A new tech support scam has been discovered that shows a fake BSOD, or Blue Screen of Death, on the infected computer and then displays an application that pretends to be a Troubleshooter for Windows. This Troubleshooter will then state that your computer cannot be fixed, blocks you from using Windows, and prompts you to purchase a program using PayPal to fix the “detected problems” and unlock the screen.
The Troubleshooting Windows Tech Support Scam
This scam was discovered by Malwarebytes security researcher Pieter Arntz being distributed as a cracked software installer. Instead of giving access to a copyrighted program, though, it installs a tech support scam on the computer. This tech support scam is a bit different than most others I have seen because it uploads screenshots, doesn't rely on people calling a listed number, and uses PayPal for payments.
When the installer is run, it will download various executables from the site hitechnovation.com and save them in various folders. It will then configure one of these files as a Windows service so that it automatically starts, and modify some Registry entries to disable various hotkeys.
The files that are downloaded are:
- csrvc.exe will be downloaded to %Temp%\csrvc and will be configured as a Windows service. This program is used to kill various programs such as Task Manager, Registry Editor, and Explorer.
- BSOD.exe will be downloaded to the %Temp%\csrvc folder and is used to display the fake Blue Screen of Death.
- Troubleshoot.exe will be downloaded to the %Temp%\csrvc folder and is used to display the fake “Troubleshooting Windows” tool.
- Scshtrv.exe will also be downloaded to the %Temp%\csrvc folder and will be used to upload a screenshot to a remote FTP site. The uploading of the screenshot is discussed later in this article.
- Finally, a file called adwizz.exe will be downloaded and saved in the C:\Program Files\adwizz folder. This file will display a window of advertisements for the banggood.com site. These advertisements most likely use affiliate links so that the developer earns revenue from purchases made on the site.
Once the files are downloaded, the BSOD.exe program will display a fake BSOD on the desktop that states there is a problem with the system32.dll file and will begin to play an annoying beeping sound over and over.
The Troubleshoot.exe program will then launch and display a window called Troubleshooting Windows. This program pretends to be a Windows troubleshooter, states that the computer is missing “.dll registry files”, and prompts you to begin troubleshooting the computer.
When you proceed with the fake troubleshooting, it will pretend to perform a scan that states it is not able to fix the detected problems.
It then prompts you to either contact support using an included chat program or purchase “Windows Defender Essentials” using PayPal. When I tested the live chat support, there was no response.
The Buy Windows Defender Essentials option, though, will open a PayPal page where they request that you purchase the program for $25. The page that is opened is for the email@example.com PayPal account and uses this URL:
If a user makes the payment they will be redirected to http://hitechnovation.com/thankyou.txt, which contains the string “thankuhitechnovation”. When the program detects this specific string, it opens a new screen that pretends to fix the problems and allows you to close the program.
As you can see, this is clearly a screen locker designed to trick people into paying $25 to “fix” the so-called problems and remove the program. The use of PayPal as the method of payment is a bit strange, though, as it makes it easier to track down the developers and for victims to dispute the charges.
On a good note, the method this program uses to unlock the screen and remove the program can be easily tricked, which will be discussed in the next section.
How to remove the Troubleshooting Windows Scam
In order to determine if a victim has made a payment via PayPal, the tech support scam checks whether a page it has opened contains the string “thankuhitechnovation”. If it does, it will pretend that the problems are fixed and then allow you to close the program.
The way the developers intended this to work is that a victim makes a PayPal payment, and when successful, they are redirected to a page under their control that contains the above string and then triggers the shutdown phase of the scam.
Thankfully, as this form simply embeds a web browser, we can use it to trick the program and get it to shut down simply by navigating to any web page that contains the required string.
To do this, when at the PayPal purchase screen, simply use the Ctrl+O keyboard combination to open a dialog box that asks which page you want to open.
Now enter the page http://hitechnovation.com/thankyou.txt, or any other page that just contains the string thankuhitechnovation and the program will think the victim paid and shut itself down.
Scam uploads a screenshot of your active screen
Another nasty feature of this tech support scam is that it will generate a screenshot of the victim's active screen and upload it to an FTP server at 18.104.22.168 using hard-coded credentials.
It is not known what this screenshot may be used for, but could be for blackmail depending on what was on the screen, identity theft, or for detecting security researchers.
Associated File Hashes (SHA256):
- adwizz.exe: 5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f
- BSOD.exe: 9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c
- csrvc.exe: 1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223
- scshtrv.exe: 0cc8ad791dc4061ce1f492d651ed2a9baeed02413c5940240bf47bb023f509ef
- Troubleshoot.exe: f34185d5124690815f089b06cc1629a3d1a42cd7d51aee602823c98e03116a98
Associated Network Indicators:
- http://hitechnovation.com/Extra/Downloads/BSOD.exe
- http://hitechnovation.com/Extra/Downloads/csrvc.exe
- http://hitechnovation.com/Extra/Downloads/adwizz.exe
- http://hitechnovation.com/Extra/Downloads/Troubleshoot.exe
- http://hitechnovation.com/extra/downloads/scshtrv.exe
- http://hitechnovation.com/Extra/Downloads/Windows%20Chat%20Support.exe
- http://hitechnovation.com/thankyou.txt
- http://hitechnovation.com/Downloads/DList.txt
- http://freegeoip.net/xml
- ftp://22.214.171.124
Associated Files:
- %Temp%\csrvc\BSOD.exe
- %Temp%\csrvc\csrvc.exe
- %Temp%\csrvc\csrvc.InstallLog
- %Temp%\csrvc\csrvc.InstallState
- %Temp%\csrvc\scshtrv.exe
- %Temp%\csrvc\Troubleshoot.exe
- C:\Program Files\adwizz\adwizz.exe
Associated Registry Entries:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc
- HKLM\SYSTEM\CurrentControlSet\services\csrvc
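The indicators above are enough to build a quick host check. The following PowerShell script is an added example, not part of the original article or the researcher's tooling: it looks for the dropped files, compares their SHA256 hashes with the ones listed, checks the csrvc service and the registry keys, and, only when run with -Remediate, stops the service and removes what it found. It assumes an elevated PowerShell 5.1 or later session on the suspect machine and that $env:TEMP is the same user profile the installer ran under; the -Remediate switch and the output labels are this example's own.

```powershell
# Added example: detect (and optionally remove) the "Troubleshooting Windows" scam
# artifacts listed in the article. Run elevated. Values come from the article's IoC list.
param([switch]$Remediate)

# SHA256 hashes from the article (hashtable lookups are case-insensitive in PowerShell)
$KnownHashes = @{
    'adwizz.exe'       = '5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f'
    'BSOD.exe'         = '9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c'
    'csrvc.exe'        = '1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223'
    'scshtrv.exe'      = '0cc8ad791dc4061ce1f492d651ed2a9baeed02413c5940240bf47bb023f509ef'
    'Troubleshoot.exe' = 'f34185d5124690815f089b06cc1629a3d1a42cd7d51aee602823c98e03116a98'
}

# Dropped files; %Temp% is the profile of the user who ran the installer (assumption: current user)
$DropFolder = Join-Path $env:TEMP 'csrvc'
$Paths = @(
    (Join-Path $DropFolder 'BSOD.exe'),
    (Join-Path $DropFolder 'csrvc.exe'),
    (Join-Path $DropFolder 'csrvc.InstallLog'),
    (Join-Path $DropFolder 'csrvc.InstallState'),
    (Join-Path $DropFolder 'scshtrv.exe'),
    (Join-Path $DropFolder 'Troubleshoot.exe'),
    (Join-Path $env:ProgramFiles 'adwizz\adwizz.exe')
)

$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc',
    'HKLM:\SYSTEM\CurrentControlSet\Services\csrvc'
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Files: report presence and whether the hash matches the published sample
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $name = Split-Path -Leaf $p
    if ($KnownHashes.ContainsKey($name)) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
        $note = if ($hash -eq $KnownHashes[$name]) { 'hash matches article sample' }
                else { "hash differs ($hash), possible newer build" }
    } else { $note = 'installer artifact' }
    $findings.Add("FILE     $p : $note")
}

# 2. Service: csrvc is the persistence mechanism and the process killer
$svc = Get-Service -Name 'csrvc' -ErrorAction SilentlyContinue
if ($svc) {
    $bin = (Get-CimInstance Win32_Service -Filter "Name='csrvc'").PathName
    $findings.Add("SERVICE  csrvc is $($svc.Status), binary: $bin")
}

# 3. Registry keys left by the installer and the service registration
foreach ($k in $RegistryKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("REGKEY   $k") }
}

# 4. Live FTP session (screenshot upload goes to a hard-coded FTP server on port 21)
Get-NetTCPConnection -RemotePort 21 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("NETWORK  FTP connection to $($_.RemoteAddress) from PID $($_.OwningProcess)") }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found on this host.'
    return
}
$findings | ForEach-Object { Write-Output $_ }

# Cleanup: stop the killer service first, otherwise Explorer/Task Manager keep dying
if ($Remediate) {
    if ($svc) {
        Stop-Service -Name 'csrvc' -Force -ErrorAction SilentlyContinue
        & sc.exe delete csrvc | Out-Null
    }
    Get-Process -Name 'BSOD','Troubleshoot','scshtrv','adwizz','csrvc' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue }
    }
    foreach ($k in $RegistryKeys) {
        if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction SilentlyContinue }
    }
    Write-Output 'Remediation attempted; reboot and re-run this script to confirm the host is clean.'
}
```

Run it first without -Remediate to get an inventory; a hash that differs from the article's value is worth keeping for analysis before deletion, since it would indicate a rebuilt sample rather than a false positive.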
Troubleshooting Windows Tool Alert:
Your computer is missing .dll registry files resulting in computer failure. The operating system is not able to load windows kernel files. Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure. Click Next to diagnose and troubleshoot the problem.
Fake BSOD Screen Text:
"A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: SYSTEM32.DLL PAGE_FAULT_IN_NONPAGED_AREA If this is the first time you've seen this stop error screen, echo restart your computer. If this screen appears again, follow these steps: Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need. If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode. Technical information: *** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000) *** SYSTEM32.DLL - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c"