Arestocrat Like Malware [Solved]


  • This topic is locked This topic is locked

#1 FL_Issac (Member, 35 posts)
Hello and good day once more!

So a family member recently handed me their netbook saying, the ICE Cybercrime Division of Homeland Security apparently wants a few hundred dollars, fix it.

Taking a look at the netbook, it looks a lot like the arestocrat malware (same scam, different graphics). I tried using the method Essexboy had described to me in the past for the arestocrat malware (forum thread: http://www.geekstogo...e__pid__2295593 ) by taking Xpud, loading it and bash'ing rst.sh to get a list of all restore points and then going back to one of them. My intent was to get it to boot, run OTL and then post here asking for help :X

Here is where the malware is different. Going back several restore points doesn't seem to make a difference, the malware starts up on reboot anyways even at previous restore points, some as far back as a few months when I know it was in working order.

I haven't been able to load in any form of safemode either, as it will blue screen. It is only booting into the regular mode (in which the malware activates) or to a USB stick I have with xpud on it currently.

Once more I come here with a simple question of, what should I do next?

Thanks in advance,
Issac
#2 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Hello Issac, Welcome to Malware Removal section of the forum.

My name is SleepyDude and I will be helping you with your computer problem. I know that having a computer with problems can be very frustrating, but I will do my best to help you fix the issue.

Please note I'm currently in training, all my responses will be revised by my Teacher before I post so expect a slight delay between replies. On the bright side, you have two people to examine your problem!

Sometimes this can be a long process, it's very important that you stay with me and follow all my instructions to the letter until I declare your machine is clean.

I have compiled a list of guidelines you must take into consideration so that the helping process goes smoothly for you and for me:

  • Please perform all steps in the order they are listed in each set of instructions.
  • Don't install/uninstall any software or run any other cleaning tools besides the ones I ask you to use.
    • Running other programs can interfere with the tools we use and have unpredictable results. Also, I need to know what is going on with your machine at any time.
  • If possible, avoid using the computer for other tasks until we finish the cleaning process.
    • The reason for this is that it can make the malware infection worse and more difficult to clean. Some malware can download updates from the internet when you use the computer.
  • Please don't attach your logs; instead, copy & paste the information into your post unless specifically instructed to do so.
  • Please read every post completely before doing anything. If you have any doubts or questions, please ask before continuing.

IMPORTANT: At GeeksToGo we do our best to help you solve the problem, but sometimes things don't go as planned. Better safe than sorry: you should back up your important data to a safe place, anywhere except on the computer with problems.

The whole fixing process needs to be executed from a user account with Administrator privileges. Also, some of the tasks need to be executed in Safe Mode, so you should save or print the instructions for use when you don't have access to the forum.

Can you tell me which version of Windows is installed on the machine?
Do you have the install CD/DVD for the installed Windows?
#3 FL_Issac (Topic Starter, Member, 35 posts)
Hello there Sleepydude.

No worries about the training, we all learn sometime ;)

The netbook is running Windows XP, and an install CD was not provided or is not available; I believe they likely rolled it into a separate partition on the hard drive. It's not my netbook, I'm much safer with my computer haha.
#4 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Hi,

Some more questions:
- Does the machine have a CD drive?
- Can you burn a CD on your computer? We need to use it to boot the "bad" computer.

If a CD isn't available do you have a flash drive with size 512MB or bigger?
#5 FL_Issac (Topic Starter, Member, 35 posts)
There is no CD drive.

I do have a 4GB SanDisk flash drive that I am willing to blank and use for whatever purposes.
#6 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)

OK, let's create a bootable flash drive...

Step 1 - Download files

Create a folder on your Desktop called G2G
Download the following files and save them to the folder G2G

Step 2 - Install 7-Zip

Open the G2G folder, and install 7-Zip by executing the file 7z920.exe you have downloaded.

Step 3 - Extract the ISO

In the G2G folder, right-click the OTLPEStd.exe file and from the context menu expand the 7-Zip menu and click Extract Here.

Step 4 - "Burn" the ISO to the flash drive

  • Plug in the flash drive and make sure it's empty, because ALL THE DATA WILL BE DELETED!!
  • Execute Rufus by double-clicking the file rufus_v1.3.4.exe you have downloaded, and accept any Security Warning if running Windows Vista or higher.
  • Check the options: Quick Format and Create a bootable disk using ISO Image.
  • Click the CD button and select the file OTLPE_New_Std.iso located in the G2G folder.
  • Click Start and wait for the program to extract the files from the ISO to the flash drive and make it bootable.

Step 5 - Farbar Recovery Scan

Download Farbar Recovery Scan Tool and save it to a flash drive.

Step 6 - Boot the infected system with the flash drive

  • Reboot your infected system using the boot USB you just created.
    Note: If you do not know how to set your computer to boot from USB, follow the steps here.
  • As the program needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads.
  • Your system should now display a Reatogo desktop.
  • Locate the flash drive and run FRST.
  • The tool will start to run.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

#7 FL_Issac (Topic Starter, Member, 35 posts)
I just followed all of those steps to the letter but the netbook did not boot into a Reatogo desktop. It booted into Windows as usual.

I do have it set up to boot from a USB drive. Before quick formatting the flash drive as per your steps, it had an Ubuntu Linux partition on it that would boot just fine. I've had issues with Reatogo working before... is there something else we can try?
#8 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Hi,

Did you see the message to Press a key to boot from the USB?

If you can't see that message, let's try to format the flash drive with a different program...

  • Plug in the flash drive and make sure it's empty, because ALL THE DATA WILL BE DELETED!!
  • Download Install_RMPrepUSB_Full_v2.1.709a.zip from the RMPrepUSB page.
    Extract the zip file and install the program, accept all the defaults and run the program.
  • On the RMPrepUSB interface, adjust the program options according to the options below:
  • Make sure you select the drive corresponding to your USB flash drive.
  • Adjust the volume label as you like.
  • Set Bootloader Options to XP/BartPE [NTLDR].
  • Choose Filesystem: FAT32.
  • Check the box Boot as HDD (C: 2PTNS).
  • Check 5 Copy OS files from here after formatting.
  • Click the Choose Source button and select the OTLPE_New_Std.iso located in the G2G folder.
  • Click Prepare Drive, accept all the prompts, and again make sure all the commands will be executed on your flash drive; if not, click Cancel.
    If everything goes as expected, the RMPrepUSB interface will show this:

Try to boot the infected computer again and let me know the result.
#9 FL_Issac (Topic Starter, Member, 35 posts)
Good Morning Sleepydude!

Doing these instructions and plugging the flash drive into the infected computer yields the following message:

Remove disks or other media.
Press any key to restart

It won't boot to this it seems.

I also reviewed the BIOS settings just to be sure I had set the USB HDD as the first... my Boot order is the following
1) USB HDD: (which identifies the flash drive as being plugged in)
2) USB FDD:
3) USB CDROM:
4) IED0: WDC WD1600BEVT-22ZCTO
5) IDE1:
6) NETWORK BOOT: ATHEROS BOOT AGENT

So it definitely should be booting from the USB Flash Drive... it just doesn't seem to like this image
#10 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Hi,

Please try the USB FDD option, because in some BIOSes the flash drive is detected as HDD and in others as FDD.
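The "Remove disks or other media" message above is the BIOS reporting that it found the stick but nothing bootable on it: the first sector (the master boot record) must end in the 0x55AA signature, contain boot code, and have exactly one partition flagged active. The Python below is an added example written for this thread, not code from the thread, Rufus or RMPrepUSB; check_mbr and build_mbr are illustrative names and the sample sectors are constructed.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a bootable MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"        # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry."""
    status, ptype, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
    return {"active": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> dict:
    """Return the sector-level reasons a BIOS would refuse to boot this MBR, if any."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = [parse_partition_entry(sector[off:off + ENTRY_SIZE])
               for off in range(PARTITION_TABLE_OFFSET, 510, ENTRY_SIZE)]
    active = [e for e in entries if e["active"]]
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if not any(sector[:PARTITION_TABLE_OFFSET]):
        problems.append("boot code area is all zeros")
    if not active:
        problems.append("no partition flagged active (0x80)")
    elif len(active) > 1:
        problems.append("more than one active partition")
    return {"bootable": not problems, "problems": problems, "partitions": entries}


def build_mbr(boot_code: bytes, partitions, signature: bool = True) -> bytes:
    """Construct a demo MBR; boot_code is a placeholder, not real x86 code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if active else 0x00, ptype, lba_start, sectors)
    if signature:
        sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: one FAT32-LBA (type 0x0C) partition, as a USB formatting tool would write.
STUB = b"\xfa\x33\xc0\x8e\xd0"  # placeholder bytes standing in for boot code
GOOD_MBR = build_mbr(STUB, [(True, 0x0C, 2048, 7_800_000)])
NO_SIGNATURE_MBR = build_mbr(STUB, [(True, 0x0C, 2048, 7_800_000)], signature=False)
NO_ACTIVE_MBR = build_mbr(STUB, [(False, 0x0C, 2048, 7_800_000)])
```

On a real stick, read the first 512 bytes of the raw device (for example `\\.\PhysicalDrive1` on Windows, which needs administrator rights) and pass them to check_mbr; a clean result only rules out these sector-level causes, since some BIOSes still mishandle a correctly prepared stick.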
#11 FL_Issac (Topic Starter, Member, 35 posts)
Hi Sleepydude,

Changed it so USB FDD was first; it still gives the message:

Remove disks or other media.
Press any key to restart
#12 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Hi,

Can you please try again with Rufus? I just tested this and it should work. I also updated the Rufus screenshot; make sure yours matches mine.

"Burn" the ISO to the flash drive

  • Plug in the flash drive and make sure it's empty, because ALL THE DATA WILL BE DELETED!!
  • Execute Rufus by double-clicking the file rufus_v1.3.4.exe you have downloaded, and accept any Security Warning if running Windows Vista or higher.
  • Make sure you have selected the correct Device.
  • Check the options: Quick Format and Create a bootable disk using ISO Image.
  • Click the CD button and select the file OTLPE_New_Std.iso located in the G2G folder.
    (The name of the ISO must be shown in the bottom left corner of the Rufus window.)
  • Click Start and wait for the program to extract the files from the ISO to the flash drive and make it bootable.

Farbar Recovery Scan

Download Farbar Recovery Scan Tool and save it to a flash drive.
#13 FL_Issac (Topic Starter, Member, 35 posts)
Hi again,

I did the same thing and again it didn't boot to the USB stick. Here is a screenshot of Rufus showing I'm using all the options you mention. Any advice?
#14 SleepyDude (Trusted Helper, Malware Removal, 4,975 posts)
Same result if you try to boot selecting USB HDD and USB FDD?
#15 FL_Issac (Topic Starter, Member, 35 posts)
Yup, the same result happens with each option.