This post is a sequel to Tech support scammers using Winlogon. As we found after writing that post, there are many variants of this scam. Removal guides with examples can be found on our forums [1], [2], [3], and [4].
I want to go into some more detail about the last one. Where the first variants all showed you a screen asking for a product key and some buttons that the “remote assistants” could use to “magically” solve your reboot problem (that they caused themselves in the first place), this one just appears to be hanging. It just displays the phone number, a Microsoft Windows logo, the moving dots associated with “wait a bit, we’re working on it”, and a “Start” button.
This one can also be seen with the phone number 1-844-386-3111.
Below is the sequence of events that follows if you choose to click the button(s) presented to you.
After clicking Start we get this. OK, so let’s try Next.
Change without progress. Let’s focus on the prompt.
Is that English? But OK.
But….
Screaming in caps are we?
OK. That’s better.
Clicking OK there gets us back to this one.
By now they hope you are frustrated enough to call them. Thank Redmond for Ctrl-Alt-Del though. Using that key combination and picking “Start Task Manager” we took a look at the running processes.
And it’s relatively easy to spot the culprit. In this example there is only one error.exe running, but I have seen up to 3 of them, so make sure to “kill ‘em all”. After doing so, start another instance of explorer and you should have control back and be able to remove the application that calls itself LicenseError.
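The Task Manager steps above can also be scripted. The following PowerShell is an added example, not part of the original removal guide. It takes the process name error.exe from this post and assumes it is launched from Task Manager's File > New Task (Run...) dialog. It lists each instance's path before stopping it, so you can confirm it is the scam program and not an unrelated process with the same name.

```powershell
# Added example. The process name 'error' (error.exe) comes from the post;
# running this from Task Manager's "New Task" dialog is an assumption.
$name = 'error'

# Collect every running instance; the post notes there can be up to three.
$procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)

if ($procs.Count -eq 0) {
    Write-Output "No $name.exe instances are running."
} else {
    # Show PID and image path first: the path tells you where the files
    # live, which helps when removing the application afterwards.
    $procs | Select-Object Id, Path | Format-Table -AutoSize

    # Stop all instances, then re-check in case one was missed.
    for ($i = 0; $i -lt 3; $i++) {
        Get-Process -Name $name -ErrorAction SilentlyContinue |
            Stop-Process -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 1
        if (-not (Get-Process -Name $name -ErrorAction SilentlyContinue)) { break }
    }
}

# Report anything that survived so it is not silently ignored.
$left = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) instance(s) of $name.exe are still running."
}

# Bring the desktop back only if no shell is currently running.
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}
```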
Extra information
A full removal guide for this variant can be found on our forums.
MD5 of the installer: e73bba955204e4f3ba800fecf0fff43a
Malwarebytes Anti-Malware Premium detects and blocks the installer as Rogue.TechSupportScam, as it does any of the others in this series.
Save yourself the hassle and get protected.
Pieter Arntz