The Urausy Trojan is a screenlocker that does not allow you to access your computer or your files without a paying a ransom. When infected with this Trojan instead of seeing your normal Windows desktop when you login, you will be greeted with a screen that states illegal activity was detected and that you have been locked out of your computer until you pay a fine. This infection will display different lock screens depending on what country your computer is currently located in. It is able to detect your country by using the IP address of your computer. This guide will focus on the USA variant of the Urausy Trojan, but the steps can be used for any variant of this ransomware.
Screenshot for the USA version of the Urausy Ransomware
For more screen shots of this infection click on the image above.
There are a total of 1 images you can view.
If your computer is connected to the Internet from the United States of America, the screenlocker will state that the FBI has locked you out of your computer. This screen continues to state that your computer is breaking copyright laws and possibly distributing pornographic material. It will then state that since this is a one-time offense you can pay a fine to gain access to your computer and not face further prosecution. It then prompts you to go to a 7-Eleven, Walmart, Rite Aid, Kmart, or CVS and purchase a green dot MoneyPak voucher for $200 US dollars. You are then told that you need to input the voucher number into the screenlocker and submit it to gain access to your computer again. Once the malware developers receive the greendot MoneyPak voucher code, they will unlock your screen and you will be able to gain access to your desktop again.
As it is possible to regain access to your computer without paying the ransom, please do not purchase a MoneyPak and instead follow the instructions below.
The text of the Urausy screenlocker pretending to be from the FBI is:
Department of Justice
Federal Bureau of Investigation
Country: US United States
Region: <Your State>
City: <Your City>
ISP: <Your ISP>
Operating System: <Your Windows Version>: Your Country Here
Username: <Your Login Name>
Your PC is blocked due to at least one of the reasons specified below.
You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 2, Clause 8, also known as the Copyright of the Criminal Code of United States of America.
Article I, Section 2, Clause 8 of the Criminal Code provides for a fine of 2 to 5 hundred minimal wages or a deprivation of liberty for 2 to 8 years.
You have been viewing or distributing prohibited Pornographic content (Child Porno/ Zoofilia and etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years.
Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for 4 to 9 years.
Pursuant to the amendment to the Criminal Code of United States of America of August 28, 2012, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.
Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!
To unblock the computer, you must pay the fine through MoneyPak of $200.
Remember that this is a computer infection and that your computer has not actually been locked by the FBI or the Department of Justice. Therefore, ignore this screen and do not pay the ransom. Instead use the free removal guide below to remove the Urausy ransomware from your computer.
View Urausy Trojan files.
View Urausy Trojan Registry Information.
Tools Needed for this fix:
01/31/13 - Initial guide creation
Automated Removal Instructions for Urausy Trojan using the Emsisoft Emergency Kit:
- For the first part of this removal guide you will need to use a different
computer than the infected one as you will not be able to access your screen or the Internet from the infected computer.
- On a clean computer, start Internet Explorer or other web browser, and download and save the Emsisoft Emergency Kit to your desktop from the link below:
Please note that this is a large downloaded, so please be patient while it downloads.
- When the file has finished downloading, please burn it on to a CD or save it to a USB drive so that we can transfer the file to the infected computer.
- When you have finished saving the Emergency Kit to a removable media, please reboot the infected computer. While the computer is starting please
being to repeatedly tap the F8 key on your keyboard. This
will open up the Advanced Boot Options screen, in Windows
7 or Vista, or the Windows Advanced Options Menu in Windows
XP. The screen that you need to get to will look similar to the one below.
At the above screen you will see a variety of options that can be used to
boot Windows. Using the arrow keys on your keyboard, highlight the option
labeled Safe Mode with Command Prompt. Once it is highlighted,
click on the Enter key on your keyboard.
- Windows will now start and if you have multiple accounts or a password on
your single account, you will be presented with a screen asking you to login
to Windows. Please select your account and enter any password that you may
have. When done, the Windows Command Prompt will open and you will see a screen
similar to the one below.
The Command Prompt allows you to type commands and then press Enter on your
keyboard to execute them. In this Command Prompt window, please type explorer.exe
and then press Enter on your keyboard.
- The Windows desktop will now appear. When the desktop appears you can then
close the Command Prompt window by clicking on the X.
- Now insert your CD or USB drive and copy the EmsisoftEmergencyKit.zip that you download on your clean computer to the desktop of the infected one.
- Once the file has been copied, right click on the EmsisoftEmergencyKit.zip and select the Extract menu option. This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and the Emergency Kit will be extracted to a folder called EmsisoftEmergencyKit on your desktop. Please double-click on the EmsisoftEmergencyKit folder to open it.
- When the folder is open, double-click on the Start.exe button to launch the Emsisoft Emergency Kit. You will now be presented with a screen similar to the following:
Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons.
- You will now be shown an update screen prompting you to check for an update.
Please click on the NO button as you will not be able to update the program while in Safe Mode with Command Prompt.
- You will now be at the main screen for the Emsisoft Emergency Kit as shown below.
Now click on the Scan PC option in the left hand navigation menu.
- You will now be at the Scan PC screen as shown below.
Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer.
- When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen as shown in the image below.
Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program.
- Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.
- As this infection is known to exploit vulnerabilities in out-dated and insecure programs, it is strongly suggested that you use
Secunia PSI to scan for vulnerable programs on your computer. A tutorial on
how to use Secunia PSI to scan for vulnerable programs can be found here:
detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Your computer should now be free of the
Urausy FBI Ransomware
infection. If your current anti-virus solution let this infection through,
you may want to consider purchasing the
full version of Emsisoft Anti-malware to protect your computer against these types
of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
Associated Urausy Trojan Files:
File Location Notes:
%AppData% refers to the current users Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.
Associated Urausy Trojan Windows Registry Information:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,%AppData%\skype.dat"
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.