Hostageware/ Arestocrat virus?


  • This topic is locked
25 replies to this topic

#1 beto85

beto85

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 14 May 2013 - 09:49 PM

Hello everyone,
 
About a week ago I was online when all of a sudden all the internet explorer windows closed at once and a screen with the U.S. Department of Justice logo and this message appeared: "The work of your computer has been suspended on the grounds of the violation of the law of the United States of America."
 

[screenshot attachment: nz1fs.jpg]

 
I did a little research and found out this is a type of "hostageware"
 
The PC is an HP m370n Media Center PC 160 GB HD, 2 GB RAM with Windows XP Professional Service Pack 3.
 
I tried to start Windows in safe mode with networking, safe mode with command prompt, safe mode, last known working configuration, and normally; however, it was unsuccessful in any safe mode or last known working configuration. When the PC starts up the desktop loads as normal and I am able to move the mouse around and click on Start, but after a few seconds the hostageware message loads and locks up the PC. I've seen a window while having the Start menu open that says "Arestocrat" and I'm not sure what that is, but I'm guessing it's probably the hostageware virus. I have tried going into msconfig and restarting in safe mode, but you only have a few seconds before the virus locks up the PC. Pressing the power button only restarts the PC and you have to hold it down to shut it off.
 
I tried loading the Hitman.Pro program onto a USB drive, but it didn't work in any of the 3 options.

 

[screenshot attachment: acrox.jpg]

 

Is there any way to use the USB drive to load another type of tool that will remove the virus? Any help would be appreciated. Thank you.

 

 

 

 




 


#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,716 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:13 AM

Posted 15 May 2013 - 08:41 PM

I'll report this topic to appropriate helpers.

Hold on there...




 


#3 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 16 May 2013 - 12:15 AM

I'll report this topic to appropriate helpers.

Hold on there...

 

Sure no problem thank you



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 17 May 2013 - 02:20 AM

Hello,
Could you please let me know if you have the possibility to boot from a CD on your computer and to burn an .iso file to CD?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 17 May 2013 - 03:15 AM

Hello,
Could you please let me know if you have the possibility to boot from a CD on your computer and to burn an .iso file to CD?

 

Hey,

 

Yes, I could make a CD with an .iso file to boot on the PC. I'm using the laptop for now, so I could do that.



#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 17 May 2013 - 07:37 AM

Okay, please create the following CD.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your user folder (for example /mnt/sda1/documents and settings/<your username>)
  • Look in the following locations in that folder and let me know what is listed there:
    application data (list only the files you see here, no need for the folders)
    start menu/programs/startup

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 18 May 2013 - 01:07 AM

Okay, please create the following CD.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your user folder (for example /mnt/sda1/documents and settings/<your username>)
  • Look in the following locations in that folder and let me know what is listed there:
    application data (list only the files you see here, no need for the folders)
    start menu/programs/startup

 

 

Hey Elise,

 

I loaded the xPUD and here's what I found in application data: various folders and two files "desktop.ini" and "G-Force Prefs (WindowsMediaPlayer).txt"

 

[screenshot attachment: mu76rt.jpg]

 

And in Start Menu/ Programs/ Startup there are two files: "AutoTBar.exe" and "desktop.ini"

 

[screenshot attachment: 2w49xn4.jpg]



#8 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 23 May 2013 - 08:09 PM

Does anyone know if I can run rkill, Malwarebytes or some other tool off a USB drive using the xPUD program? I'm not sure if I can download anything using the internet mode of xPUD.



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 24 May 2013 - 02:26 AM

My apologies, something must have gone wrong with my previous reply to you.

 

Is Administrator the profile you usually use? What else do you see in /mnt/sda2/documents and settings?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#10 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 25 May 2013 - 12:19 AM

My apologies, something must have gone wrong with my previous reply to you.

 

Is Administrator the profile you usually use? What else do you see in /mnt/sda2/documents and settings?

 

No worries,

 

Yeah, I only use administrator, no other profiles. In /mnt/sda2/documents and settings there are only 5 folders: administrator, All users, default user, localservice, and networkservice.

 

[screenshot attachment: wtyngj.jpg]

 

 

And in mnt/sda2/documents and settings/ administrator/ there are several folders and four files: ntuser.dat, ntuser.dat.log, ntuser.ini, and productcontext2400.log

 

[screenshot attachment: eswb9h.jpg]

 

 

I haven't tried the firefox browser in xPUD to see if I can download anything that might work.



#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 25 May 2013 - 03:14 AM

Can you please look in the All Users application data and startup folders to see what is there?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#12 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 27 May 2013 - 10:33 PM

Hello,

 

Sorry for the delay.

 

In All Users/Application Data there are various folders and 5 files: 1.bmp, 1.jpg, desktop.ini, DisplaySwitch.exe, hpzinstall.log

 

And in All Users/Start Menu/Programs/Startup there are 4 files: desktop.ini, HP Digital Imaging Monitor.Ink, HP Image Zone Fast Start.Ink, Updates from HP.Ink



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 28 May 2013 - 01:59 AM

Using the Firefox browser, can you get online? If so, upload the following file to www.virustotal.com: displayswitch.exe

 

In any case, right click on displayswitch.exe, and select Rename. Rename the file to displayswitch.vir and restart the computer. Does the ransom screen still show up?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
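The checks in this and the earlier replies (list the files in each profile's Application Data and Startup folders, then deal with any executable found there) can be done for all profiles at once from the live CD. The script below is an added example written for this page, not code from the thread or from xPUD; it assumes the infected volume is already mounted at a path you pass in (the thread's mount point was /mnt/sda2), and the sample file tree used to exercise it is constructed.

```python
# Added example, not code from this thread or from xPUD: offline triage of
# the Windows XP autostart folders that Elise has the poster inspect by hand.
# Run from the live CD against the mounted infected volume (the thread's mount
# point was /mnt/sda2). It lists the files (folders skipped) in every profile's
# "Application Data" root and "Start Menu\Programs\Startup", flagging executables.
from pathlib import Path

# Loose executables in these folders are suspect. Shortcuts (.lnk) are the
# normal content of Startup, so they are reported but not flagged.
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".dll"}

LOCATIONS = {
    "appdata": ("Application Data",),
    "startup": ("Start Menu", "Programs", "Startup"),
}


def resolve_ci(base, *parts):
    """Walk `parts` below `base`, matching names case-insensitively (NTFS ignores
    case, a Linux mount does not; the thread shows the path in lowercase)."""
    cur = Path(base)
    for part in parts:
        if not cur.is_dir():
            return None
        match = [c for c in cur.iterdir() if c.name.lower() == part.lower()]
        if not match:
            return None
        cur = match[0]
    return cur


def triage_autostart(mount_root):
    """Return (profile, location, filename, suspicious) tuples for every
    file found in each profile's autostart locations under mount_root."""
    findings = []
    docs = resolve_ci(mount_root, "Documents and Settings")
    if docs is None:
        return findings
    for profile in sorted(p for p in docs.iterdir() if p.is_dir()):
        for label, parts in LOCATIONS.items():
            folder = resolve_ci(profile, *parts)
            if folder is None:
                continue
            for f in sorted(folder.iterdir()):
                if f.is_file():
                    flagged = f.suffix.lower() in EXEC_EXT
                    findings.append((profile.name, label, f.name, flagged))
    return findings
```

Call `triage_autostart("/mnt/sda2")` from any Linux live environment that has Python; the flagged entries are the candidates to upload to a scanner or to rename so they no longer run, which is what was done with displayswitch.exe in this thread.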


#14 beto85

beto85
  • Topic Starter

  • Members
  • 34 posts
  • Local time:04:13 AM

Posted 29 May 2013 - 11:24 PM

Using the Firefox browser, can you get online? If so, upload the following file to www.virustotal.com: displayswitch.exe

 

In any case, right click on displayswitch.exe, and select Rename. Rename the file to displayswitch.vir and restart the computer. Does the ransom screen still show up?

 

Hey Elise,

 

I couldn't get online using Firefox, but I did change the filename to .vir instead of .exe, took out the xPUD CD and restarted the PC. It loaded as normal and it worked, so thank you for that. The file displayswitch.exe is only about 130 kb, but once I changed the ending it didn't load the ransom screen.

 

I dunno about people with other variants, but maybe they could also try looking for that file or similar and renaming it. I'm gonna scan the PC now, restart it again and see if it occurs again.



#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:13 PM

Posted 30 May 2013 - 01:16 AM

Okay, now that that works, let's do some cleanup. :)

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




