Another day. Another Microsoft tech support scam (or two). I will give these crooks a bit of credit for this one: at least they put some effort into it. This one combines elements from several different kinds of scam. It includes a malicious software installer, a fake blue screen of death, and a fraudulent attempt to sell you a Windows program for $25.

The good folks at Malwarebytes first reported on the scam, which involves a program called Troubleshooter. Troubleshooter gets on your PC via a seemingly legitimate software installer app. Here’s how it works. It shows you a fake blue screen of death (the screen that indicates that your PC has crashed and is having some serious problems). Then it pops up a warning that the error can’t be fixed. The example below is courtesy of Malwarebytes.

installer-fake.jpg

You’ll then see a window that says the errors couldn’t be fixed and recommends that you buy Windows Defender Essentials. That’s a combination of the names of two actual programs, Windows Defender and Microsoft Security Essentials. They’re only charging $25 for this alleged software, which is clever. That’s a low enough price to tempt people, and it also makes people believe it’s legitimate, since they assume that scammers would go for more money. These people are obviously hoping to make it up in volume.

If you try to just close the program, you’ll get a scary warning that an application is unable to start correctly. If you’ve been hit with this program, here’s how to get rid of it. You’ll need to start your PC in Safe Mode and open the Task Manager using Ctrl+Alt+Delete. Then click the File tab and choose New Task (Run) from the drop-down menu.

Then type %temp% in the Run window and hit OK.

When your Temp folder opens, scroll down and look for a file called csrvc in the folder. Click to open it and look for a file called Troubleshoot.exe. Delete it.

You’ll have to go back to the Task Manager, click File and run a new task. This time type services.msc. Don’t forget to click OK.

Look for csrvc on the services list. Right-click on it and choose Properties from the drop-down menu.

When the Properties window opens, you’ll want to click the arrow next to Startup type and choose Disabled from the drop-down window. Don’t forget to click OK.

Using Ctrl+Alt+Del, reboot your PC. Wait, we’re not done! You’ll need to press Ctrl+Alt+Del again and run a new task once more. This time, type in explorer. Once again, don’t forget to hit OK.

You should now be able to access your desktop. Now you can go to Uninstall/Change programs and remove a program called adwizz.
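
The same checks as the manual steps above, written as a PowerShell script. This is an added example, not part of the original post or of the Malwarebytes write-up. It assumes that csrvc is a subfolder of %temp% and that the service's name or display name contains "csrvc"; the `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
# Added example: looks for the indicators named in the manual steps above.
# Assumptions: "csrvc" is a subfolder of %TEMP%, and the service's name or
# display name contains "csrvc". Run elevated, as the affected user, in Safe Mode.
param([switch]$Remediate)   # hypothetical switch: without it the script only reports

$findings = @()

# 1. Troubleshoot.exe inside the csrvc folder under %TEMP%
$exe = Join-Path $env:TEMP 'csrvc\Troubleshoot.exe'
if (Test-Path -LiteralPath $exe) {
    $findings += "File present: $exe"
    if ($Remediate) {
        # Stop any running copy first so the file is not locked
        Get-Process -Name 'Troubleshoot' -ErrorAction SilentlyContinue | Stop-Process -Force
        Remove-Item -LiteralPath $exe -Force
    }
}

# 2. The csrvc service: stop it and set its Startup type to Disabled
$services = Get-Service | Where-Object { $_.Name -like '*csrvc*' -or $_.DisplayName -like '*csrvc*' }
foreach ($svc in $services) {
    $findings += "Service present: $($svc.Name) [$($svc.Status), $($svc.StartType)]"
    if ($Remediate) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}

# 3. The adwizz entry under Uninstall/Change programs (report only)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*adwizz*' }
foreach ($p in $programs) {
    $findings += "Installed program: $($p.DisplayName) (uninstall: $($p.UninstallString))"
}

if ($findings.Count -eq 0) { 'No indicators from this write-up were found.' }
else { $findings }
```

Run it once without `-Remediate` to see what is present, then again with the switch. The adwizz entry is only reported, so remove it through Uninstall/Change programs as described above.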

Malwarebytes suggests downloading their software to completely remove the malware and I agree. You can download a free version by clicking here. Once you install it, just click Scan now.

Also, if you fell for this scam, make sure to contact PayPal or your credit card company and cancel your payment to the scammers.