MS Removal Tool
MS Removal Tool, also called Microsoft Removal Tool, is a dangerous fake security application that entices computer users into actions that benefit its author. The malicious software arrives bundled with an executable file that can be obtained for free from file-sharing networks, usually disguised as a legitimate installation file. Fake online virus scanners set up to promote the software are another way the MS Removal Tool infection spreads. These web sites pretend to run a complete scan of the visitor's computer and present believable results stating that the PC is infected with various threats. Although the scan is fictitious, many users are convinced and fall for the trick. MS Removal Tool does similar harm to System Tool.
While MS Removal Tool resides on the computer, it makes quite a few changes. The fake AV modifies system settings and creates its own start-up process. To further catch the user’s attention, MS Removal Tool blocks the execution of any application and displays a false notification instead of running the requested program. The warning states that the “.exe” file is infected and requires immediate treatment using the full version of MS Removal Tool. An attempt to fix the issue opens a new browser window where victims are asked to pay for the transaction with a credit card.
Obtaining the licensed version of MS Removal Tool won’t help in any way. Its inclusion on lists of rogue security software clearly indicates that it should not gain your trust. If it gets inside your system, remove this program promptly with the help of a real security product. Below is our recommended tool to wipe away MS Removal Tool together with its associated files and components.
Screen Shot Images:


MS Removal Tool displays a fake warning about a number of infections found on the computer. Selecting “Remove all threats now” opens a new browser window that prompts for credit card details to settle payment. You may select “Continue Unprotected”, but excessive pop-up messages then hamper normal operation.
Technical Details and Additional Information:
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Malware Behavior
The presence of MS Removal Tool causes the affected computer to malfunction in several respects. The rogue program prevents the execution of almost every tool essential to performing a fix. An attempt to run any application returns a message like the one below.
Warning!
Application cannot be executed. The file cmd.exe is infected.
Please activate your antivirus software.
This fake anti-virus program also constantly shows task bar alerts. You should not trust them. All of the warning messages are false; they only depict danger to force you into buying the registered version of MS Removal Tool. Here are some examples of the phony warnings.
MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool.
MS Removal Tool Warning
Your PC is infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid the theft of your credit card details.
Click here to activate protection.
Added Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[random]"
Associated Files and Folders:
c:\Documents and Settings\All Users\Application Data\[random]\
c:\Documents and Settings\All Users\Application Data\[random]\[random]
c:\Documents and Settings\All Users\Application Data\[random]\[random].exe
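The registry and file indicators listed above can be combined into a quick triage check. The following Python code is an added example, not part of the original article: it flags RunOnce values whose command launches an .exe from a first-level subfolder of the all-users application data directory (C:\ProgramData is the Windows Vista/7 location of that folder). The function names, value names and sample entries are constructed for illustration.

```python
"""Triage RunOnce autorun values against the layout listed on this page."""
import ntpath
import re

RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"

# All-users application-data roots (XP path from the article; ProgramData is
# the Windows Vista/7 location of the same folder). Lower-cased for matching.
COMMON_APPDATA_ROOTS = (
    r"c:\documents and settings\all users\application data",
    r"c:\programdata",
)


def extract_exe_path(command):
    """Return the executable path from an autorun command line, or None."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 1 else None
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    match = re.match(r"(?i)(.+?\.exe)(?=\s|$)", command)
    return match.group(1) if match else None


def classify(value_name, command):
    """Compare one RunOnce value with the [random]\\[random].exe layout."""
    exe = extract_exe_path(command)
    if exe is None:
        return {"value": value_name, "exe": None, "verdict": "unparsed",
                "same_name": False}
    norm = ntpath.normpath(exe).lower()
    folder, filename = ntpath.split(norm)
    parent, folder_name = ntpath.split(folder)
    stem, ext = ntpath.splitext(filename)
    hit = parent in COMMON_APPDATA_ROOTS and ext == ".exe"
    return {
        "value": value_name,
        "exe": exe,
        "verdict": "review" if hit else "ok",
        # Extra hint only: folder and file share one name. The article does
        # not state this; treat it as an assumption when ranking results.
        "same_name": hit and folder_name == stem,
    }


def triage(entries):
    """Classify every (value_name, command) pair."""
    return [classify(name, command) for name, command in entries]


def needs_review(entries):
    """Names of the values that match the layout and deserve a closer look."""
    return [r["value"] for r in triage(entries) if r["verdict"] == "review"]


def read_runonce_live():
    """Windows only: read the current user's RunOnce values via winreg."""
    import winreg  # standard library, present on Windows only
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_KEY) as key:
            for index in range(winreg.QueryInfoKey(key)[1]):
                name, data, _kind = winreg.EnumValue(key, index)
                entries.append((name, str(data)))
    except FileNotFoundError:
        pass  # key absent: nothing registered
    return entries


# Constructed sample data (not taken from a real machine).
SAMPLE_RUNONCE = [
    ("qWzXrTpLm", r'"C:\Documents and Settings\All Users\Application Data'
                  r'\qWzXrTpLm\qWzXrTpLm.exe"'),
    ("hKdPbNvYs", r"c:\ProgramData\hKdPbNvYs\hKdPbNvYs.exe"),
    ("VendorUpdate", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("Cleanup", r"cmd.exe /c del C:\temp\old.log"),
    ("Shim", "rundll32 shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    # On an affected Windows host, use triage(read_runonce_live()) instead.
    for result in triage(SAMPLE_RUNONCE):
        print(result["verdict"], result["value"], result["exe"])
```

A "review" verdict means only that the entry matches the layout; confirm the file before deleting anything, since legitimate software can also install under the all-users application data folder.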
How to Remove MS Removal Tool
Manual Removal Procedure
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with "MS Removal Tool". When Windows Task Manager opens, go to the Processes tab. Find and end this process.
(random characters).exe
2. Update your installed antivirus software. Connect to the Internet and download the most recent database. This is a one-click process from your AV program’s console.
3. Thoroughly scan the computer and remove any threats found by your antivirus program. If the delete option is not available, your next best choice is to quarantine the infected file. You also need to manually locate and delete the malicious files. Please see the file section for items that are relevant to MS Removal Tool.
4. Next, remove the registry entries created by MS Removal Tool. Please refer to the registry section to view entries related to the rogue program.
- (Windows 2000/XP) Go to Start > Run, type "regedit" in the dialog box, then press Enter on the keyboard.
- (Windows Vista/7) Go to Start > Search Program and Files, type "regedit" and press Enter.
5. Exit the registry editor when you are done.
6. Get rid of the MS Removal Tool start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. This launches a new window containing the System Configuration Utility. Click on the Startup tab and uncheck the following item.
(random characters).exe
Automatic Removal Procedure
1. The first thing to do is to reboot the computer in Safe Mode with Networking to prevent MS Removal Tool from loading at start-up. You may want to print this procedure, as the computer has to be restarted to complete the removal process.
- Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- It will display an Advanced Boot Options menu. Select Safe Mode with Networking.
- Windows will now start in Safe Mode.
2. Download the anti-malware tool and save it on your Desktop or any location on your PC.
3. When the download finishes, double-click on the file to install the application.
4. Follow the prompts and install with the default configuration.
5. Before the installation completes, it will prompt for a database update. Please continue.
6. Click Finish. The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
7. When the update finishes, the tool will run. Select Perform full scan on the main screen to check your computer.
8. When scanning is finished, click on Show Results.
9. Make sure that all detected threats are checked, then click on Remove Selected. This will delete all files and registry entries that belong to MS Removal Tool.
10. Restart your computer.
Note: If you cannot download the program due to malware activity, get the software from another computer. Then, rename the file to “anything.exe” to elude the malware.
Use A Portable SuperAntiSpyware:
For complete removal of the virus, carry out a separate scan using a different security program. This may catch infected items that evaded your previous scan. Download and run SAS Portable Scanner.
grommit
Mar 27, 2011 @ 15:12:09
MS REMOVAL TOOL (fake) has now made it impossible to download MalwareBytes via save to desktop and procedure given. I will now attempt a “system recovery” (not system restore) losing all data including sp3. There seems no other way!
If I pay the ransom requested, would they give my computer back to me without another ransom request? Who are these thieves and why can’t someone follow the money trail and put these criminals in jail?
Zharko
Mar 27, 2011 @ 15:48:42
I think I managed to get rid of this virus.
These are the steps that I made:
1. Restarted the computer
2. Once the windows started I immediately opened the task manager (I think this should be done quite quickly before the virus fully starts and blocks even the task manager)
3. I noticed a process there with strange name (something like PkNVeZgVe.exe)
4. Before I end that process, right-click on it and select “Open File Location” – this will actually open the folder where the actual exe is.
5. End the process and delete the entire folder where the exe is located.
6. Restart the PC – Virus should be gone
7. Run a scan for viruses just in case
Michelle
Mar 27, 2011 @ 19:04:42
I tried to use Zharko’s method above, and found a similar looking process which was definitely the virus because when I ended it, the virus program ended. However, I can’t find where the file is located. When I right click on the process, nothing happens. I tried searching for the name, and can’t find it. How do I find this .exe file?
Michelle
Mar 27, 2011 @ 19:31:32
Ok, the location of the process is also under properties, which did open for me. I deleted it and now it’s gone, this method really works! Thank you!
Danny Adams
Mar 27, 2011 @ 21:01:39
Thank you Zharko!
Your solution really helped. Finally I can stop stressing! :-)
Munlyness
Mar 27, 2011 @ 21:17:18
OMG the suggestion by Zharko really worked. My husband had the virus on his computer and we did as he suggested and it left. <3 Thank you!
Gmoney
Mar 27, 2011 @ 21:20:02
This works. Thank you sooooooooooooooo much. very easy to remove – even I could do it. the file was in my programdata files.
Clare
Mar 27, 2011 @ 21:20:35
I’m still struggling with this… I have seen a process which I think could be the one but am not sure how to fully delete it as I don’t have the option to open file location when right click. When you mention the location can be found in properties, could you explain a little more. thanks for your advice!!
Gmoney
Mar 27, 2011 @ 21:28:10
You need to start the ‘task manager’ first to see what file name is called and where to find it
Clare
Mar 27, 2011 @ 21:35:52
yup, have done steps 1-3 of Zharko’s advice, but wasn’t able to do step 4 – I can’t see the option to open file location if I right click on the process. Sorry if I’m missing the obvious, it’s just quite frustrating… thanks
SteveD
Mar 27, 2011 @ 21:55:55
I followed it too and stopped the program but like Clare can’t find where it’s hid
Gmoney
Mar 27, 2011 @ 21:59:18
IDK. I right-clicked on the process and it said open file location. The file
leo
Mar 27, 2011 @ 22:02:44
Zharko.. You are a legend.
Gmoney
Mar 27, 2011 @ 22:04:49
Mine was hid under C:\programdata\
Mike B
Mar 27, 2011 @ 22:42:30
Thank you Zharko! Your instructions worked for me also. Bravo.
MarkyMark
Mar 27, 2011 @ 23:36:22
Finally got it. Thanks Zharko. Process was named different for me, but had crazy long name like IOoGfMAL….. something.
bobby
Mar 28, 2011 @ 01:44:51
thanks for your advice!
saves me so much trouble
Bill
Mar 28, 2011 @ 02:40:16
MS Removal Tool virus looks like a new virus.
This is exactly what I did.
1. Noticed the bogus virus scan thing while checking out online movies (an hour ago)
2. DID NOT RESTART
3. Downloaded RKILL from bleepingcomputer.com/download/anti-virus/rkill
4. Rkill gave a report of one program it stopped in C:/appdata/xxxxxxx folder. DELETED whole folder.
5. Ran MSCONFIG from start/run and only saw ICQlite listed as one I didn’t think was supposed to be there. Unchecked it.
6. Updated and ran norton antivirus and it found nothing.
7. Looking up more information before restarting Windows.
AhmaD
Mar 28, 2011 @ 04:11:47
Thank youuuuuuuu. Soooooo muchhhhhh. It really worked
Silvia
Mar 28, 2011 @ 06:22:31
It works! Thanks!!!!!
I found it under c:\programdata with some long name, delete it and virus scan the computer
Jen
Mar 28, 2011 @ 08:57:05
Thank you so much for this easy fix. You saved me soooooo much time and frustration!!!!
Steve Wellens
Mar 28, 2011 @ 15:02:49
I contacted Avast software to notify them that their software did not protect against this threat.
They asked me to zip and email them the files but I had already deleted mine.
“…if you have something avast is missing, please send the file(s) to virus@avast.com for analysis. Ideal way how to send such files is to ZIP them with the password ‘virus’.”
If anyone still has the file…please send it to them.
Thanks.
Fernando
Mar 28, 2011 @ 17:47:34
just go to system restoration and that’s it
Andre
Mar 28, 2011 @ 20:41:03
Thanks, my virus scanner and malwarebytes was not picking up this virus. Had to delete using Zharko’s method.
leo
Mar 28, 2011 @ 21:05:35
Although it came crawling back when I tried my mcafee.. Fingers crossed, I’m giving my pc another dose of zharkomed!
JP
Mar 28, 2011 @ 22:51:49
Just used the “Zharko Method”; worked like a charm the first time.
Luis
Mar 29, 2011 @ 01:46:42
Awesome, easy, thank you Zharko!
StarLaughter
Mar 29, 2011 @ 02:13:05
Thank you Zharko!
I had no idea which process to end, but there was one which stood out, written with a combination of upper and lower case (beginning with “hOoBi”), random letters. I also did not have the option to “open containing folder”, so I did a Windows search and found the file in my “prefetch” folder, and deleted it.
However, when I restarted the laptop it popped up again (which I promptly hit “end process” for), and I am now completing a virus scan to clean any leftover nasty files….hoping this gets rid of it!
Regardless, at least I can now use the laptop to find a solution, and for that I am very grateful….thanks again!
mad
Mar 29, 2011 @ 02:15:33
I was able to end the process, but right clicking the process did not give me a “properties” option, nor did it give me an “open file location” =[
mad
Mar 29, 2011 @ 02:28:11
I’ve also found that the virus doesn’t appear to run while the computer is in safe mode. does that mean I won’t be able to locate it in safe mode, or should I give that a shot?
arcie
Mar 29, 2011 @ 04:30:07
thank you so much.. it did work! we have different viruses but the method of yours is really effective! thank you! :)
Wakojako
Mar 29, 2011 @ 04:31:30
I tried Zharkos method but I don’t know when I’m supposed to get the task manager up, and can’t get the internet to work, I’m sending this from my iPhone but I really need help with this
Zharco is the best
Mar 29, 2011 @ 04:40:28
omfg thank God it is over, finally over, been spending the past 3 hrs struggling with failed attempts to manually get rid of it thwarted by it blocking it. But Zharco, you are a shining light through all the rubbish and security software sellers. If I knew you in person I would buy you a fancy dinner. Btw, I found out that it was the correct process because the description of MS Removal tool was in Russian. Meaning probability it was a Russian that made the program.
mad
Mar 29, 2011 @ 04:53:08
Update – I couldn’t locate the virus, so I ended the process in order to download, install, and update Super Anti Spyware, rebooted Windows into Safe Mode, ran a complete scan with Super Anti Spyware, rebooted again normally and the virus was fully removed. This might be useful for others who are having difficulty completing the Zharkos method
M.Fred
Mar 29, 2011 @ 07:06:01
Going from Zharko’s instructions,
I am able to complete steps 1,2 and 3, but when it comes to right-clicking and selecting “Open file location” or “Properties” on the .exe file in the “Processes” Tab, either of the two options are not visible. I am currently using Windows XP and not sure where else I can find those options. Although once I select “End Processes” on the .exe file, Windows works fine. How am I able to find the location of the .exe file or get the file properties?
AMRAAM
Mar 29, 2011 @ 07:32:15
Thanks team. I used the (soon to be Patented) “Zharkos Method” and it appears to have worked a charm.
Amateur cyber wizard
Mar 29, 2011 @ 11:29:39
Works well. Don’t panic while the tasks jump around whilst searching. Remember to click on all processes by all users. You will see that annoying flag type icon come up on properties so you know it’s the right one. Open file location first then end process then delete file – I had 2 together in a folder with the same name. Remember to empty recycling bin before restarting.
Zharko is legend
Mar 29, 2011 @ 11:36:33
Zharkos method works!! Thanks man, MS Removal Tool virus was really causing me a lot of trouble!
Marley
Mar 29, 2011 @ 12:03:51
When your Task Manager is infected, you can see it and the only method left is to run a search of your computer and remove anything named best malware protection. Then clean your registry by looking for the virus entries:
To edit Windows registry:
1. Click Start > Run
2. Type regedit at the box
3. Click OK
4. Windows registry will appear.
Best Malware Protection Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Best Malware Protection”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options “Debugger” = “svchost.exe”
HKEY_CLASSES_ROOT\PersonalSS.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1”
update your protection. This worked for me, pheww:)))
nalle
Mar 29, 2011 @ 12:09:44
Zharko’s method works fine for me too (Thanks!!). And if you can’t do the “open file location” from taskmanager, Mr Fred, you can always do a simple windows search for the virus in the file system (make sure hidden dirs are scanned). The program has the same name as the process with a trailing “.exe”. You should also remove the corresponding register info.
Ed
Mar 29, 2011 @ 18:09:52
Zharko rocks. Control-Alt-Delete then open Task Manager, hit Processes tab and found odd process “hOnMjCiDoGh06511” Before I ended the process, I right clicked on it and opened window and selected “Open File Location” which was found to be “ProgramData>hOnMjCiDoGh06511” today date showing. Stopped process and then deleted both files and emptied recycle bin also. Worked great so far, thank you, thank you.
laykay
Mar 29, 2011 @ 21:08:35
I have removed the virus but now i can’t access the internet again as my local area connection keeps showing “limited or no connectivity” while every other system on the network can access the internet. Please help, is it that the virus has edited my registry or what?
Dreemboat
Mar 30, 2011 @ 03:58:01
Zharko,
Thanks man. Not only did this fix my problem. It scored my points with my girlfriend. I’m also owed a massage now.
mike
Mar 30, 2011 @ 06:18:44
zharko…it worked like a charm. took all of five minutes to do!! and the virus is completely gone
M.Fred
Mar 30, 2011 @ 12:22:46
ALL FIXED! Much appreciated Zharko and Nalle for all of your help and feedback. Big shout out to you! I cannot thank you both so much!
Robert
Mar 30, 2011 @ 13:09:18
I tried the end process suggestion but that didn’t exactly work the way it was posted. I did end a few strange looking ones and it allowed me to load a new version of Malwarebytes which was all I needed. I was being blocked until I tried this method. I kept removing that strange process as it popped up until MBAm loaded. Thanks for the tip!
Charles
Mar 30, 2011 @ 16:07:53
It’s TOO FAST. When I restart my cpu, the MS TOOL launches so fast that I can hardly open the Task Manager, when it’s all gone again.
Even worse, I’m using my work PC and am unable to install any anti-programs. Although I have F-Secure here, the MS Removal Tool has someway blocked it too.
PLEASE HELP!
negeue
Mar 30, 2011 @ 16:46:20
thank you very Zharko…
MS removal tool is gone..
Marley
Mar 30, 2011 @ 19:53:24
Charles,
Try to clean the registry from run, this should work. Follow the following process:
To edit Windows registry:
1. Click Start > Run
2. Type regedit at the box
3. Click OK
4. Windows registry will appear.
Then search for one of these best malware protection entries and delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Best Malware Protection”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options “Debugger” = “svchost.exe”
HKEY_CLASSES_ROOT\PersonalSS.DocHostUIHandler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = “1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = “http=127.0.0.1”
Hope this helps.
Rach
Mar 30, 2011 @ 21:47:45
Help! When I try Zharko’s method there are too many processes running, and it comes up too quickly–I can’t identify the suspicious one because they all have long weird names! :(
Rach
Mar 30, 2011 @ 21:48:42
Also my MS Removal virus is blocking the “regedit” option
Dave
Mar 30, 2011 @ 21:50:13
Not only is it too fast for me at start up to get to task mgr, it has also disabled access to registry from Run option. Anyone know of a 3rd way to kill it?
Rach
Mar 30, 2011 @ 22:08:47
omg, I got it!!! I at least disabled it and it hasn’t opened this time, and thank God, I can now access my task manager. I have many, many processes but I kept restarting and ctrl+alt+deleting and right clicking to open file location for as many processes as I could. Quickly try to right click anything that has a name like “dkNzjTl…” and look for two other things:
1. over in the description, it will look like mumbo jumbo, rather than DivX or Symantec or something you recognize.
2. Also, someone else mentioned this and it was really helpful–after you’ve grabbed the location of a suspicious file, check the date on it before deleting. If it looks like nonsense and the date is today (the day you got the virus) you’re probably safe deleting it.
now I’m about to see if my proper virus protection program is working again.. >deep breath<
ESperanza
Mar 31, 2011 @ 06:25:06
ZHARKO YOU’RE AWESOME!! TOTALLY WORKED!!
Rammer J
Mar 31, 2011 @ 10:55:01
If you can’t find it in Task Mgr due to virus opening too fast on boot… Open Windows Explorer, choose ‘tools’, ‘view’ and check to ‘show hidden files and folders’.
Next, go to C:\Programdata there was a folder on mine with a scrambled name, there are 2 files, go in and rename the files (they also had scrambled names, 1 was an .exe – but change both) to anything you like…
Next reboot.
Go to C:\programdata and delete same folder as above. (as file has not loaded you can easily delete it)
Next empty recycle bin
Next go to C:\Windows\prefetch and delete all
Next empty recycle bin.
Choose to re-hide file and folders if you wish. Worked for me.
deisler
Mar 31, 2011 @ 12:05:33
I’m going to try it.. hopefully it works..
Fred
Mar 31, 2011 @ 14:25:28
I just used system restore while in the safe mode to go back to the configuration the day before I got the virus. Worked for Windows XP. Details below.
1-Restart the PC.
2-While restarting, keep hitting F8 to get into the safe mode.
3-You will see the safe mode menu. Safe Mode should be highlighted. If not, select safe mode to proceed.
4-Use the Windows system restore. To find the Windows Restore program I just went to Start and then Help and then searched for System Restore. Remember you want System Restore (no loss of data files) vs System Recovery (loss of all data files).
5-Since it was very obvious when I got this virus, I just selected a restore point from the day before I got the virus.
ktaylor
Mar 31, 2011 @ 14:43:51
Does anyone know what size the file is? I open up my taskbar and there are almost 100 processes going on and I don’t have time to try them all!
zihao
Mar 31, 2011 @ 15:03:14
Hey Guys! I found out a good way to disable the virus.
1st, go into programdata, drag the virus folder out to desktop.
2nd, restart your computer.
3rd, once you are at window, remove the file asap!
it works fine for me!!! try it!
Ashes
Mar 31, 2011 @ 20:49:42
Thank you so much for the solutions to getting rid of the virus. I found a virus that was under process named aZhLkWe.exe and as soon as I was able to find it (took 4 restarts) i ended the process, and now my computer is perfectly normal. It works instantly. Thank you Zharko.. I have just gotten the XoftSpySE anti-spyware program and i have read the reviews. I am thankful to Bill. You guys were very helpful!
may
Mar 31, 2011 @ 21:15:32
I believe someone asked this, but it wasn’t answered that I saw… are you able to use these methods while in safe mode?
thissitesavedmycomp
Apr 01, 2011 @ 01:08:57
Thank you so much Zharko! For me, it took over 15 restarts due to MS Removal Tool. Eventually I was able to end the process, but did not delete the files. It took another 5 tries until I could end the process and locate the folder. Without being this site and Zharko, my laptop would still be down
Mikey mike
Apr 01, 2011 @ 01:39:48
I just ran my mcafee twice in safe mode rebooted and it killed it.
Then was able to run mcafee out of safe mode!! All gone
Reese
Apr 02, 2011 @ 05:21:06
Zharko rocks! thanks bro! really hate this MS removal tool! so bothering and stressing if we can’t do anything to get rid of it!!!!
Jess
Apr 02, 2011 @ 14:34:19
I got this virus and can’t seem to get rid of it but they took $100 out of my acct how do I get it back is there any way to find these people. I cancelled my card as soon as I could but they already took some money what do I do?
Codename Panzers
Apr 02, 2011 @ 21:34:45
I have found a weak point of the stupid program
1: Go to safe mode on the PC
2: install ccleaner, when done open ccleaner
3: go to the starting up list in the tools part
4: search for a file that makes no sense with numbers and letters
5: if you have found it YOU MUST DISABLE it
6: start up your computer normally and the program cannot run again so you can start your anti spyware and your anti virus
dariuskzoot
Apr 02, 2011 @ 23:16:30
Hello Peoples …
My nephew’s Computer was infected with this MS Removal Tool virus as well … they brought it to me in a panic, hoping I could fix it for them ….
and so I did …
It’s quite easy, actually …
1) Start Windows in SAFE mode …
If you don’t know how to do this, just switch the power off rudely using the Power Button instead of the START menu .. shutdown option .. this way, the next time you turn on the power, you will receive a message telling you that you didn’t shutdown ‘properly’ … and a list of options available to you will be displayed … choose STARTUP in SAFE mode …
2) Once started up … open up your ‘C’ Drive …
Select tools\folder options\view
In the options-tree … under hidden files and folders …
Enable ‘show hidden files, folder, and drives’
Now you will be able to see it in order to delete it!!
3) Open up your ‘C’ Drive once again …
Now you can see the formerly hidden folder ‘ProgramData’
Open that up …
You are going to see a folder in there that is named with a bunch of gibberish .. it could be different for each individual … but, if you open it up .. there will be two files inside .. a text file .. and the Virus itself .. which has an icon of a Red Shield …
Now that you know you have found the Culprit .. exit out of the folder
DELETE that entire Folder from within your ProgramData directory …
don’t just send it to the Recycle Bin … Make it go away … FOR GOOD!!!
4) Restart Windows normally … how you always do …
It should no longer be in your System … I suggest running a FULL SCAN of your system, and Update EVERYTHING … Windows. Anti-Virus, etc.
Hope this helps those of you still having difficulties getting rid of it …
DKZ
Akello
Apr 03, 2011 @ 03:50:14
Thank you Zharko! Took a couple of tries but I caught it!!!
Kevin
Apr 03, 2011 @ 05:39:06
HI, Ken (57) worked and was easy. Thanks XP user.
Kevin
Apr 03, 2011 @ 05:48:22
Sorry, should be FRED, comment 57
gabxolotl
Apr 03, 2011 @ 06:08:52
Zharko is the man
Nolongerinfected
Apr 03, 2011 @ 07:43:15
I was infected with this. I could not get the task manager to end task on the process fast enough even though i did see the name of the file. I could not delete the file as even with “show hidden files and folders” checked, “hide protected system files” unchecked and “display the contents of system folders” checked, my system could not find the file I saw launching. There also was no “programdata” folder.
However, a simple fix was to boot into safe mode with networking. Goto cnet.download.com and download a free version of Malwarebytes Anti-Malware. Installed it, ran it. Bingo. It caught it and removed it. Everything is now back to normal.
Nolongerinfected
Apr 03, 2011 @ 07:49:07
PS: Mine was located in c:\documents and settings\all users\application data\ddl06509ncfmf06509\ddl06509ncfmf06509.exe
I got infected on April, 01 2011. So, not sure about the whole date being in the file name issue.
Tobsku
Apr 03, 2011 @ 10:51:18
Thank you Rammer J!! Worked for me :)
dharshan
Apr 03, 2011 @ 11:58:51
Thousand of Thanks Zharko…..
scott
Apr 03, 2011 @ 14:18:42
how do people get that program, what does it come from?
liam
Apr 03, 2011 @ 15:08:50
hi I’ve had to completely reboot my laptop as nothing would load up at all. god knows where it come from as I don’t download ???? lets hope it works
dan
Apr 03, 2011 @ 16:10:35
YES — it was in my c:\documents and settings\all users\application data folder — look for long string of letters — and the redshield icon inside that folder, you know you’ve got it — move it to the desktop, reboot and throw the f3$%er ouT!
kill the guy that invented this one…….
Malebolik
Apr 03, 2011 @ 16:38:25
Hi that may sound noob but I need to know HOW do I see those tool options? I’m on Vista and I don’t see any options on my c:1 drive
”2) Once the computer has started up … open up your ‘C’ Drive. Thanks !
Select tools\folder options\view
In the options-tree … under hidden files and folders …
Enable ’show hidden files, folder, and drives’
Now you will be able to see it in order to delete it!! ”
Malebolik
Apr 03, 2011 @ 17:06:50
OK I confirm that dariuskzoot’s method works !!!! It takes a minute (look post #67)
Thanks a lot man
Zippy
Apr 03, 2011 @ 22:02:08
As Dan said in XP it was in C:\Documents And Settings\All Users\Application Data folder.
You will need to set hidden files and folders to visible. To do this go to My Computer and select tools – folder options – View and then select the Show Hidden Files and Folders button.
When you find the offending folder hold down the shift key and press delete as this will bypass the Recycle Bin. You must also go to the folder C:\Windows\Prefetch and delete the entry there. If you put the files in date order it should be easy to identify the latest entries.
Finally check the registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and delete the entry with the executable in it.
This worked for me.
Rekha
Apr 04, 2011 @ 03:38:43
Hi,
Thanks to dariuskzoot I followed your instructions and deleted it.
and thanks to “nolongerinfected” as you told it was in application data.
Thank Jah Jah
Apr 04, 2011 @ 03:41:22
Thank you all!
Nothing in seemed to work until I unhide the files and located them by following the method in post 72 (I believe.) After locating them, I tried to delete them with the shift delete method, but it wouldn’t let me. I dragged the folder to my desktop, and renamed it.
After that I rebooted, thinking it would come right back. It didn’t!!!! Still need to get it off there, but at least it’s back up.
Symptoms included not being able to get into safemode or bios. None of my geek friends could figure it out, but you guys rocked it, THANKS!
Thanks
Apr 04, 2011 @ 05:45:46
Thanks to dariuskzoot the virus is gone, I just had to go to program data, was already showed. So thanks for the help all.
Scotty79
Apr 04, 2011 @ 16:39:50
Thank you all sooooo much… I’ve been trying to get rid of this virus for a week and this is the only place that has helped…. Dariuskzoot ( comment 67 ) and Dan ( comment 77 ) If I ever meet ya I’ll buy ya a pint!! Cheers all!!
Usdi
Apr 04, 2011 @ 16:57:21
(ZIPPY) I deleted the same one (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce)
BUT when I did this it deleted all of my internet networks please someone help me with this I got this virus on Friday and it took me till yesterday to find the file and get rid of it. Now it’s gone but I have no internet at all and a lot of my stuff is damaged from it like I can’t run system recovery even in safe mode…. I can’t install or uninstall either I’m not sure where to go from here except maybe breaking the PC with MS Removal Tool virus……… it’s a vista software HP Laptop
jack
Apr 04, 2011 @ 21:32:03
I tried to do Zharko’s solution, but was unable to find the process quick enough before MS Removal took over. After four or five attempts I tried another approach which worked for me.
It seemed as if everyone who posted the file’s location had this in C:\programdata. With that I assumed it likely mine was there as well, so I did the following.
1) Restarted in Safe Mode – this can be done by pressing F8 repeatedly during start up (or just once at the right time), or for those that have laptops that require a modifier key (fn) to use F8, you should have a short screen during startup that at the bottom left tells you to hit ESC to open startup options.
2) While in Safe Mode, I opened C:\programdata – simply open Windows Explorer (or just open pretty much any file) and type “c:\programdata” in the location bar.
3) Sort folders by “Date Modified” – In all likelihood, it will be the most recently modified folder, and almost certainly have the most recent “Created” date (viewed by right-clicking and viewing properties). If you can’t narrow it down, or are uncertain, try a quick google search (if you started in Safe Mode with Networking).
4) Delete problem folder, restart normally; all should be good.
NOTE: If you are completely uncertain as to whether or not the file is the culprit, don’t delete it. There are some files in C:\programdata that, if deleted, could cause very undesirable results. The folder I deleted was the only one created on the day this started, so I figured that even if the folder wasn’t the culprit, it was unlikely that I “needed” it because I didn’t have it yesterday when my computer worked fine. There is a difference between date Created and date Modified.
I hope this helps those that couldn’t do it Zharko’s way.
Bobsta the man
Apr 05, 2011 @ 10:18:28
Zharco what can i say you r defo the greatest couldn’t have done it without u
Mustangdoc85
Apr 06, 2011 @ 01:56:06
Zharko hit it for me as far as the files being hidden in the program data files #1 & #2 partition. I couldn’t get the task mgr to stay on long enough either before deleting the funny files with no dates of entry or any info within them. Once I deleted them in the program data files & cleared my recycle bin, I used rkill.com & Superantispyware Pro which cleaned out the trojan horse and also MS Removal Tool virus. My screen is no longer blue anymore- Yea! Who on earth does this kind of mean crap? I read all of the preceding threads, & Many thanks to Zharko & all of the rest of you from a simple doc who knows a little more about computers!
Zoltan
Apr 06, 2011 @ 07:18:34
Excellent advice to use Task Manager. Managed to kill the process before it started and then run the tool advised in the article…
Great help !!!! Thanks sooo much
Zoltan
paz
Apr 06, 2011 @ 14:29:58
@dariuskzoot I love you.
Adrianna
Apr 06, 2011 @ 21:00:50
Thanks Dan! I couldn’t get the task manager opened quick enough to try Zharko’s method, but was able to take care of the problem on my Mom’s computer by following your directions. Just hoping now that it stays safe. Got her set up now for automatic updates so this shouldn’t be a problem anymore (fingers crossed!) Thanks!!
jacob
Apr 07, 2011 @ 06:18:36
Thanks a lot to Jack. His solution worked very well as I couldn’t keep my task manager open long enough to stop the program from running. His solution worked well for me.
TiredAndGrateful
Apr 07, 2011 @ 10:19:11
Zharko, DariusKZoot, and everyone else on this page who posted information, you are amazing people and I don’t know what I would do without people like you. Thanks!!
Enthung
Apr 07, 2011 @ 16:35:33
zharko’s way didn’t work for me..then i tried jack’s way..thanks god it’s worked..
thank you jack..you are awesome..
thank you zharko anyway.. :D
shniggle
Apr 08, 2011 @ 01:44:54
Jack, post number 87 – thank you!! I was about to throw my lappy out of the window until I used your method. Thank god I’ve got a Blackberry otherwise I wouldn’t be getting any sleep tonight. Cheers buddy
JPK
Apr 08, 2011 @ 01:50:27
On Windows 7 searching c:/programdata worked to find the file. As suggested before moving the file to the desktop and renaming it, we were able to restart and delete the file.
Jamie
Apr 08, 2011 @ 08:01:37
This method worked for me.
-Select F8, start in safe mode with networking.
-Once in safe mode, click start and then run.
-Type regedit and select the following:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run.
It might also be under (runonce) under current version.
Under this registry name there will be a default value. Don’t delete that, only the .exe file underneath the default value. Then restart the pc in normal mode and you should have no more issues. :)
Mike
Apr 08, 2011 @ 20:01:15
Got it. I quickly pulled up the task manager and stopped the process. Then I looked in my c:\documents and settings\all users\application data folder and it was there. Finally.
Thanks everybody!
Mike
Apr 08, 2011 @ 20:55:11
Big thanks to zharko for kicking me off in the right direction, and for many other useful hints and different strategies from other contributors. I managed to use task manager to stop the virus but not locate it or even note its name accurately. On a subsequent attempt, with the virus running, I could remember enough to identify the likely candidate from its Windows/prefetch copy, backed up by the creation date. I then located the virus folder in All Users/Applications Data. Although I could not delete the files with the virus running, I could rename them. I was also able to delete the prefetch copy, which I thought might at least give me time to use task manager before the virus opened. On the next reboot, Avast updated normally and the problem seems solved. I have deleted the virus program folder into the Recycle bin. I have reported to Avast their complete failure to recognise the threat, even when scanning the virus folder separately, and will forward the files to them if they wish.
René
Apr 08, 2011 @ 21:53:45
How to remove the virus without knowing something specific or doing something specific but just execute a standard Windows system recovery:
Procedure :
1. Press F8 when booting windows (after bios startup)
2. Choose start Windows in Safe Mode
3. Run a Windows System recovery and choose a suitable date before infection : mostly a day before if you use Windows Update on daily basis
4. After the system recovery and restart of Windows update your antivirus program
5. Check for important new Windows updates with Windows Update and install those new updates
I use microsoft essentials and I am not a Microsoft employee : I am just a normal Windows user.
This standard procedure I have used now 4 times to remove malware and virus and it worked fine every time.
This procedure will not affect your personal data like music photos etc.
mtrip
Apr 08, 2011 @ 21:54:48
We stopped before we bought ms removal tool but still have pop-ups should we worry or just close them out
René
Apr 08, 2011 @ 21:58:40
Hi Fred comment 57 I did not see your comment because I made actually the same comment number 100
and I agree fully with you the easiest way to get rid of a virus is doing a system recovery !!
René
Apr 08, 2011 @ 22:00:06
Comment on comment 100 I meant a system restore not a system recovery !!!
Chris
Apr 09, 2011 @ 11:32:36
Ty to post 55. that worked like a charm on Windows 7. Best of luck to anyone with this little bitch of a virus.
Mike
Apr 09, 2011 @ 16:16:16
I’m running Windows XP and was infected with the “MS Recovery” virus. I couldn’t open task manager, and I couldn’t run Malwarebytes Anti-Malware. I followed Post #2, and hit the [Ctrl][Alt][Delete] keys to open the Task manager as soon as Windows loaded and my desktop appeared. I then chose the “Processes” tab, and ended anything that seemed suspicious, especially anything with a jumble of letters (as described in post #2). One of them was the virus, because after that, I was able to open Malwarebytes Anti-Malware, update the virus definitions, and run a full scan. Virus deleted. Hooray!
Mike
Apr 09, 2011 @ 16:18:25
P.S. You have to be quick when deleting the malicious processes, otherwise the virus loads and closes the task manager. Also, be careful when ending processes…you could end something vital, like Windows or something, then you’d have to reboot by holding-in your power button.
AnAnd
Apr 09, 2011 @ 18:29:00
Hi All,
I looked in my “Programdata” folder and found one folder name with a very suspicious looking long name ( alphabets and numbers). I could not delete it directly as it was already running in background. I just renamed that folder and restarted the laptop. Problem solved.
Then deleted the renamed folder.
:)
My Gf showed it to many experts and ppl who looked for hours and I did it in 5 minutes only. Am her troubleshooter hero :)
ReneeRemington
Apr 09, 2011 @ 20:00:37
I could not get task manager to run. I opened in Safe Mode. Located the infected file in All Users/Applications Data. It was named something odd with lots of letters and numbers. The file was created today so I knew it was the one. I deleted it. Restarted the computer. Seems to have worked. Thanks to all for the clues on what to do.
Teresa
Apr 09, 2011 @ 22:29:19
If you already have MalwareBytes installed, then there is an easy way of fixing this. I just did it myself and it got rid of MS Removal Tool virus.
1. Restart Windows
2. While loading repeatedly press the f8 key until the safe mode screen comes up
3. Select Safe Mode with networking
4. Open MalwareBytes and update it
5. Perform the quick scan and it will find the virus and put them in quarantine.
6. Go to the quarantine and remove them.
7. Restart Windows and you should be fine now.
I just did this and it worked.
Teresa
Apr 09, 2011 @ 22:35:19
I just read some other comments about doing a system recovery, don’t do this! It’s not necessary. Even if you don’t have Malwarebytes downloaded on your computer you can do so from “safe mode with networking”. Do as I said in my previous post to get your Windows into safe mode. Once there you can go online to download the MBAM program. Then run the quick scan and remove the MS Removal Tool virus. As long as you are in safe mode the virus won’t be able to run. I’ve seen other people talking about going into program files and removing things, and I don’t know how to do this either. I believe that this is the easiest way to do it. Once I figured this out the virus was gone in under 10 minutes. Good luck
TopNerdJR
Apr 09, 2011 @ 23:15:41
Just turn your computer on in safe mode and go to program data and look for the folder that has a bunch of random letters and numbers. Delete that folder and then restart. That took care of the virus for me.
fractal5
Apr 10, 2011 @ 06:27:51
Zharko’s method worked perfectly. You have to do it fast though. On my computer (running XP SP3) the file was located at C/Documents and Settings/All Users/Application Data/virusfoldername
The virusfoldername is usually a long string starting with letters eg:jBi0031…
Delete the folder
Then go to Run > Regedit
Find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Here you will see an entry with the same virusfoldername. Delete that registry.
fractal5
Apr 10, 2011 @ 06:29:59
More details on removing the registry entry
http://www.im-infected.com/rogue/fake-ms-removal-tool.html
Backing up the registry isn’t necessary.
philly
Apr 10, 2011 @ 14:39:17
I got it too running XP SP3. To get rid of MS Removal Tool, I started Windows in safe mode ( keep pressing F8 whilst Windows OS is loading & follow on screen instructions to start in safe mode)
When in safe mode open
MY COMPUTER
LOCAL DISC C
DOCUMENTS & SETTINGS
ALL USERS
APPLICATION DATA
In there you will find a folder with an unusual name (mine started with fe8333 or something)
Delete the entire folder
Go to desktop & empty recycle bin
Restart PC in normal mode and it should be gone.
Crobertobr
Apr 10, 2011 @ 14:57:51
Hey Guy,
You’re the best. The program worked very well. Congratulations.
Harry
Apr 10, 2011 @ 21:18:04
Hi all,
Rene’s method seems to be the most efficient overall for this MS Removal Tool virus, since you don’t need to locate a file that you don’t know the name of. Also it will not require multiple restarts to give you enough time to locate it. Just to share my experience using Rene’s method and perhaps capture a wider spectrum of individual laptop behaviors:
i) MS Removal Tool has just popped up.
ii) Shut down laptop by holding down the power off button.
iii) Switch laptop back on, and keep hitting F8.
iv) Menu with various options to login in Safe Mode comes up.
v) Scroll with arrow keys to select “Safe Mode with Networking”. Hit Enter.
vi) Desktop will probably show an unfamiliar black/blue background.
vii) At the same time System Recovery console will pop-up.
viii) What you want to do is restore your laptop to the way it was, before the wretched virus got in. The console is pretty much self-explanatory.
ix) It will ask if you want to restore (not recover!) your system to a previous date. Select yes, next and the calendar widget comes up.
x) Select a date just before the day the virus came up. It can even be a few days prior (need not be just one day before) if the virus has infected your memory too :). There will be one selection in the box, which indicates the last time your system was “saved” (sort of like saving a video game once you’ve crossed a stage).
xi) Follow on screen instructions and hit next.
xii) Laptop will reboot in normal mode and the virus will no longer block you from doing anything.
xiii) Finally, if you’re an XP user, go into C->Documents and Settings->All users->Application Data. In here on the tool bar on top, click on “View” and select “Details”. Find the folder that was created around the time the virus showed up. Important – This folder’s name is completely random. It will make no sense. If you have other folders created around the same date, please distinguish using the nonsensical name of the virus folder. Another way to confirm – open the nonsense folder. Inside if you see one pair of files (this will be the only content of the folder) with the same name, but one of them with a “.exe” extension (This exe file has a logo as a red shield or as the Microsoft company logo). Delete the whole folder and empty recycle bin.
xiv) Update your antivirus and run a manual scan.
A word to the creator of MS Removal Tool virus.
Dear sir (you cannot be a woman),
May your fingernails fill up with debilitating necrosis the next time they set out to type out such a monstrosity. The money you would make this way won’t even pay for a tenth of the cost of treating the untold miseries you’ll suffer from bad karma and ill-will of thousands of innocent users. Hope you realize how much life-saving business you could have damaged? I got this virus from surfing news channels. Your brilliant yet deviant mind could be of so much better use, but you chose, to extort, blackmail, steal. Shame. What if your mom’s computer was infected with the same? Do you have a list of IPs of friends and families that the virus knows to skip? Do yourself a favor and stop spreading it.
emily
Apr 11, 2011 @ 00:41:22
I dealt with this today. I believe I got it from a megavideo website (getting my fix of How I Met Your Mother), who the hell knows. The downside of watching streaming tv is the occasional and incredibly irritating virus. Removal is always easy. Boot in safe mode by hammering F8 as soon as the computer restarts – this will prevent the virus from running and blocking any helpful programs. Then either run MB (or any virus-removal program of your choice), or do a system restore. I always do a system restore because I just don’t give a crap, then run anti-virus software after the restart. Works every time.
Sarah
Apr 11, 2011 @ 04:15:53
Just got this virus myself trying to watch something on Megavideo after work this evening. Rebooted in safe mode and ran all of my antispyware (I have MalwareBytes and SuperAntiSpyware), neither of which found anything… so I thought that was kind of odd considering it seems like everyone else was able to detect the virus through these. However, I did find a random folder in my Application Data files, created today, which I deleted then ran CCleaner. I rebooted normally, the virus program is not popping up, and am running a full system scan.
I’m still kind of weirded out that none of my antispyware programs actually detected any trace of the virus. Could that mean it’s still lurking somewhere?
technoluis
Apr 11, 2011 @ 07:25:34
You should also clear all your cookies and stuff to play it safe. Also delete all the java files too. That’s where mine originated from. I never use java and I knew something was going down when it popped up
missedabee
Apr 11, 2011 @ 10:43:16
A big big thanks to Zharko and all others whose help enabled me to remove this pernicious virus. It was a bit tricky but after 2 or 3 attempts I managed to act in time to end the process in task manager ( you have to be quick!) and remove the offending folder
Many many thanks to all who helped
lisa
Apr 11, 2011 @ 13:02:27
Harry’s post at 117 worked for me …a big thank you!! i’d tried zharko’s method but i think because i have so many things opening in the processor i just couldn’t find it quick enough…
all i did was…
turn on laptop & kept pressing f8
used arrow key to go to SAFE MODE WITH NETWORKING
when system restore popped up RESTORED TO A FEW DAYS EARLIER
& hey presto it’s gone!!! thank you harry!
does anyone know how we got the virus? i’m on windows 7 and have a child safety laptop as well!!!
Ben Stevie
Apr 11, 2011 @ 13:26:26
Just did the Zharko method of Control Alt Delete to invoke Windows TASK MAN …right after Windows started. I was staring at the contents when the goofy MS REMOVAL took over and shut it down.
So I figured out to act faster, did it all again, got to TaskMan and saw a weird looking process running (with Upper and Lower Case) and just stopped it from running.
That seemed to be it… as that bought time to go to Accessories \ System Tools \ System Restore and then to restore the system back to a week ago. (I copied off a couple of fresh word docs just in case.)
So far so good…
Shadowyoshi
Apr 11, 2011 @ 13:59:32
It took 5 tries but the Zharko method worked! Thanks!
Elizer
Apr 11, 2011 @ 16:23:14
OMG THANK YOU
kahunabob
Apr 11, 2011 @ 19:23:06
To all. Thanks for your postings. This MS Removal Tool virus also popped up unexpectedly on my desktop (probably a news site). With all the great descriptions and suggestions, I was able to fix it using the procedure.
Thanks again !
Bob
iaifortune
Apr 12, 2011 @ 06:37:32
OMG thanks man it worked and i then got rid of it manually after just ending process :D thanks!
Boss
Apr 12, 2011 @ 14:30:06
Marley way, #49 worked for me. Had to do it in safe mode. Found it under HKEY_Current_USERS/Software/Microsoft/Current Version/Run Once “NIe24500aGmOp24500”. I knew that was the one to delete because I saw that when I right clicked the task bar icon for MS Removal Tool.
Sounds like it’s a different code for everyone. Right click the MS Removal Tool icon in the task bar to find out which one you have to get rid of. I tried Zharko’s method but Task manager would stay open long enough to find the process before MS Removal Tool blocked task manager.
Thanks Marley. Hope my extra comments help others!
steve
Apr 12, 2011 @ 16:03:20
dariuskzoot, you rock, I can not thank you enough, God bless you and more power to your good work, you are a best friend and i will always appreciate for helping get rid of that stupid virus.
stuart
Apr 12, 2011 @ 16:19:25
checking hotmail today (12th April) and got ms removal infection, so glad I came onto this forum. tried Zharko’s method but couldn’t see anything.
jamie’s post #98 worked for me though, thanks very much!!!!
PC
Apr 12, 2011 @ 18:14:35
I’m just starting this, was hit with it last night will try every thing posted thanks
JohnH
Apr 12, 2011 @ 21:24:31
I tried the Zharko method and found you need to be an administrator to get the option to ‘open file location’. When I right clicked on the process a window appeared and asked “Perform Administration Tasks”?. Click on this option and you will be able to right click to get the ‘Open File Location’ option.
Hope this helps.
Jordy
Apr 12, 2011 @ 21:59:47
Thanks to all… never could have done this without you all! Method #118 by Emily worked perfectly for me and was very simple to do for someone who isn’t very tech friendly. This thing is nasty I wish everyone luck who encounters it.
Kirsty
Apr 12, 2011 @ 22:30:40
Thank You Fred 57 soooooo much. Complete nightmare of a virus. Tried restoring on normal login – did not work as could not even get into it! Worked a treat in Safe Mode. Thank you again.
Have these idiots not got nothin better 2 do than waste people’s time by makin these awful viruses!
Zac
Apr 12, 2011 @ 23:28:27
Thank you everyone for the help, you guys rock!
Jim
Apr 13, 2011 @ 00:35:28
Using safe mode and doing an earlier restore date did the trick!!! Thank you!
Geert
Apr 13, 2011 @ 09:06:01
1. Start Your pc in safe mode with network support
2. google for combofix.exe (make sure you download it from bleepingcomputers.com or majorgeeks.com)
3. Download and run
(if your av is running, disable the real time protection)
4. After scanning & restarting (by combofix) everything should be ok
Michael
Apr 13, 2011 @ 14:14:10
Thanks for telling me that the little bugger hides in ProgramData (folder is called dKa18402iGnEo18402 in my case). It didn’t allow me to delete it (among many other things), but I was able to mess the .exe up by changing its file type to .txt (highlight, then press F2).
Chas
Apr 13, 2011 @ 15:09:23
The roommate picked up this virus. He was going to take it to Best Buy “Geek Squad” but I told him to let me have a crack at it 1st. His old PC loads so much random junk upon startup it was hard to find the MS Removal Tool, but using advice here searched Windows for files created that day. Found a suspicious folder and attempted to delete (could not because process was running) Knew I had the culprit. Deleted the prefetch, renamed, rebooted and ran MalwareBytes, found something like 10 infected files. Virus now gone thanks for the money saving advice.
ben
Apr 13, 2011 @ 18:32:01
thank you darius. post 67. totally sorted me, the application data file was hidden and his post was most helpful. good effort sir!!
Chloe
Apr 14, 2011 @ 14:29:22
Thanks guys, these comments really helped. I found the MS Removal Tool virus thing hiding in the c drive under documents and settings\ All Users\Application Data and it was a long weird file name. Checked the date of when it was created and had today’s date on it so assumed that must be it. I moved it to my desktop, restarted my PC, deleted it then deleted it from the recycle bin too. Thank goodness everything is now back to normal!
Snow White
Apr 14, 2011 @ 18:20:03
i just ran it in SAFE MODE WITH NETWORKING then i downloaded the anti-malware and did a QUICK SCAN and it removed all my threats. then my labby restarted i went into WINDOWS NORMALLY and i did a scan with my WINDOWS DEFENDER to remove all remaining viruses on my labby and it was gone….yay!!!!
B-rad
Apr 14, 2011 @ 21:45:59
Praise this string and praise smartphones which enabled me to investigate this while my other computer was on the DL.
rALPHY bOY
Apr 14, 2011 @ 23:00:32
ZHARKO The Greatest!!!
rALPHY bOY
Apr 14, 2011 @ 23:01:33
ZHARKO YOU ARE THE GREATEST
bizy
Apr 15, 2011 @ 00:32:57
thank you G-d now my Russian wife can watch her stupid videos on her own computer…
Jasmine
Apr 15, 2011 @ 02:51:38
Just wanted to add my experience in…I tried to follow the Zharko Method, but when I was finally able to gain access to the task manager, the virus killed it. I was, however, able to go into safe mode and download Malwarebytes free trial and run a scan on the computer. 10 minutes and 6 viruses later, I restarted and I dont have any problems. It appears that the virus is gone. This thread helped me tremendously! Thanks everyone for the help!
Will
Apr 15, 2011 @ 11:13:18
I could not get it with Zharko’s way since it starts too fast.
I removed it from
1:Safe Mode(press F8 on startup)..
2:launched free cleaner CCleaner(any software that can disable startup programs) and disabled a process : ProgramData\kOi0….(write down folder 1st so you know where to find and delete it after this step)
3:(you can skip steps 1 & 2 if you were able to disable via ZharkoKillMethod).Unhide all hidden folders(since my guess it will hang on a hidden folder) search for the process you disabled then delete(immediately clean afterwards to make sure)..
evegarod
Apr 15, 2011 @ 11:18:59
Running windows xp 32 bit a coworker seems to have accidentally installed this ms removal tool. I did open the task manager quickly ended the process from starting. Something like [random].exe (meaning by random jdhfkxhdk or something like that). Then i just restored the pc 3 days back and no other problem so far.
me
Apr 15, 2011 @ 16:38:25
What I did:
1. Run in Safe Mode
2. Search for .exe files
3. Sort by date, look out for today’s creation date with a random file name. Mine looked something like>> eLdfjsalx_dfsfda.exe
4. Move file to desktop
5. Restart in normal mode
6. Delete the exe file immediately and empty recycle bin.
Thanks for this page!!
Keith
Apr 16, 2011 @ 05:58:11
Search for *.exe files failed to locate. C:\programdata found folder with long strange name with 2 files, 1 .exe 1 folder empty. Renamed both to .doc, restarted and all is well. Put this page on an irc help folder to share with online chat. Thanks to all for taking the time to figure this out.
Alek
Apr 16, 2011 @ 22:02:42
I wonder How it gets into my computer as i didn’t install anything nor visit any funny website. I was on some gaming site and facebook.
Anyway all the info above is enough to remove the Malware. Thanks guys, really appreciate it.. 17 April 2011
Ramesh
Apr 16, 2011 @ 22:40:21
Hello Guys,
My problem resolved just after renaming suspicious file which got installed today.. so you can check when ur problem started and rename suspicious file, name was something like iLm01814oNgma01814
Ramesh
Apr 16, 2011 @ 22:41:37
Thanks everyone especially to Zharko who started giving solution with some tweaking rather than going for any antivirus
Michael
Apr 17, 2011 @ 00:28:59
Just got this today. Vista 32.
Zharko’s method worked great. Took 3 attempts, as the virus is FAST!
SAFE mode attempts did nothing for me.
THANK YOU!
John
Apr 17, 2011 @ 02:48:28
Thank you Chloe I did what u suggested it worked for me..virus is gone
raj
Apr 17, 2011 @ 08:04:16
thank you guyz lv u all..
Osagie
Apr 18, 2011 @ 15:34:30
I tried system recovery but I ran out of battery and the computer just went off before I could plug the charger. Now my system is not booting up to the desktop anymore. I tried the safe mode option still it doesn’t boot up to the desktop. Only black and blank screen shows.
Anyone with a solution please?
kj
Apr 18, 2011 @ 23:25:50
My Windows will not open in safe mode. It just freezes.
When I open task manager it shows me no programs that are open, including MS Removal Tool.
Task manager stays open for :30-:45 then ms tool removal closes it and will not let it open.
MS Removal Tool virus will not let me open regedit.
MsTool Removal will not let me open IE.
I have exhausted all of the options from this board and others. Can someone help me with some other ideas. This is a nasty virus.
Marley
Apr 19, 2011 @ 12:01:31
KJ
run regedit and follow my comment No.49. Surely this will work
yo
Apr 21, 2011 @ 07:20:08
thanks zharco, been trying to find a solution for &*%^&%$%^$ 4 hours and i just read your comment.
thanks bro
HELPER
Apr 21, 2011 @ 18:15:31
helper
try these
Go to right side of ms removal tool , there is a “registration ” tab; select it and write this code “WNDS-TGN15-RFF29-AASDJ-ASD65” WRITE IT IN SAME MANNER and then select Activate
once u activate ur pc will shut down automatically and it will get restart
and u will see the magic and ms removal tool is no longer harming u……….
Derek
Apr 22, 2011 @ 20:22:41
hey
i found the gibberish files and deleted them.. this stopped the MS removal tool from opening every time i would log on.
i still can’t get the internet. open itunes, system restore…. and every time the program can not be opened, the speakers “beep” denying access..
im lost now!
Derek
Apr 22, 2011 @ 20:26:43
ALSO!!!! my device manager is blank when you open it up.. the volume controls say no audio device. i also have a norton antivirus CD that i can not upload because it says it’s the wrong version.
joseph
Apr 23, 2011 @ 04:38:58
I got the MS Removal Tool virus today (4/22). I clicked on Folders and went to C:/ProgramData, looked at the folders from 4/22 and saw one with lots of numbers and letters, renamed it “delete this”, dragged it to my desktop, restarted my PC, then dragged “delete this” to the recycle bin and emptied it. Done!
James
Apr 23, 2011 @ 08:25:06
Thanks to Fred (57)!!! I rebooted, pressed F8 and did a system restore. Now I’m running a virus scan to be safe. Glad I found this discussion! Just to be sure: I knew that I got the virus tonight so I set the restore to two days ago. Now that the restore has been done, can I be sure that the virus is no longer on my computer? I’m able to get on the net with no problems now. THANKS EVERYONE!!!
Roger Kalevra
Apr 23, 2011 @ 11:53:20
Zharko…you are simply legend…..wait for it….DARY!!!
Dixon Hollis
Apr 24, 2011 @ 18:43:49
Gonna have to say, doing the system restore was the easiest and fastest method for me. Worked like a charm and didn’t have me scurrying around trying to be faster than the virus. Thanks Renee and the others who suggested it. Now my malware will run.
Jeremie007
Apr 24, 2011 @ 19:23:50
man whenever i ” Ctrl+Alt+Del ” the fake software keeps on blocking it.. even when i install the malwarebytes’.. even if i go to Run, it says that it’s infected and i need to purchase bla bla bla… what do i need to do??
David
Apr 25, 2011 @ 13:51:30
It’s all crap nothing worked you should call online Tech support and the guyz really helped me..
Luke wOe
Apr 26, 2011 @ 01:13:42
hey guys.. all i did was find where the place was installed. open program click right and go properties, mine was in program data. named some weird name.. after that hold off button and put computer into safe mode. go to file directory and delete it.. that’s all i did..
Kulisi
Apr 26, 2011 @ 01:36:28
heyy guys i was in safe mode and ran a System Restore and it worked fine for me, i didn’t get the chance to pull off a stunt like zharko or darius. but thanks guys.
Max Power
Apr 26, 2011 @ 20:17:50
Zharko instructions worked for me other than a few minor variances mentioned by others. My only problem is I could still not start IE or Firefox
Marley instructions on 49 helped a little other than the fact that none of the reg entries he mentioned existed for me. I did get firefox working by deleting a redirect entry for it under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
IE still won’t work for me though and I can’t find the registry redirect causing it?? Any suggestions would be appreciated
Thanks
Connie
Apr 27, 2011 @ 00:57:53
Well, I paid the ransom – it totally blocked EVERYTHING before I was able to get to this site (from another PC). I am furious and disputing the credit card charge. I KNEW it was a scam and felt powerless to stop it! I am so angry. They should lock these people away!
evil burrito
Apr 27, 2011 @ 21:58:16
Jack (post 89) hooked it up for me …thanks dude
Hazel
Apr 30, 2011 @ 19:22:28
I have tried all the options but cannot get them to work. It has blocked task manager and despite unhiding them, says all program files empty. I tried to delete it when I first found it but it blocked that. It will also not allow me to do a restore, I tried that and it did not work. I am running XP pro and was not looking at anything unusual when it got in. I am running Win Essentials and AVG – no use. I cannot even get my pc to start in safe mode via F8. What next? Seems pointless way to raise money from you if they just b—-r your machine before you have had a chance to pay them off (not that I intended to)::(-
wizzy
Apr 30, 2011 @ 23:53:29
It won't let me even open Task Manager now. Can someone help me please? This is getting extremely annoying.
keppi
May 01, 2011 @ 06:07:37
I wasn't able to boot my task manager up fast enough and so I followed darius (post 67) and deleted it; my computer has stopped the MS Removal Tool virus. Thank you. But has anyone encountered the “vista home security” thing? I believe it's a virus and to prevent it, I'm trying to load System Restore but it's been running for 20 minutes and it still wouldn't show up. I wonder if it's preventing it? Help please.
keppi
May 01, 2011 @ 06:18:19
I got the vista home security virus along with MS Removal Tool, I believe. The vista home security virus was running even when I was in safe mode, strangely, and it says my product is unregistered, but I purchased my computer at Best Buy and it's been running fine for the past 5-6 years. I need help. I wish I could use the Zharko method, but now my MS Removal Tool virus is gone, I'm stuck with another one.
keppi
May 01, 2011 @ 06:51:27
Wow, I cannot even system restore the “vista security virus”. I really need help please!
Time Manager
May 01, 2011 @ 13:08:50
I received this virus this morning at about 8:30am. I am clear of it as of 9:08am following this method.
HIT CTRL+ALT+DEL AS SOON AS THE WINDOWS LOADER ICON APPEARS. DO NOT WAIT FOR WINDOWS TO ACTUALLY LOAD. I was able to access the task manager as windows started to display itself, and easily caught the virus program.
Boma357
May 01, 2011 @ 21:45:43
Zharko’s method does work, & everyone else’s contribution. The method to find the file itself is different for WinXP, Win7 and WinVista. The difference is that C:\ProgramData is available only on Win7 & WinVista; for WinXP you go to C:\Documents and Settings\All Users\Application Data, but before you do this you have to enable hidden files. This method works after doing the steps that Zharko does. It may take several tries to terminate the virus in Task Manager, but it will be obvious since it has a bunch of random letters/numbers, and you MUST terminate the program before deleting the folder/file because if the rogue software is running, it won’t let you delete the folder/file itself. The regedit is optional; sometimes it shows, sometimes it doesn’t.
The easiest by far is the system restore. There’s no need for safe mode with network, safe mode is just fine. If you have a restore point, it will work. However, I’ve seen the damage this virus can do, and it actually deletes (or locks) system restore. So the only option you have is the above with Zharko’s method. Generally after terminating/deleting the rogue file, you have to run an antivirus just to be sure. Also, clean your prefetch. The best malware removal of choice the majority of the time is Malwarebytes. There are rare instances where this virus also locks your auto updates.
Good luck everyone.
Nigel
May 02, 2011 @ 07:04:13
Zharko, i did exactly what u said and it worked instantly!!! u r a godsend!!! :)
JMLPN
May 03, 2011 @ 01:01:58
Jack! (post #87) Your instructions worked perfectly, and only took one minute! Thank you!!!!
jonson
May 05, 2011 @ 17:24:01
EASY WAY TO GET RID OF MS Removal Tool Virus! you will thank me…
Open up Program Data and locate the file with a weird name. NOTE: (check the date of the file; if this date is around the date you got the malware, rename it). Once it is renamed, the file will no longer open when your Windows is restarted. Restart, locate the file and delete it. CONGRATS, it is now gone.
Vrresto
May 11, 2011 @ 18:22:04
Thank you, dariuskzoot(67). I tried everything else and was almost about to give up. Malwarebytes wasn’t helping me and I wasn’t fast enough for Zharko’s solution. It turned out the virus was just sitting there in ProgramData sticking out like a sore thumb.
Jeff
May 14, 2011 @ 13:22:12
Good morning all; for those of you running Windows XP, don’t forget to turn OFF System Restore before deleting the “MS Removal Tool” file; if you don’t, it WILL return at some point. Also, be sure to open Windows > Prefetch and delete and shred the file name that you saw in the Task Manager and any other files that are not recognizable in the prefetch folder that have the same date. Once this is done, I suggest you go to Microsoft downloads and get the Malware Removal Tool and be sure to update your SP2 or SP3.
Robin
May 16, 2011 @ 18:20:47
Hi, I’m having to write this on my iPhone as I seem to have had a majorly bad experience with this virus. As per the rest of the stories I have read on here, I was browsing nothing and the PC was just left on the desktop, then up came a message from MS Removal Tool with the usual crap, then shortly followed by a message saying that my main hard drive, C drive, had been disconnected. I was called away by my boss at this point and turned my PC off to come back and fix it later in the afternoon. Now I am sat in front of a PC that brings up a scrambled screen with what looks like the safe mode option in the background, but if I just take a stab in the dark and try to guess which is the safe mode tab, it just shows the Windows loading icon and then resets itself and will go round and round doing this by itself. All I have access to is the BIOS options and I’m running XP. Any ideas would be great!!
michael
May 20, 2011 @ 14:24:15
Sir Zharko, thanks for the info very much. I have that problem too. It really works. I will try.
YaX
May 21, 2011 @ 05:48:01
Whew, this virus just came in while I’m searching something related to “Python programming language”…
Good thing I removed this virus by going to safe mode. Geez, Safe mode is COOL.
evan
May 21, 2011 @ 18:23:04
The virus shuts down my task manager before I can delete the file… please help me, what should I do???
David
May 22, 2011 @ 02:48:37
For me, the task manager didn’t work so I had to do it this way.
(I use Vista)
1. Go into safe mode (at startup, repeatedly press F8); this will stop the MS from even starting up.
2. Go into control panel
3. Go into folder options, then hit the view tab, then check “show hidden files and folders”
4. Now go into your C: drive
5. A folder should pop up called ProgramData
6. There should be a folder with crazy letters and numbers. When you click on it, there should be a file and the actual program. Roll over the program and check the date it was created. If it was created on the day of the virus, DELETE IT (DON'T JUST PUT IT IN THE RECYCLING BIN, BUT EMPTY IT FROM THE RECYCLING BIN AS WELL)
7. Restart Windows into regular Windows mode and run a scan to make sure it's clean from MS Removal Tool.
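Added example, not part of the comment above or of the original page: a read-only PowerShell listing that does the "find the odd folder by creation date" check from steps 4 to 6 (and from the ProgramData / All Users\Application Data comments earlier) in one pass. The function name and the three-day window are assumptions made for illustration.

```powershell
# Added example (read-only): list folders directly under the common
# application-data directory that were created inside a date window and
# contain executables. Nothing is deleted or renamed.

function Get-RecentAppDataExecutable {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][datetime]$From,
        [datetime]$To = (Get-Date),
        # Resolves to C:\ProgramData on Vista/7 and to
        # C:\Documents and Settings\All Users\Application Data on XP.
        [string]$Root = [Environment]::GetFolderPath('CommonApplicationData')
    )

    # -Force includes hidden and system items, so Explorer's
    # "show hidden files and folders" setting does not matter here.
    Get-ChildItem -LiteralPath $Root -Force |
        Where-Object { $_.PSIsContainer -and
                       $_.CreationTime -ge $From -and
                       $_.CreationTime -le $To } |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -LiteralPath $dir.FullName -Force -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.exe' } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Folder        = $dir.Name
                        FolderCreated = $dir.CreationTime
                        File          = $_.FullName
                        FileCreated   = $_.CreationTime
                        SizeKB        = [math]::Round($_.Length / 1KB, 1)
                    }
                }
        }
}

# Constructed example window: the last three days. Use the day the fake
# alerts first appeared as -From to narrow the list.
Get-RecentAppDataExecutable -From (Get-Date).AddDays(-3) |
    Sort-Object FileCreated |
    Format-Table Folder, FolderCreated, File, SizeKB -AutoSize
```

Legitimate installers also create folders here, so a hit is a candidate to inspect and scan, not proof of infection.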
Balldude
May 22, 2011 @ 20:39:50
Wow! 6 hours later..simple solution (I think). Just go to (in C drive) documents and settings>all users>Application Data…click ‘View’ on tool bar…and select ‘Details’. Find the folder that was created on the date the problem started and delete that Mother..then empty your recycle bin….update and scan…Note..I tried system restore twice but failed both times..above is better and less risky.
Andy
May 22, 2011 @ 22:00:21
I really need to know the specific name of the files cuz i have a lot that were created/edited on the day that i need to sort through.
Steve
May 24, 2011 @ 06:01:12
Thank you so much!! I thought I was going to have to reinstall windows!
I was able to boot in safe mode and use regedit to delete the “RunOnce” entries and delete the files that you noted in the C:\Documents and Settings folder.
Problem fixed!
NOTE: I was able to start my antivirus and begin a virus scan even while my computer was infected and the virus was running. But I didn’t allow the scan to finish because I didn’t think my antivirus would be able to detect or shut down the virus while the virus was active…
Now that I know how the virus works, it would have been an interesting test of my antivirus to see if it could detect the virus during a scan and shut the virus down, all while the virus was running. (I use Avast)
I am disappointed that avast didn’t catch and stop this malware.
But I am very grateful to people like you who solve these problems and put the correct solutions out there for the rest of us.
Thanks again!!
heather
May 26, 2011 @ 20:39:54
I am currently having problems with this MS virus. I tried everything everyone listed on here. I can't even open task manager, it says administrator blocking or something like that. I tried typing msconfig and nothing will pop up. Unfortunately I think my mother allowed the virus (which looks like it's loading) to complete because she had no idea what was going on. If anyone has any advice please help!
RajaMohan
May 27, 2011 @ 19:00:18
Thanks David, whatever David said, I followed those steps.. I got rid of the hell.. Thanks David again
Zharko
May 28, 2011 @ 01:08:03
You’re Welcome
LOLA :)
May 29, 2011 @ 01:23:22
THANK YOU SOO MUCH!
i had a different virus before and it took days to get it off but using this website it just took me minutes to get rid of this one! THANKS AGAIN <3
Marcelo
May 29, 2011 @ 04:12:39
Thank you very much for the help, I was already going crazy with this virus. The help was great.
none
May 29, 2011 @ 15:51:01
You might want to reboot and run the PC in safe mode to clean the virus.
John M
May 29, 2011 @ 18:47:45
Thanks to Everyone who took the time to help the rest of us,
It was not allowing me to get the Task Manager to run for more than a few seconds. Via Zharko's advice.
I went to Option two, starting in SAFE MODE, F8 etc…
I ran the Safe Mode. It got me through the process for the recovery to the day before.
However, after the reboot it said that it failed to do the Recovery.
So from that page, which stayed open after I hit OK, my computer went to the original start-up and I tried the Zharko Task Manager method again, Ctrl-Alt-Delete. Somehow this time it stayed open a lot longer and I was able to locate the odd-looking file with mismatched letters, upper and lower case. Right-clicked on it and clicked End Process. Gone!!!! Hallelujah, it is gone. A message popped up immediately that said Your System has just recovered from a Fatal Error
Everything went back to normal. I then ran Hitman Pro 3.5 and it got rid of any malicious cookies left over.
Good Luck to All. It was about a two hour ordeal for me. with about 10 reboots along the way.
derek2210
May 30, 2011 @ 08:14:42
dariuskzoot thanks buddy worked a treat
Stephanie V. Wolff
Jun 03, 2011 @ 22:13:37
Thank you so much guys! I tried all of your options but they didn’t work until the 3rd one!..
ron danish
Jun 04, 2011 @ 06:30:03
#72 noninfected had the answer – MalwareBytes AV took it right off Win 7 Pro 64 bit – gone now – just let it scan, picks it up right away!
Oa
Jun 06, 2011 @ 19:59:24
Thank you Zharko
Karl
Jun 07, 2011 @ 23:59:57
Download Stopzilla! It really worked
Min Chang
Jun 08, 2011 @ 20:23:55
I love this site with all my heart. The simplest way to get rid of this annoying spyware is to use one of the registration keys. It then gives you access to use your computer and you can simply go delete it later. God I love this site. I thank you so much.
anubhuti
Jun 10, 2011 @ 13:06:32
It got registered, and now my Microsoft Security Essentials is not running properly and I'm not getting how to completely remove this virus or unsubscribe it. Plzzz let me know….
Toushirou
Jun 10, 2011 @ 23:53:56
Mm, this is the 10th one I have run into. All of them have their issues. This one was one of the easiest to remove, but I have had worse ones where I have had to wipe the computer to get it working again and on a safe level again.
Ty zharko
Jun 11, 2011 @ 03:36:14
Thanks Zharko. This is also much easier to do when you activate it with one of the fake codes.
:)
Jun 12, 2011 @ 02:46:54
Zharko you are a genius !!! :D
Anny
Jun 12, 2011 @ 07:34:01
I inserted the activation code as provided here and then made malwarebytes’ anti-malware to scan my complete PC. There were about 300 infected files that i deleted, but got all my data saved……….!!!!!!
Bryce
Jun 12, 2011 @ 17:20:10
Hey, if this virus disables your ability to run MalwareBytes (save it to an external USB device) or to use taskman.exe: while your PC is booting up, after the Windows screen goes away but before the icons show up, hit ctrl+alt+del and open up the taskman quick, then end explorer.exe, then go up to start new task and click browse on the new dialog, navigate to My Computer and go into your external USB device, then open the mbam setup, then click OK and it should run the installer. The trick is to NOT LET WINDOWS EXPLORER START. Since this particular type of virus hooks into Windows and runs on start, if Windows doesn’t start it won’t have a chance to run.
BOOSH!
Zharko
Aug 17, 2011 @ 00:30:56
No problem