MS Removal Tool is similar in design and behavior to the System Tool rogue. It uses yellow system alert messages to get itself installed. MS Removal Tool blocks execution of most programs and Windows administrative tools such as Task Manager, Command Prompt and Registry Editor, presumably to protect itself and at the same time to scare the user into purchasing a fraudulent subscription.
Once installed on the victim’s system, the MS Removal Tool rogue security software proceeds to close other applications and generates fake system security warnings about non-existent malware. The malware creates a randomly named folder and file in the \All Users\Application Data\ folder. In this variant the last five characters of the name always ended in 07003, presumably an affiliate code, e.g.: C:\Documents and Settings\All Users\Application Data\dHdGiAkCkEi07003\dHdGiAkCkEi07003.exe
One of the mutexes it creates reads: Don’t stop me! I need some money!
Scareware like MS Removal Tool is commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, spam and malicious Flash advertisements.
MS Removal Tool Removal (How to remove MS Removal Tool)
Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.
- Boot into Windows Safe Mode with Networking.
- Download Malwarebytes’ Anti-Malware Free edition (mbam-setup.exe), or download it from a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
- Double-click mbam-setup.exe to start the installation and proceed following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
- Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
- Turn System Restore off and on.
You should now be clean of this rogue.
The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as MS Removal Tool. The real-time component of the paid version includes dynamic blocking of malicious websites and servers and prevents execution of malware; it would warn you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware full version for additional protection.
MS Removal Tool Analysis
Rogue security software such as MS Removal Tool belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.
The trojan file was about 319488 bytes in size. It was detected by 11/43 (25.6%) of the antivirus engines available at VirusTotal.
This scareware is detected as:
- a variant of Win32/Kryptik.MAR
Typical MS Removal Tool Scare Messages
Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software…
MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool
Application cannot be executed. The file filename.exe is infected.
Please activate your antivirus software.
Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you did purchase one by entering your credit card number at a rogue software website, it would be prudent to:
- Immediately contact the bank that issued the card and dispute the charges.
- Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.
MS Removal Tool Associated Files and Folders
- C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003
- C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.exe
- C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.tmp
Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.
MS Removal Tool Associated Registry Values and Keys
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\oGcMaMjAlJj07003=C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe
Manually editing the registry is NOT recommended.
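The file and registry indicators above share one layout: a randomly named folder under All Users\Application Data whose name ends in the affiliate code 07003, an executable of the same name inside it, and a RunOnce value of the same name pointing at that executable. The following Python script is an added example, not code from the original article or from Malwarebytes; it matches that layout against a constructed file listing and a constructed set of RunOnce values rather than touching a live registry, so it runs offline. The 07003 suffix is taken from this page and is assumed to be variant-specific; the benign entries in the sample data are made up for contrast.

```python
"""Triage helper for the MS Removal Tool indicators (added example, not the article's code).

Runs over constructed data: a list of paths as a directory listing would
produce them and a dict of RunOnce value names -> value data as a registry
export would. On a real host you would feed it the real listing/export.
"""
import re
from typing import Dict, List, Optional, Tuple

# Observed in this variant: random alphabetic name followed by the affiliate
# code 07003. Assumption: other campaigns may use a different suffix.
AFFILIATE_CODE = "07003"
NAME_RE = re.compile(r"^[A-Za-z]+" + AFFILIATE_CODE + r"$")

# <anything>\All Users\Application Data\<name>[\<rest>]
APPDATA_RE = re.compile(
    r"^(?P<root>.*\\All Users\\Application Data)\\(?P<name>[^\\]+)(?:\\(?P<rest>.*))?$",
    re.IGNORECASE,
)


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return ('folder', name) or ('exe', name) if `path` matches the rogue's
    layout under All Users\\Application Data, otherwise None."""
    m = APPDATA_RE.match(path)
    if not m or not NAME_RE.match(m.group("name")):
        return None
    name, rest = m.group("name"), m.group("rest")
    if rest is None:
        return ("folder", name)          # ...\Application Data\<name>
    if rest.lower() == f"{name}.exe".lower():
        return ("exe", name)             # ...\Application Data\<name>\<name>.exe
    return None


def classify_runonce(value_name: str, value_data: str) -> Optional[str]:
    """Return the rogue's name if a RunOnce value of that name launches its own exe."""
    if not NAME_RE.match(value_name):
        return None
    hit = classify_path(value_data.strip('"'))
    if hit is not None and hit[0] == "exe" and hit[1] == value_name:
        return value_name
    return None


def triage(files: List[str], runonce: Dict[str, str]) -> List[str]:
    """Collect human-readable findings; file hits first, then RunOnce hits."""
    findings: List[str] = []
    for path in files:
        hit = classify_path(path)
        if hit is not None:
            findings.append(f"{hit[0]}: {path}")
    for value_name, value_data in runonce.items():
        if classify_runonce(value_name, value_data) is not None:
            findings.append(f"runonce: {value_name} -> {value_data}")
    return findings


# Constructed sample input: the page's own paths plus two benign decoys.
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003",
    r"C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\WER",   # benign
    r"C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.exe",      # dropper remnant, not matched by this layout rule
]
SAMPLE_RUNONCE = {
    "oGcMaMjAlJj07003": r"C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe",
    "Updater": r"C:\Program Files\Example\updater.exe",   # benign, constructed
}

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_RUNONCE):
        print(line)
```

The Temp dropper (aC555.exe) is deliberately left unmatched: its name is random and carries no stable marker, so a rule for it would be pure guesswork, whereas the affiliate-suffixed folder plus its self-referencing RunOnce value is a pattern that holds across the samples on this page.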
MS Removal Tool Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://194.28.113. 214
- http://69.50.195. 77
- http://msantispam-srv2. com
- http://69.50.209. 220
Note: Visiting the domains mentioned above may harm your computer system.
If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.
MS Removal Tool Scareware — Screenshots
Note: The MS Removal Tool installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.