Monday - May 23, 2011

Killing a Nasty Bastard

What this infection does:

MS Removal Tool is a computer infection from the same family as System Tool. This infection is also categorized as a rogue anti-spyware program as it pretends to be an anti-virus program, but is actually a program that displays fake security alerts and scan results in order to make you think your computer is infected. MS Removal Tool is installed through the use of malware that will install the program onto your computer without your knowledge or permission. When installed, the infection files will be created in a random named folder in C:\Documents and Settings\All Users\Application Data\, in XP, or C:\Documents and Settings\All Users\Application Data\, in Windows Vista and Windows 7. It will then be configured to start automatically when you login to your computer.

The little bastard gets into your PC and immediately shuts down every other program’s ability to run. Those programs either won’t respond at all, or an error message will come up saying that you don’t have the proper permissions to run them. Meanwhile, MS Removal Tool will be scanning the daylights out of your hard drives, and reporting back that you have all sorts of infections, damaged files, and every other kind of horror. You can reboot all you want, and it won’t make any difference. MS Removal Tool sets itself up to be the very first program loaded on boot. It’s a con. It’s out to hold your PC hostage until you authorize it to make a charge against your credit card for $29.95. Then it goes away. For now.

It can get right through your firewall, and right through many of the commercial anti-virus software packages.

You can beat it without too much trouble, and at no cost. Download the just released tool from Microsoft, called Microsoft Safety Scanner. <<== this is the link to get it. It's big - 68Mb. And it isn't terribly fast. But it will do the job. You can even download the tool once MS Removal Tool has taken over your PC, if you know how.

Here's what to do:
1) Reboot your Windows PC in Safe Mode. Do this by hitting the reset button, and then holding down the F8 key once the BIOS information is done flashing across the screen. Some text will come up: choose Safe Mode With Networking. Detailed F8 Safe Mode Boot instructions are here for all versions of Windows.

2) If you prepared ahead of time, you downloaded Microsoft Safety Scanner, and you have the file, called msert.exe, sitting on your desktop in the upper left quadrant. Safe Mode generally defaults to VGA 640x480 resolution, so you aren’t going to see most of your desktop icons. But it seems to map them from the upper left to the lower right, so if you move msert.exe in that area you’ll always be able to click on it.
2b) If you put msert.exe anywhere else, use Start—Run to launch it.
2c) If you didn’t prepare ahead of time, you can launch a browser and go online and download it. Browsers aren’t easy to use in VGA mode, but you can do it.

3) Run msert.exe, set it to full scan, then go out to lunch. It will take the better part of an hour to run, probably longer. But it will wipe out MS Removal Tool almost as an afterthought, while scanning and removing any other bit of spyware, malware, etc on your PC. It won’t even alert you that MS Removal was found until the very last screen. But it kills it, every time.

There are other PC security tools that can detect and remove this bastard. is one.

MS Removal Tool is really just another version of the WinWebSec rogue (ID pics and info about all the variations at this link), but it is persistent and annoying. And it’s out there in lots and lots and lots of places. It looks like a Microsoft tool, or a proper anti-viral too. So be prepared. Make sure your other anti-viral applications are updated. And be familiar with the security tools that you have on your PC, so that you can spot this fake if it suddenly shows up.

The Microsoft Safety Scanner, expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again. Do note that its not exactly a small file … its msert.exe file is a 68 MB download!

The MSS is different from the Malicious Software Removal Tool – nor is it meant to be a replacement for using an antivirus software program that provides ongoing protection. It is meant to be used as an additional on-demand scanner in addition to your existing antivirus software, should you feel the need for a second opinion. It works along with your existing antivirus software.

Posted by Drew458     on 05/23/2011 at 11:47 AM   
Filed Under: • Computers and Cyberspace •  
• Comments (5) • Trackbacks(0)  Permalink •  

DISCLAIMER

THE SERVICES AND MATERIALS ON THIS WEBSITE ARE PROVIDED "AS IS" AND THE HOSTS OF THIS SITE EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, TO THE EXTENT PERMITTED BY LAW INCLUDING BUT NOT LIMITED TO WARRANTIES OF SATISFACTORY QUALITY, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SERVICE OR ANY MATERIALS.

Not that very many people ever read this far down, but this blog was the creation of Allan Kelly and his friend Vilmar. Vilmar moved on to his own blog some time ago, and Allan ran this place alone until his sudden and unexpected death partway through 2006. We all miss him. A lot. Even though he is gone this site will always still be more than a little bit his. We who are left to carry on the BMEWS tradition owe him a great debt of gratitude, and we hope to be able to pay that back by following his last advice to us all:

1. Keep a firm grasp of Right and Wrong
2. Stay involved with government on every level and don't let those bastards get away with a thing
3. Use every legal means to defend yourself in the event of real internal trouble, and, most importantly:
4. Keep talking to each other, whether here or elsewhere

It's been a long strange trip without you Skipper, but thanks for pointing us in the right direction and giving us a swift kick in the behind to get us going. Keep lookin' down on us, will ya? Thanks.

THE INFORMATION AND OTHER CONTENTS OF THIS WEBSITE ARE DESIGNED TO COMPLY WITH THE LAWS OF THE UNITED STATES OF AMERICA. THIS WEBSITE SHALL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE UNITED STATES OF AMERICA AND ALL PARTIES IRREVOCABLY SUBMIT TO THE JURISDICTION OF THE AMERICAN COURTS. IF ANYTHING ON THIS WEBSITE IS CONSTRUED AS BEING CONTRARY TO THE LAWS APPLICABLE IN ANY OTHER COUNTRY, THEN THIS WEBSITE IS NOT INTENDED TO BE ACCESSED BY PERSONS FROM THAT COUNTRY AND ANY PERSONS WHO ARE SUBJECT TO SUCH LAWS SHALL NOT BE ENTITLED TO USE OUR SERVICES UNLESS THEY CAN SATISFY US THAT SUCH USE WOULD BE LAWFUL.

Copyright © 2004-2015 Domain Owner