What Is “Troubleshooter”?

As you can tell, the Troubleshooter malware is not actually a legitimate troubleshooter. The name of the process is an attempt to trick the user into thinking that it’s a part of Windows. Despite its helpful-sounding name, there’s nothing helpful whatsoever about this nasty piece of malware. Troubleshooter falls into the category of attack known as “tech support scams.” We talked about a few methods of attack before, and they usually involve an attacker pretending to be a benevolent agent. This can come in the form of a fake antivirus or malware cleaner which makes false claims of virus infections and demands payment to fix them. Sometimes it’s more direct, with scammers phoning people to enquire about their computers and offering aid for a small sum. Troubleshooter, however, uses a method not often seen with these attacks. Instead of trying to convince the user that something is wrong with their PC, it makes it look like something actually has gone wrong by displaying a fake blue screen of death. When the user is worried and needs assistance, Troubleshooter swoops in to “help,” despite causing the issue in the first place!

How Troubleshooter Works

When your PC is infected by Troubleshooter, the first thing you’ll see is the fake blue screen. Afterwards, Troubleshooter will open a window impersonating Windows, informing you that your PC has crashed. It will claim that there are errors with the computer’s .DLL files, and that if you reset the computer, it might do permanent damage to the operating system. Of course, this is all fake! The so-called troubleshooter will then run a fake scan of your PC and display a list of .DLL files that it claims are missing. It will then tell you that you can fix these “missing files”; you just need to purchase Windows Defender Essentials for $25 via PayPal. Of course, you’re not actually buying anything Windows-related. All you’re doing here is sending the creators of Troubleshooter $25. Once you’ve paid up, Troubleshooter detects this and states that all the .DLL files have been fixed. Essentially, you pay $25 to fix a problem that the “Troubleshooter” itself caused!

Defeating Troubleshooter

Of course, all Troubleshooter is really doing is locking you out of your PC until you pay up. There are ways to get around this nefarious piece of malware.

Booting into Safe Mode

Troubleshooter claims that resetting your PC will do damage, but this claim – like the blue screen – is fake. It’s purely an attempt to stop you from trying to get around it. If you have a way to boot into safe mode, restart the PC and get into safe mode. Here, you can individually strip out the components of Troubleshooter and reclaim your PC. Malwarebytes has an in-depth guide on how to do this.

Tricking Troubleshooter

If you’re feeling particularly mischievous, you can actually trick Troubleshooter into thinking you’ve paid the $25! This is done by exploiting Troubleshooter’s method of validating a purchase. Once the PayPal purchase has been made, the victim’s browser is directed to the site “http://hitechnovation.com/thankyou.txt”. This page contains the string “thankuhitechnovation,” which is the “passcode” for unlocking Troubleshooter. Once Troubleshooter sees this page and the confirmation string, it assumes that the user has paid their $25 and unlocks the computer. In other words, the entire payment check is whether a publicly readable text file containing a fixed string has been loaded. To trick Troubleshooter into thinking you paid, navigate to the part where it asks for a PayPal payment. Press Ctrl + O, then type “http://hitechnovation.com/thankyou.txt” into the box that appears. This will open the webpage with the passcode on it. Troubleshooter will see this and then assume you’ve paid up!
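Because the unlock check fetches one fixed URL, that request is also a usable indicator for defenders: any machine on your network that requests it has either been infected or is being “tricked” out of the lock screen. The following is an added example, not part of the original article, that scans constructed proxy log lines in Common Log Format for that check-in URL; the log lines, client addresses and timestamps are made up for illustration, while the host and path are the ones named above.

```python
import re

# Indicator taken from the article: the URL Troubleshooter loads to confirm "payment".
INDICATOR_HOST = "hitechnovation.com"
INDICATOR_PATH = "/thankyou.txt"

# Constructed sample proxy log (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 - - [03/Apr/2017:14:02:11 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 5123
10.0.0.12 - - [03/Apr/2017:14:02:40 +0000] "GET http://hitechnovation.com/thankyou.txt HTTP/1.1" 200 20
10.0.0.17 - - [03/Apr/2017:14:03:05 +0000] "GET http://HITECHNOVATION.COM:80/thankyou.txt HTTP/1.1" 200 20
10.0.0.21 - - [03/Apr/2017:14:03:30 +0000] "GET http://example.org/thankyou.txt HTTP/1.1" 404 312
"""

# client, timestamp, method, URL and status code from one CLF line
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
URL_RE = re.compile(r'^https?://([^/?#]+)(/[^?#]*)?')


def parse_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_troubleshooter_checkin(url):
    """True if the URL is the Troubleshooter payment-confirmation page.

    Hostname matching is case-insensitive and ignores an explicit port;
    the path must match exactly (a same-named file elsewhere is not a hit).
    """
    m = URL_RE.match(url)
    if not m:
        return False
    host = m.group(1).lower().split(":")[0]
    path = m.group(2) or "/"
    return host == INDICATOR_HOST and path == INDICATOR_PATH


def find_infected_clients(log_text):
    """Map each client address that requested the indicator URL to its timestamps."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_troubleshooter_checkin(rec["url"]):
            hits.setdefault(rec["client"], []).append(rec["ts"])
    return hits
```

Run against the sample log, `find_infected_clients` flags 10.0.0.12 and 10.0.0.17 and ignores the unrelated thankyou.txt on example.org; the flagged hosts are the ones to pull for the safe-mode cleanup described above.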

Troublesome Troubleshooter

While tech support scams usually report on errors that aren’t there, Troubleshooter is a rarer attack vector that tries to fool you into thinking an error is currently occurring. Now you know how it works, and more importantly, how to recover a PC from being hit by Troubleshooter. Have you, or someone you know, been hit by a tech support scam before? Tell us your stories below!

Image credit: Lance Fisher via Flickr