[ng15]

I just read a post in this forum titled "Arestocrat Virus/Malware/Spyware". I attempted to follow the instructions in that post, but was unsuccessful in removing the virus/malware. I am operating Windows XP on a Lenovo ThinkPad. Is there some direction that can be provided as to how to remove it?

[Advertisements]

Hello

Lets see if we can get this to run

• Download OTLPE from either location and save it to your desktop:
  
  http://oldtimer.geek...om/OTLPEStd.exe
  http://ottools.noahd...et/OTLPEStd.exe
  
• Double click the OTLPENet icon on your desktop
• "Do you want to burn the CD?" choose Yes
• ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
• Place a blank CD in your CD-Rom
• Click to start the burn process
• You will see a dialog "Operation successfully completed"
• Boot the non-working computer using the boot CD you just created
• In order to do so, the computer must be set to boot from the CD first
  
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
• OTL should now start.
• Push
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your next reply.

Gringo

[gringo_pr]

Hello

Lets see if we can get this to run

• Download OTLPE from either location and save it to your desktop:
  
  http://oldtimer.geek...om/OTLPEStd.exe
  http://ottools.noahd...et/OTLPEStd.exe
  
• Double click the OTLPENet icon on your desktop
• "Do you want to burn the CD?" choose Yes
• ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
• Place a blank CD in your CD-Rom
• Click to start the burn process
• You will see a dialog "Operation successfully completed"
• Boot the non-working computer using the boot CD you just created
• In order to do so, the computer must be set to boot from the CD first
  
  Note : For information click here
  
• Your system should now display a REATOGO-X-PE desktop.
• Double-click on the OTLPE icon.
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
• OTL should now start.
• Push
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your next reply.

Gringo

[ng15]

Thanks, Gringo, but I opened OTLPE in the REATOGO-X-PE desktop but get the message "RunScanner Error: Target is not windows 2000 or later".

[gringo_pr]

Try this please. You will need a USB drive.

Download http://unetbootin.so...dows-latest.exe & http://noahdfear.net.../xpud-0.9.2.iso to the desktop of your clean computer

• Insert your USB drive
• Press Start > My Computer > right click your USB drive > choose Format > Quick format
• Double click the unetbootin-xpud-windows-387.exe that you just downloaded
• Press Run then OK
• Select the DiskImage option then click the browse button located on the right side of the textbox field.
• Browse to and select the xpud-0.9.2.iso file you downloaded
• Verify the correct drive letter is selected for your USB device then click OK
• It will install a little bootable OS on your USB device
• Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
• After it has completed do not choose to reboot the clean computer simply close the installer
• Next download http://noahdfear.net...loads/driver.sh to your USB
• Remove the USB and insert it in the sick computer
• Boot the Sick computer
• Press F12 and choose to boot from the USB
• Follow the prompts
• A Welcome to xPUD screen will appear
• Press File
• Expand mnt
• sda1,2...usually corresponds to your HDD
• sdb1 is likely your USB
• Click on the folder that represents your USB drive (sdb1 ?)
• Confirm that you see driver.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash driver.sh
• Press Enter
• After it has finished a report will be located on your USB drive named report.txt
• Remove the USB drive and insert back in your working computer and navigate to report.txt
  
  Please note - all text entries are case sensitive

Copy and paste the report.txt for my review

[ng15]

I've checked to make sure driver.sh is on the USB, but when I type "bash driver.sh" into the terminal prompt, I get the message "No such file or directory" But I do see an icon for sdrive.

[gringo_pr]

Download http://noahdfear.net/downloads/rst.sh to the USB drive

• Boot the Sick computer with the USB drive again
• Press File
• Expand mnt
• Expand your USB (sdb1)
• Confirm that you see rst.sh that you downloaded there
• Press Tool at the top
• Choose Open Terminal
• Type bash rst.sh
• Press Enter
• After it has finished a report will be located at sdb1 named enum.log
• Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

[gringo_pr]

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

[gringo_pr]

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

[gringo_pr]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.