'Windows Troubleshooter' Technical Support Scam
The 'Windows Troubleshooter' Technical Support Scam is a campaign run by con artists who try to sell a fake system restore utility. It relies on several tools dropped on the victim's PC through what is promoted as a cracked copy of a paid program. The scammers use P2P and open file-sharing networks to distribute a package that includes csrvc.exe, BSOD.exe, troubleshoot.exe, scshtrv.exe, winsrvhst.exe and adwizz.exe. These tools produce a fake Blue Screen of Death, load advertisements and display a program window titled 'Troubleshooting Windows.' The messages shown by the scam are meant to confuse and scare users while offering a fake troubleshooting tool that supposedly recovers the system. The applications used in the 'Windows Troubleshooter' Technical Support Scam are downloaded from hxxp://hitechnovation[.]com, hosted at 182.50.132.48.
- adwizz.exe (SHA-256: 5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f) loads advertisements from Banggood.com in the background to earn ad revenue for the operators. The app is flagged as:
  Artemis!8606B485B012
  Suspicious_GEN.F47V1013
  Troj.Horse.Gen!c
  Trojan.Ransom.TechSupportScam
- BSOD.exe (SHA-256: 9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c), as the name suggests, produces the fake Blue Screen of Death. The app is flagged as:
  Suspicious_GEN.F47V1116
  TR/Spy.Gen
  Trojan/Win32.Agent.C2274128
  Win32.Trojan.Spy.Dxdc
- csrvc.exe (SHA-256: 60c77f3c0e91218402f4b10ab8f5ecdff4812a1582d699f50664a1dd57a61556) disables Task Manager, the Registry Editor and File Explorer so the user cannot end the scam's processes or undo its changes. The app is flagged as:
  MSIL/Agent.BGC!tr.spy
  Spyware ( 0051b17d1 )
  TROJ_GEN.R002H0AKD17
  Trojan.Generic.22622103
- scshtrv.exe (SHA-256: ad2d8ad87b2a8b475b11a3fb09d8d6a03d64ab41801cbf57e4bc250f8dfd1e25) and winsrvhst.exe (SHA-256: 5638c04e9d6c863df5993f84cc43778b50e77ccabf9f05c76df00dba3e01a920) take a screenshot of the desktop and upload it to the threat actors' command and control server. Both are flagged as:
  MSIL/Agent.BEU!tr.spy
  Spyware ( 00518c121 )
  TROJ_GEN.R002C0DKB17
  Trojan.GenericKD.12549367
  Trojan.MSILPerseus.D2012A
  UDS:DangerousObject.Multi.Generic
- troubleshoot.exe (SHA-256: 442b6a45b6d786589bd8f85043f04388f565b57e8b797853c18840b270af254b) draws the program window titled 'Troubleshooting Windows.' The fake troubleshooting app displays a long list of supposedly missing DLLs and prompts the user to buy 'Windows Defender Essentials' via PayPal. The app is flagged as:
  FileRepMalware
  Rogue.TechSupportScam
  Suspicious_GEN.F47V1125
  Trojan/Win32.Agent.C2274119
Security researchers note that the 'Windows Troubleshooter' Technical Support Scam layers several misleading tactics and mechanisms to keep PC users from regaining control of the infected machine. Another notable feature of the 'Windows Troubleshooter' program is that it injects code into the default Web browser and loads a custom payment page where users are supposed to log in with PayPal and pay for the 'Windows Defender Essentials' package; any PayPal credentials entered on that page should be treated as compromised. As noted above, the scam exists to sell fake system recovery software, and the tools used to lock you out of the PC could just as easily deploy another malware payload. Because scshtrv.exe and winsrvhst.exe upload desktop screenshots, anything displayed on screen while the package was running may also have been exposed. It is recommended to boot into Safe Mode without networking (so the components cannot reach their server or load ads), run a complete system scan with a reputable anti-malware utility, and restore access to Task Manager and the Registry Editor before returning to normal mode.
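The following PowerShell triage script is an added example, not code from the original write-up or from the scam's authors. It uses the file names, SHA-256 hashes, domain and IP address listed above to stop running components, locate dropped copies, and clear the lockout that csrvc.exe imposes. The search roots, the DNS-cache check and the specific registry policy values (DisableTaskMgr and DisableRegistryTools under the per-user Policies\System key) are assumptions: the write-up states that Task Manager and the Registry Editor are disabled but not how, and these are the standard Windows policies that produce that effect. Run it from an elevated PowerShell session in Safe Mode, as recommended above.

```powershell
# Added example (not from the original write-up): triage for the
# 'Windows Troubleshooter' scam package. IOC names and hashes come from the
# write-up; search roots, policy values and the DNS-cache check are assumed.

# SHA-256 values as listed in the write-up, keyed by dropped file name.
$Iocs = @{
    'adwizz.exe'       = '5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f'
    'BSOD.exe'         = '9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c'
    'csrvc.exe'        = '60c77f3c0e91218402f4b10ab8f5ecdff4812a1582d699f50664a1dd57a61556'
    'scshtrv.exe'      = 'ad2d8ad87b2a8b475b11a3fb09d8d6a03d64ab41801cbf57e4bc250f8dfd1e25'
    'winsrvhst.exe'    = '5638c04e9d6c863df5993f84cc43778b50e77ccabf9f05c76df00dba3e01a920'
    'troubleshoot.exe' = '442b6a45b6d786589bd8f85043f04388f565b57e8b797853c18840b270af254b'
}

# Assumption: csrvc.exe locks out Task Manager and regedit through the
# standard per-user policy values below. The write-up only states the effect.
$PolicyKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$LockoutValues = @('DisableTaskMgr', 'DisableRegistryTools')

# Kill any running copy of the dropped executables before touching files.
function Stop-ScamProcesses {
    $names = $Iocs.Keys | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "Stopping $($_.ProcessName) (PID $($_.Id)) $($_.Path)"
        Stop-Process -Id $_.Id -Force
    }
}

# Walk likely drop locations (assumed; the write-up gives no path) and report
# every file whose name matches, noting whether the hash matches as well.
# A name match with a different hash is still worth a look (a rebuilt sample).
function Find-ScamArtifacts {
    param([string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, $env:PUBLIC))
    $names = [string[]]$Iocs.Keys
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include $names -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha256    = $hash
                    HashMatch = ($hash -eq $Iocs[$_.Name])
                }
            }
    }
}

# Return the names of lockout policy values currently set to 1.
function Get-LockoutPolicies {
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return @() }
    $props = Get-ItemProperty -LiteralPath $PolicyKey
    @($LockoutValues | Where-Object { $props.PSObject.Properties[$_] -and $props.$_ -eq 1 })
}

# Clear the lockout so Task Manager and regedit work again.
function Remove-LockoutPolicies {
    foreach ($name in @(Get-LockoutPolicies)) {
        Remove-ItemProperty -LiteralPath $PolicyKey -Name $name
        Write-Host "Removed $PolicyKey\$name"
    }
}

# A cached resolution of the distribution domain (or its IP) is a cheap sign
# that the package was fetched from this machine. Cmdlet exists on Windows 8+.
function Test-DistributionDomainContact {
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    @($cache | Where-Object { $_.Entry -like '*hitechnovation.com*' -or $_.Data -eq '182.50.132.48' })
}

Stop-ScamProcesses
Find-ScamArtifacts | Format-Table -AutoSize
$locked = @(Get-LockoutPolicies)
if ($locked.Count -gt 0) {
    Write-Host "Lockout policies set: $($locked -join ', ')"
    Remove-LockoutPolicies
}
if ((Test-DistributionDomainContact).Count -gt 0) {
    Write-Host 'DNS cache shows contact with the distribution domain.'
}
```

The script only reports file hits rather than deleting them, so that samples can be preserved for the anti-malware scan and for analysis; a hash that differs from the write-up's value for the same file name should be treated as a new build rather than dismissed. The policy check covers HKCU only; if a scan shows the same values under the HKLM Policies\System key, clear those too.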