Remove 844-763-5838 Tech Support Scam - How to, Technology and PC Security Forum

Remove 844-763-5838 Tech Support Scam


Tech support scams keep changing tactics to become more effective. The latest one uses a Trojan horse which, once launched, creates an executable file named “WinInfos.exe”. Registry entries are created so that the .exe file starts automatically with each boot of the Windows operating system. The 844-763-5838 phone number is given as a contact detail in the fake alert messages that are displayed. Those messages claim that “fileview.exe” has crashed. Read the article to the end to see how to remove this tech support scam.

Threat Summary

Name: 844-763-5838 Scam
Type: Tech Support Scam
Short Description: The tech support scam attempts to scare you by showing fake error messages on your screen. It is all a ruse to make you call the phone number given in the messages.
Symptoms: Fake alert messages will pop up. The 844-763-5838 phone number will be provided as the only possible fix.
Distribution Method: Freeware Installers, Suspicious Sites, Browser Redirects

844-763-5838 Scam – Distribution Methods

The 844-763-5838 tech support scam has a couple of distribution methods. Browsing suspicious websites of unknown origin is one of them. Files associated with the scam and its Trojan horse might reside there and quickly infect your computer. That usually happens through redirects and advertisements loaded from those sites, which inject the Trojan or a PUP (potentially unwanted program) containing it whenever there is some interaction with them.

The Trojan horse that installs WinInfos.exe and causes the scam's 844-763-5838 phone number to appear on your PC screen could be inside an installer package. Third-party freeware and bundled applications usually have such installation setups. Those setups might be configured to place additional components on your computer by default. You can prevent a setup from installing extra components if you find an Advanced or Custom settings menu from which to deselect them.

844-763-5838 Scam – Technical Information

The tech support scam uses the 844-763-5838 phone number as a contact and puts it into every fake alert message, which is how it got its name. This scam uses a Trojan horse to create an executable file called WinInfos.exe.

It puts it in the following directory:


Afterward, the Trojan horse creates sub-keys for that file in the Windows Registry.
These are the sub-keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WinInfos
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WinInfos
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos\Enum

Then, new registry entries are created, to make the Trojan auto-start with the boot of the Windows operating system and to make it more resilient. Those are the registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\cWinInfos\"version" = ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"Service" = "cWinInfos"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\"DeviceDesc" = "cWindows Informations Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CWININFOS\0000\Control\"ActiveService" = "cWinInfos"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\WinInfos\"EventMessageFile" = "%Windir%\Microsoft.NET\Framework\v2.0.50727\EventLogMessages.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"Type" = "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ErrorControl" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ImagePath" = "%Windir%\cWinInfos\168271\WinInfos.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"DisplayName" = "cWindows Informations Service"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cWinInfos\"ObjectName" = "LocalSystem"
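
The service entries above can be checked offline against a `reg export` of the Services key. The following Python is an added example, not part of the original article: it reads Type 0x10 (a Win32 service in its own process), Start 2 (automatic start) and ObjectName LocalSystem, and flags the cWinInfos service by name plus any similar auto-start service whose ImagePath lies outside the usual system directories. The sample data, the SAFE_DIRS allow-list and the function names are assumptions made for this illustration; real exports store ImagePath as hex(2), which decode() also handles.

```python
import re

# Constructed sample in .reg export form; the cWinInfos values mirror the entries listed above.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cWinInfos]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="%Windir%\\cWinInfos\\168271\\WinInfos.exe"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"ObjectName"="LocalSystem"
'''
SAFE_DIRS = ("%systemroot%\\system32\\", "%windir%\\system32\\", "c:\\windows\\system32\\", "c:\\program files")

def decode(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ as exported by reg.exe: UTF-16LE bytes
        return bytes(int(b, 16) for b in raw[7:].split(",") if b.strip()).decode("utf-16-le").rstrip("\x00")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg backslash escaping
    return raw

def parse_reg(text):
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            cur[m.group(1)] = decode(m.group(2))
    return keys

def suspicious_services(keys):
    hits = []
    for path, v in keys.items():
        m = re.search(r"\\Services\\([^\\]+)$", path, re.I)  # service key itself, not sub-keys
        if not m or "ImagePath" not in v:
            continue
        image = str(v["ImagePath"]).strip('"').lower()
        auto_system = v.get("Start") == 2 and str(v.get("ObjectName", "")).lower() == "localsystem"
        own_proc = isinstance(v.get("Type"), int) and v["Type"] & 0x10  # SERVICE_WIN32_OWN_PROCESS
        ioc = m.group(1).lower() == "cwininfos" or image.endswith("\\wininfos.exe")
        if ioc or (auto_system and own_proc and not image.startswith(SAFE_DIRS)):
            hits.append((m.group(1), v["ImagePath"], "page indicator" if ioc else "heuristic"))
    return hits

print(suspicious_services(parse_reg(SAMPLE)))
```

A "heuristic" hit only means the service deserves a closer look; legitimate software installed in unusual locations will match as well.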

After all of the aforementioned prerequisites are set, the executable file WinInfos.exe keeps popping up alert messages with errors. Those alerts are fake, and the goal here is to try and trick you into calling the provided phone number, which is 844-763-5838.

This is exactly what such a fake alert message looks like:

Image source: Symantec

The message reads:

CALL: (844) 763-5838
For Emergency Tech Support call immediately
just crashed on your system.
Call us now for instant premium support
(844) 763-5838

Many users continue to fall victim to scams such as the 844-763-5838 fake tech support one. This is probably because these scams find new ways to hide in your system without you noticing. They can enter your computer silently, without you finding out how.

In this particular case, the tech support scam does not require an active Internet connection to keep on spreading its bogus alert messages. The alerts will just keep popping up on your PC screen urging you to call the 844-763-5838 phone number. The people behind the scam will most likely present themselves as Microsoft representatives or technicians working for another legitimate company.

Whatever you do, do NOT call the scammers under any circumstances. Refrain from providing personal information over the phone when you are not certain whom you are talking to. The 844-763-5838 number is not free, and even the shortest conversation on it can cost you a small fortune.

The con artists will try to get personal information from you if you call them, and they will stall for time while you are on the phone. Not only will the call charges make them money, but they will also try to extract your personal information and sell it on the black market to the highest bidder. That might even lead to identity theft. Whatever the case, you should remove the malware responsible for this scam.

Remove 844-763-5838 Tech Support Scam

To manually remove WinInfos.exe, more popularly known as the 844-763-5838 tech support scam, from your computer, follow the step-by-step removal instructions given below. If manual removal does not get rid of the scam and its alerts effectively, you should search for and remove any leftover items with an advanced anti-malware tool. Such software will keep your system secure in the future.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when malware locked her out of her own computer.
