The Spamhaus ransomware is a malicious program that displays an intimidating lock screen and threatens legal prosecution unless the user of the infected computer pays a fine of $300 within a 48-hour period through MoneyPak. It goes on to state that "You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms)".
The ransomware masquerades as being part of The Spamhaus Project. It also states that if you don't pay the $300 fine through a Green Dot MoneyPak transaction within 48 hours, you will never be able to decrypt your files. The time limit is false and is only meant to scare you into paying the fine quickly. So don’t panic, because you have more than enough time to resolve this infection.
Once the Spamhaus virus compromises a computer, it encrypts some of the most common file types and then changes their extension to ".html". If you attempt to open any of the modified files, you will be forwarded to a web page that indicates you must pay the fine.
How to remove the Spamhaus Ransomware
You’ll need to download a few removal utilities on a known clean computer and then transfer them to the infected computer on a burned CD/DVD.
You will need to download:
- Once you have downloaded the files and burned them to a CD, restart the compromised computer into "Safe Mode with Command Prompt" by pressing the "F8" function key at system startup, before the "Windows" logo appears.
- Once you're logged into Safe Mode and the command prompt appears, insert the burned CD/DVD onto which you copied the needed removal software.
- Next, navigate to the drive letter of the CD/DVD. If you copied the files onto a CD, the drive letter will probably be "D" or maybe "E". If, on the other hand, you copied the files onto a flash drive, you may have to try several letters systematically before you locate the correct one.
- In our example we'll be using drive "D". So at the command prompt type "D:" without the quotation marks.
- You can verify that you're in the correct drive and folder by typing "Dir" at the command prompt to display the folder's contents.
- Once you’re in the correct directory, execute the copy of “rKill” by typing “rkill.exe” at the command prompt. Follow the prompts while “Rkill” terminates any malicious processes that it finds running on your computer.
- Next, extract the copy of “Emsisoft Emergency Kit” by typing the name of its executable. Extract it to an easily accessible location on your computer, such as the root of drive “C”.
- Next, start the kit by typing “Start.exe” while in the correct directory.
- Afterwards, click on “Emergency Kit Scanner”.
- Next, perform a deep scan of your computer.
- After the scan completes, remove any malicious files it finds.
- Next, start the Emsisoft Decrypter by typing the name of its executable at the prompt. If you’re unsure of its name, type “Dir” at the prompt to list the directory contents.
- Once the files have been decrypted, execute the copy of Combofix by typing “combofix.exe” at the prompt. Follow the prompts and give Combofix around 20 minutes to complete its scan and removal process.
- After Combofix completes its scan and displays its log, type “explorer” at the prompt to open the “Windows Explorer”.
- Next, restart your computer normally.
- Check for any remnants of the Spamhaus virus, such as its pop-ups. Also check your files to make sure they have been decrypted completely.
- And finally open a web browser and check for Internet connectivity. At this point your computer should be clean, but if there are still indications of the virus, you may need to contact a computer virus removal specialist to resolve your situation.
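To support the final checks above (files still carrying the ".html" extension and files that did not decrypt cleanly), here is an added example that is not part of the original article. It walks a folder and reports both kinds of file; the signature table, function names and sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Well-known leading bytes for common file types (not taken from the article).
SIGNATURES = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
}

def audit_tree(root):
    """Return (header-mismatch files, files still named *.html) under root."""
    suspect, html_left = [], []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".html":
                # Legitimate web pages show up too; review this list by hand.
                html_left.append(path)
                continue
            magic = SIGNATURES.get(ext)
            if magic is None:
                continue  # no signature known for this type
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(magic))
            except OSError:
                suspect.append(path)  # unreadable: treat as needing review
                continue
            if head != magic:
                suspect.append(path)  # content does not look like its type
    return sorted(suspect), sorted(html_left)

def build_sample(root):
    """Constructed sample data: one healthy PDF, one damaged PNG, one .html."""
    samples = {"ok.pdf": b"%PDF-1.4\n", "bad.png": b"\x00\x13\x37garbage",
               "report.html": b"<html></html>", "notes.txt": b"hello"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_tree(tmp))
```

Run it against a copy of your documents folder by calling `audit_tree` with that path; a file in the first list should be restored from backup or decrypted again before you rely on it.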
Smith Technical Resources makes no guarantees or claims that the information contained in this article will help you completely remove the above listed malicious program(s) from your computer. There are several variations of each particular virus in the wild, and the procedure listed above may not be adequate for the specific version of the virus that has compromised your computer.
If you feel uncomfortable performing any of the procedures that we've listed on this page, please contact a professional computer repair company in your area and have them complete the needed repairs on your computer. Smith Technical Resources takes no responsibility for any possible damage that could result from your use of the above instructions.