The Spamhaus Ransomware is computer infection that displays a screenlocker so you can not access your desktop and applications and encrypts your files. When infected with this malware, you will be presented with a screen when you login to Windows that pretends to be from the Spamhaus Project. This screen states that they have detected your computer participating in illegal activities and have blocked access to it until you pay a fine. This infection will also scan your computer for files that end with the .ddrw ,.pptm ,.dotm ,.xltx ,.text ,.docm ,.djvu ,.potx ,.jpeg ,.pptx ,.sldm ,.xlsm ,.sldx ,.xlsb ,.ppam ,.xlsx ,.ppsm ,.ppsx ,.docx ,.odp ,.eml ,.ods ,.dot ,.php ,.xla ,.pas ,.gif ,.mpg ,.ppt ,.bkf ,.sda ,.mdf ,.ico ,.dwg ,.mbx ,.sfx ,.mdb ,.zip ,.xlt extensions and then encrypt them. When the ransomware encrypts a file it will rename it as a HTML file and then embed the encrypted file inside of it. If you then attempt to launch any of these encrypted files, you will be taken to a web page, which is currently at http://xblblock.com, that prompts you to pay the ransom in the form of a MoneyPak voucher.
Spamhaus Ransomware Screen Shot
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.
Thankfully, the developers at Emsisoft have developed a tool that can be used to decrypt the files that have been encrypted by this malware. When you run this tool you can select the drives you wish to scan for encrypted files and the program will decrypt them when found. If this tool does not work for you, then you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versions tab. You will now be shown a screen screen that lists any previous versions you may have of this file. If you find any, backup the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.
The text of the Spamhaus Ransomware screen locker screen is:
The Spamhaus Project
IP address: xx.xx.xx.xx
Tracking time: 1 w 10 h 03 m
Responsible agent: David C. Krehnke
Address: 18 Avenue Louis Casai CH-1209 Geneva Switzerland
You have 48 hours left to enter your payment.
You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws.
Actions made by your computer backed up under United States law USA Patriot ACT
What exactly is The Patriot Act?
The Patriot Act is short for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
We have the right backed by law:
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
With the support of the federal Bureau investigation department on cybercrime and the Supreme court of the United States of America. We have the legal right to scan and intercept any information going in and out of your computers.
You IP address (xx.xx.xx.xx) was identified and isolated by our organization in connection with a complaint to the involvement of distributed denial of service (DDoS) attack such organizations: NASDAQ and BATSS stock exchange markets and WIKILEAKS.ORG website. Such attacks caused $15 billions in damage. In order to isolate this infected files we have blocked your access to the outside world and your IP address was listed in our XBL Block List. You can not use the internet or any of your programs.
You have a chance to settle this issue right now before we contact the proper authorities. Within 48 hours, you can pay a fine of $ 300. All your files will be decrypted, and access to the computer will be granted, a claim for compensation from affected from affected companies will be removed and your IP (xx.xx.xx.xx) address will be restored to good standings with XBL Block List.
If you don't pay a penalty within the next 48 hours, local authorities and secret service will be contacted, and most likely it will result in your arrest. You can and will be prosecuted to the fullest extent of the law in order to recover our losses. Do not take a chance to be convicted as a felon.
Our spamhaus agent has conducted a full check of your system and found following violations:
• You are a distributor of pornography and porno materials, regularly watch porno sites with child pornography and zoophilia.
• You possess unlicensed software and pirate audio and video records.
As you can see, this is a computer infection and not a legitimate message from the Spamhaus Project. Therefore, ignore anything it displays and instead use the removal guide below to remove the Spamhaus Ransomware ransomware from your computer.
View Spamhaus Ransomware files.
View Spamhaus Ransomware Registry Information.
Tools Needed for this fix:
Symptoms that may be in a HijackThis Log:
O4 - HKLM\..\Run: [<random>] <random>.exe
04/19/13 - Initial guide creation
05/21/13 - Updated guide to include new decryption tool by Emsisoft.
Automated Removal Instructions for Spamhaus Ransomware using HitmanPro:
- Print out these instructions as we may need to close every window that is
open later in the fix.
- Reboot your computer into Safe Mode with Networking. To
do this, turn your computer off and then back on and immediately when you
see anything on the screen, start tapping the F8 key on your
keyboard. Eventually you will be brought to a menu similar to the one below:
Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. If you are having trouble
entering safe mode, then please use the following tutorial: How
to start Windows in Safe Mode
Windows will now boot into safe mode with networking and prompt you to login
as a user. Please login as the same user you were previously logged in with
in the normal Windows mode. Then proceed with the rest of the steps.
