What is Fake Ransom?
The Malwarebytes research team has determined that Fake Ransom is fake ransomware. These so-called "fake ransomware" programs try to trick you into paying for encrypted files, even though they haven't encrypted anything or have no way of giving the files back to you.
How do I know if my computer is affected by Fake Ransom?
You will see this screen as soon as the executable is run:
How did Fake Ransom get on my computer?
Fake ransomware programs use different methods for distributing themselves. This particular one was a mail attachment.
How do I remove Fake Ransom?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
- To get rid of the notice, use the Ctrl-Alt-Del key combination to access Task Manager.
- In Task Manager, select the process called receipt69.exe and click on the "End Process" button.
- This should give you access to your desktop.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes Fake Ransom completely.
We hope our application and this guide have helped you eradicate this screen hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against Fake Ransom.
Technical details for experts
You may see these entries in FRST logs:
HKCU\...\Run: [WindowsApplication1] => C:\Users\{username}\AppData\Local\Temp\receipt69.exe [77312 2016-12-12] () <===== ATTENTION
C:\Users\{username}\AppData\Local\Temp\receipt69.exe

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
In the existing folder C:\Users\{username}1\AppData\Local\Temp
Adds the file receipt69.exe

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsApplication1"="REG_SZ", "C:\Users\{username}1\AppData\Local\Temp\receipt69.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted]
"C:\Users\{username}\Desktop\shit.exe"="REG_DWORD", 1

Malwarebytes Anti-Malware log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 12/14/16
Scan Time: 2:21 PM
Logfile: mbamFakeRansom.txt
Administrator: Yes

-Software Information-
Version: 3.0.4.1269
Components Version: 1.0.39
Update Package Version: 1.0.728
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}-PC\{username}

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351404
Time Elapsed: 9 min, 17 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 1
Trojan.Agent.MSIL, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WindowsApplication1, Delete-on-Reboot, [210], [353006],1.0.728

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 2
Trojan.Agent.MSIL, C:\USERS\{username}\APPDATA\LOCAL\TEMP\RECEIPT69.EXE, Delete-on-Reboot, [210], [353006],1.0.728
Trojan.Agent.MSIL, C:\USERS\{username}\DESKTOP\SHIT.EXE, Delete-on-Reboot, [210], [353006],1.0.728

Physical Sector: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
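For triaging the FRST Run entries shown under the technical details, the following is an added example (not Malwarebytes or FRST code) that parses Run/RunOnce lines and flags autoruns that launch from a Temp directory or carry no publisher. The regular expression is based on the single FRST line on this page, and the `ExampleUpdater` line is a constructed benign sample.

```python
import re
from typing import Optional

# Assumed FRST layout, inferred from the one entry shown on this page:
#   <hive>\...\Run: [<value name>] => <target> [<size> <date>] (<publisher>)
RUN_LINE = re.compile(
    r"^(?P<hive>HK(?:LM|CU|U\\[^\\]+))\\\.\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] => (?P<target>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<publisher>[^)]*)\))?"
    r"(?P<attention> <=+ ATTENTION)?\s*$"
)
# Directories that legitimate autoruns rarely start from.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# First line is constructed; second line is the entry from this page.
SAMPLE_LOG = r"""
HKLM\...\Run: [ExampleUpdater] => C:\Program Files (x86)\Example\updater.exe [102400 2016-11-20] (Example Corp)
HKCU\...\Run: [WindowsApplication1] => C:\Users\{username}\AppData\Local\Temp\receipt69.exe [77312 2016-12-12] () <===== ATTENTION
"""

def triage(line: str) -> Optional[dict]:
    """Parse one FRST Run line; return its fields plus the reasons it looks suspicious."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None  # not a Run/RunOnce entry
    entry = m.groupdict()
    reasons = []
    if TEMP_DIR.search(entry["target"]):
        reasons.append("autorun target is in a Temp directory")
    if not entry["publisher"]:
        reasons.append("no publisher in file metadata")
    if entry["attention"]:
        reasons.append("FRST marked the entry ATTENTION")
    entry["reasons"] = reasons
    return entry

def suspicious_run_entries(log_text: str) -> list:
    """Return every Run entry in the log that has at least one reason attached."""
    parsed = (triage(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e["reasons"]]

if __name__ == "__main__":
    for e in suspicious_run_entries(SAMPLE_LOG):
        print(f'{e["hive"]} {e["key"]} [{e["name"]}] -> {e["target"]}')
        for reason in e["reasons"]:
            print(f"    - {reason}")
```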