What is Hallmark Card TSS?
The Malwarebytes research team has determined that Hallmark Card TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
How do I know if my computer is affected by Hallmark Card TSS?
You will see this screen as soon as the executable is run:
which will go away if you click the "Exit" button, but this screen will appear after a reboot:
How did Hallmark Card TSS get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was installed by a trojan.
How do I remove Hallmark Card TSS?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
- Reboot the computer into Safe Mode with Networking.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now, or select the Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer back into normal mode.
"13544687" hides it for 10 minutes and "642358497351" uninstalls the software.
Is there anything else I need to do to get rid of Hallmark Card TSS?
- No, Malwarebytes Anti-Malware removes Hallmark Card TSS completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.
Technical details for experts
You may see these entries in FRST logs:
HKCU\...\Run: [Windows Authorization] => C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe [214016 2016-11-01] (Microsoft)
C:\Users\{username}\AppData\Roaming\WinErr

Alterations made by the installer:

File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Users\{username}\AppData\Roaming\WinErr
Adds the file WinErr.exe"="11/1/2016 9:11 AM, 214016 bytes, A

Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Authorization"="REG_SZ", "C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe"

Malwarebytes Anti-Malware log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/1/2016
Scan Time: 11:09 AM
Logfile: mbamHallmarkTSS.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.01.05
Rootkit Database: v2016.10.31.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326864
Time Elapsed: 8 min, 24 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Rogue.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Windows Authorization, C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe, Quarantined, [e336a813acee52e4ab54a54d05ff3fc1]

Registry Data: 0
(No malicious items detected)

Folders: 1
Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\WinErr, Quarantined, [0c0df8c3009acf678f7301f2a75d5ba5],

Files: 2
Rogue.TechSupportScam, C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe, Quarantined, [e336a813acee52e4ab54a54d05ff3fc1],
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Card.exe, Quarantined, [33e6605b5545e25456a912e0fd07cb35],

Physical Sectors: 0
(No malicious items detected)

(end)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
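
The Run-key persistence listed under "Technical details for experts" can be triaged from an FRST log with a short script. This is an added example, not Malwarebytes or FRST code: the function names and the `ExampleUpdater` line are made up, and it assumes the field in parentheses is the company name the file declares for itself.

```python
import re

# Shape of an FRST autorun line as shown on this page:
#   <hive>\...\Run: [<value name>] => <path> [<size> <date>] (<company>)
RUN_LINE = re.compile(
    r"^(?P<key>HK(?:LM|CU|U)\\.*?\\Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] => (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?: \((?P<company>[^)]*)\))?\s*$"
)

# Assumption: directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\", re.I)


def parse_run_line(line: str) -> dict:
    """Return the fields of one FRST Run/RunOnce line, or {} if it is not one."""
    m = RUN_LINE.match(line.strip())
    return {k: v or "" for k, v in m.groupdict().items()} if m else {}


def triage(log_text: str) -> list:
    """Return autorun entries worth a closer look, each with its reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_run_line(line)
        if not entry:
            continue  # folder lines, headers and blanks are skipped
        reasons = []
        if USER_WRITABLE.search(entry["path"]):
            reasons.append("autorun target in user-writable profile directory")
            # A self-declared "Microsoft" label outside system paths is a lead, not proof.
            if "microsoft" in entry["company"].lower():
                reasons.append("claims Microsoft as vendor")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


# Constructed sample: first and last lines are from this page, the middle one is made up.
SAMPLE_LOG = r"""
HKCU\...\Run: [Windows Authorization] => C:\Users\{username}\AppData\Roaming\WinErr\WinErr.exe [214016 2016-11-01] (Microsoft)
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [102400 2016-05-12] (Example Vendor)
C:\Users\{username}\AppData\Roaming\WinErr
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", f["path"], "|", "; ".join(f["reasons"]))
```

Legitimate software also starts from profile directories, so treat the output as a list of entries to inspect rather than a verdict.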