Jump to content

Removal instructions for Productkeyupdate

Recommended Posts

  • Staff

What is Productkeyupdate?

The Malwarebytes research team has determined that Productkeyupdate is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.

How do I know if my computer is affected by Productkeyupdate?

You may see this warning during install:


and this entry in your list of installed programs:


How did Productkeyupdate get on my computer?

Tech Support Scammers use different methods for distributing themselves.

But it also installs files that will produce a fake Windows Verification screen with the Tech Support Scammers number. This screen is activated by a reboot which the malware initiates.


How do I remove Productkeyupdate?

Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application.
But due to the way this TechSupportScam installs itself we will need a way to bypass it.
If you already have Malwarebytes Anti-Malware installed, you can use Chameleon to get rid of this infection.

  • In the TechSupportScam screen click on the "Cmd" button which will open a command prompt.
  • In the command prompt type "explorer" and press "Enter".
  • In the resulting explorer window navigate to the Chameleon folder, usually "C:\Program Files (x86)\Malwarebytes Anti-Malware\Chameleon\Windows" and doubleclick on "iexplore(.exe)".
  • and follow the instructions ("Press any key to continue"). Chameleon will kill the process and start Malwarebytes Anti-Malware to finish it up.
  • Reboot when prompted to do so and evrything should be fine.

If you do not have Malwarebytes Anti-Malware installed, please proceed as follows.

  • In the TechSupportScam screen click on the "Cmd" button which will open a command prompt.
  • In the command prompt type "taskmgr" and press "Enter".
  • In the list of processes select "Productkeyupdate.exe" and click on "End Process".
  • Close Taskmanager and in the command prompt type "explorer" and press "Enter".
  • In the resulting explorer window navigate to "C:\Program Files (x86)\Productkeyupdate". Rightclick and delete "Productkeyupdate(.exe)"
  • Close the explorer window and in the command prompt type "shutdown -r".
  • You should see a prompt that Windows will shut down within the next minute.
  • Once your computer has rebooted normally, download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup-version.exe and follow the prompts to install the program.
  • At the end, be sure a check-mark is placed next to the following:
    • Enable free trial of Malwarebytes Anti-Malware Premium
    • Launch Malwarebytes Anti-Malware
  • Then click Finish.
  • If an update is found, you will be prompted to download and install the latest version.
  • Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

Is there anything else I need to do to get rid of Productkeyupdate?

  • No, Malwarebytes' Anti-Malware removes Productkeyupdate completely.

How would the full version of Malwarebytes Anti-Malware help protect me?

We hope our application and this guide have helped you eradicate this hijacker.

As you can see below the full version of Malwarebytes Anti-Malware would have protected you against the Tech Supprt Scam.




Technical details for experts

You may see these entries in FRST logs:



 () C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe
 HKLM-x32\...\Winlogon: [Shell] C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe [284672 ] () <=== ATTENTION
 HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe [284672 2016-05-03] () <==== ATTENTION
 C:\Program Files (x86)\Productkeyupdate

Productkeyupdate (HKLM-x32\...\Productkeyupdate) (Version:  - )
Alterations made by the installer:



File system details [View: All details] (Selection)
    Adds the folder C:\Program Files (x86)\Productkeyupdate
       Adds the file pcrestart.bat"="5/4/2016 10:41 AM, 194 bytes, A
       Adds the file Productkeyupdate.exe"="5/3/2016 11:33 PM, 284672 bytes, A
       Adds the file Uninstall.exe"="5/17/2016 11:02 AM, 75319 bytes, A
       Adds the file Uninstall.ini"="5/17/2016 11:02 AM, 1679 bytes, A

Registry details [View: All details] (Selection)
       "DisplayIcon"="REG_SZ", "C:\Program Files (x86)\Productkeyupdate\Uninstall.exe"
       "DisplayName"="REG_SZ", "Productkeyupdate"
       "NoModify"="REG_DWORD", 1
       "NoRepair"="REG_DWORD", 1
       "UninstallString"="REG_SZ", "C:\Program Files (x86)\Productkeyupdate\Uninstall.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
       "Shell" = REG_SZ, "C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe"
       "Path"="REG_SZ", "C:\Program Files\Productkeyupdate\Productkeyupdate.exe"
       "CleanShutdown"= REG_DWORD, 1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
       "Shell"="REG_SZ", "C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe"
Malwarebytes Anti-Malware log:


Malwarebytes Anti-Malware

Scan Date: 5/17/2016
Scan Time: 11:24 AM
Logfile: mbamProductKeyUpdate.txt
Administrator: Yes

Malware Database: v2016.05.17.03
Rootkit Database: v2016.05.06.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 310781
Time Elapsed: 2 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
Rogue.WindowsActivation, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Productkeyupdate, Quarantined, [8a6d7b5bdfba54e25d8afcda49bad030], 

Registry Values: 1
Rogue.WindowsActivation, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe, Quarantined, [b5428d495247cb6b0b4cc8dd2bd77987]

Registry Data: 1
Hijack.Shell, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe, Good: (Explorer.exe), Bad: (C:\Program Files (x86)\Productkeyupdate\Productkeyupdate.exe),Replaced,[19ded204574230066874330ce321e11f]

Folders: 1
Rogue.WindowsActivation, C:\Program Files (x86)\Productkeyupdate, Delete-on-Reboot, [8a6d7b5bdfba54e25d8afcda49bad030], 

Files: 5
Rogue.TechSupportScam, C:\Users\{username}\Desktop\Hotstar.exe, Quarantined, [bc3b429425745ed87d7399387f8233cd], 
Rogue.WindowsActivation, C:\Program Files (x86)\Productkeyupdate\pcrestart.bat, Quarantined, [8a6d7b5bdfba54e25d8afcda49bad030], 
Rogue.WindowsActivation, c:\program files (x86)\productkeyupdate\productkeyupdate.exe, Delete-on-Reboot, [8a6d7b5bdfba54e25d8afcda49bad030], 
Rogue.WindowsActivation, C:\Program Files (x86)\Productkeyupdate\Uninstall.exe, Quarantined, [8a6d7b5bdfba54e25d8afcda49bad030], 
Rogue.WindowsActivation, C:\Program Files (x86)\Productkeyupdate\Uninstall.ini, Quarantined, [8a6d7b5bdfba54e25d8afcda49bad030], 

Physical Sectors: 0
(No malicious items detected)

As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

Edited by Metallica
Link to post
Share on other sites

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.