Remove the Urausy FBI Ransomware Infection (Uninstall Guide)

  • January 31, 2013

The Urausy Trojan is a screenlocker that does not allow you to access your computer or your files without paying a ransom. When infected with this Trojan, instead of seeing your normal Windows desktop when you log in, you will be greeted with a screen that states illegal activity was detected and that you have been locked out of your computer until you pay a fine. This infection displays a different lock screen depending on the country your computer is currently located in, which it determines by geolocating your public IP address. This guide focuses on the USA variant of the Urausy Trojan, but the steps can be used for any variant of this ransomware.

  • Screenshot for the USA version of the Urausy Ransomware
If your computer is connected to the Internet from the United States of America, the screenlocker will state that the FBI has locked you out of your computer. The screen goes on to claim that your computer is breaking copyright laws and possibly distributing pornographic material. It then states that since this is a one-time offense you can pay a fine to regain access to your computer and avoid further prosecution. It prompts you to go to a 7-Eleven, Walmart, Rite Aid, Kmart, or CVS and purchase a Green Dot MoneyPak voucher for $200 US dollars. You are then told to enter the voucher number into the screenlocker and submit it to regain access to your computer. The criminals claim that once they receive the Green Dot MoneyPak voucher code they will unlock your screen; there is no guarantee of that, and as it is possible to regain access to your computer without paying the ransom, please do not purchase a MoneyPak and instead follow the instructions below.

The text of the Urausy screenlocker pretending to be from the FBI is:

Department of Justice
Federal Bureau of Investigation

ATTENTION!
IP: xxx.xxx.xxx
Country: US United States
Region: <Your State>
City: <Your City>
ISP: <Your ISP>
Operating System: <Your Windows Version>: Your Country Here
Username: <Your Login Name>

Your PC is blocked due to at least one of the reasons specified below.

You have been violation Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 2, Clause 8, also known as the Copyright of the Criminal Code of United States of America.

Article I, Section 2, Clause 8 of the Criminal Code provides for a fine of 2 to 5 hundred minimal wages or a deprivation of liberty for 2 to 8 years.

You have been viewing or distributing prohibited Pornographic content (Child Porno/ Zoofilia and etc). Thus violating article 202 of the Criminal Code of United States of America. Article 202 of the Criminal Code provides for a deprivation of liberty for 4 to 12 years.

Illegal access has been initiated from your PC without your knowledge or consent, your PC may be infected by malware, thus you are violating the law of Neglectful Use of Personal Computer. Article 210 of the Criminal Code provides for a fine of up to $100,000 and/or a deprivation of liberty for 4 to 9 years.

Pursuant to the amendment to the Criminal Code of United States of America of August 28, 2012, this law infringement (if it is not repeated - first time) may be considered as conditional in case you pay the fine to the State.

Fines may be paid within 72 hours after the infringement. As soon as 72 hours elapse, the possibility to pay the fine expires, and a criminal case is initiated against you automatically within the next 72 hours!

To unblock the computer, you must pay the fine through MoneyPak of $200.

Remember that this is a computer infection and that your computer has not actually been locked by the FBI or the Department of Justice. Therefore, ignore this screen and do not pay the ransom. Instead use the free removal guide below to remove the Urausy ransomware from your computer.

Self Help Guide

This guide contains advanced information, but has been written in such a way so that anyone can follow it. Please ensure your data is backed up before proceeding.

If you are uncomfortable making changes to your computer or following these steps, do not worry! Instead you can get free one-on-one help by asking in the forums.
  1. For the first part of this removal guide you will need to use a different computer than the infected one as you will not be able to access your screen or the Internet from the infected computer.

  2. On a clean computer, start a web browser, and download and save the Emsisoft Emergency Kit to your desktop from the link below:

    https://www.bleepingcomputer.com/download/emsisoft-emergency-kit/

    Once you are at the above page, please click on the Download Now button. Please note that this is a large download, so please be patient while it downloads.

  3. When the file has finished downloading, please burn it onto a CD or save it to a USB drive so that you can transfer the file to the infected computer.

  4. When you have finished saving the Emergency Kit to removable media, please reboot the infected computer. While the computer is starting, begin tapping the F8 key on your keyboard repeatedly. This will open the Advanced Boot Options screen in Windows 7 or Vista, or the Windows Advanced Options Menu in Windows XP. Safe Mode with Command Prompt is used because in that mode Windows starts cmd.exe rather than the shell program the ransomware has registered, so the lock screen does not load. The screen that you need to get to will look similar to the one below.


    Advanced Boot Options

    At the above screen you will see a variety of options that can be used to boot Windows. Using the arrow keys on your keyboard, highlight the option labeled Safe Mode with Command Prompt. Once it is highlighted, press the Enter key on your keyboard.

  5. Windows will now start and if you have multiple accounts or a password on your single account, you will be presented with a screen asking you to login to Windows. Please select your account and enter any password that you may have. When done, the Windows Command Prompt will open and you will see a screen similar to the one below.


    Safe Mode With Command Prompt

    The Command Prompt allows you to type commands and then press Enter on your keyboard to execute them. In this Command Prompt window, please type explorer.exe and then press Enter on your keyboard.

  6. The Windows desktop will now appear. When the desktop appears you can then close the Command Prompt window by clicking on the X.

  7. Now insert your CD or USB drive and copy the EmsisoftEmergencyKit.exe that you downloaded on your clean computer to the desktop of the infected one.

  8. Once the file has been copied, double-click on the EmsisoftEmergencyKit.exe and click on the Accept & Extract button to install the emergency kit to the C:\EEK folder. When the program has finished extracting, it will automatically start as shown below.



    Emsisoft Emergency Kit Launcher


    Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons.

  9. You will now be shown an update screen prompting you to check for an update.



    Update prompt


    Please click on the NO button as you will not be able to update the program while in Safe Mode with Command Prompt.

  10. You will now be at the main screen for the Emsisoft Emergency Kit as shown below.



    Emsisoft Emergency Kit main screen


    Now click on the Scan PC option in the left hand navigation menu.

  11. You will now be at the Scan PC screen as shown below.



    Scan PC Screen


    Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer.

  12. When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen as shown in the image below.



    Scan Results


    Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program.

  13. Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.

  14. As this infection is known to be installed by exploiting vulnerabilities in outdated and insecure programs, it is strongly suggested that you use Secunia PSI to scan for vulnerable programs on your computer. A tutorial on how to use Secunia PSI to scan for vulnerable programs can be found here:

    How to detect vulnerable and outdated programs using Secunia Personal Software Inspector


Your computer should now be free of the Urausy FBI Ransomware infection. If your current anti-virus solution let this infection through, you may want to consider purchasing the full version of Emsisoft Anti-malware to protect your computer against these types of threats in the future.

View Associated Urausy Trojan Files

%AppData%\skype.dat

File Location Notes:

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming. Because this folder is writable by the user, the malware can drop its loader there without administrative rights.

View Associated Urausy Trojan Registry Information

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,%AppData%\skype.dat"
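The Shell value above is the whole persistence mechanism: Winlogon launches every comma-separated program listed there, so the real explorer.exe comes up and skype.dat (the screenlocker) is started on top of it. The script below is an added example for this guide, not code from BleepingComputer or Emsisoft. Its parsing and verdict logic is plain Python and runs anywhere with constructed sample values (one of them is the value listed above); reading the live registry uses the standard winreg module and therefore only happens when the script is run on Windows. The list of user-writable profile variables it checks against is the author's assumption of what a legitimate shell should never be loaded from.

```python
"""Check the per-user Winlogon Shell value that Urausy hijacks for persistence.

Added example for this guide; not code from BleepingComputer or Emsisoft.
Analysis functions are plain Python; reading the live registry uses winreg
and so only happens on Windows.
"""
from __future__ import annotations

import sys

# Urausy writes its loader here (see the registry information in the guide).
WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"

# Profile locations a standard user can write to (assumed list); a shell
# program loaded from one of these is almost never legitimate.
USER_WRITABLE_PREFIXES = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%")

# Constructed sample values for offline use; "urausy" is the guide's IOC.
SAMPLE_VALUES = {
    "clean profile": None,
    "explicit default": "explorer.exe",
    "urausy": r"explorer.exe,%AppData%\skype.dat",
}


def parse_shell_value(value: str) -> list[str]:
    """Split a Shell value into the programs Winlogon will launch.

    Every comma-separated entry is started, so "explorer.exe,%AppData%\\skype.dat"
    brings up the real desktop and the screenlocker on top of it.
    """
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def extra_shell_entries(value: str) -> list[str]:
    """Everything in the value other than the default explorer.exe."""
    return [e for e in parse_shell_value(value) if e.lower() != DEFAULT_SHELL]


def classify_shell_value(value: str | None) -> dict:
    """Give a verdict on a per-user (HKCU) Winlogon Shell value.

    A clean profile normally has no Shell value under HKCU at all; Winlogon
    then uses the machine-wide value, which is explorer.exe. Anything extra
    is reported together with the reason it looks wrong.
    """
    if value is None:
        return {"verdict": "clean", "extra": [], "reason": "no per-user Shell value (default)"}
    extra = extra_shell_entries(value)
    if not extra:
        return {"verdict": "clean", "extra": [], "reason": "only explorer.exe"}
    reasons = []
    for entry in extra:
        lowered = entry.lower()
        if lowered.startswith(USER_WRITABLE_PREFIXES):
            reasons.append(f"{entry}: loaded from a user-writable profile path")
        elif not lowered.endswith(".exe"):
            reasons.append(f"{entry}: program disguised with a non-.exe extension")
        else:
            reasons.append(f"{entry}: unexpected extra shell program")
    return {"verdict": "suspicious", "extra": extra, "reason": "; ".join(reasons)}


def read_hkcu_shell() -> str | None:
    """Read HKCU\\...\\Winlogon\\Shell on Windows; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only

    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINLOGON_KEY) as key:
            value, _value_type = winreg.QueryValueEx(key, "Shell")
            return str(value)
    except FileNotFoundError:  # key or value does not exist: the normal case
        return None


def main() -> None:
    if sys.platform == "win32":
        print("live HKCU Shell value:", classify_shell_value(read_hkcu_shell()))
    for name, value in SAMPLE_VALUES.items():
        print(f"{name}: {classify_shell_value(value)}")


if __name__ == "__main__":
    main()
```

From the Safe Mode command prompt in step 5 the same value can be viewed without Python using `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell`; a clean profile reports that the value does not exist. Quarantining skype.dat alone is not enough, since a Shell value that still points at a missing file leaves a trace behind; the Emergency Kit scan in the guide removes both the file and the value.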

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.
