Posted by Dan Steiner on Apr 24, 2013
The Spamhaus Ransomware infection is one of the more unusual ransomware infections: not only does it block you from accessing your computer’s desktop and programs, but even if you are somehow able to reach your files, it will have encrypted them so you cannot view them in any way. This makes the Spamhaus Ransomware infection incredibly dangerous, so it is crucial that you remove it the moment you discover you are infected.
The Spamhaus Ransomware scans for any files ending with the following extensions and encrypts them: .ddrw, .pptm, .dotm, .xltx, .text, .docm, .djvu, .potx, .jpeg, .pptx, .sldm, .xlsm, .sldx, .xlsb, .ppam, .xlsx, .ppsm, .ppsx, .docx, .odp, .eml, .ods, .dot, .php, .xla, .pas, .gif, .mpg, .ppt, .bkf, .sda, .mdf, .ico, .dwg, .mbx, .sfx, .mdb, .zip, .xlt. Once the ransomware encrypts a file, it renames the file as an HTML file and embeds the encrypted file inside it. Thus, once you try to launch the encrypted file, you will be taken to a web page (blocked by http://xblblock.com) and instructed to pay a “ransom” via a MoneyPak code.
At this moment, there isn’t a decryptor available for the files encrypted by Spamhaus Ransomware. Therefore, you will need to restore the files from a previous backup (and if you do not have one, we highly suggest you make a habit of backing up your data in the future). If there is not a backup available, your other option is to restore the file from a previous version in Windows. To accomplish this, you will need to rename the file to the original filename, right-click the file, select Properties, select Previous Versions, and select the file from the previous versions found. Once found, back up the existing encrypted file, then restore it to the previous version; Windows will restore the older file and overwrite the encrypted one. It’s a long, roundabout way of obtaining your files, but in the end it’s worth it if you do not have a backup of your files.
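To find which files need the restore procedure above, the following added example (not part of the original guide) walks a folder and lists HTML files whose name still carries one of the targeted extensions, plus targeted files that have not been renamed. It assumes the ransomware appends .html to the original filename, which the guide does not state; `triage` and `demo` are names chosen for this example.

```python
import os
import tempfile
from pathlib import Path

# Extensions the guide lists as targeted by the ransomware.
TARGETED = frozenset("""
.ddrw .pptm .dotm .xltx .text .docm .djvu .potx .jpeg .pptx .sldm .xlsm .sldx
.xlsb .ppam .xlsx .ppsm .ppsx .docx .odp .eml .ods .dot .php .xla .pas .gif
.mpg .ppt .bkf .sda .mdf .ico .dwg .mbx .sfx .mdb .zip .xlt
""".split())
HTML_SUFFIXES = {".html", ".htm"}


def triage(root):
    """Return (wrapped, at_risk) for every file under root.

    wrapped: (path, original_name) pairs for HTML files whose name still ends
             in a targeted extension before the HTML suffix. ASSUMPTION: the
             ransomware appends .html to the original name.
    at_risk: files with a targeted extension that have not been renamed.
    """
    wrapped, at_risk = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            suffixes = [s.lower() for s in path.suffixes]
            if (len(suffixes) >= 2 and suffixes[-1] in HTML_SUFFIXES
                    and suffixes[-2] in TARGETED):
                # path.stem drops only the final suffix, giving the old name.
                wrapped.append((path, path.stem))
            elif suffixes and suffixes[-1] in TARGETED:
                at_risk.append(path)
    return sorted(wrapped), sorted(at_risk)


def demo():
    """Run triage over a constructed sample tree (not real infection data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for name in ("budget.xlsx.html", "photo.JPEG", "docs/notes.docx.HTML",
                     "docs/index.html", "docs/readme.txt"):
            (root / name).write_bytes(b"constructed sample")
        wrapped, at_risk = triage(root)
        return ([(p.relative_to(root).as_posix(), orig) for p, orig in wrapped],
                [p.relative_to(root).as_posix() for p in at_risk])


if __name__ == "__main__":
    print(demo())
```

The script only reads file names and changes nothing on disk, so it can be run against a copy of the user profile before any renaming or restoring is attempted.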
Once you are looking at the Spamhaus Ransomware screen that appears when you attempt to boot into Windows, you will see the following:
Of course, this warning is false and you should never pay the $300 as instructed by the fake warning. PAYING THE FINE WILL NOT ONLY FUND CYBER CRIMINALS IN CRIMINAL ACTS SUCH AS THESE, BUT IT COULD RESULT IN YOUR IDENTITY BEING STOLEN. IF YOU HAVE PAID THE $300 VIA A MONEYPAK CODE, CONTACT MONEYPAK AND YOUR CREDIT CARD COMPANY/BANK IMMEDIATELY AND INFORM THEM OF THE SITUATION!
The first thing we need to do is to shut the computer down. Make sure the computer is completely off! Once the computer is turned off, we need to turn it back on and boot into Safe Mode with Networking.
To do this, press the power button then immediately start tapping the F8 Key on your keyboard.
Within a few seconds, you will notice the Windows Advanced Options Menu. Use your arrow keys to choose the Safe Mode with Networking option, then press Enter. (Screenshot provided below)
Safe Mode with Networking will then load a variety of files and drivers, so do not worry as this is perfectly normal. You will then see your account’s user icon. Once you see it, log into your account to view your Windows desktop as normal.
You will now need to open your web browser, and nearly any web browser will suffice: Internet Explorer, Firefox, or Google Chrome for starters.
Download the Free or Paid Version of Malwarebytes Anti-Malware.
Install Malwarebytes Anti-Malware as you would any other program. Once the installation process begins, the software may download new definitions and update the program, so give it a few minutes and allow it to update appropriately. Once the updates are complete and you are viewing the screen below, you are ready to use it:
Select the Full Scan box, then select Scan to begin the scanning for malware. Ensure drive C: is selected, then select Scan once more.
Once the scan is finished, select OK to look at the files then select Show Results.
You will now notice a variety of infected files and registry keys. Ensure the detected objects are selected, then select Remove Selected.
Malwarebytes Anti-Malware will inform you that you must reboot. This is perfectly normal, and will provide the software with the opportunity to remove the infected files.
Your PC will now boot up as normal without the virus infecting your machine. Open a few of your regularly used programs and ensure everything is working as normal.
We sincerely hope this guide has helped you.