
"Unable to determine ransomware" - only have screen shot, please advise

4 replies to this topic

#1 Sierra7


  • Members
  • 2 posts
  • Local time:02:27 AM

Posted 27 November 2016 - 11:38 AM

Ref case: SHA1: d752629e7fed54d4ccc7163e8f6bbb4efe2a558c


Would be most appreciative if you could help me identify this ransomware.  It has infected both my mother's and my father's computers.  I am only able to provide a screen shot of the ransomware message, which I uploaded to the ID Ransomware tool.  Unable to figure out how to attach the screen shot to this post, however.


It is a white text, blue background message, with two additional warning popups from a "Microsoft Support Desk" that provides a toll free number to call.  It does not ask for money in the message, but my father (unfortunately) did call the number, at which point they asked him for a lot of information about his computer and network settings, and eventually were able to take control of his computer by doing a screen share, at which point my father says the cursor was moving around on the screen by itself and lots of windows were being opened and changes were being made.  Then, the "help desk" people demanded money and threatened to report him to the authorities if he did not pay a fee for them to fix the problems, citing evidence of "illegal activities" they had located on his computer.  My father is a 71 year old retiree with not so much as a parking ticket his entire life!


Thanks very much in advance for your help




#2 thyrex


  • Members
  • 597 posts
  • Gender:Male
  • Location:Belarus
  • Local time:10:27 AM

Posted 27 November 2016 - 12:02 PM

You can also upload screenshot on https://www.sendspace.com and give us download link 

Microsoft MVP 2012-2016 Consumer Security

Microsoft Reconnect 2016

#3 Sierra7

  • Topic Starter

  • Members
  • 2 posts
  • Local time:02:27 AM

Posted 27 November 2016 - 12:21 PM

Uploaded screenshot to sendspace.  Here's the link: https://www.sendspace.com/file/b9yjjs


#4 Demonslay335


    Ransomware Hunter

  • Security Colleague
  • 3,579 posts
  • Gender:Male
  • Location:USA
  • Local time:01:27 AM

Posted 27 November 2016 - 04:22 PM

That isn't ransomware, just a tech support scam. If it was ransomware, it would have actually infected the system and either locked your screen until the demands are paid (screenlocker), or your files would actually be encrypted and/or renamed.

Simply kill the browser and you are probably fine. If they actually were allowed into the system, however, run scans and check installed programs to make sure they didn't leave any "presents" (or presence) behind. You can look up some of the wording online to find removal guides with more in-depth instructions - only trust those from a reputable site such as BleepingComputer. I can get a trustworthy link for you later when I'm not mobile if needed.

Edit: Here's a guide you can follow. All of the tools they suggest are reputable and recommended here as well.


P.S. ID Ransomware can't detect screenshots. I don't have Google-level OCR and AI available to me so easily. :P

Edited by Demonslay335, 27 November 2016 - 04:29 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,937 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:27 AM

Posted 28 November 2016 - 07:36 AM

Fake ransomware has become an increasingly common scam tactic over the past several years. In some cases it may involve Ranscam (Scam Ransomware) or Tech Support Scamming using browser pop-ups and web pages indicating that "your computer is infected with ransomware", "all your files are encrypted" and similar "fake messages". In other cases, it may involve telephone scammers such as the Startup Password computer ransom lockout scam indicating the computer is configured to require a password in order to start up.

Some types of malware will modify the Master Boot Record (MBR) so that it displays a message indicating your computer has been encrypted and that you will be unable to access your data unless you pay a ransom. Actual ransomware infections typically target and encrypt data files, append an obvious extension to the end of encrypted filenames, demand a ransom payment by dropping ransom notes in every directory/affected folder where data has been encrypted, but leave the operating system working so the victim can pay the ransom.

If there are no obvious extensions appended to your file names, no ransom notes and your data is not actually encrypted, then you most likely are dealing with a fake ransomware scam or something else.

You may want to read Beware of Phony Emails & Tech Support Scams which includes recommendations for performing scans with specialized programs to check your system.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
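
The three hallmarks quietman7 lists above (a foreign extension appended after the original one, ransom notes dropped per folder, and file contents that are actually encrypted) can be checked on disk rather than eyeballed. The script below is an added example written for this page; it is not code from the thread, from BleepingComputer, or from ID Ransomware. The data-extension list, the ransom-note filename pattern and the 7.5 bits/byte entropy cutoff are all assumptions, and the two sample trees it builds are constructed test data. It reports "none" when nothing on disk has been touched, which is the situation in this thread.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed list of ordinary data-file extensions. A real infection typically
# leaves these in place and tacks a foreign suffix after them ("photo.jpg.locked").
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}

# Assumed ransom-note filename pattern; real families use many names, this only
# catches the common "how to recover/decrypt" style of note.
NOTE_RE = re.compile(r"(readme|recover|decrypt|restore|how_to|help).*\.(txt|html|hta)$", re.I)

# Assumed cutoff in bits per byte above which file contents look encrypted.
# Compressed formats (zip, jpg) also score high, so entropy is only a supporting signal.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def appended_extension(path: Path):
    """Return the foreign suffix when a known data extension is followed by one, else None."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) >= 2 and suffixes[-2] in DATA_EXTS and suffixes[-1] not in DATA_EXTS:
        return suffixes[-1]
    return None


def triage(root) -> dict:
    """Walk `root` and report the three hallmarks: appended extensions, ransom notes, encrypted contents."""
    root = Path(root)
    appended = Counter()
    note_folders = set()
    encrypted = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if NOTE_RE.search(p.name):
            note_folders.add(str(rel.parent))
            continue  # a note is plain text; do not score it for entropy
        ext = appended_extension(p)
        if ext:
            appended[ext] += 1
        with p.open("rb") as f:
            head = f.read(4096)  # first 4 KiB is enough to judge entropy
        if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(str(rel))

    if appended and note_folders and encrypted:
        verdict = "real"          # all three hallmarks present
    elif appended or note_folders or encrypted:
        verdict = "suspicious"    # partial evidence; inspect by hand
    else:
        verdict = "none"          # nothing on disk was touched: scare page / phone scam
    return {
        "verdict": verdict,
        "appended": dict(appended),
        "note_folders": sorted(note_folders),
        "encrypted": sorted(encrypted),
    }


def demo() -> dict:
    """Build two constructed sample trees in a temp dir and triage both."""
    base = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    infected = base / "infected" / "Documents"
    clean = base / "clean" / "Documents"
    infected.mkdir(parents=True)
    clean.mkdir(parents=True)

    # Constructed "infected" tree: two renamed files with random (encrypted-looking)
    # contents and a ransom note in the same folder.
    (infected / "report.docx.locked").write_bytes(os.urandom(4096))
    (infected / "photo.jpg.locked").write_bytes(os.urandom(4096))
    (infected / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover.\n")

    # Constructed "clean" tree, as the victim of a scare page or phone scam would have:
    # ordinary names, ordinary contents, nothing appended.
    (clean / "report.docx").write_bytes(b"quarterly numbers\n" * 200)
    (clean / "photo.jpg").write_bytes(b"not really a jpeg, just plain bytes\n" * 100)
    return {"infected": triage(infected), "clean": triage(clean)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a user's Documents folder with `triage(r"C:\Users\name\Documents")`; a "none" verdict means the scare message was only a web page or a phone call, and the remaining work is the scan for leftover remote-access tools that Demonslay335 describes, not file recovery.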
