DotFab Blog » Malware Removal»How to Remove Spamhaus MoneyPak Virus? (Ransomware Removal Guide)

How to Remove Spamhaus MoneyPak Virus? (Ransomware Removal Guide)

 

Your desktop was covered by a full screen notification from Spamhaus? Can’t access to your computer system or any applications? Most of your files were renamed with the .html extension? It asks you to pay a $300 fine to decrypt them? Don’t be scared. You are not having trouble with Spamhaus. It is just a ransomware. This post will guide you to remove it.

 

What Is Spamhaus MoneyPak Virus?

 

Spamhaus MoneyPak virus is a ransomware created by criminals to collect money. Once installed on your computer, the Spamhaus MoneyPak virus will display a bogus notification which pretends to be from Spamhaus. The fake notification claims that you have lost control over your computer because you were spreading the Malware (viruses, Trojans, worms) and you are breaking numerous International and USA laws. The detailed message elaborates that you involved attacks that caused $15 billion in damage. It says you should pay a fine of $300 within 48 hours via MoneyPak payment system, otherwise you will get arrested.

The screenshot of Spamhaus MoneyPak virus:

Spamhaus MoneyPak virus

 

The message displayed in the fake notification:

The Spamhaus Project
XBL Advisory
Ref: XBL198972
IP address: xx.xx.xx.xx
Tracking time: 1 w 10 h 03 m
Responsible agent: David C. Krehnke
Address: 18 Avenue Louis Casai CH-1209 Geneva Switzerland

You have 48 hours left to enter your payment.

You have lost control over your computer. Your system and all your files has been blocked and encrypted because you were spreading the Malware (viruses, trojans, worms).
You are breaking numerous International and USA laws.
Actions made by your computer backed up under United States law USA Patriot ACT
What exactly is The Patriot Act?
The Patriot Act is short for The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.
We have the right backed by law:
Sec. 201. Authority to intercept wire, oral, and electronic communications relating to terrorism.
Sec. 202. Authority to intercept wire, oral, and electronic communications relating to computer fraud and abuse offenses.
Sec. 209. Seizure of voice-mail messages pursuant to warrants.
Sec. 217. Interception of computer trespasser communications.
With the support of the federal Bureau investigation department on cybercrime and the Supreme court of the United States of America. We have the legal right to scan and intercept any information going in and out of your computers.

You IP address (xx.xx.xx.xx) was identified and isolated by our organization in connection with a complaint to the involvement of distributed denial of service (DDoS) attack such organizations: NASDAQ and BATSS stock exchange markets and WIKILEAKS.ORG website. Such attacks caused $15 billions in damage. In order to isolate this infected files we have blocked your access to the outside world and your IP address was listed in our XBL Block List. You can not use the internet or any of your programs.

You have a chance to settle this issue right now before we contact the proper authorities. Within 48 hours, you can pay a fine of $ 300. All your files will be decrypted, and access to the computer will be granted, a claim for compensation from affected from affected companies will be removed and your IP (xx.xx.xx.xx) address will be restored to good standings with XBL Block List.

If you don’t pay a penalty within the next 48 hours, local authorities and secret service will be contacted, and most likely it will result in your arrest. You can and will be prosecuted to the fullest extent of the law in order to recover our losses. Do not take a chance to be convicted as a felon.

Our spamhaus agent has conducted a full check of your system and found following violations:

You are a distributor of pornography and porno materials, regularly watch porno sites with child pornography and zoophilia.
You possess unlicensed software and pirate audio and video records.

As stated in the fake notification, your system and files were blocked and encrypted. The Spamhaus MoneyPak virus searches for files that end with .docx, .ppt, .zip, .php, .jpg, .txt, .xlsm … extension and renames them with .html extension, so whenever you try to open a file it will lead you to http:\\xblblock.com and prompt you to pay the ransom to decrypt your files. In fact, paying the ransom will not decrypt your files or remove this virus. On the contrary, your files may be deleted.

You can’t run any antivirus or antimalware programs because you are blocked from everything when in normal mode. If you are lucky enough you can boot your computer to Safe Mode whit Networking or Safe Mode with Command, then you can take action to repair your computer.

 

How to Remove Spamhaus MoneyPak Virus?

