Yet another microsoft scam support company. /

I had a call from a customer, another fake advert on their browser claiming they had a virus and asking them to call a phone number.

The advert used javascript to prevent the user from closing the tab with the error in it.

getsupportforyourpcscam3 getsupportforyourpcscam2 getsupportforyourpcscam1

The text in the scams said:

Your Computer might infected with an adware causing you to see this popup.

This may happen due to obsolete virus protections.

To fix, please call system support at 020-3805-0575 immediately. Please ensure you do not restart your computer to preovent data loss.

Possibility of Data & Identity theft, if not fixed immediately.


Your computer might contain adware

Attackers currently on might attempt to install dangerous programs on your computer that steal or delete your information (for example. photos, passwords, messages, and credit cards).

Call 020-3805-0575 for assistance with removing adware, malware and viruses.

[ ] Automatically report details of possible security incidents to Google. Privacy policy


Mouse Move Security Error.

Your computer might be infected with adware.

Attackers currently on might attempt to install dangerous programs on your computer that steal or delete your information (for example, photos, passwords, messages, and credit cards).

To fix, please contact customer care at 020-3805-0574 immediately.

The URLs the adverts were on are:

Both addresses now seem to be redirecting, in one case, successfully to (although then no page loads as the computer didn’t have a web server running) and the other to and return no fake error any more.

Both adverts listed similar telephone numbers:

02038050575 (aka 020 3805 0575 or 0203 805 0575 or +442038050575)
02038050574 (aka 020 3805 0574 or 0203 805 0574 or +442038050574)
Both numbers seem to be VoIP numbers hosted at Gamma Telecom.

At the time I called it was just putting me into a queue and then hanging up after about 30 seconds:

The website is hosted on – funnily enough also points to this IP! It is hosted at in the Netherlands. No other popular sites appear to be hosted on this IP. It appears to have an internal hostname of “”

The domain is registered with a privacy service and points to a popular DNS server with no clues as to who may be running the scam. The domain was recently registered on 2015-06-30

However, there are several other domains pointing to the same server. (slightly older, registered on 2015-06-04) (more recent again, 2015-06-30) and (mid-range ish 2015-06-23) all point to the same IP address!

righttechnicalsupport getsupportforyourpc scam

The domain is also protected with the same whois privacy service.
The other domains found,,, and are also the same.

The seems to have a lot more stuff accessible including another scam advert page:

tech computernowservices com scam advertthe host is hosted on a different server [] which seems to have a reference to the hostname []. This gives away another domain name of “” which in turn gives away a hostname of “” [] which then (long chain here) gives away another domain name of “” [].

The site is interesting. All it does is print out a URL to the screen of:{keyword}&&domain=test

When clicked the domain then sends you on to a scam avert page!

tech-support-services scam cpvlabtracker esvio [] is hosted on the same server as
At some point has also had php files containing links to the following javascript files:
Needless to say, [], isn’t an official google domain and has been registered using whois privacy.
It reverse DNSs to also registered using whois privacy.
The Javascript references yet more obscure domains: and [].

Also related seems to be, [], [],
Possibly also linked:,

Update: 13th July 2015 – So I called them again, this time they answered.
Initially they asked me to go start, run and then type in “hh h” which loads HTML help.
They then talked me through clicking the icon in the top left (as if you were to close the program) but then select “Jump to URL” and type in (here is the interesting bit!)

Now… is a domain I’ve come across before! It isn’t owned by LogMeIn! It is a domain bought by someone using domain privacy which then forwards you to logmein. I previously saw it in conjunction with the WinZip tech support scam back in December 2014.

They then offered me the following to “fix” the “problems” with my brand new fresh restore of a virtual machine.
techsupportdrive scam

Another domain associated with their operation is

I quizzed them about if they were part of winzip or any of the previous company names or domain registrants I had found on the WinZip operation but none seemed to click with the person I spoke to.

So my best guess so far is that it’s a different support department / outsourcing operation but with a script or mandate from the same parent company as the winzip operation. I don’t see why would be common between the two otherwise.

This entry was posted in Uncategorized. Bookmark the permalink.

4 Responses to Yet another microsoft scam support company. /

  1. So how do you actually fix the problem and get them off your browser? Asking for a friend.

  2. On windows, go into task manager and end task on the browser.
    Load up the browser again and DON’T restore the last session.

    Then check your add-ins section for rogue junk and also the add / remove programs section for rogue junk too.
    You may also want to check the computer with Hitman Pro

  3. Drew says:

    The above did not work for me it had embedded its self in programs and had to delete it using add delete programs in windows

  4. tony hoo says:

    There are too many scam/con adverts which offer free items and then try to charge you, they are lying cheats and there should be a facility to have them removed from the Net.

Comment on this topic

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s