Arestocrat on Win 7 [Closed]


#1 cnedhogan (New Member, 9 posts)
I have the Arestocrat virus on Win 7 Enterprise. I downloaded Farbar on a Flash USB drive and tried to load it on the infected machine using both Advanced Boot and Safe Mode w/ Command Line. Both options freeze up on a screen saying "Loading Windows Files...Please wait." I don't know how long I am supposed to wait, but after more than 10 minutes I am assuming nothing is going to happen. If I start Windows normally, then the FBI screen pops up after a few seconds and I can't do anything else. Any new ideas for this scenario?
#2 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

Let's see if we can get this to run.

  • Download OTLPE from either location and save it to your desktop:

    http://oldtimer.geek...om/OTLPEStd.exe
    http://ottools.noahd...et/OTLPEStd.exe
  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPE Iso to be burned to CD
  • Place a blank CD in your CD-Rom
  • Click Posted Image to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first

    Note: For information, click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press "OK"
  • OTL should now start.
  • Push Posted Image
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your next reply.

Gringo

#3 cnedhogan (Topic Starter, New Member, 9 posts)
I just booted from the OTLPE cd and got to the drive selection. I chose Local Disk (C:), but get a RunScan error message saying "Target is not Windows 2000 or later" and it kicks me back to the Reatogo desktop screen. My computer runs Windows 7 Enterprise, or at least it used to. The other choices for drives to scan were RAMDisk (B:), ReatogoPE (X:) and Shared Documents. Ideas?

#4 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Download the following three programmes to your desktop (select 32 or 64 bit as appropriate):

1. WiNTBootIc

2. Windows 7 64bit RC or Windows 7 32 bit

3. Farbar Recovery Scan Tool x64 or Farbar Recovery Scan Tool 32bit

Extract wintoboot to your desktop.

Insert a USB drive of at least 1GB.

Run Wintoboot.

Posted Image

Drag and drop the Windows 7 ISO to the programme in the space indicated.

Tick the Format box and accept the warnings.

Press Do It.

You will see it progressing.

Posted Image

It will let you know when it is done.

Then copy FRST to the same USB.

Posted Image

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.

Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this, although yours will say Windows 7.

Click Repair my computer.

Posted Image

Select your operating system.

Posted Image

Select Command prompt.

Posted Image

At the command prompt type the following:

notepad and press Enter.

The notepad opens. Under the File menu select Open.

Select "Computer" and find your flash drive letter, then close the notepad.

In the command window type e:\frst64.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

The tool will start to run.

When the tool opens, click Yes to the disclaimer.

Posted Image

Press the Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

#5 cnedhogan (Topic Starter, New Member, 9 posts)
I booted from USB and have a choice of "Use Recovery tools that can help fix problems..." or "Restore your computer using a system image created earlier." Under the first option, my OS was not listed (none shown). What drivers should I try to load, and from where? The USB or from other media? I don't have any of my original PC disks handy, but I can download drivers if I know what I need.

#6 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

"My OS was not listed (none shown)." What happens if you click Next?

gringo

#7 cnedhogan (Topic Starter, New Member, 9 posts)
I get to the Sys Recovery Options screen. I followed the instructions up until e:\frst64.exe but when I hit Enter it gives an error. Not a recognized command...

#8 cnedhogan (Topic Starter, New Member, 9 posts)
Wait, I just got it to run. Accessed it through Notepad, then opened and ran it as Administrator. Stay tuned.

#9 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Try it without the 64.

#10 cnedhogan (Topic Starter, New Member, 9 posts)
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Ran by SYSTEM on 14-05-2013 23:54:28
Running from E:\
WIN_7 (X86) OS Language: English(US)
Boot Mode: RecoveryAttention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.

ATTENTION: Software hive is not loaded.

BootExecute:

========================== Services (Whitelisted) =================


==================== Drivers (Whitelisted) ====================


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========


==================== One Month Modified Files and Folders ========


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 3893.83 MB
Available physical RAM: 3470.71 MB
Total Pagefile: 3892.11 MB
Available Pagefile: 3470.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.62 MB

==================== Drives ================================

Drive e: () (Removable) (Total:3.68 GB) (Free:3.49 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: FFDD3528)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=07 NTFS)

==================== End Of Log ============================
#11 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

That does not look correct. I want you to rerun it, but this time when you get to this part:

"I get to the Sys Recovery Options screen. I followed the instructions up until e:\frst64.exe but when I hit Enter it gives an error. Not a recognized command..."

I want you to use e:\frst.exe (without the 64).

#12 cnedhogan (Topic Starter, New Member, 9 posts)
Just ran again without the 64. Looks like the same thing. Is this just because I did not select an OS before running the scan?
---------------------------

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Ran by SYSTEM on 15-05-2013 00:32:57
Running from E:\
WIN_7 (X86) OS Language: English(US)
Boot Mode: RecoveryAttention: Could not load system hive.
Attention: System hive is missing.

==================== Registry (Whitelisted) ==================

Attention: Software hive is missing.

ATTENTION: Software hive is not loaded.

BootExecute:

========================== Services (Whitelisted) =================


==================== Drivers (Whitelisted) ====================


==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========


==================== One Month Modified Files and Folders ========


==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
C:\Windows\system32\codeintegrity\Bootcat.cache IS MISSING <==== ATTENTION!.
C:\Windows\System32\winsrv.dll IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 3893.83 MB
Available physical RAM: 3480.95 MB
Total Pagefile: 3892.11 MB
Available Pagefile: 3482.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1950.62 MB

==================== Drives ================================

Drive e: () (Removable) (Total:3.68 GB) (Free:3.49 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 233 GB) (Disk ID: FFDD3528)
Partition 1: (Active) - (Size=233 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 4 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=4 GB) - (Type=07 NTFS)

==================== End Of Log ============================
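Added example, not code from the thread or from FRST: a small Python triage helper for FRST output like the two logs posted above. It splits the log into its "====" sections, lists the hives FRST could not load, the files flagged IS MISSING and the EXE-association entries, and cross-checks the flagged paths against the Drives section, since a C: that FRST never lists as a drive is consistent with the Windows volume not being mounted for the scan rather than with those files being gone. The sample log is an abridged copy of the one in the post.

```python
import re

# Abridged copy of the FRST log posted in this thread, used as sample input
# (constructed from the post above; the empty sections are dropped).
SAMPLE_LOG = r"""
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-05-2013
Boot Mode: RecoveryAttention: Could not load system hive.
Attention: System hive is missing.
==================== Registry (Whitelisted) ==================
Attention: Software hive is missing.
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!
==================== Drives ================================
Drive e: () (Removable) (Total:3.68 GB) (Free:3.49 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "==== Name ===="
MISSING_RE = re.compile(r"^([A-Za-z]):\\.*\bIS MISSING\b")

def parse_sections(text):
    """Split an FRST log into {section name: [non-empty lines]}; preamble is 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m and m.group(1).strip("= "):        # skip bare "=====" separators
            current = m.group(1)
            sections[current] = []
        elif line.strip():
            sections[current].append(line)
    return sections

def triage(text):
    """Pull out what a helper reads first: hives, flagged files, EXE association, drives."""
    s = parse_sections(text)
    hives = re.findall(r"Attention: (\w+) hive is missing", text)
    drives = {d.lower() for d in re.findall(
        r"^Drive ([A-Za-z]):", "\n".join(s.get("Drives", [])), re.M)}
    missing = [ln.split(" IS MISSING")[0]
               for ln in s.get("Bamital & volsnap Check", []) if MISSING_RE.match(ln)]
    # "IS MISSING" on a drive letter FRST does not list under Drives is not
    # evidence the files are gone: that volume was never mounted for the scan.
    unmounted = {p[0].lower() for p in missing} - drives
    exe_flags = sum("ATTENTION" in ln for ln in s.get("EXE ASSOCIATION", []))
    return {"missing_hives": hives, "drives": drives, "missing_files": missing,
            "unmounted_letters": unmounted, "exe_assoc_flags": exe_flags}
```

Run `triage(SAMPLE_LOG)`; for the posted log it reports both hives missing, three flagged files, and `unmounted_letters == {"c"}`, the detail that explains why every C:\ path came back as missing.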

#13 gringo_pr (Trusted Helper, Malware Removal, 7,268 posts)
Hello

OK, let's try something. When you get to the System Recovery Options, I want you to select System Restore and let's see if we can restore to before you got this virus.

Untitled.png

Gringo

#14 cnedhogan (Topic Starter, New Member, 9 posts)
I tried that, and it doesn't work because I have to select an OS on the previous screen, and there are none listed. If I knew what drivers to load and where to find them, I should be able to take care of that. Can you help with that part?

#15 cnedhogan (Topic Starter, New Member, 9 posts)
Is it possible that the Win 7 ISO file I downloaded and copied to the USB drive is not working correctly? If you have another trusted site for a download, I can do that all over again. Let me know what you think.

As a last resort, I do have a full system image and file backup on an external hard drive that I should be able to reimage with. But it is almost 9 months old, and I do not want to lose that much data unless there are no other options.