computer stuck on FBI moneypak virus screen [Solved]
Started by
Maya_k
, Jul 30 2012 08:02 PM
This topic is locked
#76
Posted 03 September 2012 - 08:50 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
#77
Posted 03 September 2012 - 08:52 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
We need to search for one file:
services.exe*
- Restart your computer like you did before to start FRST and get to this screen:
- Type the following into the search box:
services.exe*
- Press the Search button.
- Once it completes, a message will pop up indicating that the search is completed.
- It will make a log (Search.txt) on the flash drive. Please copy and paste it to your reply.
#78
Posted 03 September 2012 - 09:09 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Here is the searct.txt
Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-03 22:00:02
Running from F:\
================== Search: "services.exe*" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-07-16 21:59] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:25] - [2008-01-20 18:25] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.0.6000.16386_en-us_67c6851b290a1ced\services.exe.mui
[2006-11-02 04:40] - [2006-11-02 04:40] - 0017920 ____A (Microsoft Corporation) 1626EACF0E7E59F85C59DDDD27C4169C
C:\Windows\System32\en-US\services.exe.mui
[2006-11-02 04:40] - [2006-11-02 04:40] - 0017920 ____A (Microsoft Corporation) 1626EACF0E7E59F85C59DDDD27C4169C
C:\ComboFix\services.exe.ND_
[2012-08-01 20:27] - [2012-08-01 20:27] - 0000014 ____A () FE5FA426A55F4129162E83DBE20864A8
=== End Of Search ===
Farbar Recovery Scan Tool Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-03 22:00:02
Running from F:\
================== Search: "services.exe*" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2010-07-16 21:59] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:25] - [2008-01-20 18:25] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.0.6000.16386_en-us_67c6851b290a1ced\services.exe.mui
[2006-11-02 04:40] - [2006-11-02 04:40] - 0017920 ____A (Microsoft Corporation) 1626EACF0E7E59F85C59DDDD27C4169C
C:\Windows\System32\en-US\services.exe.mui
[2006-11-02 04:40] - [2006-11-02 04:40] - 0017920 ____A (Microsoft Corporation) 1626EACF0E7E59F85C59DDDD27C4169C
C:\ComboFix\services.exe.ND_
[2012-08-01 20:27] - [2012-08-01 20:27] - 0000014 ____A () FE5FA426A55F4129162E83DBE20864A8
=== End Of Search ===
#79
Posted 03 September 2012 - 09:16 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
I will need to prepare a fix and will have it for you tomorrow.
Regards,
CompCav
Regards,
CompCav
#80
Posted 03 September 2012 - 09:25 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Thank you so much!! Night!
#81
Posted 04 September 2012 - 01:35 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
Download the enclosed file.
fixlist.txt 1.83KB
218 downloads
Save it in the USB drive.
Insert the USB drive into the ailing computer. Run FRST as you did before, except that this time around click on the Fix button.
The tool will make a log on the flashdrive (Fixlog.txt) please post it it your reply.
Attempt to boot in Normal Mode. If successful, run Combofix as follows:
Download and Install Combofix
Delete your old copy of ComboFix from your desktop.
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
fixlist.txt 1.83KB
218 downloadsSave it in the USB drive.
Insert the USB drive into the ailing computer. Run FRST as you did before, except that this time around click on the Fix button.
The tool will make a log on the flashdrive (Fixlog.txt) please post it it your reply.
Attempt to boot in Normal Mode. If successful, run Combofix as follows:
Download and Install Combofix
Delete your old copy of ComboFix from your desktop.
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
#82
Posted 04 September 2012 - 02:03 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Hello,
Here is the fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-04 14:47:46 Run:1
Running from F:\
==============================================
HKEY_USERS\AFSHEEN KHAN\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Update Server Value deleted successfully.
C:\Users\AFSHEEN KHAN\f50313d9-5762.exe not found.
C:\Users\AFSHEEN KHAN\AppData\Local\vewcnmov.exe moved successfully.
C:\Windows\Tasks\Thnqb.job moved successfully.
d85819b532b8f062 service deleted successfully.
