
MS Removal Tool Removal and Analysis

by Shanmuga

MS Removal Tool is similar in design and behavior to the System Tool rogue. It uses yellow system alert messages to get itself installed. MS Removal Tool blocks execution of most programs and Windows administrative tools such as Task Manager, Command Prompt and Registry Editor, presumably to protect itself and at the same time to scare the user into purchasing a fraudulent subscription.

Once installed on the victim’s system, the MS Removal Tool rogue security software proceeds to close other applications and generates fake system security warnings about non-existent malware. The malware creates a randomly named folder and file in the \All Users\Application Data\ folder. In this variant the last five characters of the name were always 07003, presumably an affiliate code, e.g.: C:\Documents and Settings\All Users\Application Data\dHdGiAkCkEi07003\dHdGiAkCkEi07003.exe

One of the mutexes it creates is named: Don’t stop me! I need some money!

[Screenshot] MS Removal Tool Fake System Scan

Scareware like MS Removal Tool is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages, distributed throughout the Web by cyber criminals using blackhat SEO techniques, spam and malicious Flash advertisements.

MS Removal Tool Removal (How to remove MS Removal Tool)

Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

  1. Boot into Windows Safe Mode with Networking.
  2. Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe), or download it on a clean computer and copy it to removable media such as a CD, DVD or USB flash drive.
  3. Double-click mbam-setup.exe to start the installation and follow the prompts. Make sure the option Update Malwarebytes’ Anti-Malware is checked when you finish the installation.
  4. Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
  5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as MS Removal Tool. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

MS Removal Tool Analysis

A rogue security software such as MS Removal Tool belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.

The trojan file was about 319488 bytes in size. It was detected by 11/43 (25.6%) of the antivirus engines available at VirusTotal.

This scareware is detected as:

  • Trojan.Generic.KD.170369
  • Trojan.Fakealert.20556
  • W32/FakeAlert.LO.gen!Eldorado
  • FakeAlert-SecurityTool.bf
  • a variant of Win32/Kryptik.MAR
  • Trojan.Agent/Gen-RogueLoad

Typical MS Removal Tool Scare Messages

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software…

MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool

Warning!
Application cannot be executed. The file filename.exe is infected.
Please activate your antivirus software.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

MS Removal Tool Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003
  • C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.tmp

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

MS Removal Tool Associated Registry Values and Keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\oGcMaMjAlJj07003=C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe

Manually editing the registry is NOT recommended.
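The file and registry indicators above follow one shape: a randomly named folder under the shared Application Data folder, an .exe of the same name inside it, a five-digit trailing code, and a RunOnce value carrying that same name. As an added example (not code from the original article or from any Malwarehelp.org tool), the Python below turns that shape into a check that can be run over a list of autorun entries exported from a suspect machine. The sample entries are constructed: the article’s own RunOnce value, a Windows 7 style path under ProgramData built from an affiliate code that commenters below reported, and two benign entries for contrast. The naming pattern, the directory list and the assumption that the value name matches the folder and file name are drawn from this page only and will not hold for every variant.

```python
import re
from typing import Dict, List, Optional

# Naming pattern of the rogue's dropped folder and executable as described on
# this page: letters (sometimes with digits mixed in) ending in a five-digit
# code that looks like an affiliate id (07003, 06504, 31001 and 31002 were seen).
NAME_RE = re.compile(r"^[a-z0-9]*[a-z](\d{5})$", re.IGNORECASE)

# Shared-profile data directories the rogue dropped into: the Windows XP path
# named in the article and the Vista/7 equivalent reported in the comments.
DATA_DIR_SUFFIXES = (
    r"\all users\application data",
    r"\programdata",
)


def rogue_affiliate_code(path: str) -> Optional[str]:
    """Return the five-digit code if `path` has the rogue's layout, else None.

    The layout checked is <data dir>\\<NAME>\\<NAME>.exe with NAME matching NAME_RE.
    """
    parts = path.replace("/", "\\").split("\\")
    if len(parts) < 3 or not parts[-1].lower().endswith(".exe"):
        return None
    folder, stem = parts[-2], parts[-1][:-4]
    if folder.lower() != stem.lower():
        return None  # folder and executable must share the random name
    match = NAME_RE.match(stem)
    if not match:
        return None
    parent = "\\".join(parts[:-2]).lower()
    if not parent.endswith(DATA_DIR_SUFFIXES):
        return None  # must sit directly under a shared data directory
    return match.group(1)


def suspicious_autoruns(entries: Dict[str, str]) -> List[dict]:
    """Flag Run/RunOnce entries whose command points at a rogue-shaped executable.

    `entries` maps a registry value name to its command string, the way the
    article lists the RunOnce value as name=<path to exe>.
    """
    findings = []
    for value_name, command in entries.items():
        exe = command.strip().strip('"')
        code = rogue_affiliate_code(exe)
        if code is None:
            continue
        stem = exe.replace("/", "\\").split("\\")[-1][:-4]
        findings.append({
            "value": value_name,
            "path": exe,
            "code": code,
            # On the test machine the value, folder and file all carried the same name.
            "name_matches_value": value_name.lower() == stem.lower(),
        })
    return findings


# Constructed sample autorun entries (not exported from a real machine).
SAMPLE_RUNONCE = {
    # The RunOnce value listed in the article.
    "oGcMaMjAlJj07003": r"C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe",
    # Windows 7 style location, with a name a commenter reported (path assumed).
    "mBl06504nJoNd06504": r"C:\ProgramData\mBl06504nJoNd06504\mBl06504nJoNd06504.exe",
    # Benign entries for contrast.
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe",
}

if __name__ == "__main__":
    for finding in suspicious_autoruns(SAMPLE_RUNONCE):
        print(f"{finding['value']}: code {finding['code']} -> {finding['path']}")
```

The check deliberately requires all three traits together (data directory, folder and file sharing one name, five-digit suffix) so that ordinary programs installed under ProgramData are not flagged on the suffix alone; a hit should still be confirmed with a scanner as the removal steps above describe.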

MS Removal Tool Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://194.28.113. 214
  • http://69.50.195. 77
  • http://msantispam-srv2. com
  • http://69.50.209. 220

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

MS Removal Tool Scareware — Screenshots

Note: The MS Removal Tool installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Josh April 2, 2011 at 6:17 AM

Shanmuga,

Thank you so much for your very helpful article. This little program installed itself on my system, my room kept clicking it and trying to use it to delete the “problems” it was finding. I walked in just as he was about to use his credit card to purchase a subscription, stopping him I viewed what was happening and immediately restarted into SafeMode, found your article, and now I am running in perfect form. Thank you again, your help was very much appreciated!

Sincerely,
Josh A.

Bill R. April 9, 2011 at 12:56 AM

My computer is infected with the MS Removal tool. I ran both Webroot Antivirus with Spy Sweeper software and the Malwarebytes’ Anti-Malware software under safe mode. Webroot picked up the Fakealert file and I deleted it. Rebooted in regular mode and the MS Removal Tool still was active. I ran both Webroot and Malware softwares again in safe mode and they didn’t detect anything. Rebooted in regular mode but got the same results. I run two Antivirus softwares: Webroot and Trend Micro Titanium. Trend Micro Titanium is all locked up, I can’t access it, I can’t uninstall it, I can’t install over top of it. So, I wonder if there’s a new version of this MS Removal Tool that’s embedded into my Trend Micro Titanium software. It won’t go away.

I could use some more help to fix it. Any ideas.

Rick Kwak April 9, 2011 at 10:51 AM

@ Bill

Bill, I had the same issue today. Here is how I got rid of it.

I ran both Avast and Malwarebyte to no avail. I then first downloaded a file called Rkill.exe. This will in effect stop the ms tool remover and give you full control of your computer. I then opened up CC Cleaner and went to Tools -> Startup and found an odd looking file that got installed today called mBl06504nJoNd06504. This is the malware. I then disabled this from startup and restarted the computer. Lo and behold, malware did not run on startup anymore. I did a search under my C: drive for 06504 and it found it in C: Program data and the directory mBl06504nJoNd06504. Opened it and deleted all files in this folder (should be two files). Once this was done, I found no more malware.

Good luck. Let me know how it goes.

Liz Smith April 9, 2011 at 4:14 PM

Thank you so much for that tip about Rkill.exe, Rick. Awesome, awesome program. Just saved my husband’s ass this morning. The damn rogue file wouldn’t let us open Malwarebyte installation. Downloaded the alternate-name versions of Rkill (MS Tool Remover was shutting down the others.) If anyone has that problem, you can just rename the file yourself and the rogue won’t be able to shut it down. Also, Rick’s advice about the file name proved to be spot on. We found an odd prefetch file with the last five digits 06504. The program must generate some sort of user tracking code, so definitely search for these files and delete.

Good Luck everyone!

Rick Kwak April 9, 2011 at 8:39 PM

@ Liz

You’re very welcome. I am glad I could help.

Susan April 10, 2011 at 9:05 PM

Our son inadvertently got this mess on our computer probably while on Youtube. After researching it and finding this info, we were able to get rid of it by starting in safe mode with networking; running rkill (which we renamed to avoid any detection); went to cc-cleaner and found the file which was had downloaded itself as an executable into the application data/users folder (it used a different set of numbers, however, so don’t just look for 06504 because it will have different numbers on your computer — ours was 31001). After disabling at start-up, we ran a search and found 2 files in a program folder, as well as the .exe file we’d found in cc-cleaner, deleted them all, and then we also as a safeguard did a system restore to 7 days back, BEFORE restarting the computer in normal mode. So far we seem to be clean. Thanks for all your advice!

senthil April 11, 2011 at 10:23 AM

Thanks Rick – using RKILL and CC cleaner stopped this nightmare. However the “odd looking file” in my case had a different name and I am not able to find the file in C:. At least I have disabled it in “startup”…and I do not see the “MS security tool” fake messages anymore…

senthil April 11, 2011 at 11:09 AM

Update – Opened C:\programdata and found a directory (hfc31002gAhjk31002) and program that was installed today with two files in it – have deleted it.

Thanks a lot Rick…

Rick Kwak April 11, 2011 at 9:25 PM

Right on. There are different names for the same virus, it appears. Running CC Cleaner and knowing what got installed and disabling is the first step. Usually the Malware file listed in CC Cleaner will be named the same thing as the executable file in your hard drive.

ramu April 9, 2011 at 5:39 PM

I just needed to run the antimalware in safemode as the article said. Thank u very much.

Rick Kwak April 9, 2011 at 8:37 PM

Yes, I was able to fix this in Safemode two months ago. However, this time, this malware was more evolved and I was not able to remove it using the same prior method. I would keep this website as your favorite so that you can come back too, if needed.

Dave April 9, 2011 at 7:10 PM

Thanks for clearing what was a nightmare – nothing would work!! Just a little frustrated why my F-secure software didn’t intercept the malware. Cheers again.

UG April 10, 2011 at 5:32 AM

This works great!!!

Niall April 10, 2011 at 8:33 AM

Any suggestions if the virus is preventing internet connection in safe mode?

Shanmuga April 10, 2011 at 8:43 AM

This one doesn’t block internet, at least not when I last checked. Did you select ‘Safe mode with networking’?

Rick Kwak April 10, 2011 at 8:43 AM

Try opening Internet Explorer, Tools, Internet Options, Connections, Lan Settings and uncheck use proxy server. You should now be able to access websites. Hope this helps.

Niall April 10, 2011 at 8:59 AM

No go on the proxy. That’s not it.

Harry1971 April 10, 2011 at 8:53 AM

Thanks, guys, I am really grateful for your help! Following the instructions above, I was able to fix my wife’s laptop; she has an assignment due Monday, and we were really scared because it was impossible to work on her laptop. I finally decided to google the name of this malware, and found this page. My wife owes me big time now….hoping to collect tonight!…;)

Harry1971 April 10, 2011 at 9:12 AM

Thanks again!

DK April 11, 2011 at 3:51 AM

Guys, you freaking rock! Between you and bleeping computer.com I was able to fix this, and I really appreciate you guys offering your help and experiences online for free. Thank you!

Dan Slone April 11, 2011 at 12:23 PM

I’m glad I found this site. My wife came across a facebook site that had an embedded video. A message popped up saying that she needed a codec (I guess this is a common ploy). She hit the red X, but apparently the malware loaded anyway. I told her to press “Alt-F4” next time to kill the window instead of the X because the X can be hijacked. Symantec Endpoint and MalwareBytes could not remove it, and apparently rkill did not do anything. What worked was CCleaner, deleting the startup (disable did not work), then going and deleting the files as previously described. What sucked was that it removed all privileges from the affected folders, and until I ran the CCleaner step, even in safe mode I could not regain my privileges with my admin account. After CCleaner, I took ownership, then restored the privileges. This was nasty! It has also changed a bunch of other settings that I’m working on fixing. Thanks everyone!

Pat April 11, 2011 at 8:55 PM

I have tried all the ways listed here to remove MS Removal Tool and it still remains on my computer. When I run RKill right as my computer boots up it will stop it from popping up, but then when I run Malwarebytes, nothing is found. Then when I run CCleaner stuff shows up in the registry to delete, but when I delete it then restart my computer the MS Removal Tool still is not removed. If someone knows an alternate way other than the ones listed in prior posts, please inform me. Thanks in advance. – Pat

Susan April 12, 2011 at 12:09 AM

Pat as per all the advice we found above, it is not enough just to delete it from the cc cleaner start up. Choose the disable option. Then, do a search on your computer (including system folders and hidden files) and look for the 5-number sequence found in the file name of the file you found in CC Cleaner (ie, the executable file). Searching those 5 numbers, we were able to find the files that had gotten embedded in our computer. It actually created a directory and had two files created, in addition to the executable file that we found with CC cleaner. So you should find maybe four incidences of this number sequence. Delete ALL those when you find them (and empty the recycle bin too), and then you should be able to shut down, re-start in normal mode and find the virus is gone. Good luck!

Pat April 12, 2011 at 1:23 AM

I finally got rid of it!!! Since malwarebytes and CCleaner were not finding the file. I ran Rkill and it came up with the file name and I searched for it from the start menu then just deleted the file. After doing so, I have had no problems (knock on wood).

Dan Slone April 12, 2011 at 7:18 AM

Make sure in CCleaner you delete the entry in the startup section, not just the registry section. Then you can restart the computer without it and dig into the folders. Good luck! I know several people who are now infected with this – helping them as fast as I can.

Mario April 11, 2011 at 10:39 PM

I am having an issue, the virus is preventing internal connection in safe mode.
Any suggestions?

Mark April 13, 2011 at 8:00 PM

Thanks heaps! The instructions worked perfectly. Just one question though – what exactly is the purpose of turning off/on Windows Restore and how important is it to do that? (I haven’t done that yet). I literally know nothing about the restore function (which is odd considering I probably know more about computers than your average person) but I just want to make sure that messing with it isn’t going to have any other side effects.

Thanks again!

Frosty April 14, 2011 at 6:09 AM

Ok so what do you do when u have run the rkill, and cc in safemode, opened the tool box for start up menu and there are no numbers to trace to disable it. no date of install of new programs. I’m not a computer guy. 6 hours now I’m quite frazzled :)

Robin April 14, 2011 at 10:32 AM

Thanks…running antimalware in safe mode cleared it for me :)

Paksoy May 1, 2011 at 11:07 PM

Worked like a charm! Thank you!

Joey May 2, 2011 at 6:52 AM

Thanks a bunch. Worked great, once I updated Malwarebytes.

angel_rose May 10, 2011 at 9:19 AM

I got scammed by this yesterday and went to see if I could uninstall it today and now I can’t find it anywhere in my computer. Is it gone? I have McAfee and have scanned my computer three times today and it didn’t find anything. Should I still be worried?

Basu May 29, 2011 at 10:15 AM

This is an excellent tool. Ensure that you first restart windows in safe mode with networking before you download and run this tool. Also recommend enabling Windows Security Essentials

Stan June 21, 2011 at 10:47 AM

Took the advice of a couple of commentators and left it for a few days
Seem to recall about 5 days, but other people had success in just two days
And it was gone

Joshua June 30, 2011 at 2:04 AM

Thanks for the help! that f*****g scared me!
