 12:53:28 Run:1
Running from F:\
Boot Mode: Recovery
 
==============================================
 
Content of fixlist:
*****************
HKLM\...\Run: [] - [x]
HKLM\...\Run: [RadioRage Search Scope Monitor] - C:\Program Files\RadioRage_4j\bar\1.bin\4jSrchMn.exe [42536 2012-03-23] (MindSpark)
HKLM\...\Run: [RadioRage_4j Browser Plugin Loader] - C:\Program Files\RadioRage_4j\bar\1.bin\4jbrmon.exe [30096 2012-03-23] (VER_COMPANY_NAME)
HKLM\...\RunOnce: [*Restore] - C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-01-20] (Microsoft Corporation)
HKU\helen777\...\Run: [] - [x]
C:\ProgramData\veo9jwd.odd
C:\ProgramData\123478687123.dat
 
 
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\RadioRage Search Scope Monitor => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\RadioRage_4j Browser Plugin Loader => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\*Restore => Value deleted successfully.
HKU\helen777\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
C:\ProgramData\veo9jwd.odd => Moved successfully.
C:\ProgramData\123478687123.dat => Moved successfully.
 
==== End of Fixlog ====

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
