Tech Support pop-up scams - avoidance

Tony D

I get calls from users after they've been hit with a tech support pop-up scam. They lock up the screen and the user can't do anything but call the phone number. I've been able to squash the scams by restarting without an Internet connection. Then when I open the browser, I don't let it restore the page.

Is there any protection from this sort of scam?

The machine brought to me yesterday running W10 Home got hit with such a scam. He has Web of Trust installed. However, he's using MS Edge and as far as I know WOT won't run on Edge.

I see Client Care Experts by LogMeIn was installed. The user paid $250 to have his machine fixed. This was before calling me. I told him to shut the machine down. This scammer may have actually been trying to 'tune up' the machine. Saying this because I see they set a restore point before they installed Adobe Reader DC and did whatever else they did.
 
Hi Tony,

As you say, the crooks have put extremely annoying scripts in place to prevent you from just closing the browser.

Try this: (assuming it's IE that's being used)
First you need to open the Windows Task Manager

In Windows 7, click on the Start Menu and type ‘task manager’.
In Windows 8, right click on the ‘Start icon’ and select ‘Task Manager’
In Windows 10, right click on the ‘Start icon’ and select ‘Task Manager’

Next thing you’ll want to do is terminate the Internet Explorer process by going under the Processes Tab and right clicking on iexplore.exe.
In some cases ‘End Process’ is enough; in other cases you may have to use ‘End Process Tree’ to also kill all related instances.

In Windows 8, you can simply click on ‘End task’ once you have highlighted Internet Explorer.

You can relaunch your browser afterwards to make sure it’s clean, but you will want to opt out of the automatic ‘Restore session’, as it will bring the pop-up right back!

Finally, it is not a bad idea to check your system for malware, with a quick Malwarebytes Anti-Malware scan for example, just in case the fraudulent site also infected your PC.
 
Thanks for getting back to me.

Good advice on how to stop the pop-up.

Any thoughts on WOT being able to avoid this?

In this case, the user was on Edge (I just confirmed that).
 
I'm not sure that WOT could stop this.
WOT will just look for a web site address... If it's a pop-up on a web page it may not get seen by WOT.
 
Thanks Pete. I just did a MalwareBytes AntiMalware scan. It shows CrossRider PUP.

I also noted that TeamViewer was installed today while I was working on the machine. I don't know how that happened. It's not something I initiated. Do you think I should move to the malware removal forum?
 
If you are concerned and want me to take a look, by all means.
Post a set of FRST reports and I'll take a look.
You may as well remove TeamViewer first.
Off out now but I'll take a look when I get back.
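
An added example, not part of the original posts: a PowerShell check for the kind of remote-access software this thread found on the machine (LogMeIn, TeamViewer), reading the standard Windows uninstall registry keys. The function name `Get-RemoteAccessInstall`, the name patterns and the 7-day "recent" window are assumptions chosen for illustration.

```powershell
# Added example: list installed programs whose names match remote-access tools.
# The name patterns are an assumption taken from the tools named in this thread;
# extend the list for your environment.
$patterns = 'TeamViewer', 'LogMeIn'

# Standard per-machine (64-bit and 32-bit) and per-user uninstall locations.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RemoteAccessInstall {
    param(
        [string[]]$NamePattern = $patterns,
        [int]$RecentDays = 7    # hypothetical window for flagging new installs
    )

    $regex  = ($NamePattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $cutoff = (Get-Date).Date.AddDays(-$RecentDays)

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $regex } |
        ForEach-Object {
            # InstallDate is an optional yyyyMMdd string; many installers omit it.
            $installed = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $installed = [datetime]::ParseExact(
                    $_.InstallDate, 'yyyyMMdd',
                    [cultureinfo]::InvariantCulture)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                Version     = $_.DisplayVersion
                InstallDate = $installed
                Recent      = ($null -ne $installed -and $installed -ge $cutoff)
                RegistryKey = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
}

Get-RemoteAccessInstall |
    Sort-Object InstallDate -Descending |
    Format-Table -AutoSize
```

This only reports programs that registered an uninstall entry; a remote-access tool run as a standalone executable without installation will not appear here.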
 