Spamhaus Ransomware Virus Removal
The Spamhaus Ransomware virus is one of the more destructive viruses I have come across in a long time. It encrypts many common file types and also makes it so you cannot browse the internet. This virus is very hazardous; if you are still able to access your applications, you should attempt to remove it immediately.
Upon infection, the Spamhaus Ransomware virus scans for the following file types: .ddrw, .pptm, .dotm, .xltx, .text, .docm, .djvu, .potx, .jpeg, .pptx, .sldm, .xlsm, .sldx, .xlsb, .ppam, .xlsx, .ppsm, .ppsx, .docx, .odp, .eml, .ods, .dot, .php, .xla, .pas, .gif, .mpg, .ppt, .bkf, .sda, .mdf, .ico, .dwg, .mbx, .sfx, .mdb, .zip, .xlt. When it finds one, the virus encrypts it and changes the extension to .HTML, which makes those files utterly useless to you without the correct key. On top of that, if you attempt to open any of the encrypted files, your browser is directed to a “ransom” web site, where you are instructed to pay a fee to release your machine, usually via MoneyPak.
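The renaming above leaves a fairly distinctive trace: files that end in .HTML but contain no HTML markup. The following triage script is an added example, not part of the original guide and not the decryptor's code. It assumes an encrypted file either keeps its old name with .HTML appended (report.docx.HTML) or is renamed outright; the entropy threshold, the markup check and the sample files it builds are my own constructions, so treat the flags as leads to review, not as proof of infection.

```python
"""Triage helper: find .HTML files that are probably encrypted documents.

Added example, not from the original guide or from the decryptor's author.
Assumes an encrypted file is either renamed outright or keeps its old name
with .HTML appended; the heuristics below are mine, not documented behaviour.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# File types the guide says the ransomware looks for.
TARGETED_EXTENSIONS = {
    ".ddrw", ".pptm", ".dotm", ".xltx", ".text", ".docm", ".djvu", ".potx",
    ".jpeg", ".pptx", ".sldm", ".xlsm", ".sldx", ".xlsb", ".ppam", ".xlsx",
    ".ppsm", ".ppsx", ".docx", ".odp", ".eml", ".ods", ".dot", ".php",
    ".xla", ".pas", ".gif", ".mpg", ".ppt", ".bkf", ".sda", ".mdf", ".ico",
    ".dwg", ".mbx", ".sfx", ".mdb", ".zip", ".xlt",
}

# Bits per byte; ciphertext sits near 7.9, ordinary documents well below 7.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_html(data: bytes) -> bool:
    """A real web page starts with a tag (optionally after a BOM/whitespace)."""
    head = data.lstrip(b"\xef\xbb\xbf\t\r\n ")[:16]
    return head.startswith(b"<")


def original_extension(path: Path) -> Optional[str]:
    """For a name like report.docx.HTML return '.docx' if it is a targeted type."""
    inner = Path(path.stem).suffix.lower()
    return inner if inner in TARGETED_EXTENSIONS else None


def classify(path: Path, sample_size: int = 4096) -> Dict[str, object]:
    """Decide whether one .HTML file is probably an encrypted document."""
    with open(path, "rb") as fh:
        sample = fh.read(sample_size)
    entropy = shannon_entropy(sample)
    html = looks_like_html(sample)
    inner = original_extension(path)
    # Flag it if it is not markup and either still carries a targeted inner
    # extension or has ciphertext-like entropy.
    suspect = (not html) and (inner is not None or entropy >= ENTROPY_THRESHOLD)
    return {
        "name": path.name,
        "entropy": round(entropy, 2),
        "looks_like_html": html,
        "original_extension": inner,
        "suspect": suspect,
    }


def scan_tree(root) -> List[Dict[str, object]]:
    """Walk a directory tree and classify every file whose extension is .HTML."""
    return [
        classify(p)
        for p in sorted(Path(root).rglob("*"))
        if p.is_file() and p.suffix.lower() == ".html"
    ]


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real infection artefacts) for a dry run."""
    (root / "report.docx.HTML").write_bytes(os.urandom(4096))  # ciphertext-like
    (root / "slides.pptx.HTML").write_bytes(b"\x00" * 4096)  # inner ext, low entropy
    (root / "index.HTML").write_bytes(b"<!DOCTYPE html><html><body>ok</body></html>")
    (root / "memo.HTML").write_bytes(b"Quarterly memo, nothing unusual here.\n")
    (root / "notes.txt").write_bytes(b"not scanned: wrong extension\n")


def demo() -> Dict[str, Dict[str, object]]:
    """Run the scanner over the constructed tree and key the results by name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return {str(r["name"]): r for r in scan_tree(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        flag = "SUSPECT" if r["suspect"] else "ok"
        print(f"{flag:8} {name:20} entropy={r['entropy']} inner={r['original_extension']}")
```

Run it as `python triage.py` for the built-in sample, or call `scan_tree(r"D:\")` against a copy of the affected drive. Low-entropy text that merely lacks markup (memo.HTML in the sample) is deliberately not flagged, so a renamed plain-text file will need a manual look.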
Once you find out you’re infected (and hopefully at this point your data is backed up), stop what you are doing, save your work, and boot into Safe Mode. To do this, perform the following steps:
Click START -> Restart
When your machine restarts, immediately start tapping F8 until you see the Boot Options screen.
Use your arrow keys to move down to Safe Mode with Networking, then hit Enter. Windows will load all types of drivers and software, so it’s normal to see a bunch of scrolling text.
Log into Windows as an Administrator. Open your browser (IE, Chrome, Firefox, etc.) and download Malwarebytes using the image below; you may choose FREE or Paid.
When Malwarebytes finishes downloading, install it like any other application. It will want to update its definitions as well; let it do so. When it finishes installing and updating, let it run, choose FULL SCAN, then press the Scan button. Make sure that C:\ is selected, and press Scan again.
Malwarebytes will scan for a while, depending on how much data you have on your drive. Once it finishes, click the OK button.
Make sure you check all of the problems (files and registry keys) it finds, then click Remove Selected.
Malwarebytes will want you to reboot to continue removing these files. Please do so. This very problematic virus will now be removed from your machine, though we are not quite finished yet.
Luckily, with the help of the BleepingComputer.com community, a custom decryptor was written specifically for this issue. Thanks to Fabian for this amazing little tool. Click the image below to download it.
When it finishes downloading, AS LONG AS YOU HAVE ONE HARD DRIVE, run it like any normal program and let it do its magic. It will decrypt all of your broken .HTML files, restoring them to the state they were in previously. Just be aware that this tool DOES NOT DELETE THE .HTML FILE when it restores your files.
If you have more than one hard drive, you will have to run this tool from the command prompt with parameters.
Use the following steps for scanning with multiple hard drives:
- Hold the WINDOWS KEY and press “R”
- Then type CMD and hit Enter
- Change directory to where you downloaded the decryptor; if it was on your desktop, it would look like this:
- Now you should be in C:\Users\YOURUSERNAME\Desktop (or wherever you saved the file); now type one drive root per argument:
decrypt_mblblock.exe C:\ D:\ E:\
BE PATIENT WHILE THE TOOL RUNS, IT MAY TAKE SEVERAL MINUTES BETWEEN FILES. INTERRUPTING IT WILL CAUSE IT TO STOP REPAIRING YOUR FILES.
If you run HijackThis, you may see an entry for this virus in the log similar to the following:
O4 - HKLM\..\Run: [<random>] <random>.exe
Advanced IT Solutions cannot be held responsible for any damage you may cause to your machine using this guide. This is USE AT YOUR OWN RISK.