C:\Users\All Users\lpSv5bowgfReTj moved successfully.
C:\Users\All Users\-lpSv5bowgfReTjr moved successfully.
C:\Users\All Users\-lpSv5bowgfReTj moved successfully.
C:\Windows\System32\Drivers\d85819b532b8f062.sys moved successfully.
C:\Users\All Users\eftt3Gi6riJKnq moved successfully.
C:\Users\All Users\-eftt3Gi6riJKnqr moved successfully.
C:\Users\All Users\-eftt3Gi6riJKnq moved successfully.
C:\Users\All Users\lKoZb6nps1b8zh moved successfully.
C:\Users\All Users\-lKoZb6nps1b8zhr moved successfully.
C:\Users\All Users\-lKoZb6nps1b8zh moved successfully.
C:\Users\AFSHEEN KHAN\Desktop\File_Recovery.lnk moved successfully.
C:\Windows\Installer\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Users\AFSHEEN KHAN\AppData\Local\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Users\Guest\AppData\Local\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
I tried to boot in normal mode but it didn't work. First time it did a disk check and deleted bunch of files and corrected some. It was going too fast for me to make a note of them. After it was done, it restarted the computer. It gave me an option to either enter repair mode or start normally. I selected the start normally option. It goes as far as the screen where it says Microsoft corporation and after that it restarts.
Here is the fixlog:
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-09-2012 03
Ran by SYSTEM at 2012-09-04 14:47:46 Run:1
Running from F:\
==============================================
HKEY_USERS\AFSHEEN KHAN\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Update Server Value deleted successfully.
C:\Users\AFSHEEN KHAN\f50313d9-5762.exe not found.
C:\Users\AFSHEEN KHAN\AppData\Local\vewcnmov.exe moved successfully.
C:\Windows\Tasks\Thnqb.job moved successfully.
d85819b532b8f062 service deleted successfully.
C:\Users\All Users\lpSv5bowgfReTj moved successfully.
C:\Users\All Users\-lpSv5bowgfReTjr moved successfully.
C:\Users\All Users\-lpSv5bowgfReTj moved successfully.
C:\Windows\System32\Drivers\d85819b532b8f062.sys moved successfully.
C:\Users\All Users\eftt3Gi6riJKnq moved successfully.
C:\Users\All Users\-eftt3Gi6riJKnqr moved successfully.
C:\Users\All Users\-eftt3Gi6riJKnq moved successfully.
C:\Users\All Users\lKoZb6nps1b8zh moved successfully.
C:\Users\All Users\-lKoZb6nps1b8zhr moved successfully.
C:\Users\All Users\-lKoZb6nps1b8zh moved successfully.
C:\Users\AFSHEEN KHAN\Desktop\File_Recovery.lnk moved successfully.
C:\Windows\Installer\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Users\AFSHEEN KHAN\AppData\Local\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Users\Guest\AppData\Local\{8aae17e6-5e51-4061-d77f-f0b85161e693} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
I tried to boot in normal mode but it didn't work. First time it did a disk check and deleted bunch of files and corrected some. It was going too fast for me to make a note of them. After it was done, it restarted the computer. It gave me an option to either enter repair mode or start normally. I selected the start normally option. It goes as far as the screen where it says Microsoft corporation and after that it restarts.
#83
Posted 04 September 2012 - 02:12 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
I thought it might do that but that means the first part of the fix worked and now we need to do the second part. Please be patient as I prepare the second part!
Compcav
Compcav
#84
Posted 04 September 2012 - 02:15 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Oh, alright. Thank you!!
#85
Posted 04 September 2012 - 04:32 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
- Download ListParts to a USB flash drive.
- Plug the USB drive into the infected machine.
Then boot using your recovery CD to the command prompt again and run List Parts.
- Back in the command window ....
- Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
- ListParts will start to run.
- Press the Scan button.
- When finished scanning it will make a log Result.txt on the flash drive.
- Close the command window.
- Post me the Result.txt log please.
#86
Posted 04 September 2012 - 04:40 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Hello,
Here is the result.txt
ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 04-09-2012 at 17:39:15
Windows Vista (X86)
Running From: F:\
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 11%
Total physical RAM: 3003.36 MB
Available physical RAM: 2658.59 MB
Total Pagefile: 2787.36 MB
Available Pagefile: 2652.32 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:291.7 GB) (Free:74.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:6.39 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (UNTITLED) (Removable) (Total:1.89 GB) (Free:1.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 993 KB
Disk 1 Online 1937 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 6540 MB 1024 KB
Partition 2 Primary 292 GB 6541 MB
Partition 3 Primary 1360 KB 298 GB
======================================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 6540 MB Healthy Hidden
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C NTFS Partition 292 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1937 MB 1024 B
======================================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F UNTITLED FAT32 Removable 1937 MB Healthy
======================================================================================================
****** End Of Log ******
Here is the result.txt
ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 04-09-2012 at 17:39:15
Windows Vista (X86)
Running From: F:\
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 11%
Total physical RAM: 3003.36 MB
Available physical RAM: 2658.59 MB
Total Pagefile: 2787.36 MB
Available Pagefile: 2652.32 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:291.7 GB) (Free:74.36 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (2007.11.03_2329) (CDROM) (Total:0.12 GB) (Free:0 GB) UDF
3 Drive e: (Recovery) (Fixed) (Total:6.39 GB) (Free:0.84 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (UNTITLED) (Removable) (Total:1.89 GB) (Free:1.75 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 993 KB
Disk 1 Online 1937 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 6540 MB 1024 KB
Partition 2 Primary 292 GB 6541 MB
Partition 3 Primary 1360 KB 298 GB
======================================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 6540 MB Healthy Hidden
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C NTFS Partition 292 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes
There is no volume associated with this partition.
======================================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1937 MB 1024 B
======================================================================================================
Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F UNTITLED FAT32 Removable 1937 MB Healthy
======================================================================================================
****** End Of Log ******
#87
Posted 04 September 2012 - 05:00 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
- Download the attached file to a USB flash drive.
fix.txt 27bytes
224 downloads - Plug the USB drive into the infected machine.
Then boot using your recovery CD to the command prompt again and run List Parts.
- Back in the command window ....
- Type e:/listparts.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
- ListParts will start to run.
- Press the Fix button.
- ListParts will process the script in Fix.txt
- A log Result.txt will be saved to the flash drive.
- Close the command window.
- Post me the Result.txt log please and try to boot into normal mode.
#88
Posted 04 September 2012 - 06:52 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
Hello,
I ran the program. Instead of a result.txt I got a PLfixlog. I am not sure if it did that because I already had a result.txt from earlier. Here is what it was in the PLfixlog:
Script used: "Disk=0 Partition=1 active"
I ran the program. Instead of a result.txt I got a PLfixlog. I am not sure if it did that because I already had a result.txt from earlier. Here is what it was in the PLfixlog:
Script used: "Disk=0 Partition=1 active"
#89
Posted 04 September 2012 - 07:36 PM
CompCav
-
- Expert
-
- 12,454 posts
Member 5k
Can it boot into normal mode now?
#90
Posted 04 September 2012 - 08:04 PM
Maya_k
- Topic Starter
-
- Member
-
- 85 posts
Member
The first time I turned it on, it went into system restore. This time it went all the way up to the screen where it gives you different options. I restarted the computer to try to start windows normally. But now it's just doing the same thing as before: restarting once it reaches the Microsoft Corporation window. As I was typing this, it went into system restore and a window popped up:
"Your computer was unable to start
startup Repair is checking your system for problems..."
Another window has popped up saying
"Do you want to restore your computer using System Restore?
Startup Repair can try to restore your computer to an earlier point in time when it worked correctly"
I can click on restore or cancel. Please advise.
"Your computer was unable to start
startup Repair is checking your system for problems..."
Another window has popped up saying
"Do you want to restore your computer using System Restore?
Startup Repair can try to restore your computer to an earlier point in time when it worked correctly"
I can click on restore or cancel. Please advise.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
