I hope this post helps one of my users or students avoid this tech support scam malware infection.
This past week I had a client drop off a laptop with what he thought was a problem with Windows 10, its license and its files. The laptop would turn on and, as soon as the user logged in, a message vaguely disguised as a Microsoft alert would pop up. If you closed it, it would come back at each login. See the message below. To the average computer user this may be scary. For those who know better, it is clearly a tech support scam.
Let's look closer at the message: “Your Computer Has Been Infected With Ransomware And Malware. Microsoft Inc. Error 00×890186… etc.” Also notice the phone number at the top of the warning message.
Here are a few things that should tip you off that this is a fake alert message.
- The bad word capitalization (every word is capitalized)
- The bad spacing between sentences
- The fact that there is a phone number to call (genuine Windows error messages never ask you to call anyone)
- If you search Google for the error number, it does not exist
For my clients, students or followers: if you ever encounter an alert similar to this, please call me, or another reputable computer repair shop, directly. Never call a number shown in the alert box itself.
What could happen if you fall for this Tech Support Scam
There are several possible outcomes if you fall for this scam. I will mention one specific incident that a former client encountered a few years back. If you call the “tech support” number listed, you will likely reach a “tech support technician” from outside of the USA. They would probably ask for a credit card number and charge you a very large amount of money to “fix” the problem. Next, they would likely use some fancy buzzwords to try to convince you that it is legitimate. The “technician” would then connect to your computer remotely to “remove” the malware causing the popup to appear. What you may not realize is that once they are connected, they have complete access to any information on your PC, not to mention the credit card number you gave them in the first place.
How to remove this type of infection
In this case I looked at some of the usual places where this type of infection can reside, including the Windows registry, the Windows Startup folders, Windows Services and Windows Processes. This infection was caused by a Visual Basic script that was installed into the Windows Startup folder. The script would run when any user logged into the system and would then display the popup alert box.
For this specific script, simply removing it from the Startup folder stopped the popup from showing.
As one of my go-to programs, I installed and ran a full Malwarebytes scan. When the full scan finished, I removed any other infections it found.
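The check described above, as an added example that is not part of the original post: a read-only PowerShell listing of the per-user and all-users Startup folders and the Run/RunOnce registry keys, flagging script-type entries such as the .vbs file found in this case. It assumes PowerShell 5.1 or later on the affected machine; the SUSPECT label and the extension list are my own heuristics, not a verdict.

```powershell
# Added example (not the author's tooling): list the login-persistence
# locations named in the post and flag entries that launch script files.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Extensions that Windows will execute at login via the script host or shell.
$scriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.bat', '.cmd', '.ps1', '.lnk')
# Properties PowerShell adds to every registry value object; not real entries.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Output '== Startup folder contents =='
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force also shows hidden files, which malware often sets to stay out of sight.
    Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
        $flag = if ($scriptExtensions -contains $_.Extension.ToLower()) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}  (modified {2:u})' -f $flag, $_.FullName, $_.LastWriteTime
    }
}

Write-Output '== Run / RunOnce registry values =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $values = Get-ItemProperty -LiteralPath $key
    foreach ($p in $values.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        # A command line that names a script file or a script host is worth a closer look.
        $flag = if ("$($p.Value)" -match '\.(vbs|vbe|js|jse|wsf|hta)\b|wscript|cscript|mshta') { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}\{2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}
```

Move any SUSPECT file out of the Startup folder into a quarantine directory rather than deleting it, so it can still be examined; taking it out of the Startup folder is what stopped the popup in the case described.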
When to fully reinstall Windows 10
In some cases it may be safer to fully wipe your hard drive clean and reinstall Windows 10. On this computer I found a keylogger installed.
What is a keylogger?
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. The recorded data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.
For more information, see this article from the Malwarebytes website.
This client did not fall for the tech support scam and did not have any critical or important files on the laptop, so I recommended a full clean reinstall of Windows 10. I also recommended that all passwords be changed and that he keep an eye out for any strange bank transactions.
This may not be the only way to fix this type of Tech Support Scam but “ITFIXED it for Me”. For more “ItFixed it for Me” articles please click here.