Spamhaus Ransomware Virus

Posted by Dan Steiner on Apr 24, 2013

The Spamhaus Ransomware infection is one of the more unusual ransomware infections: not only does it block you from accessing your computer’s desktop and programs, but even if you are somehow able to access your files, it will have encrypted them so you cannot view them in any way. The Spamhaus Ransomware infection is therefore incredibly dangerous, and it is crucial that you remove it the moment you discover you are infected.

The Spamhaus Ransomware scans for any files ending with the following extensions, which it then encrypts: .ddrw, .pptm, .dotm, .xltx, .text, .docm, .djvu, .potx, .jpeg, .pptx, .sldm, .xlsm, .sldx, .xlsb, .ppam, .xlsx, .ppsm, .ppsx, .docx, .odp, .eml, .ods, .dot, .php, .xla, .pas, .gif, .mpg, .ppt, .bkf, .sda, .mdf, .ico, .dwg, .mbx, .sfx, .mdb, .zip, .xlt. Once the ransomware encrypts a file, it renames the file as an HTML file and embeds the encrypted file inside it. Thus, when you try to open the encrypted file, you will be taken to a web page (blocked by http://xblblock.com) and instructed to pay a “ransom” via a MoneyPak code.

At this moment, there isn’t a decryptor available for the files encrypted by Spamhaus Ransomware. Therefore, you will need to restore the files from a previous backup (and if you do not have one, we highly suggest you make a habit of backing up your data in the future). If there is not a backup available, your other option is to restore the file from a previous version in Windows. To accomplish this, rename the file to the original filename, right-click the file, select Properties, select Previous Versions, and select the file from the previous versions found. Once found, back up the existing encrypted file, then restore it to the previous version; Windows will restore the older file and overwrite the encrypted one. It’s a long, roundabout way of obtaining your files, but in the end it’s worth it if you do not have a backup of your files.
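As an added example (not part of the original guide), the following read-only Python triage lists which files under a folder still carry one of the targeted extensions and which HTML files look like renamed wrappers, together with the filename to rename them to before using Previous Versions. The naming pattern it looks for (original name followed by .html, such as report.docx.html) is an assumption; the guide does not say how the renamed file is named.

```python
from pathlib import Path

# Extensions the article lists as targeted by the ransomware.
TARGETED = set("""
ddrw pptm dotm xltx text docm djvu potx jpeg pptx sldm xlsm sldx xlsb ppam
xlsx ppsm ppsx docx odp eml ods dot php xla pas gif mpg ppt bkf sda mdf ico
dwg mbx sfx mdb zip xlt
""".split())
HTML_EXTS = {"html", "htm"}

def ext(name):
    """Lower-cased final extension without the dot ('' if none)."""
    return Path(name).suffix.lower().lstrip(".")

def looks_like_html(path, probe=1024):
    """Read-only content check: HTML marker in the first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(probe).lower()
    return b"<html" in head or b"<!doctype html" in head

def triage(root):
    """Return (intact, wrapped) for the tree under root; nothing is modified.

    intact : files that still end in a targeted extension
    wrapped: (path, assumed original name) for HTML files named like
             report.docx.html -- an ASSUMED pattern, not from the article
    """
    intact, wrapped = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if ext(path.name) in TARGETED:
            intact.append(path)
        elif ext(path.name) in HTML_EXTS and ext(path.stem) in TARGETED:
            try:
                if looks_like_html(path):
                    wrapped.append((path, path.stem))
            except OSError:
                continue  # locked or unreadable: skip it
    return intact, wrapped

if __name__ == "__main__":
    import sys
    ok, hit = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(ok)} intact targeted files, {len(hit)} suspected wrappers")
    for path, original in hit:
        print(f"{path} -> rename to {original} before using Previous Versions")
```

Run it against a documents folder from Safe Mode or from a clean machine with the disk attached; ordinary web pages such as index.html are ignored because their name carries no targeted extension.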

Once you are looking at the Spamhaus Ransomware screen that appears when you attempt to boot into Windows, you will see the following:


“The Spamhaus Project
XBL Advisory
Ref: XBL198972
IP address: xx.xx.xx.xx
Tracking time: 1 w 10 h 03 m
Responsible agent: David C. Krehnke
Address: 18 Avenue Louis Casai CH-1209 Geneva Switzerland
You have 48 hours left to enter your payment.
You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws.
Actions made by your computer backed up under United States law USA Patriot ACT
What exactly is The Patriot Act?
The Patriot Act is short for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
We have the right backed by law:
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
With the support of the federal Bureau investigation department on cybercrime and the Supreme court of the United States of America. We have the legal right to scan and intercept any information going in and out of your computers.
You IP address (xx.xx.xx.xx) was identified and isolated by our organization in connection with a complaint to the involvement of distributed denial of service (DDoS) attack such organizations: NASDAQ and BATSS stock exchange markets and WIKILEAKS.ORG website. Such attacks caused $15 billion in damage. In order to isolate this infected files we have blocked your access to the outside world and your IP address was listed in our XBL Block List. You can not use the internet or any of your programs.
You have a chance to settle this issue right now before we contact the proper authorities. Within 48 hours, you can pay a fine of $300. All your files will be decrypted, and access to the computer will be granted, a claim for compensation from affected from affected companies will be removed and your IP (xx.xx.xx.xx) address will be restored to good standings with XBL Block List.
If you don’t pay a penalty within the next 48 hours, local authorities and secret service will be contacted, and most likely it will result in your arrest. You can and will be prosecuted to the fullest extent of the law in order to recover our losses. Do not take a chance to be convicted as a felon.
Our spamhaus agent has conducted a full check of your system and found following violations:
• You are a distributor of pornography and porno materials, regularly watch porno sites with child pornography and zoophilia.
• You possess unlicensed software and pirate audio and video records.”

Of course, this warning is false and you should never pay the $300 as instructed by the fake warning. PAYING THE FINE WILL NOT ONLY FUND CYBER CRIMINALS IN CRIMINAL ACTS SUCH AS THESE, BUT IT COULD RESULT IN YOUR IDENTITY BEING STOLEN. IF YOU HAVE PAID THE $300 VIA A MONEYPAK CODE, CONTACT MONEYPAK AND YOUR CREDIT CARD COMPANY/BANK IMMEDIATELY AND INFORM THEM OF THE SITUATION!

Removal Options for Spamhaus Ransomware Virus


    Stop! Is your Data Backed up? Virus removal can be potentially damaging to your computer.
    If you are uncomfortable making changes to your operating system, please contact an Expert!
  1. Boot up Your Computer via ‘Safe Mode with Networking’

    The first thing we need to do is to shut the computer down. Make sure the computer is completely off! Once the computer is turned off, we need to turn it back on and boot into Safe Mode with Networking.

    To do this, press the power button, then immediately start tapping the F8 key on your keyboard.

    Within a few seconds, you will notice the Windows Advanced Options Menu. Use your arrow keys to choose the Safe Mode with Networking option, then press Enter. (Screenshot provided below)

    (Screenshot: safemodebootup)

  2. Log into Windows and View Desktop

    Safe Mode with Networking will then load a variety of files and drivers, so do not worry as this is perfectly normal. You will then see your account’s user icon. Once you see it, log into your account to view your Windows Desktop as normal.

  3. Open Your Web Browser (Internet)

    You will now need to open your web browser, and nearly any web browser will suffice: Internet Explorer, Firefox, or Google Chrome for starters.

    (Screenshot: browser_icons)

  4. Download Trusted Removal Software

    Download the Free or Paid Version of Malwarebytes Anti-Malware.

    Malwarebytes Anti-Malware

    • FREE / $24.95 USD (Lifetime)
    • Malware Scanner Utility (No Protection)
    • Malware Scanner + System Protection

  5. Install MalwareBytes Anti-Malware

    Install MalwareBytes Anti-Malware as you would any other program. Once the installation process begins, the software may download new definitions and update the program, so give it a few minutes and allow it to update appropriately. Once the updates are complete and you are viewing the screen below, you are ready to use it:

    (Screenshot: mb_fullscan_selected)

  6. Run a Full Scan with MalwareBytes

    Select the Full Scan box, then select Scan to begin scanning for malware. Ensure drive C: is selected, then select Scan once more.

    (Screenshot: mb_scanning)

  7. Look at the Infected Files

    Once the scan is finished, select OK to look at the files, then select Show Results.

    (Screenshots: mb_objects_detected, mb_scan_completed)

  8. Remove the Infected Files via MalwareBytes

    You will now notice a variety of infected files and registry keys. Ensure the detected objects are selected, then select Remove Selected.

    (Screenshot: mb_infections)

  9. Reboot Your PC

    MalwareBytes Anti-Malware will inform you that you must reboot. This is perfectly normal, and will provide the software with the opportunity to remove the infected files.

    (Screenshot: mb_reboot_window)

  10. Boot Back into Windows

    Your PC will now boot up as normal without the virus infecting your machine. Open a few of your regularly used programs and ensure everything is working as normal.

  11. Congratulations! All Finished!

    We sincerely hope this guide has helped you. If you fixed your computer using our free guide, we ask that you support us by selecting one of our social share buttons or by commenting on our guide with your feedback below!

Dan Steiner is an IT from San Luis Obispo, California. He has helped thousands of people with virus removal and other computer related issues.
