
'Windows Troubleshooter' Technical Support Scam

The 'Windows Troubleshooter' Technical Support Scam is a campaign launched by con artists who attempt to sell a fake system restore utility. The scam is facilitated by several tools downloaded onto the victim's PC through what is promoted as a cracked copy of a shareware (paid) program. The scammers use P2P and open file-sharing networks to distribute a package that includes csrvc.exe, BSOD.exe, troubleshoot.exe, scshtrv.exe and adwizz.exe. These tools are used to produce a fake Blue Screen of Death, load advertisements and generate a program window titled 'Troubleshooting Windows.' The messages used by the 'Windows Troubleshooter' Technical Support Scam aim to confuse and scare users and to present a fake troubleshooting instrument that is supposed to recover the system. The applications launched in the 'Windows Troubleshooter' Technical Support Scam are downloaded from the hxxp://hitechnovation[.]com site, registered to the 182.50.132.48 IP address.

  • adwizz.exe (SHA-256: 5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f) is used to load advertisements from Banggood.com in the background and earn ad revenue. The app is flagged as:
    Artemis!8606B485B012
    Suspicious_GEN.F47V1013
    Troj.Horse.Gen!c
    Trojan.Ransom.TechSupportScam
  • BSOD.exe (SHA-256: 9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c), as the name suggests, is used to produce the fake Blue Screen of Death. The app is flagged as:
    Suspicious_GEN.F47V1116
    TR/Spy.Gen
    Trojan/Win32.Agent.C2274128
    Win32.Trojan.Spy.Dxdc
  • csrvc.exe (SHA-256: 60c77f3c0e91218402f4b10ab8f5ecdff4812a1582d699f50664a1dd57a61556) is responsible for disabling the Task Manager, the Registry Editor and File Explorer on Windows. The app is flagged as:
    MSIL/Agent.BGC!tr.spy
    Spyware ( 0051b17d1 )
    TROJ_GEN.R002H0AKD17
    Trojan.Generic.22622103
  • scshtrv.exe (SHA-256: ad2d8ad87b2a8b475b11a3fb09d8d6a03d64ab41801cbf57e4bc250f8dfd1e25) and winsrvhst.exe (SHA-256: 5638c04e9d6c863df5993f84cc43778b50e77ccabf9f05c76df00dba3e01a920) are designed to take a screenshot of the desktop and upload it to the threat actors' 'Command and Control' server. The apps are flagged as:
    MSIL/Agent.BEU!tr.spy
    Spyware ( 00518c121 )
    TROJ_GEN.R002C0DKB17
    Trojan.GenericKD.12549367
    Trojan.MSILPerseus.D2012A
    UDS:DangerousObject.Multi.Generic
  • troubleshoot.exe (SHA-256: 442b6a45b6d786589bd8f85043f04388f565b57e8b797853c18840b270af254b) is the program window titled 'Troubleshooting Windows.' The fake troubleshooting app displays a long list of supposedly missing DLLs and offers to sell the user 'Windows Defender Essentials' via PayPal. The app is flagged as:
    FileRepMalware
    Rogue.TechSupportScam
    Suspicious_GEN.F47V1125
    Trojan/Win32.Agent.C2274119

Cyber security experts note that the 'Windows Troubleshooter' Technical Support Scam features several layers of misleading tactics and mechanisms to prevent PC users from regaining control of the infected machine. Another notable feature of the 'Windows Troubleshooter' program is that it injects code into the default Web browser and loads a custom payment page where users are supposed to log in with PayPal and pay for the 'Windows Defender Essentials' package. As mentioned above, the 'Windows Troubleshooter' Technical Support Scam aims to sell fake system recovery software, and the tools used to lock the user out of the PC may also be used to deploy another malware payload. It is recommended to boot into Safe Mode without Networking and run a complete system scan with a reputable anti-malware utility.
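As an added example that is not part of this page or of any vendor's tooling, the following Python script checks a directory for the components listed above, matching on the SHA-256 values the page gives (high confidence) or on the file name alone (low confidence); the directory paths and function names are assumptions made for the example.

```python
# Added example (not from the page): scan a directory for the 'Windows Troubleshooter'
# scam components listed above, matching on SHA-256 (high confidence) or on file
# name alone (low confidence, since a name is trivial to change). Hashes and names
# come from the page; paths and function names are constructed for this example.
import hashlib
import os
from typing import Dict, List, Tuple

# SHA-256 -> component name, exactly as listed on the page
KNOWN_HASHES: Dict[str, str] = {
    "5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f": "adwizz.exe",
    "9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c": "BSOD.exe",
    "60c77f3c0e91218402f4b10ab8f5ecdff4812a1582d699f50664a1dd57a61556": "csrvc.exe",
    "ad2d8ad87b2a8b475b11a3fb09d8d6a03d64ab41801cbf57e4bc250f8dfd1e25": "scshtrv.exe",
    "5638c04e9d6c863df5993f84cc43778b50e77ccabf9f05c76df00dba3e01a920": "winsrvhst.exe",
    "442b6a45b6d786589bd8f85043f04388f565b57e8b797853c18840b270af254b": "troubleshoot.exe",
}
KNOWN_NAMES = {name.lower() for name in KNOWN_HASHES.values()}


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Return (path, confidence, reason) for every file matching a page IOC."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if digest in KNOWN_HASHES:
                findings.append((path, "high", f"SHA-256 matches {KNOWN_HASHES[digest]}"))
            elif name.lower() in KNOWN_NAMES:
                findings.append((path, "low", "file name matches a listed component"))
    return findings


if __name__ == "__main__":
    import sys
    for path, confidence, reason in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{confidence}] {path}: {reason}")
```

A name-only hit is a prompt to inspect the file, not proof of infection; a hash hit identifies one of the listed samples exactly, so a repacked build will need a fresh hash.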
