ms removal tool

I have MS removal tool on my winXP.

I downloaded the app below and ran the exe in safe mode with networking a few times. It still hasn't gone away and I still can't connect to the internet.
http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool
jagguy Asked:

LHT_ST Commented:
Malwarebytes is usually pretty good at removing apps like this but there are manual ways of doing so. I'm not completely familiar with this app but have plenty of experience with the "system tool" malware which does the same thing.

If you can log on as a different user:

Browse to c:\documents and settings\all users\Application Data (you may need to enable hidden files and folders). If it's like system tool you will find a folder in there with a random arrangement of letters and numbers for its name. If you open the folder there will be a file with the same name. DELETE the folder and everything in it.
Then log back in as yourself/the user with the problem.

If it doesn't load then re-run the Malwarebytes scan (make sure to update it first), and I usually do a quick search in the registry on the folder name just in case anything has been missed.

Let me know how you get on.
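
Added example (not part of any participant's post): a report-only Python sketch of the folder check described in the comment above, listing folders whose name mixes letters and digits and that contain a file with the same name. The regex, the six-character minimum, and the sample folder names are assumptions constructed for illustration; it deletes nothing.

```python
import os
import re
import tempfile

# Assumed reading of "random arrangement of letters and numbers": letters and
# digits only, at least one of each, six or more characters (length is a guess).
RANDOM_NAME = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{6,}$")

# Location named in the post (Windows XP profile layout).
XP_ALL_USERS = r"C:\Documents and Settings\All Users\Application Data"


def find_suspect_folders(app_data_dir):
    """Return names of random-looking folders that hold a same-named file."""
    suspects = []
    for entry in os.scandir(app_data_dir):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if not RANDOM_NAME.match(entry.name):
            continue
        try:
            children = os.listdir(entry.path)
        except OSError:
            continue  # unreadable folder: leave it for manual review
        stems = {os.path.splitext(name)[0].lower() for name in children}
        if entry.name.lower() in stems:
            suspects.append(entry.name)
    return sorted(suspects)


def build_sample_tree(root):
    """Create a constructed directory layout (not from a real infection)."""
    layout = {
        "jF04612mBdNk04612": ["jF04612mBdNk04612.exe"],  # both signs present
        "Office2003": ["setup.ini"],     # letters+digits but no same-named file
        "Microsoft": ["Microsoft.dat"],  # same-named file but no digits
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        print(find_suspect_folders(sample_root))
```

On an affected machine, `find_suspect_folders(XP_ALL_USERS)` gives a shortlist to review by hand; a legitimate program can match the same pattern, so treat hits as candidates, not verdicts.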

Brian Gee Commented:
Does the MS Removal screen keep appearing, or is the issue now just that the Internet is not working correctly?

Malwarebytes, like mentioned above, is a good tool to keep in your anti-malware arsenal. Also, Combofix from the bleepingcomputer.com site could help in quelling this malware issue as well.
Jonvee Commented:
Another option is to reboot to "Safe Mode with Networking".
Then follow these recommended instructions to download up to four different free anti-malware software, from the list shown.
HitmanPro is particularly good.

Alternate MS Removal Tool removal instructions are also shown here, using HijackThis or Process Explorer (in Normal mode):
http://deletemalware.blogspot.com/2011/03/how-to-remove-ms-removal-tool-uninstall.html
Jonvee Commented:
Please note that in some cases the "rogue program" may block your attempts to remove it. If this is the case, you may need to rename the installer to iexplore.exe or winlogon.exe, as described in that last link.
jagguy (Author) Commented:
The problem is MS Removal Tool keeps appearing.
I go to safe mode with networking and still can't connect to the internet. Malwarebytes can't be updated and the AV won't work without internet.

I unchecked the proxy server as suggested but nothing. Without the internet I can't remove this.
LHT_ST Commented:
Have you had any joy removing it the way I suggested in the first post?

You may need to download Malwarebytes on another computer and copy it over via USB key.
Jonvee Commented:
You could download Rkill to another machine, then copy it across using USB.
Rkill is a small, freeware and portable tool designed to terminate active malware processes allowing you to use other removal tools:
http://www.technibble.com/rkill-repair-tool-of-the-week/

Another alternative ... Rogue-Killer ... recently recommended by younghv, who was introduced to it by rpggamergirl, an EE Virus/Spyware advisor. He has produced an excellent article in this link.
For the record I have no experience using Rogue Killer, but I am impressed at what I've read:
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_4922-Rogue-Killer-What-a-great-name.html
phototropic Commented:
"...i go to safe mode with netowrking and still cant connect to the internet..."

Have you reset your hosts file as suggested in the Bleeping Computer article you referenced? Info is at item 22/23/24;

Are you sure that Rkill ran? There are 7 separate file names and extensions for Rkill - try each one until it runs. A cmd prompt will open, some time will go by, and then a report will appear telling you which rogue process(es) got terminated.

Is Mbam fully updated? Make sure it is, then run it again and please post the scan log here.

Mbam should be able to remove this infection in one pass...


jagguy (Author) Commented:
OK, with the 1st post I removed an entry with HijackThis and rebooted the PC and the internet now works.

I will run AV stuff now.
rpggamergirl Commented:
After you unchecked the proxy, you would then need to run the renamed Rkill to kill the process before MalwareBytes can run.

Did you download all the stuff needed before you went to safe mode with networking?
Because even if you already unchecked the proxy, the nasties are still active until you run Rkill... after Rkill, that's when MalwareBytes has a chance to update... if still no internet connection after unchecking the proxy and running Rkill, then run the Hosts-perme.bat and delete your Hosts file.

You can also try RogueKiller as suggested.
Jonvee Commented:
That's good. Please ensure you update Malwarebytes and other AV software before running them.
IMHO you should not now need to run ComboFix as it's really more suitable for a heavily infected computer.
rpggamergirl Commented:
Oops, missed the above post, didn't refresh the page.
Jonvee Commented:
Oops, seems I didn't refresh the page.
Jonvee Commented:
@ rpg ... snap :)
rpggamergirl Commented:
@ Jonvee, great minds think alike?... :)

Good idea suggesting CF, but where's your link? lol

-------------
ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please post the resulting log.
jagguy (Author) Commented:
Thanks a lot :)
Jonvee Commented:
@ jagguy ... glad you've resolved it.

@ rpggamergirl,
      >> Good idea suggesting CF, but where's your link? lol <<

Although it's academic now, CF wasn't my suggestion, the initial advice was from yobri ... rightly or wrongly my suggestion was just some additional advice <grin>