 

                                                                                                           

Deny Flash

Some variants of ransomware exploit Java or Flash vulnerabilities to load the malicious code. The symptoms of the infection may be suspended by denying flash. Then you can navigate through the infected system. If step is not necessary for the removal, then skip to the next step.

To deny/disable flash:
Visit http://www.macromedia.com/support/documentation/en/flashplayer/help/help09.html → select the Deny radio option

                                                                                                           

Outline of the Removal Guide

 

Option 1 Boot your computer in Safe Mode with Networking and remove this virus
Option 2 Restore the operating system through Safe Mode with Command Prompt
Option 3 Use Anvi Rescue Disk to Remove Decrypt Protect-MBL Block Off virus

                                                                                                           
 

Option 1 Boot Your Computer into Safe Mode with Networking and Remove This Virus

 

Some variants of the Spamhaus MoneyPak virus will not block your desktop when you start the infected computer in Safe Mode with Networking. Then you can go over the instructions in Option 1 to scan and remove the malicious files.

Step 1 Boot the infected computer into Safe Mode with Networking

 

1. Restart your infected computer.

2. Soon after windows starts, tap F8 key repeatedly until you see a menu similar to the picture below.

Advanced Boot Options

3. Use the arrow keys on the keyboard to highlight Safe Mode with Networking and press Enter on your keyboard.

Safe Mode with Command Prompt

Notice: Windows will now boot to Safe Mode with Networking and prompt you to login as a user. Please login as the same user you were previously logged in with in the normal Windows mode.

If you failed to boot to Safe Mode with Networking, you can go to How to Boot Windows into Safe Mode for tutorial.

Step 2 Perform a system scan with Anvi Smart Defender

 

1. Download Anvi Smart Defender from the below direct download link.

Anvi Smart Defender direct download link

If the download fails, please check the networking settings and the hosts files because many infections may modify them.

2. Double click asdsetup.exe file to install Anvi Smart Defender.

3. Launch Anvi Smart Defender and switch to Scan tab, then click on Full Scan button to start system scan.

Anvi Smart Defender full scan

4. After the scan finished, click on the Repair or Removal button to complete the removal of malicious files.

scan result

You can click View Details to see the detailed information of threats found and removed by Anvi Smart Defender.

details

5. Restart your computer to Normal mode, run Anvi Smart Defender and perform a Full Scan again to make sure there are no remaining threats.

 

Option 2 Restore the Operating System Through Safe Mode with Command Prompt

 

System Restore will bring your computer operating system back to a point before you get infected by this Spamhaus MoneyPak virus.

 

1. Turn off your computer and then back on.

2. During the start, tap F8 key repeatedly till you are brought to the Windows Advanced Options Menu.

3. Use the arrow keys to highlight Safe Mode with Command Prompt and then press Enter.

Safe Mode with Command Prompt

4. Once the Command Prompt window comes out, quickly type “explorer” and hit Enter.

If you fail to do so in a few seconds, the ransomware will not allow you to type any more. You should restart the computer to the safe mode and repeat the process.

Command Prompt window

5. Find out the file rstrui.exe and press Enter.

The location of the file:

Windows XP: C:\windows\system32\restore\rstrui.exe

Windows 7/Vista: C:\windows\system 32\rstrui.exe

rstrui.exe file

6. Follow all the steps to restore your computer system to an earlier time and date (restore point) before the infection.

4

7. Run a computer scan with Anvi Smart Defender and remove the infected files.

Anvi Smart Defender direct download link

Download and install Anvi Smart Defender → run Anvi Smart Defender → switch to Scan tab → run a Full Scan

Anvi Smart Defender

 

Now your computer should have got rid of the infection of the Spamhaus MoneyPak virus, but you will notice that some software installed after the restore point has gone.

 

Option 3 Use Anvi Rescue Disk to Remove Spamhaus MoneyPak Virus

 

If your computer is blocked from everything, including the running of Safe Mode with Command Prompt, then you need to go through Option 3.

You can follow the instructions in the following video to get rid of the Spamhaus MoneyPak Virus by using Anvi Rescue Disk.

 

Or, you can follow the following step by step instruction.

Step 1 Use a clean computer to download the Anvi Rescue Disk iso image file Rescue.iso and the USB disk production tool BootUsb.exe from Anvisoft official site.

Direct download link: http://www.anvisoft.com/software/rsd/

Please kindly note that Rescue.iso is a large file download; please be patient while it downloads.

