
Windows 7: Fake MS Removal Tool

28 Mar 2011   #1

Windows7 32bit
Fake MS Removal Tool

Last week I started a thread entitled Files disappeared/unreadable. The replies were very helpful and I was able to find the files again. During the dialogue I scanned the drive with 3 different AV tools: AVG free, Malwarebytes, and the ESET online scanner. None of these came up with anything substantive, so it remained a mystery what changed the file attributes.

The user has called again to report something calling itself "MS Removal Tool" purporting her machine has multiple infections and offering to "fix" them, but if she selects "ignore", files start disappearing again.

I don't have the machine with me right now (I'll pick it up tomorrow am) but my question here is:

Has anyone here heard of a fake MS Removal Tool, which so cleverly falls below the radar of mainstream AV software?

I have noticed on Google a thread entitled "How do I remove fake MS Removal Tool?", started 26 March 2011. There is another one entitled "MS Removal Tool Infection" started 27 March 2011, and another entitled "How to remove fake MS Removal Tool.?" The recent nature of these threads indicates that this fake MS Removal Tool is perhaps a new piece of malware.

I am posting the question here because you have been very helpful, and you know what I have already used to scan the drive.

Obviously once I get the box back I'll have a good look at the threads I've referred to here and I will report back whether any of the techniques they recommend succeed in knocking the problem on the head.

MCart. :)

28 Mar 2011   #2

Microsoft Community Contributor Award Recipient


I'm making an assumption that when you refer to the fake "MS Removal Tool" you're referring to a fake Malicious Software Removal Tool that has been around for a couple of years. If the malware you're going to be dealing with is something else please let us know.

Bleepingcomputer has a pretty extensive database on removing malware, including the MS Removal Tool.

How to remove the fake Microsoft Windows Malicious Software Removal Tool

Please read through their tutorial and make note of the specific steps they recommend as well as the usual locations where this malware tries to hide. Malwarebytes should pick this up but you may have to run it in Safe Mode.
28 Mar 2011   #3
Microsoft MVP

Windows 7 Ult. x64


marsmimar has given you a good link for removing that tool - I would follow his advice.

The greater issue here is how these rogueware are getting onto her PC. It sounds like a new infection, after you had fixed the previous issues? Is it time to consider a change to your anti-malware strategy? Is your choice of anti-malware doing the job? There are many here that would argue AVG is not as good as it used to be a few years ago - I rarely see it recommended. In fact, I often see a recommendation to remove it.

If you find that you need to consider an alternative strategy, I would certainly try two combinations to achieve a layered approach. It's difficult to offer suggestions, since everyone has their own personal favorites: MSE, Avast, Norton and Malwarebytes are very popular here, and highly rated. I noted you used Malwarebytes before, but a reminder that it is only resident in memory if it is the paid version - you should maybe consider that, it's quite affordable.

As a guide, I use both MSE and Malwarebytes resident in memory, since they don't "interfere" with one another. There are probably other choices that will achieve the same thing - be prepared to get a wide opinion on the matter.

Let us know if you need more help or advice.


28 Mar 2011   #4

Windows 7 Ultimate 64 bit

29 Mar 2011   #5

Windows7 32bit

Thank you again for your replies, especially to Carolyn, who hit the nail on the head. The screenshot in her link matched exactly the malware running on this computer, and the date of the Bleeping Computer post, 27 March 2011, could not be more current.

Thank you also to Marsmimar, but for the benefit of other users, your link was to an older post, and does not refer to the exploit doing the rounds right now.

And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive. To clarify, here is the result of the Malwarebytes scan of the drive attached as a slave on my computer.

[Screenshot: Fake MS Removal Tool-mwb110329a.jpg]

But here is the result of a Malwarebytes scan run with the drive running as the system drive in its own box.

[Screenshot: Fake MS Removal Tool-0002.jpg]

And for anyone who is interested in these things, if you compare the screenshot below with the one in Carolyn's link, you will notice that the file names have changed, and they have added another registry corruption - the disabling of Task Manager.

[Screenshot: Fake MS Removal Tool-0004.jpg]

Finally thank you Golden for your post. I take your advice on board, but FYI, I think the infection was left over from last time, because I did not then scan the drive in its own box. That was an omission on my part.

29 Mar 2011   #6
Microsoft MVP

Windows 7 Ult. x64

Quote: Originally Posted by mcart117
And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive.

Ah OK.....yes, that is correct. If you watch the scan progress of Malwarebytes, you should notice the first thing it does is "enumerate the registry" or something similar. Since the drive you scanned was a slave in another PC, that PC's registry did not have the corruption, and thus it was not picked up by Malwarebytes.

Glad everything is now clean and sorted.

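The point Golden makes above (a slaved drive's registry is never loaded, so a scanner on the clean PC cannot see the Task Manager lockout mcart117 found) can be worked around by mounting the offline user hive by hand. The script below is an added example, not code from the thread; it assumes the infected disk appears as E: on the clean machine and that the affected profile folder is named "victim". Run it from an elevated PowerShell prompt on the clean PC.

```powershell
# Added example: inspect an offline NTUSER.DAT from a slaved drive for the
# policy values that rogue "removal tools" set to lock out Task Manager.
# $SlaveDrive and $UserName are assumptions; adjust them for the real disk.
$SlaveDrive = 'E:'         # drive letter the infected disk received on the clean PC
$UserName   = 'victim'     # profile folder whose hive we want to inspect (assumed)
$HivePath   = Join-Path $SlaveDrive "Users\$UserName\NTUSER.DAT"
$MountName  = 'HKLM\OfflineUser'   # temporary key the offline hive is mounted under

if (-not (Test-Path $HivePath)) { throw "Hive not found: $HivePath" }

# reg.exe load maps the offline hive into the live registry under $MountName.
reg.exe load $MountName $HivePath | Out-Null
try {
    # Policies\System is where DisableTaskMgr / DisableRegistryTools live.
    $policy = "HKLM:\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $policy) {
        $p = Get-ItemProperty -Path $policy
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.PSObject.Properties[$name] -and $p.$name -eq 1) {
                Write-Output "[!] $name = 1 in offline hive (typical rogue-AV lockout)"
            }
        }
    } else {
        Write-Output "No Policies\System key in this hive (no lockout values present)"
    }

    # Per-user autostart entries: list them so odd, randomly named entries stand out.
    $run = "HKLM:\OfflineUser\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $run) {
        $props = (Get-ItemProperty -Path $run).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }
        foreach ($entry in $props) {
            Write-Output ("Run: {0} -> {1}" -f $entry.Name, $entry.Value)
        }
    }
}
finally {
    # Drop any lingering handles, then unmount so the hive is not left attached.
    [GC]::Collect()
    reg.exe unload $MountName | Out-Null
}
```

Removing a DisableTaskMgr value from the mounted hive with Remove-ItemProperty before unloading is the manual equivalent of what an on-box scan would repair.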
28 Apr 2011   #7

Windows 7 Ultimate x64

In addition to that, if you yourself suffer from this plague of a program, then download a few versions of rkill in Safe Mode, then open your computer normally and try to open each version as an administrator until one finally runs. At least one version will run. After it does, leave the Notepad window open and run the other versions to completely block the program. Find the files and delete them; there will be 2.