Tech support scams keep adopting new tactics to work more efficiently. The latest such scam uses a Trojan horse which, once launched, creates an executable file named “WinInfos.exe”. Registry entries are created to make the .exe file start automatically with each boot of the Windows operating system. The 844-763-5838 phone number is given as a contact detail in the fake alert messages that are displayed. Those messages claim that “fileview.exe” has crashed. Read the article to the end to see how to remove this tech support scam.
Threat Summary
Name | 844-763-5838 Scam |
Type | Tech Support Scam |
Short Description | The tech support scam attempts to scare you by showing fake error messages on your screen. It is all a ruse in trying to make you call the phone number given in the messages. |
Symptoms | Fake alert messages will pop-up. The 844-763-5838 phone number will be provided as the only possible fix. |
Distribution Method | Freeware Installers, Suspicious Sites, Browser Redirects |
844-763-5838 Scam – Distribution Methods
The 844-763-5838 tech support scam has a couple of distribution methods. Browsing suspicious websites of unknown origin is one of them. Files associated with the scam and its Trojan horse might reside there and quickly infect your computer. That usually happens through redirects and advertisements loaded from those sites. They inject the Trojan, or a PUP (potentially unwanted program) containing it, whenever there is some interaction with them.
The Trojan horse which installs WinInfos.exe and causes the 844-763-5838 phone number of the scam to appear on your PC screen could also be inside an installer package. Third-party freeware and bundled applications usually have such installation setups. Those setups might be configured to place additional components on your computer by default. You can prevent a setup from installing extra components if you find an Advanced or a Custom settings menu from which to deselect them.
844-763-5838 Scam – Technical Information
The tech support scam uses the 844-763-5838 phone number as a contact and puts it into every fake alert message, which is how the scam got its name. This scam uses a Trojan horse to create an executable file called WinInfos.exe.
It puts the file in the following directory:
%Windir%\cWinInfos\168271\WinInfos.exe
Afterward, the Trojan horse creates sub-keys for that file in the Windows Registry.
These are the sub-keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\cWinInfos
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WinInfos
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WinInfos
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos\Enum
Then, new registry entries are created to make the Trojan auto-start with the boot of the Windows operating system and to make it more resilient. Those are the registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\cWinInfos\"version" = "16.8.27.1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"Service" = "cWinInfos"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"DeviceDesc" = "cWindows Informations Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\Control\"ActiveService" = "cWinInfos"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WinInfos\"EventMessageFile" = "%Windir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"Type" = "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ImagePath" = "%Windir%\cWinInfos\168271\WinInfos.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"DisplayName" = "cWindows Informations Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ObjectName" = "LocalSystem"
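The file, key and service values listed above can be checked with a read-only script. This is an added example, not part of the original article or of any vendor tool; the function name Get-WinInfosIndicator is hypothetical, and every path and value it looks for is one quoted above.

```powershell
# Added example: read-only check for the indicators quoted in this article.
# Nothing is modified or deleted; the function only reports what it finds.
function Get-WinInfosIndicator {
    $svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\cWinInfos'
    $exePath = Join-Path $env:windir 'cWinInfos\168271\WinInfos.exe'

    # File and registry key locations exactly as given in the article.
    $paths = @(
        $exePath
        'HKLM:\SOFTWARE\cWinInfos'
        $svcKey
        'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WinInfos'
        'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000'
    )
    $results = @(foreach ($p in $paths) {
        [pscustomobject]@{
            Indicator = $p
            Detail    = 'exists'
            Present   = (Test-Path -LiteralPath $p)
        }
    })

    # Service values from the article. Start = 2 is the auto-start type,
    # which is what makes the service launch at every boot.
    # $svc is $null when the key is absent, so every check is then False.
    $svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
    $checks = [ordered]@{
        'Start = 2 (auto-start)'      = ($svc.Start -eq 2)
        'ObjectName = LocalSystem'    = ($svc.ObjectName -eq 'LocalSystem')
        'DisplayName matches'         = ($svc.DisplayName -eq 'cWindows Informations Service')
        # -like is used because an expandable ImagePath is returned with
        # %Windir% already expanded to the real Windows directory.
        'ImagePath -> WinInfos.exe'   = ($svc.ImagePath -like '*\cWinInfos\168271\WinInfos.exe*')
    }
    $results += foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{
            Indicator = $svcKey
            Detail    = $c.Key
            Present   = [bool]$c.Value
        }
    }
    $results
}

# Show every indicator, then a one-line verdict.
$found = Get-WinInfosIndicator
$found | Format-Table -AutoSize -Wrap
"{0} of {1} indicators present" -f @($found | Where-Object Present).Count, $found.Count
```

Any row with Present set to True means the corresponding artifact from the lists above exists on the machine and should be dealt with in the removal steps below.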
After all of the aforementioned prerequisites are set, the executable file WinInfos.exe keeps popping up alert messages with errors. Those alerts are fake, and the goal here is to try and trick you into calling the provided phone number, which is 844-763-5838.
This is what such a fake alert message looks like. The message reads:
WARNING!
YOUR COMPUTER MAY BE AT RISK:
CALL: (844) 763-5838
For Emergency Tech Support call immediately
fileview.exe
just crashed on your system.
Call us now for instant premium support
(844) 763-5838
Many users continue to fall victim to scams such as the 844-763-5838 fake tech support one. This is probably because these scams find new ways to hide in your system without you noticing. They can enter your computer silently, without you finding out how.
In this particular case, the tech support scam does not require an active Internet connection to keep on spreading its bogus alert messages. The alerts will just keep popping up on your PC screen urging you to call the 844-763-5838 phone number. The people behind the scam will most likely present themselves as Microsoft representatives or technicians working for another legitimate company.
Whatever you do, do NOT call the scammers under any circumstances. Refrain from providing personal information over the phone when you are not certain to whom you are talking. The 844-763-5838 number is not free, and even the shortest conversation on it can cost you a small fortune.
If you call them, the con artists will stall for time while you are on the phone and try to get personal information from you. Not only will the phone charges make them money, but they will also try to extract your personal information and sell it on the black market to the highest bidder. That might even lead to identity theft. Whatever the case, you should remove the malware responsible for this scam.
Remove 844-763-5838 Tech Support Scam
To manually remove WinInfos.exe, more popularly known as the 844-763-5838 tech support scam, from your computer, follow the step-by-step removal instructions given below. If the manual removal does not get rid of the scam and alerts effectively, you should search for and remove any leftover items with an advanced anti-malware tool. Such software will keep your system secure in the future.
Preparation before removing 844-763-5838 Scam.
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
- Be patient as this could take a while.
Step 1: Scan for 844-763-5838 Scam with SpyHunter Anti-Malware Tool
Step 2: Clean any registry entries created by 844-763-5838 Scam on your computer.
The registry keys usually targeted on Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values created by 844-763-5838 Scam there. This can be done by following the steps underneath:
Step 3: Find virus files created by 844-763-5838 Scam on your PC.
1. For Windows 8, 8.1 and 10.
For Newer Windows Operating Systems
1: On your keyboard press the Windows key + R, write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” followed by the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend waiting for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.
2. For Windows XP, Vista, and 7.
For Older Windows Operating Systems
In older Windows operating systems the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
844-763-5838 Scam FAQ
What Does 844-763-5838 Scam Trojan Do?
The 844-763-5838 Scam Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system. It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.
Can Trojans Steal Passwords?
Yes, Trojans, like 844-763-5838 Scam, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Can 844-763-5838 Scam Trojan Hide Itself?
Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.
Can a Trojan be Removed by Factory Reset?
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind that there are more sophisticated Trojans that leave backdoors and reinfect even after a factory reset.
Can 844-763-5838 Scam Trojan Infect WiFi?
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Can Trojans Be Deleted?
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Can Trojans Steal Files?
Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.
Which Anti-Malware Can Remove Trojans?
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Can Trojans Infect USB?
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.
About the 844-763-5838 Scam Research
The content we publish on SensorsTechForum.com, this 844-763-5838 Scam how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific trojan problem.
How did we conduct the research on 844-763-5838 Scam?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.)
Furthermore, the research behind the 844-763-5838 Scam threat is backed with VirusTotal.