Fake Tech Support Screen Lockup

A client recently made the mistake of Googling a customer support number for Gmail and letting a fake tech support guy access her computer.

After allowing the faker to access her computer — he used the remote access program Supremo — she got worried when he asked for money, so she hung up on him.

Unfortunately the faker had already installed a virus program on her computer, so when she rebooted it came up with the following screen.

It covered the entire desktop, so the normal desktop program icons could not be reached.

Control-Alt-Delete would bring up the task window, although the Task Manager itself had been disabled, so I couldn’t kill the program that was covering the desktop.

Although launching the Task Manager failed, that screen did let me reach the toolbar, so I thought I could run programs like regedit or gpedit.msc to kill the desktop task.

However, when I ran those programs their windows never appeared, because the fake screen was somehow controlling the desktop space.

Booting into Safe Mode worked fine, so I was fairly sure the virus was installed as some kind of startup program or task.

In Safe Mode I installed RKill and Autoruns. I then made shortcuts to the programs and added them to the Favorites so I could reach them even while the desktop virus was running.

After booting normally — and getting the desktop virus again — I ran RKill, which detected the registry entry that disabled the Task Manager. After fixing that registry entry I could run the Task Manager, and I noticed a Defender process running, which I thought was odd because I typically don’t install that program. After killing that Defender task the desktop virus disappeared immediately and the normal desktop was visible again, so I knew the Defender program was the main culprit.

I then ran Autoruns, which showed that the fake Defender program was running as a startup task. Instead of Windows Defender, the malware called itself MS Defender. I removed it as a startup task and the computer is now back to normal.
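As an added example (not part of the original post), here is a read-only PowerShell triage script that checks for the two things this cleanup turned up: a policy value that disables the Task Manager, and an autostart entry named after Defender that does not point into the real Windows Defender folder. It assumes the lockup used the DisableTaskMgr policy value and a Run-key or Startup-folder entry called "MS Defender"; the post only says RKill found "the registry entry" and Autoruns showed a startup task, so those exact locations are assumptions.

```powershell
# Added triage script, not from the original post. Read-only: it reports and changes nothing.
# Assumptions: Task Manager was disabled via the DisableTaskMgr policy value, and the fake
# "MS Defender" registered itself in a Run key or a Startup folder.
$findings = @()

# 1. Task Manager policy: a value of 1 disables Task Manager. Checked per-user and machine-wide.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        $findings += [pscustomobject]@{ Type = 'Policy'; Location = $key; Name = 'DisableTaskMgr'; Value = $val }
    }
}

# 2. Run-key autostarts: flag entries whose name mentions "Defender" but whose command
#    does not live under the genuine Windows Defender install directory.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$legitDefender = [regex]::Escape("$env:ProgramFiles\Windows Defender")
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider metadata properties
        if ($p.Name -match 'Defender' -and $p.Value -notmatch $legitDefender) {
            $findings += [pscustomobject]@{ Type = 'Autostart'; Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 3. Startup folders (current user and all users) for Defender-named shortcuts or executables.
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'Defender' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'StartupFolder'; Location = $dir; Name = $_.Name; Value = $_.FullName }
        }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No Task Manager policy or suspicious Defender-named autostart entries found.' }
```

Run it from an elevated PowerShell prompt (Safe Mode works too) so the HKLM keys and the all-users Startup folder are readable; anything it lists is a candidate to confirm in Autoruns before removing.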