Fake MS Removal Tool


  1. Posts : 15
    Windows7 32bit
       #1

    Fake MS Removal Tool


    Last week I started a thread entitled Files disappeared/unreadable. The replies were very helpful and I was able to find the files again. During the dialogue I scanned the drive with 3 different AV tools: AVG free, Malwarebytes, and the ESET online scanner. None of these came up with anything substantive, so it remained a mystery what changed the file attributes.

    The user has called again to report something calling itself "MS Removal Tool" purporting that her machine has multiple infections and offering to "fix" them, but if she selects "ignore", files start disappearing again.

    I don't have the machine with me right now (I'll pick it up tomorrow am) but my question here is:

    Has anyone here heard of a fake MS Removal Tool, which so cleverly falls below the radar of mainstream AV software?

    I have noticed on Google a thread entitled "How do I remove fake MS Removal Tool?", started 26 March 2011. There is another one entitled "MS Removal Tool Infection" started 27 March 2011, and another entitled "How to remove fake MS Removal Tool.?" The recent nature of these threads indicates that this fake MS Removal Tool is perhaps a new piece of malware.

    I am posting the question here because you have been very helpful, and you know what I have already used to scan the drive.

    Obviously once I get the box back I'll have a good look at the threads I've referred to here and I will report back whether any of the techniques they recommend succeed in knocking the problem on the head.

    MCart. :)


  2. Posts : 10,994
    Win 7 Pro 64-bit
       #2

    I'm making an assumption that when you refer to the fake "MS Removal Tool" you're referring to a fake Malicious Software Removal Tool that has been around for a couple of years. If the malware you're going to be dealing with is something else please let us know.

    Bleepingcomputer has a pretty extensive data base on removing malware, including the MS Removal Tool.

    How to remove the fake Microsoft Windows Malicious Software Removal Tool

    Please read through their tutorial and make note of the specific steps they recommend as well as the usual locations where this malware tries to hide. Malwarebytes should pick this up but you may have to run it in Safe Mode.


  3. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #3

    Hi,

    marsmimar has given you a good link for removing that tool - I would follow his advice.

    The greater issue here is how these rogueware are getting onto her PC. It sounds like a new infection, after you had fixed the previous issues? Is it time to consider a change to your anti-malware strategy? Is your choice of anti-malware doing the job? There are many here that would argue AVG is not as good as it used to be a few years ago - I rarely see it recommended. In fact, I often see a recommendation to remove it.

    If you find that you need to consider an alternative strategy, I would certainly try two combinations to achieve a layered approach. It's difficult to offer suggestions, since everyone has their own personal favorites: MSE, Avast, Norton and Malwarebytes are very popular here, and highly rated. I noted you used Malwarebytes before, but a reminder it is only resident in memory if it is the paid version - you should maybe consider that, it's quite affordable.

    As a guide, I use both MSE and Malwarebytes resident in memory, since they don't "interfere" with one another. There are probably other choices that will achieve the same thing - be prepared to get a wide opinion on the matter.

    Let us know if you need more help or advice.

    Regards,
    Golden
    Last edited by Golden; 28 Mar 2011 at 06:04. Reason: corrected spelling


  4. Posts : 382
    Windows 7 Ultimate 64 bit
       #4


  5. Posts : 15
    Windows7 32bit
    Thread Starter
       #5

    Thank you again for your replies, especially to Carolyn, who hit the nail on the head. The screenshot in her link matched exactly the malware running on this computer, and the date of the bleeping computer post, 27 March 2011, could not be more current.

    Thank you also to Marsmimar, but for the benefit of other users, your link was to an older post, and does not refer to the exploit doing the rounds right now.

    And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive. To clarify, here is the result of the Malwarebytes scan of the drive attached as a slave on my computer.

    Fake MS Removal Tool-mwb110329a.jpg

    But here is the result of a Malwarebytes scan run with the drive running as the system drive in its own box.

    Fake MS Removal Tool-0002.jpg

    And for anyone who is interested in these things, if you compare the screenshot below with the one in Carolyn's link, you will notice that the file names have changed, and they have added another registry corruption - the disabling of taskmanager.

    Fake MS Removal Tool-0004.jpg

    Finally thank you Golden for your post. I take your advice on board, but FYI, I think the infection was left over from last time, because I did not then scan the drive in its own box. That was an omission on my part.
    Last edited by mcart117; 29 Mar 2011 at 19:19. Reason: typo


  6. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #6

    mcart117 said:
    And for the benefit of anyone else who likes to remove a drive from a problem computer and scan it from a clean computer, this exploit is NOT picked up by Malwarebytes, EXCEPT when it is running on the system drive.
    Ah OK.....yes, that is correct. If you watch the scan progress of malwarebytes, you should notice the first thing it does is "enumerate the registry" or something similar. Since the drive you scanned was a slave in another PC, that PC's registry did not have the corruption, and thus was not picked up by Malwarebytes.

    Glad everything is now clean and sorted.

    Regards,
    Golden
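    The point made in the two posts above (the slave-drive scan only consults the host PC's live registry, and the rogue tool's Task Manager lockout lives in the infected user's own hive) can be checked from the clean PC by loading that hive offline. This is an added example, not posted by anyone in this thread; it assumes the slave drive is D:, the affected profile is called Alice, and an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inspect a slave drive's own registry hive,
# because a scanner run on the host PC only enumerates the host's live registry.
# Assumptions: slave drive mounted as D:, affected profile D:\Users\Alice, run elevated.
param(
    [string]$SlaveRoot   = 'D:',
    [string]$ProfileName = 'Alice'
)

$ntuser = Join-Path $SlaveRoot "Users\$ProfileName\NTUSER.DAT"
$mount  = 'HKU\OfflineUser'      # temporary name under which the hive is attached

# reg.exe can load an offline hive file; the PowerShell registry provider only sees live keys.
& reg.exe load $mount $ntuser | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Could not load $ntuser (is the drive online and the shell elevated?)"
}

try {
    $base = 'Registry::HKEY_USERS\OfflineUser'

    # Post #5 notes the rogue tool disables Task Manager: that is the per-user
    # DisableTaskMgr policy value (1 = Task Manager blocked).
    $pol = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Policies\System" `
                            -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableTaskMgr -eq 1) {
        Write-Output "DisableTaskMgr is set in the offline hive: Task Manager is blocked for $ProfileName"
    } else {
        Write-Output "DisableTaskMgr is not set for $ProfileName"
    }

    # Per-user autostart entries, listed so each file can be located on the slave disk
    # and checked, rather than trusting the host scan that never saw this hive.
    $run = Get-ItemProperty -Path "$base\Software\Microsoft\Windows\CurrentVersion\Run" `
                            -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |     # skip the provider's own PS* fields
            ForEach-Object { Write-Output ("Run: {0} = {1}" -f $_.Name, $_.Value) }
    }
}
finally {
    # Always detach the hive, otherwise the slave drive cannot be removed cleanly.
    & reg.exe unload $mount | Out-Null
}
```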


  7. Posts : 1
    Windows 7 Ultimate x64
       #7

    In addition to that, if you yourself suffer from this plague of a program then dl a few versions of rkill in safe mode, then open your computer normally and try to open each version as an administrator until one finally runs. At least one version will run. After it does, leave the notepad open and run the other versions to completely block the program. Find the files and delete them, there will be 2.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.