What is 247emailsupport?
The Malwarebytes research team has determined that 247emailsupport is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
How do I know if my computer is affected by 247emailsupport?
You may see these warnings during install:
this icon on your desktop since the installer initiates an install of Reimage Repair:
And this entry in your list of installed programs:
Note that there is no version information
How did 247emailsupport get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as an installer for PC Cleaner Pro.
But it installs files that will produce a fake BSOD screen and a popup with the Tech Support Scammers number.
And it creates a scheduled task that opens a browser window to http://www[dot]247emailsupport[dot]com (blocked by Malwarebytes Anti-Malware Malicious Website Protection).
How do I remove 247emailsupport?
Our program Malwarebytes Anti-Malware can detect and remove this unwanted application.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-version.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to the following:
- Enable free trial of Malwarebytes Anti-Malware Premium
- Launch Malwarebytes Anti-Malware
- Then click Finish.
- If an update is found, you will be prompted to download and install the latest version.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes' Anti-Malware removes 247emailsupport completely.
- This Tech Support Scam creates a scheduled task. You can read here how to check for and, if necessary, remove Scheduled Tasks.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam.
and it stops the connections the browser hijacker tries to make:
Technical details for experts
You may see these entries in FRST logs:
HKLM-x32\...\Run: [WLrt1] => C:\Program Files (x86)\Adobe\WLrt1.exe [820885 2016-03-26] (Windows) HKLM-x32\...\Run: [tv] => C:\Program Files (x86)\PC Cleaner Pro\TV.exe [3282584 2016-03-26] (TeamViewer) C:\Windows\System32\Tasks\Checking C:\Users\Public\Desktop\Resume Reimage Repair Installation.lnk C:\Windows\Reimage.ini C:\Program Files\Google C:\Program Files (x86)\PC Cleaner Pro C:\Program Files (x86)\Adobe PC Cleaner Pro (HKLM-x32\...\PC Cleaner Pro) (Version: - ) Task: {A3099428-8B8F-422F-8CD4-EA7CC68D9908} - System32\Tasks\Checking => C:\ProgramFiles\Google\t.batAlterations made by the installer:
File system details [View: All details] (Selection) --------------------------------------------------- Adds the folder C:\Program Files\Google Adds the file t.bat"="3/26/2016 11:37 PM, 105 bytes, A Adds the folder C:\Program Files\Google\Chrome Adds the file Sct - Enable.bat"="3/27/2016 12:31 AM, 130 bytes, A Adds the folder C:\Program Files (x86)\Adobe Adds the file ClearLock.ini"="3/27/2016 12:36 AM, 60 bytes, A Adds the file WLrt1.exe"="3/26/2016 10:33 PM, 820885 bytes, A Adds the folder C:\Program Files (x86)\PC Cleaner Pro Adds the file ReimageRepair.exe"="3/25/2016 10:52 PM, 772016 bytes, A Adds the file track.bat"="3/27/2016 12:51 AM, 475 bytes, A Adds the file TV.exe"="3/26/2016 10:30 PM, 3282584 bytes, A Adds the file Uninstall.exe"="4/7/2016 8:23 AM, 82287 bytes, A Adds the file Uninstall.ini"="4/7/2016 8:23 AM, 1567 bytes, A In the existing folder C:\Users\Public\Desktop Adds the file Resume Reimage Repair Installation.lnk"="4/7/2016 8:24 AM, 1210 bytes, A In the existing folder C:\Windows Adds the file Reimage.ini"="4/7/2016 8:23 AM, 99 bytes, A In the existing folder C:\Windows\System32\Tasks Adds the file Checking"="4/7/2016 8:27 AM, 3982 bytes, A Registry details [View: All details] (Selection) ------------------------------------------------ [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] "tv"="REG_SZ", "C:\Program Files (x86)\PC Cleaner Pro\TV.exe" "WLrt1"="REG_SZ", "C:\Program Files (x86)\Adobe\WLrt1.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\PC Cleaner Pro] "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\PC Cleaner Pro\Uninstall.exe" "DisplayName"="REG_SZ", "PC Cleaner Pro" "NoModify"="REG_DWORD", 1 "NoRepair"="REG_DWORD", 1 "UninstallString"="REG_SZ", "C:\Program Files (x86)\PC Cleaner Pro\Uninstall.exe"Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware www.malwarebytes.org Scan Date: 4/7/2016 Scan Time: 8:46 AM Logfile: mbamTSSPCCleanerPro.txt Administrator: Yes Version: 2.2.1.1043 Malware Database: v2016.04.07.01 Rootkit Database: v2016.04.03.01 License: Premium Malware Protection: Disabled Malicious Website Protection: Enabled Self-protection: Enabled OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {username} Scan Type: Threat Scan Result: Completed Objects Scanned: 362782 Time Elapsed: 9 min, 19 sec Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Enabled PUM: Enabled Processes: 0 (No malicious items detected) Modules: 0 (No malicious items detected) Registry Keys: 1 Rogue.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PC Cleaner Pro, Quarantined, [22db32798415072ffba97b214cb85ba5], Registry Values: 2 Rogue.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|WLrt1, C:\Program Files (x86)\Adobe\WLrt1.exe, Quarantined, [df1e0d9e5742a5911487839deb176a96] Rogue.TechSupportScam, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|tv, C:\Program Files (x86)\PC Cleaner Pro\TV.exe, Quarantined, [22db32798415072ffba97b214cb85ba5] Registry Data: 0 (No malicious items detected) Folders: 1 Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro, Quarantined, [22db32798415072ffba97b214cb85ba5], Files: 8 Rogue.TechSupportScam, C:\Program Files (x86)\Adobe\WLrt1.exe, Quarantined, [df1e0d9e5742a5911487839deb176a96], Rogue.TechSupportScam, C:\Users\{username}\Desktop\setup (1).exe, Quarantined, [c538f2b9831620161cdace520df554ac], Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro\track.bat, Quarantined, [22db32798415072ffba97b214cb85ba5], Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro\ReimageRepair.exe, Quarantined, [22db32798415072ffba97b214cb85ba5], Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro\TV.exe, Quarantined, [22db32798415072ffba97b214cb85ba5], Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro\Uninstall.exe, Quarantined, [22db32798415072ffba97b214cb85ba5], Rogue.TechSupportScam, C:\Program Files (x86)\PC Cleaner Pro\Uninstall.ini, Quarantined, [22db32798415072ffba97b214cb85ba5], Rogue.TechSupportScam, C:\Program Files (x86)\Adobe\ClearLock.ini, Quarantined, [af4ef1ba7425270f1381f76364a132ce], Physical Sectors: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention