
Author Topic: Moneypac malware won't allow booting in safe mode  (Read 7628 times)


amonwill

    Topic Starter


    Starter

    • Experience: Familiar
    • OS: Windows XP
    Moneypac malware won't allow booting in safe mode
    « on: January 23, 2013, 11:01:03 AM »
    Hello. I work at an office that has a computer that somehow got some malware on it called moneypac and it doesn't allow me to use my computer, go to task manager or any of the normal solutions. Usually I just mosey along to safe mode and fix up the computer with a malware remover like malwarebytes, but this new malware does not allow me to boot in safe mode. As soon as I log in the computer force reboots. I noticed another user on this forum had the same problem and the problem was helped using some logs from Farbar Recovery Scan Tool while booting to an OTLPE CD. In the interest of saving time I have already performed a scan as well as a search for services.exe and I have those logs ready should they be required (this was before I read the forum guidelines). I would be very grateful if you informed me on how to proceed. Thank you.

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Moneypac malware won't allow booting in safe mode
    « Reply #1 on: January 23, 2013, 12:32:06 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please post those logs and tell me how you performed the scans.
    Windows 8 and Windows 10 dual boot with two SSD's

    amonwill

      Re: Moneypac malware won't allow booting in safe mode
      « Reply #2 on: January 24, 2013, 11:22:13 AM »
      I can't access anything on the infected computer. I am accessing these forums from a different computer. When the infected computer boots up normally, a full screen ad from moneypac appears and will not let me leave. I cannot access keyboard shortcuts or options for my computer. I can only turn my computer off manually from here. When I boot up in safe mode, the computer automatically reboots immediately after displaying the desktop. I obtained the scans that I have by following the instructions of DragonMaster Jay in this thread: http://www.computerhope.com/forum/index.php?topic=134248.0 which I will paste below for your convenience. The scans I got are also copy and pasted below that. Thank you for your help with this issue.

      Instructions that I followed

      OTLPE + Farbar Recovery Scan Tool

      Download OTLPENet.exe to your desktop
      Download Farbar Recovery Scan Tool and save it to a flash drive.
      Ensure that you have a blank CD in the drive
      Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
      Reboot your system using the boot CD you just created.
      Note : If you do not know how to set your computer to boot from CD follow the steps here
      As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads 
      Your system should now display a Reatogo desktop.
      Note : as you are running from CD it is not exactly speedy
      Insert the flash drive with FRST on it
      Locate the flash drive and run FRST
      The tool will start to run.

      When the tool opens click Yes to disclaimer.
      Press Scan button. It will do its scan and save a log on your flash drive.
      Close out of the message after that, then type in the text services.exe into the "Search:" text box. Then, press the Search file(s) button, just as below:

      When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
      Type exit in the Command Prompt window and reboot the computer normally
      FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.

      FRST.txt

      Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-01-2013 02
      Ran by SYSTEM at 23-01-2013 10:02:12
      Running from D:\
      Microsoft Windows XP   (X86) OS Language: English(US)
      The current controlset is ControlSet001

      ==================== Registry (Whitelisted) ===================

      HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1044480 2008-07-15] (Analog Devices, Inc.)
      HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [128296 2008-05-23] (CyberLink Corp.)
      HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-03] (Adobe Systems Incorporated)
      HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
      HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
      HKLM\...\Run: [DictionaryBoss Search Scope Monitor] "C:\PROGRA~1\DICTIO~2\bar\1.bin\v4srchmn.exe" /m=2 /w /h [42536 2012-08-09] (MindSpark)
      HKLM\...\Run: [DictionaryBoss Browser Plugin Loader] C:\PROGRA~1\DICTIO~2\bar\1.bin\v4brmon.exe [30096 2012-08-09] (VER_COMPANY_NAME)
      HKLM\...\Run: [AntiMalware] "C:\Documents and Settings\All Users\Application Data\AntiMalware.exe" [33272 2013-01-22] (Microsoft Corporation)
      HKLM\...\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

      HKU\Admin.MEDFLOW\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
      HKU\roomB2\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
      HKU\roomB2\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\roomB2\Application Data\skype.dat [45568 2010-12-09] ()
      HKU\roomb4\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
      HKU\roomb4\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [3882312 2008-12-02] (Microsoft Corporation)
      Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
      Tcpip\Parameters: [DhcpNameServer] 192.168.1.252 206.13.28.12
      Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
      ShortcutTarget: Windows Search.lnk -> C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)

      ==================== Services (Whitelisted) ===================

      2 DictionaryBossService; C:\PROGRA~1\DICTIO~2\bar\1.bin\v4barsvc.exe [42504 2012-08-09] (COMPANYVERS_NAME)
      2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
      3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
      2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
      2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe"
      4 NetTcpPortSharing; c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe


      ==================== Drivers (Whitelisted) ====================

      3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-14] (Windows (R) Server 2003 DDK provider)
      3 k57w2k; C:\Windows\System32\DRIVERS\k57xp32.sys [176640 2008-07-15] (Broadcom Corporation)
      0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
      0 SFAUDIO; C:\Windows\System32\drivers\sfaudio.sys [24064 2008-07-15] (Sonic Focus, Inc)
      4 Abiosdsk;
      4 Atdisk;
      1 Changer;
      1 lbrtfdc;
      1 PCIDump;
      3 PDCOMP;
      3 PDFRAME;
      3 PDRELI;
      3 PDRFRAME;
      4 Simbad;
      3 WDICA;


      ==================== NetSvcs (Whitelisted) ===================


      ==================== One Month Created Files and Folders ========

      2013-01-22 19:26 - 2013-01-22 19:26 - 00090112 ____A C:\Windows\Minidump\Mini012213-02.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00090112 ____A C:\Windows\Minidump\Mini012213-01.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00000000 ____D C:\Windows\Minidump
      2013-01-22 19:14 - 2013-01-23 12:53 - 00000004 ____A C:\Documents and Settings\roomB2\Application Data\skype.ini
      2013-01-22 15:01 - 2013-01-22 15:01 - 00033272 ____A (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\AntiMalware.exe
      2013-01-16 10:40 - 2013-01-16 10:41 - 00009507 ____A C:\Windows\KB2799329-IE8.log
      2013-01-10 10:57 - 2013-01-10 10:57 - 00000000 __HDC C:\Windows\$NtUninstallKB2757638$
      2013-01-10 10:56 - 2013-01-10 10:57 - 00008039 ____A C:\Windows\KB2757638.log
      2013-01-02 14:31 - 2013-01-02 14:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CyberLink


      ==================== One Month Modified Files and Folders ========

      2013-01-23 12:32 - 2009-10-10 14:50 - 00000128 ____A C:\Windows\System32\config\netlogon.ftl
      2013-01-23 12:25 - 2008-04-25 16:28 - 01500459 ____A C:\Windows\WindowsUpdate.log
      2013-01-23 10:46 - 2012-04-26 10:05 - 00000384 ___AH C:\Windows\Tasks\Microsoft Antimalware Scheduled Scan.job
      2013-01-23 10:37 - 2009-12-16 15:12 - 00000062 __ASH C:\Documents and Settings\roomB2\Local Settings\desktop.ini
      2013-01-23 10:37 - 2008-04-25 11:16 - 00002206 ____A C:\Windows\System32\wpa.dbl
      2013-01-23 10:36 - 2008-04-25 16:32 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
      2013-01-23 10:36 - 2008-04-25 16:32 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
      2013-01-23 10:36 - 2008-04-25 16:32 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
      2013-01-23 10:36 - 2008-04-25 04:25 - 00000159 ____A C:\Windows\wiadebug.log
      2013-01-23 10:36 - 2008-04-25 04:25 - 00000049 ____A C:\Windows\wiaservc.log
      2013-01-23 10:36 - 2008-04-25 04:17 - 00000000 ____D C:\Windows\security
      2013-01-23 10:01 - 2013-01-23 10:01 - 00000000 ____D C:\FRST
      2013-01-22 19:32 - 2008-04-25 16:32 - 00032634 ____A C:\Windows\SchedLgU.Txt
      2013-01-22 19:28 - 2009-12-16 15:12 - 00000178 ___SH C:\Documents and Settings\roomB2\ntuser.ini
      2013-01-22 19:26 - 2013-01-22 19:26 - 00090112 ____A C:\Windows\Minidump\Mini012213-02.dmp
      2013-01-22 19:26 - 2009-10-10 14:52 - 00000000 __SHD C:\Windows\CSC
      2013-01-22 19:22 - 2013-01-22 19:22 - 00090112 ____A C:\Windows\Minidump\Mini012213-01.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00000000 ____D C:\Windows\Minidump
      2013-01-22 15:01 - 2013-01-22 15:01 - 00033272 ____A (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\AntiMalware.exe
      2013-01-22 12:34 - 2010-03-15 14:43 - 00000410 ____A C:\Windows\BRWMARK.INI
      2013-01-18 17:17 - 2010-01-05 16:59 - 00000000 ____D C:\Documents and Settings\roomB2\Application Data\Eyemaginations.LUMA
      2013-01-16 10:41 - 2013-01-16 10:40 - 00009507 ____A C:\Windows\KB2799329-IE8.log
      2013-01-16 10:41 - 2009-10-22 13:30 - 00000000 ____D C:\Windows\ie8updates
      2013-01-16 10:41 - 2009-04-23 14:21 - 00106258 ____A C:\Windows\updspapi.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 01608649 ____A C:\Windows\iis6.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 01442651 ____A C:\Windows\FaxSetup.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00700162 ____A C:\Windows\ocgen.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00661037 ____A C:\Windows\tsoc.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00486718 ____A C:\Windows\comsetup.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00448810 ____A C:\Windows\msmqinst.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00294562 ____A C:\Windows\ntdtcsetup.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00250792 ____A C:\Windows\netfxocm.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00099180 ____A C:\Windows\MedCtrOC.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00079404 ____A C:\Windows\ocmsn.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00072202 ____A C:\Windows\tabletoc.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00071891 ____A C:\Windows\msgsocm.log
      2013-01-16 10:41 - 2008-04-25 04:22 - 00001374 ____A C:\Windows\imsins.log
      2013-01-16 10:40 - 2009-04-23 14:21 - 00000000 ___HD C:\Windows\$hf_mig$
      2013-01-10 11:15 - 2008-04-25 16:34 - 00000000 ____D C:\Windows\Microsoft.NET
      2013-01-10 11:07 - 2008-04-25 04:22 - 00614030 ____A C:\Windows\System32\PerfStringBackup.INI
      2013-01-10 10:57 - 2013-01-10 10:57 - 00000000 __HDC C:\Windows\$NtUninstallKB2757638$
      2013-01-10 10:57 - 2013-01-10 10:56 - 00008039 ____A C:\Windows\KB2757638.log
      2013-01-10 10:57 - 2008-04-25 04:22 - 00001374 ____A C:\Windows\imsins.BAK
      2013-01-06 00:34 - 2009-04-23 14:21 - 06009856 ____C (Microsoft Corporation) C:\Windows\System32\dllcache\mshtml.dll
      2013-01-06 00:34 - 2008-04-25 11:16 - 06009856 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
      2013-01-04 10:45 - 2009-12-16 15:12 - 00000000 ____D C:\Documents and Settings\roomB2\Local Settings\Application Data\PowerDVD DX
      2013-01-02 14:31 - 2013-01-02 14:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\CyberLink
      2012-12-24 13:18 - 2008-04-25 04:21 - 00096664 ____A C:\Windows\System32\FNTCACHE.DAT


      ==================== Known DLLs (Whitelisted) =================


      ==================== Bamital & volsnap Check =================

      C:\Windows\explorer.exe => MD5 is legit
      C:\Windows\System32\winlogon.exe => MD5 is legit
      C:\Windows\System32\svchost.exe => MD5 is legit
      C:\Windows\System32\services.exe => MD5 is legit
      C:\Windows\System32\User32.dll => MD5 is legit
      C:\Windows\System32\userinit.exe => MD5 is legit
      C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

      ==================== EXE ASSOCIATION =====================

      HKLM\...\.exe: exefile => OK
      HKLM\...\exefile\DefaultIcon: %1 => OK
      HKLM\...\exefile\open\command: "%1" %* => OK

      ==================== Restore Points (XP) =====================


      ==================== Memory info ===========================

      Percentage of memory in use: 12%
      Total physical RAM: 2036.9 MB
      Available physical RAM: 1788.5 MB
      Total Pagefile: 1867.61 MB
      Available Pagefile: 1806.06 MB
      Total Virtual: 2047.88 MB
      Available Virtual: 2001.54 MB

      ==================== Partitions =============================

      1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
      2 Drive c: (OS) (Fixed) (Total:148.97 GB) (Free:115 GB) NTFS ==>[Drive with boot components (Windows XP)]
      3 Drive d: (USB DISK) (Removable) (Total:0.96 GB) (Free:0.96 GB) FAT
      4 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

        Disk ###  Status      Size     Free     Dyn  Gpt
        --------  ----------  -------  -------  ---  ---
        Disk 0    Online       149 GB      0 B         

      Partitions of Disk 0:
      ===============

      The disk management services could not complete the operation.

      =========================================================
      ==================== End Of Log ============================


      Search.txt

      Farbar Recovery Scan Tool (x86) Version: 21-01-2013 02
      Ran by SYSTEM at 2013-01-23 10:04:04
      Running from D:\

      ================== Search: "services.exe" ===================

      C:\WINDOWS\system32\services.exe
      [2008-04-25 11:16] - [2009-02-06 06:11] - 0110592 ____A (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

      C:\WINDOWS\system32\dllcache\services.exe
      [2009-10-12 05:20] - [2009-02-06 06:11] - 0110592 ____C (Microsoft Corporation) 65df52f5b8b6e9bbd183505225c37315

      C:\WINDOWS\$NtUninstallKB956572$\services.exe
      [2009-10-13 09:54] - [2008-04-14 07:00] - 0108544 ____C (Microsoft Corporation) 0e776ed5f7cc9f94299e70461b7b8185

      C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
      [2009-10-12 05:20] - [2009-02-06 06:06] - 0110592 ____A (Microsoft Corporation) 020ceaaedc8eb655b6506b8c70d53bb6

      === End Of Search ===
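Reading an FRST.txt like the one above means scanning the Run/Winlogon entries and the one-month file listing for the same few patterns every time. The script below is an added example for this thread (not from the forum post and not part of FRST itself): it parses those two line formats and flags a Winlogon Shell value that is no longer exactly explorer.exe, an autorun entry launched from a profile's Application Data directory, and an executable created in such a directory within a week of the scan. The sample lines are constructed from entries quoted in the log above, and the scan date is passed in by hand rather than parsed from the header.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread; not FRST's own code. It parses the two line
shapes quoted in the FRST.txt above (registry Run/Winlogon entries and the
one-month file listing) and applies three defensive heuristics.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample in the FRST.txt format shown in the thread.
SAMPLE_FRST = r"""
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKLM\...\Run: [AntiMalware] "C:\Documents and Settings\All Users\Application Data\AntiMalware.exe" [33272 2013-01-22] (Microsoft Corporation)
HKU\roomB2\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\roomB2\...\Winlogon: [Shell] explorer.exe,C:\Documents and Settings\roomB2\Application Data\skype.dat [45568 2010-12-09] ()
2013-01-22 15:01 - 2013-01-22 15:01 - 00033272 ____A (Microsoft Corporation) C:\Documents and Settings\All Users\Application Data\AntiMalware.exe
2013-01-22 19:14 - 2013-01-23 12:53 - 00000004 ____A C:\Documents and Settings\roomB2\Application Data\skype.ini
2013-01-16 10:40 - 2013-01-16 10:41 - 00009507 ____A C:\Windows\KB2799329-IE8.log
"""

# "HKU\<user>\...\Run: [name] value [size date] (vendor)"; size/date and vendor are optional.
REG_LINE = re.compile(
    r"^(?P<hive>HK[^ ]*?)\\\.\.\.\\(?P<key>Run|Winlogon): \[(?P<name>[^\]]+)\] "
    r"(?P<value>.*?)(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<vendor>[^)]*)\))?$"
)
# "created - modified - size attrs (vendor) path"; the vendor part is optional.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)

# Directories a normal user can write to; legitimate autoruns rarely live here.
PROFILE_MARKERS = ("\\application data\\", "\\appdata\\", "\\local settings\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".dat")


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


def in_profile_dir(path: str) -> bool:
    """True if the path (or command line) points into a user-writable profile directory."""
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def triage(text: str, scan_date: date, recent_days: int = 7) -> list:
    """Return findings for every suspicious line in an FRST.txt excerpt."""
    findings = []
    cutoff = scan_date - timedelta(days=recent_days)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = REG_LINE.match(line)
        if m:
            key, name, value = m["key"], m["name"], m["value"]
            if key == "Winlogon" and name.lower() == "shell":
                # The stock Shell value is exactly "explorer.exe"; anything chained
                # after a comma is started by Winlogon at every logon, safe mode included.
                if value.strip().lower() != "explorer.exe":
                    findings.append(Finding("high", "winlogon-shell-modified", line))
            elif in_profile_dir(value):
                findings.append(Finding("medium", "autorun-from-profile-dir", line))
            continue
        m = FILE_LINE.match(line)
        if m:
            created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M").date()
            path = m["path"]
            if created >= cutoff and in_profile_dir(path) and path.lower().endswith(EXEC_EXT):
                findings.append(Finding("medium", "recent-executable-in-profile-dir", line))
    return findings


def triage_sample() -> list:
    """Run the heuristics over the constructed sample with the scan date from the log header."""
    return triage(SAMPLE_FRST, date(2013, 1, 23))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity}] {f.rule}: {f.line}")
```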

      SuperDave

      Re: Moneypac malware won't allow booting in safe mode
      « Reply #3 on: January 24, 2013, 12:48:50 PM »
      FRST Fixlist

      Please run the following:

      Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

      start
      2013-01-22 19:26 - 2013-01-22 19:26 - 00090112 ____A C:\Windows\Minidump\Mini012213-02.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00090112 ____A C:\Windows\Minidump\Mini012213-01.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00000000 ____D C:\Windows\Minidump
      2013-01-22 19:26 - 2013-01-22 19:26 - 00090112 ____A C:\Windows\Minidump\Mini012213-02.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00090112 ____A C:\Windows\Minidump\Mini012213-01.dmp
      2013-01-22 19:22 - 2013-01-22 19:22 - 00000000 ____D C:\Windows\Minidump
      end

      NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

      Now, please enter System Recovery Options then select Command Prompt.

      Run FRST and press the Fix button just once and wait.
      The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

      Now restart, let it boot normally and tell me how it went.

      amonwill

        Re: Moneypac malware won't allow booting in safe mode
        « Reply #4 on: January 24, 2013, 01:32:58 PM »
        I followed the instructions that you provided however when I rebooted normally there has been no change. The moneypac full screen ad still appears. The fixlog is pasted below.

        fixlog.txt

        Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-01-2013 02
        Ran by SYSTEM at 2013-01-24 12:51:57 Run:1
        Running from D:\

        ==============================================

        C:\Windows\Minidump\Mini012213-02.dmp moved successfully.
        C:\Windows\Minidump\Mini012213-01.dmp moved successfully.
        C:\Windows\Minidump moved successfully.
        C:\Windows\Minidump\Mini012213-02.dmp not found.
        C:\Windows\Minidump\Mini012213-01.dmp not found.
        C:\Windows\Minidump not found.

        ==== End of Fixlog ====

        SuperDave

        Re: Moneypac malware won't allow booting in safe mode
        « Reply #5 on: January 24, 2013, 03:50:19 PM »
        We will need to try something else more drastic.

        We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.

        Download the OTLPE Standard REATOGO Windows Recovery Environment.
        • Place a blank CD-R disc in to your CD burning drive.
        • Download OTLPEStd.exe and double-click on it to burn to a CD using an ISO Burner. One can be found here.
        • Reboot your system using the boot CD you just created.
        • Note : If you do not know how to set your computer to boot from CD follow the steps here
        • Your system should now display a REATOGO-X-PE desktop.
        • Double-click on the OTLPE icon.
        • When asked "Do you wish to load the remote registry", select Yes
        • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
        • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
        • OTL should now start. Change the following settings
        • Change Drivers to Non-Microsoft
        • Press Run Scan to start the scan.
        • When finished, the file will be saved in drive C:\_OTL\MovedFiles
        • Copy this file to your USB drive if you do not have internet connection on this system
        • Please post the contents of the OTL.txt file in your reply.

        amonwill

          Re: Moneypac malware won't allow booting in safe mode
          « Reply #6 on: January 24, 2013, 05:12:52 PM »
          I am unable to follow the step that asks me to change Drivers to Non-Microsoft. The program also did not ask me if I wished to load the remote registry when I first opened it. I uploaded a picture of the program as it looked immediately after OTL started. Is it under another option?


          SuperDave

          Re: Moneypac malware won't allow booting in safe mode
          « Reply #7 on: January 24, 2013, 07:19:40 PM »
          I'll try this tomorrow on my computer and get back to you. I've used this program once before but I've never experienced this problem. I'll be back.

          SuperDave

          Re: Moneypac malware won't allow booting in safe mode
          « Reply #8 on: January 26, 2013, 12:36:03 PM »
          I tried my recovery disk and I can't simulate the problems you're experiencing. You will have to experiment with the disk and see if you can get the scan started.