Powered By Blogger

Friday, April 26, 2013

Spamhaus Ransomware Removal Guide



The Spamhaus Ransomware is computer infection that displays a a screenlocker so you can not access your desktop and applications and encrypts your files. When infected with this malware, you will be presented with a screen when you login to Windows that pretends to be from the Spamhaus Project. This screen states that they have detected your computer participating in illegal activities and have blocked access to it until you pay a fine. This infection will also scan your computer for files that end with the .ddrw ,.pptm ,.dotm ,.xltx ,.text ,.docm ,.djvu ,.potx ,.jpeg ,.pptx ,.sldm ,.xlsm ,.sldx ,.xlsb ,.ppam ,.xlsx ,.ppsm ,.ppsx ,.docx ,.odp ,.eml ,.ods ,.dot ,.php ,.xla ,.pas ,.gif ,.mpg ,.ppt ,.bkf ,.sda ,.mdf ,.ico ,.dwg ,.mbx ,.sfx ,.mdb ,.zip ,.xlt extensions and then encrypt them. When the ransomware encrypts a file it will rename it as a HTML file and then embed the encrypted file inside of it. If you then attempt to launch any of these encrypted files, you will be taken to a web page, which is currently at http://xblblock.com, that prompts you to pay the ransom in the form of a MoneyPak voucher.

Spamhaus Ransomware Screen Shot
Spamhaus Ransomware Screen Shot
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.

Unfortunately, at this time there is no decryptor for the files that have been encrypted by this malware. This means that you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versionstab. You will now be shown a screen screen that lists any previous versions you may have of this file. If you find any, backup the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.
The text of the Spamhaus Ransomware screen locker screen is:
The Spamhaus Project
XBL Advisory
Ref: XBL198972
IP address: xx.xx.xx.xx
Tracking time: 1 w 10 h 03 m
Responsible agent: David C. Krehnke
Address: 18 Avenue Louis Casai CH-1209 Geneva Switzerland
You have 48 hours left to enter your payment.
You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws.
Actions made by your computer backed up under United States law USA Patriot ACT
What exactly is The Patriot Act?
The Patriot Act is short for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
We have the right backed by law:
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
With the support of the federal Bureau investigation department on cybercrime and the Supreme court of the United States of America. We have the legal right to scan and intercept any information going in and out of your computers.
You IP address (xx.xx.xx.xx) was identified and isolated by our organization in connection with a complaint to the involvement of distributed denial of service (DDoS) attack such organizations: NASDAQ and BATSS stock exchange markets and WIKILEAKS.ORG website. Such attacks caused $15 billions in damage. In order to isolate this infected files we have blocked your access to the outside world and your IP address was listed in our XBL Block List. You can not use the internet or any of your programs.
You have a chance to settle this issue right now before we contact the proper authorities. Within 48 hours, you can pay a fine of $ 300. All your files will be decrypted, and access to the computer will be granted, a claim for compensation from affected from affected companies will be removed and your IP (xx.xx.xx.xx) address will be restored to good standings with XBL Block List.
If you don't pay a penalty within the next 48 hours, local authorities and secret service will be contacted, and most likely it will result in your arrest. You can and will be prosecuted to the fullest extent of the law in order to recover our losses. Do not take a chance to be convicted as a felon.
Our spamhaus agent has conducted a full check of your system and found following violations:
• You are a distributor of pornography and porno materials, regularly watch porno sites with child pornography and zoophilia.
• You possess unlicensed software and pirate audio and video records.
As you can see, this is a computer infection and not a legitimate message from the Spamhaus Project. Therefore, ignore anything it displays and instead use the removal guide below to remove the Spamhaus Ransomware ransomware from your computer.

Threat Classification:

Advanced information:
View Spamhaus Ransomware files.
View Spamhaus Ransomware Registry Information.

