Windows 7 Forums


Windows 7: Fake MS Removal Tool

28 Mar 2011   #1

Windows7 32bit
Fake MS Removal Tool

Last week I started a thread entitled Files disappeared/unreadable. The replies were very helpful and I was able to find the files again. During the dialogue I scanned the drive with 3 different AV tools: AVG free, Malwarebytes, and the ESET online scanner. None of these came up with anything substantive, so it remained a mystery what changed the file attributes.

The user has called again to report something calling itself "MS Removal Tool" purporting her machine has multiple infections and offering to "fix" them, but if she selects "ignore", files start disappearing again.

I don't have the machine with me right now (I'll pick it up tomorrow am) but my question here is:

Has anyone here heard of a fake MS Removal Tool, which so cleverly falls below the radar of mainstream AV software?

I have noticed on Google a thread entitled "How do I remove fake MS Removal Tool?", started 26 March 2011. There is another one entitled "MS Removal Tool Infection" started 27 March 2011, and another entitled "How to remove fake MS Removal Tool.?" The recent nature of these threads indicates that this fake MS Removal Tool is perhaps a new piece of malware.

I am posting the question here because you have been very helpful, and you know what I have already used to scan the drive.

Obviously once I get the box back I'll have a good look at the threads I've referred to here and I will report back whether any of the techniques they recommend succeed in knocking the problem on the head.



28 Mar 2011   #2

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

I'm making an assumption that when you refer to the fake "MS Removal Tool" you're referring to a fake Malicious Software Removal Tool that has been around for a couple of years. If the malware you're going to be dealing with is something else please let us know.

Bleepingcomputer has a pretty extensive database on removing malware, including the MS Removal Tool.

How to remove the fake Microsoft Windows Malicious Software Removal Tool

Please read through their tutorial and make note of the specific steps they recommend as well as the usual locations where this malware tries to hide. Malwarebytes should pick this up but you may have to run it in Safe Mode.
28 Mar 2011   #3

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64


marsmimar has given you a good link for removing that tool - I would follow his advice.

The greater issue here is how these rogueware are getting onto her PC. It sounds like a new infection, after you had fixed the previous issues? Is it time to consider a change to your anti-malware strategy? Is your choice of anti-malware doing the job? There are many here that would argue AVG is not as good as it used to be a few years ago - I rarely see it recommended. In fact, I often see a recommendation to remove it.

If you find that you need to consider an alternative strategy, I would certainly try two combinations to achieve a layered approach. It's difficult to offer suggestions, since everyone has their own personal favorites: MSE, Avast, Norton and Malwarebytes are very popular here, and highly rated. I noted you used Malwarebytes before, but a reminder it is only resident in memory if it is the paid version - you should maybe consider that, it's quite affordable.

As a guide, I use both MSE and Malwarebytes resident in memory, since they don't "interfere" with one another. There are probably other choices that will achieve the same thing - be prepared to get a wide opinion on the matter.

Let us know if you need more help or advice.


28 Mar 2011   #4

Windows 7 Ultimate 64 bit

29 Mar 2011   #5

Windows7 32bit

Thank you again for your replies, especially to Carolyn, who hit the nail on the head. The screenshot in her link matched exactly the malware running on this computer, and the date of the Bleeping Computer post, 27 March 2011, could not be more current.

Thank you also to Marsmimar, but for the benefit of other users, your link was to an older post, and does not refer to the exploit doing the rounds right now.

And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive. To clarify, here is the result of the Malwarebytes scan of the drive attached as a slave on my computer.

MWB110329a.jpg

But here is the result of a Malwarebytes scan run with the drive running as the system drive in its own box.

Fake MS Removal Tool-0002.jpg

And for anyone who is interested in these things, if you compare the screenshot below with the one in Carolyn's link, you will notice that the file names have changed, and they have added another registry corruption - the disabling of Task Manager.

Fake MS Removal Tool-0004.jpg

Finally, thank you Golden for your post. I take your advice on board, but FYI, I think the infection was left over from last time, because I did not then scan the drive in its own box. That was an omission on my part.

29 Mar 2011   #6

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64

Quote: Originally Posted by mcart117
And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive.

Ah OK.....yes, that is correct. If you watch the scan progress of Malwarebytes, you should notice the first thing it does is "enumerate the registry" or something similar. Since the drive you scanned was a slave in another PC, that PC's registry did not have the corruption, and thus was not picked up by Malwarebytes.

Glad everything is now clean and sorted.
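
The reply above explains that a scan run from another PC reads that PC's registry, not the one stored on the slaved drive. The PowerShell below is an added example, not part of the original thread: it loads each user hive from the slaved drive by hand so the registry can be inspected from the clean PC. The drive letter E:, the temporary key name OfflineScan, and the choice of the DisableTaskMgr policy value and the per-user Run key as the things to check are assumptions.

```powershell
# Added example: read the registry hives of a drive attached as a secondary disk.
# Assumptions: the suspect Windows 7 volume is mounted as E:, and this runs elevated.
# Written for PowerShell 2.0 so it also runs on a stock Windows 7 analysis PC.
param([string]$OfflineRoot = 'E:\')

$mount   = 'OfflineScan'   # temporary key name under HKEY_USERS (hypothetical)
$psNames = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
$results = @()

$profiles = Get-ChildItem -Path (Join-Path $OfflineRoot 'Users') -Force |
            Where-Object { $_.PSIsContainer }

foreach ($p in $profiles) {
    $hive = Join-Path $p.FullName 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $hive)) { continue }

    # Load this profile's HKCU hive under HKEY_USERS on the analysis PC.
    & reg.exe load "HKU\$mount" "$hive" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $hive"; continue }

    try {
        $base = "Registry::HKEY_USERS\$mount\Software\Microsoft\Windows\CurrentVersion"

        # Policy value that disables Task Manager for the user (1 = disabled).
        $pol = Get-ItemProperty -Path "$base\Policies\System" -ErrorAction SilentlyContinue
        if ($pol -and $pol.DisableTaskMgr -eq 1) {
            $results += New-Object PSObject -Property @{
                Profile = $p.Name; Check = 'DisableTaskMgr'; Value = '1' }
        }

        # Per-user autostart entries, listed for manual review.
        $run = Get-ItemProperty -Path "$base\Run" -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $psNames -notcontains $_.Name } |
                ForEach-Object {
                    $results += New-Object PSObject -Property @{
                        Profile = $p.Name; Check = "Run\$($_.Name)"; Value = [string]$_.Value }
                }
        }
    }
    finally {
        # Release provider handles, otherwise the unload fails with "Access is denied".
        $pol = $null; $run = $null
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}

$results | Select-Object Profile, Check, Value | Format-Table -AutoSize
```

The script only reads from the loaded hives; anything it lists still has to be judged by hand, since legitimate software also uses the Run key.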

28 Apr 2011   #7

Windows 7 Ultimate x64

In addition to that, if you yourself suffer from this plague of a program, then download a few versions of rkill in safe mode, then open your computer normally and try to open each version as an administrator until one finally runs. At least one version will run. After it does, leave the Notepad open and run the other versions to completely block the program. Find the files and delete them; there will be 2.