A new tech support scam has been discovered that shows a fake BSOD, or Blue Screen of Death, on the infected computer and then displays an application that pretends to be a Troubleshooter for Windows. This Troubleshooter will then state that your computer cannot be fixed, blocks you from using Windows, and prompts you to purchase a program using PayPal to fix the "detected problems" and unlock the screen.

The Troubleshooting Windows Tech Support Scam

This scam was discovered by Malwarebytes security researcher Djordje Lukic, who found it being distributed as a cracked software installer. Instead of giving access to a copyrighted program, though, it installs a tech support scam on the computer. This tech support scam is a bit different than most others I have seen because it uploads screenshots, doesn't rely on people calling a listed number, and uses PayPal for payments.

When the installer is run, it will download various executables from the site hitechnovation.com and save them in various folders. It will then configure one of these files as a Windows service so that it automatically starts, and modify some Registry entries to disable various hotkeys.

The files that are downloaded are:

  • csrvc.exe will be downloaded to %Temp%\csrvc and will be configured as a Windows service. This program is used to kill various programs such as Task Manager, Registry Editor, and Explorer.
  • BSOD.exe will be downloaded to the %Temp%\csrvc folder and is used to display the fake Blue Screen of Death screen.
  • Troubleshoot.exe will be downloaded to the %Temp%\csrvc folder and is used to display the fake "Troubleshooting Windows" tool.
  • Scshtrv.exe will also be downloaded to the %Temp%\csrvc folder and will be used to upload a screenshot to a remote ftp site. More information about the uploading of a screenshot will be discussed later in this article.
  • Finally, a file called adwizz.exe will be downloaded and saved in the C:\Program Files\adwizz folder. This file will display a window of advertisements for the banggood.com site. These advertisements most likely utilize affiliate links in order for the developer to earn revenue from purchases made on the site.

Once the files are downloaded, the BSOD.exe program will display a fake BSOD on the desktop that states there is a problem with the system32.dll file and will begin to play an annoying beeping sound over and over.

Fake Blue Screen of Death

The Troubleshoot.exe program will then launch and display a window called Troubleshooting Windows. This program pretends to be a Windows troubleshooter, states that the computer is missing ".dll registry files", and prompts you to begin troubleshooting the computer.

Fake Troubleshooting Windows Tool

When you proceed with the fake troubleshooting, it will pretend to perform a scan that states it is not able to fix the detected problems.

Finished Fake Troubleshooting

It then prompts you to either contact support using an included chat program or purchase "Windows Defender Essentials" using PayPal. When I tested the live chat support, there was no response.

The Buy Windows Defender Essentials option, though, will open a PayPal page that asks you to purchase the program for $25. The page that is opened is for the lillysoft.it@gmail.com PayPal account and uses this URL:

https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=DXKLEMZTGTTDY
Purchase Windows Defender Essentials via PayPal

If a user makes the payment, they will be redirected to http://hitechnovation.com/thankyou.txt, which contains the string "thankuhitechnovation". When the program detects this specific string, it opens a new screen that pretends to fix the problems and allows you to close the program.

After Fake Activation

As you can see, this is clearly a screen locker designed to trick people into paying $25 to "fix" the so-called problems and remove the program. The use of PayPal as the method of payment is a bit strange, though, as it makes it easier to track down the developers and for victims to dispute the charges.

On a good note, the method this program uses to unlock the screen and remove the program can be easily tricked, which will be discussed in the next section.

How to remove the Troubleshooting Windows Scam

In order to determine whether a victim has made a payment via PayPal, the tech support scam checks whether the page it has opened contains the string "thankuhitechnovation". If it does, it will pretend that the problems are fixed and then allow you to close the program.

The way the developers intended this to work is that a victim makes a PayPal payment and, when it succeeds, is redirected to a page under their control that contains the above string, which then triggers the shutdown phase of the scam.

Thankfully, as this form simply embeds a web browser, we can use it to trick the program and get it to shut down simply by navigating to any web page that contains the required string.

To do this, when at the PayPal purchase screen, simply use the Ctrl+O keyboard combination to open a dialog box that asks you what page you want to open as shown below.

Open a Web Page

Now enter the page http://hitechnovation.com/thankyou.txt, or any other page that contains just the string thankuhitechnovation, and the program will think the victim paid and shut itself down.

Scam uploads a screenshot of your active screen

Another nasty feature of this tech support scam is that it will generate a screenshot of the victim's active screen and upload it to an FTP server at 182.50.132.48 using hard-coded credentials.

Uploading a screenshot via FTP

It is not known what this screenshot may be used for, but it could be for blackmail depending on what was on the screen, identity theft, or for detecting security researchers.

Correction 11/30/17: I attributed the discovery of this malware to the wrong person. It was originally discovered by Djordje Lukic.

IOCs

Hashes:

adwizz.exe: 5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f
BSOD.exe: 9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c
csrvc.exe: 1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223
scshtrv.exe: 0cc8ad791dc4061ce1f492d651ed2a9baeed02413c5940240bf47bb023f509ef
Troubleshoot.exe: f34185d5124690815f089b06cc1629a3d1a42cd7d51aee602823c98e03116a98

Network Connections:

http://hitechnovation.com/Extra/Downloads/BSOD.exe
http://hitechnovation.com/Extra/Downloads/csrvc.exe
http://hitechnovation.com/Extra/Downloads/adwizz.exe
http://hitechnovation.com/Extra/Downloads/Troubleshoot.exe
http://hitechnovation.com/extra/downloads/scshtrv.exe
http://hitechnovation.com/Extra/Downloads/Windows%20Chat%20Support.exe
http://hitechnovation.com/thankyou.txt
http://hitechnovation.com/Downloads/DList.txt
http://freegeoip.net/xml
ftp://182.50.132.48

Associated Files:

%Temp%\csrvc\BSOD.exe
%Temp%\csrvc\csrvc.exe
%Temp%\csrvc\csrvc.InstallLog
%Temp%\csrvc\csrvc.InstallState
%Temp%\csrvc\scshtrv.exe
%Temp%\csrvc\Troubleshoot.exe
C:\Program Files\adwizz\adwizz.exe

Associated Registry Entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc
HKLM\SYSTEM\CurrentControlSet\services\csrvc
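The indicators above (hashes, download host, FTP server, dropped files and persistence keys) are most useful when they are actually run against host inventories and proxy or firewall logs. The following is an added example, not code from the article or from the scam's authors: it loads the article's IOCs and matches them against constructed sample data. The log line format, the host inventory, the profile path `C:\Users\victim\AppData\Local\Temp` and the sample file bytes are all invented here; the hashes, hosts, paths and registry keys are copied from the lists above. Hosts are compared case-insensitively and paths too, since the article itself lists both `Extra/Downloads` and `extra/downloads`.

```python
"""IOC matching for the "Troubleshooting Windows" tech support scam.

Added example, not code from the article. The indicators come from the
article's IOC lists; all sample log lines, file paths and bytes below are
constructed for the demonstration.
"""
import hashlib
import re
from urllib.parse import urlsplit

# SHA-256 hashes from the article's IOC list, keyed by hash for direct lookup.
KNOWN_HASHES = {
    "5becf86e5ad1703345fa243458f6a3b6189619f87e67ffab6bc874d6bdf7c03f": "adwizz.exe",
    "9a95f7e477cede36981a6a1e01a849d9c6aeac3985ee3a492cf4136bb6dab69c": "BSOD.exe",
    "1b1e48f2ee9940c1965c00ee1226fd7c3b9ee9c179ba29b9aeb586c6211cb223": "csrvc.exe",
    "0cc8ad791dc4061ce1f492d651ed2a9baeed02413c5940240bf47bb023f509ef": "scshtrv.exe",
    "f34185d5124690815f089b06cc1629a3d1a42cd7d51aee602823c98e03116a98": "Troubleshoot.exe",
}

# Hosts the article ties directly to the scam: the download/payment-check
# site and the FTP server that receives the screenshots.
SCAM_HOSTS = {"hitechnovation.com", "182.50.132.48"}
# freegeoip.net is also contacted, but it is a public geolocation API that
# other software queries too, so a hit there is only corroborating evidence.
WEAK_HOSTS = {"freegeoip.net"}

# Dropped files and persistence keys from the article. %Temp% stays symbolic
# and is expanded per profile at scan time.
DROPPED_FILES = [
    r"%Temp%\csrvc\BSOD.exe",
    r"%Temp%\csrvc\csrvc.exe",
    r"%Temp%\csrvc\scshtrv.exe",
    r"%Temp%\csrvc\Troubleshoot.exe",
    r"C:\Program Files\adwizz\adwizz.exe",
]
REGISTRY_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adwizz",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\csrvc",
    r"HKLM\SYSTEM\CurrentControlSet\services\csrvc",
]

URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def identify_by_hash(data: bytes):
    """Return the IOC file name whose SHA-256 matches `data`, else None."""
    return KNOWN_HASHES.get(hashlib.sha256(data).hexdigest())


def classify_log_line(line: str):
    """Return 'scam', 'weak' or None for one proxy/firewall log line.

    The host is taken from the first URL in the line, so both the http
    downloads and the ftp upload are caught by the same check.
    """
    m = URL_RE.search(line)
    if not m:
        return None
    host = (urlsplit(m.group(0)).hostname or "").lower()
    if host in SCAM_HOSTS:
        return "scam"
    if host in WEAK_HOSTS:
        return "weak"
    return None


def scan_logs(lines):
    """Return lines hitting scam hosts; weak hosts are only reported when
    at least one strong hit exists, to avoid alerting on freegeoip alone."""
    strong = [ln for ln in lines if classify_log_line(ln) == "scam"]
    weak = [ln for ln in lines if classify_log_line(ln) == "weak"]
    return strong + (weak if strong else [])


def expand_temp(path: str, temp_dir: str) -> str:
    """Expand the %Temp% placeholder (case-insensitive). A lambda replacement
    keeps backslashes in temp_dir from being parsed as regex escapes."""
    return re.sub(r"%temp%", lambda _: temp_dir, path, flags=re.IGNORECASE)


def scan_host(files_present, registry_keys_present, temp_dir):
    """Match a host inventory (file paths and registry key paths as strings)
    against the article's indicators; returns the indicators that were hit."""
    present = {p.lower() for p in files_present}
    hits = [f for f in DROPPED_FILES if expand_temp(f, temp_dir).lower() in present]
    keys = {k.lower() for k in registry_keys_present}
    hits += [k for k in REGISTRY_KEYS if k.lower() in keys]
    return hits


# Constructed sample data (not real logs or a real host) to exercise the checks.
SAMPLE_LOG = [
    "2017-11-29T10:12:01Z 10.0.0.7 GET http://hitechnovation.com/Extra/Downloads/BSOD.exe 200",
    "2017-11-29T10:12:02Z 10.0.0.7 GET http://freegeoip.net/xml 200",
    "2017-11-29T10:12:05Z 10.0.0.7 CONNECT ftp://182.50.132.48/ -",
    "2017-11-29T10:12:09Z 10.0.0.8 GET https://www.example.com/index.html 200",
]
SAMPLE_TEMP = r"C:\Users\victim\AppData\Local\Temp"  # assumed profile path
SAMPLE_FILES = [
    r"C:\Users\victim\AppData\Local\Temp\csrvc\CSRVC.EXE",
    r"C:\Users\victim\AppData\Local\Temp\csrvc\Troubleshoot.exe",
    r"C:\Program Files\adwizz\adwizz.exe",
    r"C:\Windows\notepad.exe",
]
SAMPLE_KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\csrvc"]

if __name__ == "__main__":
    for line in scan_logs(SAMPLE_LOG):
        print("network IOC:", line)
    for ioc in scan_host(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_TEMP):
        print("host IOC:", ioc)
    print("hash match on constructed bytes:", identify_by_hash(b"hello world"))
```

On a real host the `files_present` and `registry_keys_present` lists would come from a directory walk of the user's temp folder and Program Files plus a dump of the `HKLM\SYSTEM\CurrentControlSet\services` and `Uninstall` keys, and `identify_by_hash` would be run over the bytes of each file found under `%Temp%\csrvc`. The `csrvc` service entry is the persistence point, so it is the most valuable single indicator for an endpoint sweep.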

Troubleshooting Windows Tool Alert:

Your computer is missing .dll registry files resulting in computer failure.
The operating system is not able to load windows kernel files.
Repair windows kernel and .dll files with the help of technicians online to prevent hard drive crash or complete data loss. Rebooting the computer multiple times will result in permanent operating system failure.

Click Next to diagnose and troubleshoot the problem.

BSOD Message:

"A problem has been detected and Windows has been shut down to prevent damage
to your computer.

The problem seems to be caused by the following file: SYSTEM32.DLL

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, echo restart your computer. If this screen appears again, follow
these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer
for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware
or software. Disable BIOS memory options such as caching or shadowing.
If you need to use Safe Mode to remove or disable components, restart
your computer, press F8 to select Advanced Startup Options, and then
select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)


*** SYSTEM32.DLL - Address FBFE7617 base at FBFE5000, DateStamp 3d6dd67c