Jump to content

Removal instructions for Fake Ransom


Recommended Posts

  • Staff
What is Fake Ransom?

The Malwarebytes research team has determined that Fake Ransom is fake Ransomware. These so-called "fake Ransomwares" try to trick you into paying for encrypted files, while they haven't encrypted anything or have no way of giving the files back to you.

How do I know if my computer is affected by Fake Ransom?

You will see this screen as soon as the executable is run:

main.png

How did Fake Ransom get on my computer?

Fake Ransomwares use different methods for distributing themselves. This particular one was a mail attachment.

How do I remove Fake Ransom?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
  • To get rid of the notice use the Ctrl-Alt-Del key combination to access Taskmanager.
  • In Taskmanager select te process called receipt69.exe and click on the "End Process" button.
    taskmgr.png
  • This should give you access to your desktop.
  • Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
Is there anything else I need to do to get rid of Fake Ransom?
  • No, Malwarebytes' Anti-Malware removes Fake Ransom completely.
How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this screen hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Fake Ransom.
 

protection1.png


Technical details for experts

You may see these entries in FRST logs:
 
 HKCU\...\Run: [WindowsApplication1] => C:\Users\{username}\AppData\Local\Temp\receipt69.exe [77312 2016-12-12] () <===== ATTENTION
 C:\Users\{username}\AppData\Local\Temp\receipt69.exe
Alterations made by the installer:
 
File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Users\{username}1\AppData\Local\Temp
     Adds the file receipt69.exe

Registry details [View: All details] (Selection)
------------------------------------------------
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
       "WindowsApplication1"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\receipt69.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
       "C:\Users\{username}\Desktop\shit.exe"="REG_DWORD", 1
Malwarebytes Anti-Malware log:
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/14/16
Scan Time: 2:21 PM
Logfile: mbamFakeRansom.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.728
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351404
Time Elapsed: 9 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Agent.MSIL, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsApplication1, Delete-on-Reboot, [210], [353006],1.0.728

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Agent.MSIL, C:\USERS\{username}\APPDATA\LOCAL\TEMP\RECEIPT69.EXE, Delete-on-Reboot, [210], [353006],1.0.728
Trojan.Agent.MSIL, C:\USERS\{username}\DESKTOP\SHIT.EXE, Delete-on-Reboot, [210], [353006],1.0.728

Physical Sector: 0
(No malicious items detected)


(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention
Save yourself the hassle and get protected.
Edited by Metallica
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.