MS Removal Tool – a new Scamware!
With more powerful computers come more powerful viruses.
With more powerful viruses come more powerful antiviruses.
With all this comes a WHOLE lot of paranoia!
Scamsters building on this have created a worm that goes through the browser’s auto-execute function and disables all applications.
It is called the MS Removal Tool, and it's a pain.
The users get an error message like this:
MS Removal Tool belongs to a family of software products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. They need to be removed from your system immediately.
The trojan file was about 319488 bytes in size. It was detected by 11/43 (25.6%) of the antivirus engines available at VirusTotal.
This scareware is detected as:
- Trojan.Generic.KD.170369
- Trojan.Fakealert.20556
- W32/FakeAlert.LO.gen!Eldorado
- FakeAlert-SecurityTool.bf
- a variant of Win32/Kryptik.MAR
- Trojan.Agent/Gen-RogueLoad
The typical error messages are:

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software…

MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool

Warning!
Application cannot be executed. The file filename.exe is infected.
Please activate your antivirus software.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:
- Immediately contact the bank that issued the card and dispute the charges.
- Ask them to block any further transactions and cancel the card. You may also ask them to issue a new card with a different number.
So now that it's there, what do you do?
Relax – there are cures available.
First, visit:
http://www.malwarebytes.org/mbam-download-exe.php
Download the tool and save it on the C drive.
Next, go to http://www.microsoft.com/security/pc-security/malware-removal.aspx and download the tool.
- Boot into Windows Safe Mode with Networking.
- Run mbam-setup.exe from the computer, or download it on a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
- Double-click mbam-setup.exe to start the installation. Proceed with the installation, following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
- Once the update is completed, launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted, restart immediately to complete the removal process.
Restart the computer.
After the computer restarts in normal mode, run the Microsoft scanner to be safe.
Note: This has been tested on WinXP SP3 and Win7 Pro. Results for other operating systems are not known.