- Before we can do anything we must first end the processes that belong to
so that it does not interfere with the cleaning procedure. To do this we will download a program called Rkill on a clean computer and then transfer the program to the infected computer. You can transfer the files
via a CD/DVD, external drive, or USB flash drive.
The download link for Rkill is:
http://www.bleepingcomputer.com/download/rkill/ - (Download page will open in a new tab or browser window.)
When at the download page, click on the Download Now button
labeled Rkill.com. When you are prompted
where to save it, please save it on your desktop.
If you do not have any removable media or another clean computer that you
can download Rkill onto, you can try and download it to your
infected computer using another method.
On the infected computer, right click
on the Internet Explorer's icon, or any other browser's icon, and select Run
As or Run as Administrator. If you are using Windows
XP, you will be prompted to select a user and enter its password. It is suggested
that you attempt to login as the Administrator user. For
Windows 7 or Windows Vista, you will be prompted to enter your Administrator
account password. This should allow your browser to open where you can then download Rkill from the above link and save it to a folder that your infected account can access.
- Once it is downloaded or transferred to the infected computer, double-click on the Rkill.com icon in order to automatically attempt to stop any processes associated with
and other Rogue programs. Please be patient while the program looks for various
malware programs and ends them. When it has finished, the black window will
automatically close and you can continue with the next step. If you get a
message that RKill is an infection, do not be concerned. This message is just
a fake warning given by
when it terminates programs that may potentially remove it. If you run into
these infections warnings that close RKill, a trick is to leave the warning
on the screen and then run RKill again. By not closing the warning, this typically
will allow you to bypass the malware trying to protect itself so that RKill
. So, please try running RKill until the malware is no longer running. You
will then be able to proceed with the rest of the guide. Do not reboot
your computer after running RKill as the malware programs will start again.
If you continue having problems running RKill, you can download the other
renamed versions of RKill from the RKill
download page. All of these files are renamed copies of RKill, which
you can try instead. Please note that the download page will open in a new
browser window or tab.
- Now you should download HitmanPro from the following
location and save it to your desktop:
HitmanPro Download Link (This link will open in a new browser tab or Window.)
When you visit the above
page, please download the version that corresponds to the bit-type of the Windows version you are using.
- Now double-click on the file named HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for 64-bit versions of Windows). When the program starts you will be presented with the start screen as shown below.
Now click on the Next button to continue with the scan process.
- You will now be at the HitmanPro setup screen. If you would like to install the 30 day trial for HitmanPro, select the Yes, create a copy of HitmanPro so I can regularly scan this computer (recommended) option. Otherwise, if you just want to scan the computer this one time, please select the No, I only want to perform a one-time scan to check this computer option.
Once you have selected one of the options, please click on the Next button.
- HitmanPro will now begin to scan your computer for infections. When it has finished it will display a list of all the malware that the program found as shown in the image below. Please note that the infections found may be different
than what is shown in the image.
You should now click on the Next button to have HitmanPro remove the detected infections. When it is done you will be shown a Removal Results screen that shows the status of the various infections that were removed. At this screen you should click on the Next button and then if prompted you should click on the Reboot button. If HitmanPro does not prompt you to reboot, please just click on the Close button.
- Once your computer has has restarted or you pressed the Close button, you should now be at your Windows desktop.
- Emsisoft has released a MBLBlock decryption tool that can be used to decrypt the files encrypted by this infection. Please download this tool from the following link and save it to your desktop:
decmblblock.exe Download Link
Once the file has been downloaded, double-click on the decmblblock.exe icon that should now be on your desktop to launch the application. When the program is started you will find that all the hard drive letters on your computer are already configured to be scanned by the program as shown in the image below.
If there is another drive or folder that is not listed that you need to scan, you can add it by clicking on the Add Folder button. When all the drives and folders you wish to scan are listed, click on the Decrypt button to begin the decryption process. When the program is finished scanning the selected folders, any encrypted files that were found should now be decrypted.
If the tool from Emsisoft does not work for you, then you will need to restore from a backup or attempt to restore from a previous version using Windows. To restore from a previous version when there is no backup available, please rename the file to its original filename. Then right-click on it and select Properties. When the Properties window opens, click on the Previous Versions tab. You will now be shown a screen screen that lists any previous versions you may have of this file. If you find any, backup the existing encrypted file and then restore the previous version. Windows will then restore the older file and overwrite the encrypted one.
- As many malware and unwanted programs are installed through vulnerabilities found
in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the
Spamhaus XBL Advisory Ransomware
infection. If your current anti-virus solution let this infection through,
you may want to consider purchasing the
licensed version of HitmanPro to protect against these types
of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Associated Spamhaus Ransomware Files:
Associated Spamhaus Ransomware Windows Registry Information:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random>" = <random>.exe
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.