How do I get rid of a fake MS Removal Tool scam?

I have a popup "MS Removal Tool" (a combination lock showing top left corner) showing me a list of trojans and spyware found by this fake software scan. It is preventing me from loading a removal software download and is requesting I purchase the fix from the scam originator. Has someone had this same virus and found the best way to get rid of it?
adhudgens asked:

Juan Ocasio (Application Developer) commented:
Try to do a system restore to a time prior to the occurrence of the 'scan'.
0
younghv commented:
You probably have some variant of "MS Removal Tool".
The detailed instructions for removing it are here:

http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool
0
younghv commented:
Sorry, meant to say "variant of System Tool".

Note that this is one of the few malware variants that requires a "Safe Mode with Networking" re-boot before you can start the process.
0


Randy Downs (Owner) commented:
If you can't restore to a previous time then you will need to wipe the drive & start over. It's the only surefire fix.
0
younghv commented:
@adhudgens,
This is a very well-known chunk of malware and there is absolutely no need to either do a "System Restore" or a "wipe".

The author of the instructions at the link I posted (Grinler) is one of the top anti-malware specialists in the world.

The bulk of my business is disinfecting computers and I use his instructions every day of the week.
0
ComphandyKen commented:
younghv is right, this is a very removable infection. adhudgens is right that the only way to be sure everything is removed is to wipe and reformat the drive (actually, these days, to be super sure, you need to reinstall the MOBO BIOS with the hard drive removed).

However, for most people, getting rid of the problem is the best solution.

I recommend using a Rescue CD, either from Kaspersky or AVG, to boot the computer from the CD and scan for malware as a first step. That gets around all the settings garbage pulled by the infection, which is usually varied and considerable.

BE AWARE THAT REMOVING MALICIOUS FILES MAY RENDER YOUR COMPUTER UNBOOTABLE!!!

Backup your data, set a restore point, and try to make a copy of your Registry BEFORE getting jiggy with any antimalware solutions. Also, save a log of any actions your antimalware takes in some place you can easily access, like the root of your hard drive. That way, you can undo what gets done.

Kaspersky Rescue CD/USB Disk

http://support.kaspersky.com/faq/?qid=208282173
You will probably need to do this from a friend's computer that is not infected. To anyone reading this--SPEND A SILLY CHEAP BLANK CD AND DO THIS FIRST! I've used the Kaspersky CD I burned a couple of months ago many times since. It can download recent antivirus definitions from Kaspersky, so it is a very good thing to keep around before you are infected. Be a hero to your friends!

Burn the CD from the link. Boot from the CD. Update the CD over your network and run a complete scan.

After you finish with the rescue CD, I advise booting into Safe Mode with Networking (turn on your computer and immediately start pressing the F8 key on and off at one second intervals until the Startup Options page appears. Use the Up and Down arrow keys to select Safe Mode With Networking).

Go to Majorgeeks and download Malwarebytes and Spybot Search and Destroy from the antimalware section:

http://www.majorgeeks.com/downloads31.html

They will both install and update in Safe Mode with Networking. Run full scans with both of them. I find the combination does a good job of removing malware remnants AND restoring normal Windows settings. Malwarebytes will want you to restart to finish removing stuff, but you can let it wait until Spybot gets finished.

THEN (you're not done yet!) go to the Microsoft One Scanner and run that in Safe Mode with Networking (you don't have to restart--Malwarebytes can wait for that).

http://onecare.live.com/site/en-us/center/whatsnew.htm

The link takes you to the Windows7/Vista version. You will have to agree to the license and give UAC permission a couple of times the first time you run it. If Windows7 pops up with a persistent error, you may be able to work around it by turning off UAC in the Security Control panel. This will require a restart. Restart in Safe Mode with Networking again (DON'T DO A NORMAL STARTUP--bad stuff may reinstall).

Then run the One Scanner. Do whatever it recommends. It is very reliable and has never hurt a system yet, in my personal experience (I've run it on hundreds of different machines). It will flag pirated Microsoft software.

After the One Scanner finishes, restart your computer normally. Make sure your antivirus is working properly. Run the One Scanner again! It won't find anything new, most likely, but it has a great ability to see into Windows' nooks and crannies, and your antivirus will quite likely pop up with an alert that it has found malicious bits. Quarantine those as well. Save the log, in case something gets broken.

That's a fair start to cleaning out an infected system. There is more stuff I do as a pro, but I can't give you an easy description of that process.

If you are working on a mission-critical computer, are on a large commercial network, or are using confidential client data on the infected computer, I advise you to back up your data, wipe the computer hard drive, reinstall the BIOS from a boot CD, and recreate your OS from a backup or with a Windows reinstall (the System Recovery option is probably sufficient if you reinstall the BIOS first without rebooting the computer into Windows).

NOBODY can assure you that a computer is completely bug-free once it has been infected. DON'T assume running some utilities is going to make everything bad go away. You might get rid of the symptoms, but leave security holes (open ports, keylogger, etc.) on the computer that will cause no obvious user problems, but leave your company open to actual hacking by a criminal. That can be extremely costly in terms of legal and financial losses.

If you choose to ignore this advice, don't blame me!

I also repeat:

BE AWARE THAT REMOVING MALICIOUS FILES MAY RENDER YOUR COMPUTER UNBOOTABLE!!!

After all that CYA boilerplate, Good Luck!!
0
younghv commented:
@ComphandyKen,
Your advice will not work for the simple reason that you do not address the "rogue process" situation.

Unless and until the user stops the rogue process, Malwarebytes cannot do an effective scan.

A 'Boot CD' scan will have no effect on randomly named files that are generated on-the-spot by the malware and unknown to any "Boot CD" scanner.

You might also want to cut out the part of your "boilerplate" that repeats advice that has already been given.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
"Are there guidelines for answering questions?"

Read previous posts before commenting: It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.
0
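younghv's point above is that the rogue process must be found and stopped before any scanner can work, and that its files carry random, freshly generated names. As an added example (not code from the thread or from any product named in it), here is a small Python triage script that applies that observation as a detection heuristic: it flags running processes whose image lives in a user-writable directory and whose file name looks machine-generated. The process table is constructed sample data, and the "looks random" rules are this example's own assumptions, not a definition of how the malware names itself.

```python
import re

# Constructed sample process table: (pid, image path, parent pid). Not real data.
SAMPLE_PROCESSES = [
    (412, r"C:\Windows\System32\csrss.exe", 4),
    (1204, r"C:\Windows\explorer.exe", 1100),
    (1888, r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe", 1204),
    (2332, r"C:\Documents and Settings\All Users\Application Data\kJdHsLmQb\kJdHsLmQb.exe", 1204),
    (2560, r"C:\Users\alice\AppData\Local\Temp\3xq8zp.exe", 1204),
    (2710, r"C:\Users\alice\AppData\Local\Temp\setup.exe", 1204),
]

# Directories a non-admin user (and therefore drive-by malware) can write to.
USER_WRITABLE = re.compile(
    r"\\(Temp|Application Data|AppData\\(Local|Roaming|LocalLow))\\", re.IGNORECASE
)


def looks_random(stem):
    """Heuristic (assumption): a generated name mixes case inside the word,
    mixes letters with digits, or has very few vowels for its length."""
    if not re.fullmatch(r"[A-Za-z0-9]{5,}", stem):
        return False
    inner_mixed_case = any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)
    digits_and_letters = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / len(stem)
    return inner_mixed_case or digits_and_letters or vowel_ratio < 0.2


def flag_rogue_candidates(processes):
    """Return pids whose image is in a user-writable path AND has a random-looking name.
    Both conditions are required so system binaries with odd names (csrss) are not flagged."""
    flagged = []
    for pid, image, _parent in processes:
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if USER_WRITABLE.search(image) and looks_random(stem):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for pid, image, _ in SAMPLE_PROCESSES:
        if pid in flag_rogue_candidates(SAMPLE_PROCESSES):
            print(f"candidate rogue process pid={pid} image={image}")
```

On a real machine the table would come from the task list; anything flagged is a candidate to review and stop before running the scanners, not proof of infection.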
rpggamergirl commented:
I concur with younghv's comments.

If the problem persists, here's another option you can try... RogueKiller. You can also rename it to "winlogon.exe" or "roguekiller.com" if it won't run at first.

There's an article on RogueKiller:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html


0
adhudgens (Author) commented:
Thanks to everyone for the comments and help. I opened in safe mode with networking and used Malwarebytes (free) to find and remove everything but the infected registry. I was afraid I would have other problems if I deleted it.
0
younghv commented:
adhudgens,
If you used "Safe Mode with networking", followed by Malwarebytes, then you used my advice exactly.

The advice from http:#a35233785 had already been given over 2 hours previously.
0
adhudgens (Author) commented:
You are absolutely right younghv, you did give the solution first. Thank you for the help, but your help was not as comprehensive as ComphandyKen's. I'm sorry I failed to assign you points also.
0
younghv commented:
"Comprehensive" should not be defined by how many words are posted.

If you actually go to the link I provided, there are about 5 pages worth of "comprehensive" advice - including pictures and PROPER links to the products you needed.

The actual link to download "Malwarebytes" is:
(http://www.malwarebytes.org/mbam.php)

The actual link to download "SpyBot" is:
(http://www.safer-networking.org/index2.html)

You (as the user) need to be wary of any recommendation to download from a site other than the actual developer's.
0