Windows Activation Scam locks your screen and doesn’t Shut Up!

Share this…

A new Windows Activation scam has been discovered by Malwarebytes security researcher Pieter Arntz.  When I installed the sample, I discovered that this PC Tech Support scam, like many others recently, configures itself to run automatically and then displays a fake Windows Activation Screen. This screen states that Windows is not activated and ask you to enter a product key or call the 1-888-414-4284 number for help.

What is different with this sample is that this particular infection will play an audio message every time you click on the screen that asks you to call the listed number. When I called the number, I was connected with someone who wanted  to take control of my computer. After further discussions with the agent, I found out that these scumbags were charging $99.99 USD to “buy a product key” and remove the message that is displayed when you login.

As you can see from the video above, clicking anywhere on the screen will cause the audio to run. This is handled by the function below.

Voice Function
Speak Function

The fake Windows Activation screen will also contain a field where you can enter a product key and then use the Activate button to submit it.  Unless you enter the correct password, which is given below, this activate button will open a fake Settings screen that contains numerous options on the sidebar, including a Remote Help option.

Fake Settings Screen
Fake Settings Screen

The Windows Update, Windows Defender, Backup, and Recovery options will display a Access Denied message when clicking on them. Clicking on the Remote Help option will open a browser that brings you to various remote support pages like TeamViewer, Supremo, and Logmein.  The For Developers button will open a prompt that allows you to open a CMD prompt and the Explorer.

For Developers Box
For Developers Box

These tools are most likely used by the scammers when they login to your system.

How to remove this variant of the Windows Activation Scam

For anyone who is affected by this scam, please do not call them and do not purchase anything from them as the infection is easy to remove! This is because this variant has a hard coded password that you can enter into the product key to “activate” it and close it.  Simply enter closecloseclosecloseclose into the Product Key field and then click on the Activate button. When you do this, a fake activated message will appear as shown below.

Activated Messsage
Activated Messsage

Now close this box by clicking on the X button and you should get your normal desktop back. If not, reboot your computer.

If this procedure does not work, you can reboot your computer into Windows Safe Mode with Networking and scan your computer with your favorite anti-virus or anti-malware program. For those who have Malwarebytes installed, I have confirmed that it can remove this infection.