Tools Needed for this fix:

Symptoms that may be in a HijackThis Log:
O4 - HKLM\..\Run: [<random>] <random>.exe

Guide Updates:
04/19/13 - Initial guide creation


Automated Removal Instructions for Spamhaus Ransomware using HitmanPro:

  1. Print out these instructions as we may need to close every window that is open later in the fix.
  2. Reboot your computer into Safe Mode with Networking. To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Eventually you will be brought to a menu similar to the one below:


    MalwareBytes Anti-Malware Screen

    Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble entering safe mode, then please use the following tutorial: How to start Windows in Safe Mode 

    Windows will now boot into safe mode with networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode. Then proceed with the rest of the steps.
  3. Before we can do anything we must first end the processes that belong to Spamhaus Ransomware so that it does not interfere with the cleaning procedure. To do this we will download a program called Rkill on a clean computer and then transfer the program to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

    The download link for Rkill is:

    http://www.bleepingcomputer.com/download/rkill/ - (Download page will open in a new tab or browser window.)

    When at the download page, click on the Download Now button labeled Rkill.com. When you are prompted where to save it, please save it on your desktop.

    If you do not have any removable media or another clean computer that you can download Rkill onto, you can try and download it to your infected computer using another method. On the infected computer, right click on the Internet Explorer's icon, or any other browser's icon, and select Run As or Run as Administrator. If you are using Windows XP, you will be prompted to select a user and enter its password. It is suggested that you attempt to login as the Administrator user. For Windows 7 or Windows Vista, you will be prompted to enter your Administrator account password. This should allow your browser to open where you can then download Rkill from the above link and save it to a folder that your infected account can access.

  4. Once it is downloaded or transferred to the infected computer, double-click on the Rkill.com icon in order to automatically attempt to stop any processes associated with Spamhaus Ransomware and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Spamhaus Ransomware when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that RKill can terminate Spamhaus Ransomware . So, please try running RKill until the malware is no longer running. You will then be able to proceed with the rest of the guide. Do not reboot your computer after running RKill as the malware programs will start again.

    If you continue having problems running RKill, you can download the other renamed versions of RKill from the RKill download page. All of these files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.
  5. Now you should download HitmanPro from the following location and save it to your desktop:

    HitmanPro Download Link (This link will open in a new browser tab or Window.)

    When you visit the above page, please download the version that corresponds to the bit-type of the Windows version you are using.
  6. Now double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.


    HitmanPro Start Screen


    Now click on the Next button to continue with the scan process.
  7. You will now be at the HitmanPro setup screen. If you would like to install the 30 day trial for HitmanPro, select the Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended) option. Otherwise, if you just want to scan the computer this one time, please select the No, I only want to perform a one-time scan to check this computer option.



    Kickstart Setup Options


    Once you have selected one of the options, please click on the Next button.
  8. HitmanPro will now begin to scan your computer for infections. When it has finished it will display a list of all the malware that the program found as shown in the image below. Please note that the infections found may be different than what is shown in the image.


    MalwareBytes Scan Results

    You should now click on the Next button to have HitmanPro remove the detected infections. When it is done you will be shown a Removal Results screen that shows the status of the various infections that were removed. At this screen you should click on the Next button and then if prompted you should click on the Reboot button. If HitmanPro does not prompt you to reboot, please just click on the Close button.
  9. Once your computer has has restarted or you pressed the Close button, you should now be at your Windows desktop.
  10. Unfortunately, at this time there is no decryptor for the files that have been encrypted by this malware. This means that you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versions tab. You will now be shown a screen screen that lists any previous versions you may have of this file. If you find any, backup the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.
  11. As many malware and unwanted programs are installed through vulnerabilities found in out-dated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector

Your computer should now be free of the Spamhaus XBL Advisory Ransomware infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the licensed version of HitmanPro to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:



Associated Spamhaus Ransomware Files:
<random>\<random>.exe

Associated Spamhaus Ransomware Windows Registry Information:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>" = <random>.exe



This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.

No comments:

Post a Comment