Step 2 Record Anvi Rescue Disk iso image to USB drive.

You can also record the iso image to a CD/DVD. We will introduce the steps to record iso image to a CD/DVD in following guide.

1. Connect USB to the computer.

You’d better backup your important data and format your USB drive before use it to record the iso image.

2. Locate your download folder and double click on BootUsb.exe to start it. And then click “Choose File” button to browse into your download folder and select Rescue.iso file as your source file.

USB burning

3. Select the path of USB drive, such as Drive H:

4. Click “Start Burning” to start the burn of USB Rescue Disk boot drive.

5. Close BootUsb.exe tool when you get the following message.

congratulations

Now, you have bootable Anvi Rescue Disk to repair your infected computer.

Alternative Option-Record the iso Image to a CD/DVD

Any CD/DVD record software is fine for burn iso image. If you don’t have one, you can download and install Nero Burning ROM and ImgBurn. Here we will use Nero Burning ROM for demonstration purpose.

1. Open and start Nero Burning ROM and select Burn Image from the drop-down menu of the Recorder.

CD/DVD recorder

2. Locate your download folder and select Rescue.iso file as your source file and then click Open button.

3. Click Burn button to start record the iso image.

After a few minutes, you will have a bootable Anvi Rescue Disk to repair your computer.

Step 3 Restart your computer and configure your computer to boot from USB drive/CD/DVD that recorded Anvi Rescue Disk. Basically, you can use F8 to load USB boot menu.

For different motherboard, you may need to use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.

boot menu instruction

The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:

• Ctrl+Esc
• Ctrl+Ins
• Ctrl+Alt
• Ctrl+Alt+Esc
• Ctrl+Alt+Enter
• Ctrl+Alt+Del
• Ctrl+Alt+Ins
• Ctrl+Alt+S

Step 4 After you enter Anvisoft Rescue Disk menu, please selected your preferred language and press Enter to continue.

Anvi Rescue disk language setting

Step 5 Now you are in the mini Operating system, please double click Rescue tool to start Anvi Rescue disk.

Anvi Rescue Disk

Step 6 Make sure that your computer is connected to network connection before you run a scan on your computer. You can go to Network Troubleshooting Tips for Ransomware Removal using Anvi Rescue Disk for tutorial.

Internet connection

Step 7 Please run a full scan by clicking the “Scan Computer” button in the middle of the program to detect and kill the PC lockup virus.

Anvi Rescue disk scan

Step 8 Clicking “Fix Now” to Remove the detected threat by Anvi Rescue Disk.

Anvi Rescue disk fix now

Step 9 Switch to Repair tab. Scan and fix the registry error with the “Repair” module of Anvi Rescue Disk.

Anvi Rescue disk repair

Important Notice: You must repair the registry error after kill the virus. You are probably disabled to boot your Windows without fixing registry damaged by the virus.

Step 10 Download and install Anvi Smart Defender to full scan your computer and remove all the infections detected.

Some ransomware variants are incredibly persistent, so you are highly recommended to download the antimalware promgram Anvi Smart Defender to remove all the detected threats as prompted.

Download-ASD-in-Rescue-Disk

After download, please restart your computer to normal Windows mode and then go to the folder: C:\Users\[username]\Downloads.

Double click asdsetup.exe file to install Anvi Smart Defender, then perform a Full Scan.

Or you can download it from this direct download link: http://www.dotfab.com/download_asd.html when you boot your computer to normal Windows mode.

Now your computer should be free from the infection of the Spamhaus MoneyPak virus.
 
Unfortunately, a decrypt tool for the files that have been encrypted by this virus is not available at this time. You need to restore from a backup or attempt to restore from a previous version using Windows.

To restore from a previous version using Windows: backup the existing encrypted file → rename the file to its original name → right click on it and select Property → click on Previous Versions tab → select one available previous and click on Restore button

 

                                                                                                           

Malware prevention tips

The malware usually explores the vulnerabilities of your computer system to infect your computer. You should upgrade your system timely and patch the system vulnerabilities when prompted.

Apart from that you can keep the antimalware program Anvi Smart Defender as an additional protection to your computer. The Guard function puts your computer under a real-time protection, but you need to buy its pro version to get Full Guard. It will keep you away from malware and malicious websites.

Click Anvi Smart Defender to buy its pro version.

 

Please feel free to contact us, if you have any question.