April 30, 2013, by Blog Staff

Fake Microsoft Security Scam

Recently we have seen an increase in fake Microsoft scams, which work by tricking people into thinking that their PC is infected. With these types of scams there are a number of things to remember.

1. Microsoft will never call you telling you that your PC is infected
2. Never allow strangers to connect to your PC
3. Do not give any credit card info to somebody claiming to be from Microsoft
4. If in doubt, shut down your PC and call Webroot

The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to tell that this is a false alert. The first is that it’s a website message and not a program; the second is that the website’s address will be a random string of letters.

More details:

These websites will normally only stay active for 24-48 hours before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if run, will infect the PC and start displaying pop-ups (like the one in Figure 2).


Figure 1: Fake Alert

At this stage, the PC is not infected, so it’s safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is a good idea, as you can notify the webmaster (if it’s a legitimate website).

I have seen examples of this type of fake webpage being linked from advertising links. Using a browser that has a pop-up blocker will reduce the likelihood of encountering a bad advertising link. With scams like this, the most important way to stop getting infected is to be diligent when you’re online.

If a website asks you to run a file that you haven’t asked for, be extremely cautious. The same goes for emails (even from friends). Do not open executable files unless you are 100% sure they are good.


Figure 2: Fake AV Pop-up


The information below is only a guideline, as the payload can change. However, it follows the same pattern of dropping a fake AV that stops you from opening most programs.

  • Drops a randomly named file in the current user’s folder (Fake AV payload)
  • Creates a service for the above file
  • Disables Windows Firewall or modifies the settings to allow the file full access to the PC
  • Creates a number of files in the Windows Recycler folder (usually ZeroAccess)
  • Flags any opened program as an infection (by modifying the shell “open” registry key)
  • The Fake AV will then prompt the user to pay to remove the detected “infections”

Webroot Detection logs:
Infection detected:
c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe

MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9
Detection rate of the file: 28/46 vendors on VirusTotal.

Registry Changes:
Below is an example of some of the changes. The first shows how it modifies the shell “open” command so that when you open any file it runs the Fake AV instead. The second shows the Security Center notifications that are disabled.

HKLM\SOFTWARE\Microsoft\Security Center  AntiVirusDisableNotify   00000001
HKLM\SOFTWARE\Microsoft\Security Center  AntiVirusOverride   00000001
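As an added example (not part of the original post or of Webroot’s tooling), the following PowerShell script audits a Windows host for the two registry indicators the post describes: the Security Center values set to 1, and a shell “open” command for .exe files that no longer holds the stock value. It assumes the clean default for that command is `"%1" %*`, and the per-user `HKCU\Software\Classes\exefile` path is an assumed extra location to check, not one named in the post.

```powershell
# Added example: audit the registry indicators described in the post.
# Run from an elevated PowerShell prompt; read-only, makes no changes.

function Test-SecurityCenterOverride {
    # The post shows these two values set to 1, which silences AV warnings.
    $key = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $findings = @()
    foreach ($name in 'AntiVirusDisableNotify', 'AntiVirusOverride') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) {
            $findings += [pscustomobject]@{ Indicator = "$key\$name"; Value = $value }
        }
    }
    return $findings
}

function Test-ExeShellOpenHijack {
    # The post says the fake AV hooks the shell "open" command so every
    # launched program runs the payload. On a clean system the default
    # (unnamed) value of exefile\shell\open\command is "%1" %* (assumption).
    $paths = @(
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
        # Assumed extra location: a per-user override shadows the HKCR value.
        'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
    )
    $findings = @()
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $cmd = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'(default)'
        if ($null -ne $cmd -and $cmd.Trim() -ne '"%1" %*') {
            $findings += [pscustomobject]@{ Indicator = $p; Value = $cmd }
        }
    }
    return $findings
}

$results = @(Test-SecurityCenterOverride) + @(Test-ExeShellOpenHijack)
if ($results.Count -eq 0) {
    Write-Output 'No fake-AV registry indicators from the post were found.'
} else {
    $results | Format-Table -AutoSize
}
```

A non-empty result is a reason to investigate, not proof of this specific payload: some legitimate security products also set the Security Center override values.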

How to protect yourself from these scams:

There are a number of ways to ensure your PC is protected from these types of scams. The first step is simply being aware that these scams exist! Also, make sure to:

  • Use Webroot SecureAnywhere
  • Keep Windows updates turned on and set them to update automatically
  • Use a modern secure browser like Firefox or Chrome
  • Update any 3rd party plugins (Java/Adobe Reader/Flash Player)
  • Use an ad-blocker add-on in Firefox/Chrome

I have seen a number of infections that would have been prevented if Windows had been up to date. Microsoft is constantly updating Windows to patch security vulnerabilities.


Webroot SecureAnywhere automatically blocks the installation of the infection so it won’t even run (Figure 3). If the PC has no AV software installed, booting into Safe Mode with Networking and installing Webroot SecureAnywhere will remove the threat. Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.

Webroot support is always available to help with removal and questions regarding this infection. Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.


Figure 3: SecureAnywhere Removal


29 Responses to Fake Microsoft Security Scam

    • David,

      The best thing to do in this scenario would be to request a refund from the company that scammed you and then report them to the proper channels. If you believe you are infected, and use Webroot, you can reach out to our support team and we would be happy to take a look at this for you.

      Support Number: 1-866-612-4227
      Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp

    • Hello,

      We do not stop the webpage because that’s not a virus. We stop the infection that tries to load. In the blog post we even provide the MD5. Please see “Infection detected:
      c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe”. Basically, when you first see this you just close the browser; then no other steps need to be taken. Using an ad blocker can also help to prevent these sorts of popups.

  3. My wife’s computer said that it found malicious malware via Microsoft Windows, and said to fix it call the support team. When we did the guy said to enter http://www.support.me then he just hung up. The next time she called it was a guy named Neal, who told her to enter another site giving her access to her computer. He told her for $299 he could remove it via a store. My wife said she couldn’t pay and he knocked it down to $99. She still could not pay, so somehow he made her computer work again. Was he a scammer, and should she reset her pc? I have a bad feeling she almost got scammed, and he may have screwed with her harddrive. Any help on this whether good or bad would be helpful, thank you.

    • Hi, Robert. I can understand your concern after letting an unknown individual into your computer. Typically they don’t do anything to harm your information or files. In my experience (coming from Technical Support), they mostly just leave a notepad document on the Desktop with their contact info, and sometimes they also leave the Remote Software they used to “assist” customers (GoToAssist, LogMeIn, etc).

      The messages prompting you to contact “Microsoft” are illegitimate and could potentially be caused by software on your System. If you reach out to our Technical Support team directly, they can remotely check out your Computer, as sometimes having your Peace of Mind is the most important thing.

      Support Number: 1-866-612-4227 M-F 7am−6pm MT
      Send us a Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp

      Warm Regards,
      Josh P.
      Webroot Community Support

      • I had a very similar experience with my mac. One day, my computer screen directed me to some sort of best buy/ mac technical support with a message stating my computer had been infected & I needed to call “this” number. I was very flustered seeing as I just bought the computer a few months prior. I spoke on the phone to a man with a foreign accent who explained that someone was trying to use my computer IP address & yada yada. Long story short, he then said I needed to pay $299.00 to have my computer fixed & to pay for a 3 year subscription for Webroot. He then proceeded to explain that a technician was going to work on my computer (from another source) for the next hour or so to have it up and running again. I paid the money reluctantly- I REALLY did not have the money for that seeing as I am a college student. I felt very vulnerable because here I have this new computer & someone from “technical support” seeming that there was no way around the fee & it needed to be paid promptly. I am still very hesitant about this WHOLE interaction. I currently have Webroot on my laptop but am very convinced that this was a well thought out scam & I have been duped for $299.00 & now I have malicious software on my computer!!

        • Hi Jen.

          Unfortunately, that sounds like a scammer without a doubt. Your gut will never lead you astray in scenarios like this.

          If you are ever in doubt, PLEASE let our Support Team at least investigate first. They will be able to tell you real quick whether you have an Infection or not. Just to be clear in situations like this, it’s pretty much a 99.99% chance that there is nothing wrong with your System at all.

          Warm Regards,
          Josh P.
          Social Media Coordinator

  4. I received a voice mail telling me my Windows License needs to be renewed or it will close. I called the 844 666 0661 number they gave on Friday and the number was out of order. I called today and a man with a foreign accent answered and started walking me through the steps online to renew the license. The program I logged onto was: Support 18 Microsoft Channel Partner. I didn’t complete the renewal and was told I could call back anytime if I wanted to renew. He said that Microsoft requires a one-time renewal or the program will expire. I have not heard of anyone else having to renew their Microsoft license. This raised a red flag for me so I wanted to know what you think before I “allow” a download of this. Is this legitimate? Microsoft program is in place today and I haven’t had problems with it. Is this a scam? Should I proceed with this renewal? I asked the “Chat” box if this was legitimate but never got an answer. This is what the page read: Windows Support, we offer a usb Pc sales and support on our esteemed customers, we aspire to improvise their technical skills on the product that they are using, we provide Cloud Computer Solutions and Unlimited Storage .
    Please let me know if this is a scam. Is the Microsoft program going to close? I was not aware of a limited time use when I purchased the machine.

    • This is a social engineering attempt to fleece as much $$$$ out of your wallet as they can. Almost all of the individuals that try this use the name “Microsoft”, or the name of another well-known and respected PC Manufacturer.

      If you are ever unsure in the future, please hang up and contact our Technical Support Team directly to address any concerns:
      Support Number: 1-866-612-4227 M-F 7am−6pm MT
      Send us a Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp

      Warm Regards,
      Josh P.
      Social Media & Customer Relations Coordinator

  5. Josh – thanks for supplying the number; however, you are simply directed to the website over and over...
    And if you do happen to get through the “voice” they give you an estimated wait time of 10 minutes

    • Susan, call volumes fluctuate day-to-day.
      Our Team has done a great job of catching up from the Holidays, but that doesn’t mean you will be immediately connected to a Technician.

      I suggest putting the call on speakerphone and knocking out any other chores that still need your attention in the meantime 🙂

      Warm Regards,
      Josh P.
      Social Media Coordinator

  6. Just saw your phone number and plan to call you on Monday. My problem was that when the message came on the screen and the woman’s voice told me my computer was infected, I could not make a move to get the message off. I didn’t see that I had any choice but to call the number b/c my computer was frozen.

  7. I had a message similar to this, frozen, flashing, and to contact Microsoft. I don’t remember if it said NOT to reboot or if I couldn’t shut it down. I ended up with Webroot SecureAnywhere. That’s what the technician put on my PC. Did I get screwed?

    • Adrien, you should always only get the contact information from a company’s official website. Whoever you spoke with that put SecureAnywhere on your Computer was most definitely not from Microsoft.

      Warm Regards,
      Josh P.
      Social Media Coordinator

  8. Reading all the comments, I think I was scammed out of 200.00. A woman’s voice and a page of instructions popped out at me and said my laptop was infected. I tried to exit out, it wouldn’t let me, so I paid them and gave them my credit card info. The tech said he would fix it and I watched what he was doing on my laptop; he went thru so much on the hard drive. I’m not sure if it was a lie, or he just hacked all my files. I’m so upset about it. Any suggestions?

    • Hello, Jennifer.

      I’ve created a case on your behalf with our Support Team. Please watch your email as our Team will be reaching out to you soon to review your system and ensure nothing fishy is going on.

      Warm Regards,
      Josh P.
      Digital Care Coordinator

  9. I get a message about once every two months, now I have one calling me back on the phone after hanging up on him three times. I ask for a street address and they are reluctant to provide one, saying it’s against policy, but if I email them they will send me all the information. I tell them no, I just had my ip address changed and don’t want to give the info up to them again, they insist. I’M SICK of being SCAMMED! Microsoft, the government, internet providers, computer manufacturers, SOMEONE....., should stop this S**T!

  10. I was having a problem with my HP printer and called HP. The technician took over my computer and fixed the prob, but also sold me Microsoft Internet Security at a “discounted” price of $199. for three years. The entire process took almost an entire day and my payment did not go to HP but to an individual who said he was the technician.

    • Betty, it sounds like you used a search engine like Google to find the “HP” number you called, which most definitely wasn’t HP.
      In the future, make sure to only call phone numbers that are listed on the Manufacturer’s website. If you’re ever unsure, reach out to our Support Team and they’ll point you in the right direction.

      Support Number: 1-866-612-4227 M-F 7am−6pm MT
      Send a Support Ticket

  11. A few minutes ago, I received a call from a “Microsoft” “technical advisor” from (208) 182-9111. He told me that my computer was compromised and that I needed to go to my computer and follow his instructions. I told him that I did not have a computer, but that my husband maybe did. He asked how I did not know and I told him that we had been married for 50 years and I live downstairs and he lives upstairs and I have no idea if he has a computer. He told me that my telephone (cell) number was associated with the computer and I told him that maybe my husband gave my telephone number for his computer. As you have probably figured out by now, I was trying to keep him on the line as long as I could so he would not be scamming others in those minutes. I acted really concerned that my husband’s computer could be in real danger and asked him to hold on and he said he would like to talk to my husband. After I talked to my husband and we had a good laugh, I went back to my phone and he had hung up – of course. Just a note of caution to others. By the way, I have worked for a lawyer for over 20 years and I would be happy to talk to him about going after these scammers. No promises, just tired of these lowlifes.

    • That’s a new approach to take that we haven’t heard yet, Barbara!

      Thanks for sharing your story for others to read and be made aware. Having a good laugh is always a necessity! 🙂
