Monday, June 27, 2016

Feedly: Understanding Java Code and Malware | Malwarebytes Unpacked. Tech support scammer follow-up



from Understanding Java Code and Malware | Malwarebytes Unpacked

This post is a sequel to Tech support scammers using Winlogon. As we found after writing that post, there are many variants of this scam. Removal guides with examples can be found on our forums [1], [2], [3], and [4].

I want to go into some more detail about the last one. Where the first variants all showed you a screen asking for a product key, plus some buttons that the “remote assistants” could use to “magically” solve your reboot problem (which they caused themselves in the first place), this one just appears to be hanging. It displays nothing but the phone number, a Microsoft Windows logo, the moving dots that normally mean “wait a bit, we’re working on it”, and a “Start” button.

[Screenshot: main]

This one can also be seen with the phone number 1-844-386-3111.

Below is the sequence of events that follows if you choose to click the button(s) presented to you.

[Screenshot: step2]

After clicking “Start” we get this. OK, so let’s try “Next”.

[Screenshot: step3]

Change without progress. Let’s focus on the prompt.

[Screenshot: dumbfound]

Is that English? But OK.

[Screenshot: genuine]

But….

[Screenshot: pleasecall]

Screaming in caps are we?

[Screenshot: pleasecall2]

OK. That’s better.

Clicking “OK” there takes us back to this one.

[Screenshot: thekey]


By now they hope you are frustrated enough to call them. Thank Redmond for Ctrl-Alt-Del, though. Using that key combination and picking “Start Task Manager”, we took a look at the running processes.

[Screenshot: taskmanager]

And it’s relatively easy to spot the culprit. In this example there is only one error.exe running, but I have seen up to three of them, so make sure to “kill ‘em all”. Start another instance of explorer after doing so and you should have control back and be able to remove the application that calls itself LicenseError.
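The manual clean-up above (kill every error.exe, restart explorer, then find the LicenseError application) can be scripted. The following is an added example and not part of the original post or of any Malwarebytes tooling; the registry paths it searches and the assumption that LicenseError registers an uninstall entry are mine, and the only page-supplied values are the process name error.exe, the application name LicenseError, and the installer MD5.

```powershell
# Added example (not from the Malwarebytes post): automate the clean-up steps
# the post describes. Run from an elevated PowerShell prompt.
# Assumptions (mine, not the post's): LicenseError registers itself under one of
# the standard Uninstall keys; if it does not, search Program Files and AppData.

$KnownInstallerMd5 = 'E73BBA955204E4F3BA800FECF0FFF43A'   # MD5 quoted in the post

# 1. Terminate every running copy of error.exe (the post saw up to three).
#    Get-Process -Name takes the image name without the .exe extension.
$lockers = Get-Process -Name 'error' -ErrorAction SilentlyContinue
if ($lockers) {
    foreach ($p in $lockers) {
        Write-Host ("Stopping error.exe PID {0} ({1})" -f $p.Id, $p.Path)
        Stop-Process -Id $p.Id -Force
    }
} else {
    Write-Host 'No error.exe process is running.'
}

# 2. Bring the desktop back if the lock screen left you without a shell.
if (-not (Get-Process -Name 'explorer' -ErrorAction SilentlyContinue)) {
    Start-Process 'explorer.exe'
}

# 3. Locate the application that calls itself LicenseError in the usual
#    uninstall keys so it can be removed (per-machine 64-bit, 32-bit, per-user).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*LicenseError*' } |
    Select-Object DisplayName, InstallLocation, UninstallString |
    Format-List

# 4. Check a suspect installer against the MD5 the post published.
#    Returns $true when the file matches the known sample.
function Test-KnownInstaller {
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    return ($hash -ieq $KnownInstallerMd5)
}

# Example call (path is a placeholder):
# Test-KnownInstaller -Path "$env:USERPROFILE\Downloads\suspect-installer.exe"
```

Step 3 only reports what it finds; review the UninstallString before running it, since the scam's own uninstaller may not be trustworthy, and fall back to the forum removal guide if no uninstall entry exists.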

Extra information

A full removal guide for this variant can be found on our forums.

MD5 of the installer: e73bba955204e4f3ba800fecf0fff43a

Malwarebytes Anti-Malware Premium detects and blocks the installer as Rogue.TechSupportScam, as it does all the others in this series.

[Screenshot: protection1]

Save yourself the hassle and get protected.

Pieter Arntz
