How to remove the 1-844-208-3526 and Master.exe Fake Crash Screen
Mon, 09 May 2016 11:26:27 EDT
This guide covers a new Rogue.Tech-Support infection that displays a fake Windows crash screen, or BSOD, when you log in to your computer in order to scare you into calling a remote tech support number. When installed, this infection creates a file called Master.exe, with the description Nigma, and stores it in the %AppData%\Master folder. It also configures Windows to launch master.exe automatically when a user logs into Windows. Once master.exe starts, it displays a fake Windows crash, or Blue Screen of Death (BSOD), stating that your computer encountered an error and that you should call the listed support number. This support number, though, belongs to a remote tech support company that will try to sell you unneeded services.
When the Master tech support scam is installed, it also changes a variety of Windows settings, including disabling the Windows Task Manager. This allows it to display the fake BSOD alert, which covers your entire screen, without fear that you can terminate it. The text of the BSOD crash that will be displayed is:
A Critical Error has occurred. Please call certified Microsoft technicians at 1-844-208-3526 to prevent permanent damage to your system
Please follow these steps:
Do not shut down or restart your system until you have called a certified Microsoft technician.
A full diagnosis is required in order to fully resolve any hardware or software issues.
If this is a new installation, please inform the support representative.
A Critical Error has occurred. Please call certified Microsoft technicians at 1-844-208-3526 to prevent permanent damage to your system
Technical information:
****STOP: 0x00000054 (0x68697320, 0x00000069, 0x73206661, 0x00006B6f)
Without a doubt, this program was created for the sole purpose of displaying a fake Windows crash to scare you into calling the listed remote support number. Under no circumstances should you call this number, and if you have already purchased services from them, I would advise you to dispute the charges with your credit card company. To remove this Trojan and any related software, please use the removal guide below.
View Associated 1-844-208-3526 Tech Support Scam Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\master
C:\ProgramData\country_data.txt
C:\ProgramData\installationlimit_data.txt
C:\ProgramData\nigma.txt
%AppData%\master
%AppData%\master\Master.exe
%AppData%\master\MasterReports.dll
%AppData%\master\uninstaller.exe
File Location Notes:
%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.
View Associated 1-844-208-3526 Tech Support Scam Registry Information
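A read-only check for the indicators this guide describes (the files under %AppData%\master, an auto-start entry that launches master.exe, and the Task Manager lockout), added here as an example and not part of the original guide. The function name Get-MasterScamFindings is hypothetical; the Run keys and the DisableTaskMgr value under Policies\System are the standard Windows locations for auto-start entries and the Task Manager policy.

```powershell
# Added example: reports indicators only; nothing is modified or deleted.
function Get-MasterScamFindings {
    $findings = @()

    # 1. Files the guide lists under the current user's %AppData%\master folder.
    $dir = Join-Path $env:APPDATA 'master'
    foreach ($name in 'Master.exe', 'MasterReports.dll', 'uninstaller.exe') {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = 'present' }
        }
    }

    # 2. Auto-start: any Run value whose command references ...\master\master.exe.
    #    Matching on the data (not the value name) also catches a renamed entry.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -match '\\master\\master\.exe') {   # -match is case-insensitive
                $findings += [pscustomobject]@{
                    Type = 'RunEntry'; Location = "$key [$valueName]"; Detail = $data }
            }
        }
    }

    # 3. Task Manager lockout: DisableTaskMgr set to 1 for the user or the machine.
    $policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    foreach ($key in $policyKeys) {
        $prop = Get-ItemProperty -LiteralPath $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($prop -and $prop.DisableTaskMgr -eq 1) {
            $findings += [pscustomobject]@{
                Type = 'Policy'; Location = "$key [DisableTaskMgr]"; Detail = '1 (Task Manager disabled)' }
        }
    }

    $findings
}

Get-MasterScamFindings | Format-Table -AutoSize -Wrap
```

An empty result only means these specific indicators were not found for the account running the check; run it as each affected user, since %AppData% and HKCU are per-user.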
Source: Bleeping Virus
How to remove the 1-844-208-3526 and Master.exe Fake Crash Screen was originally published on Computer Guru















