MS Removal Tool

Hi all,

Just finished a fun few hours getting rid of this bit of rubbish. Pretty much everything listed below happened.

Would not allow me to run “Start Task Manager” or “Restore”.

Running Vista Home Edition, Avast Free Program V6.0.1000 with Virus V110331-0.

Avast did not pick up anything. Tried a boot scan, that failed to find anything. Tried a full scan with everything set to max, that failed to find anything. In the end had to do a Start in Safe Mode and do a system restore from in there. Also noticed that a restore point had been created today (when infected) and don't know if this bit of crap created that to ensure that even a restore would not get rid of it.

It is a nasty bit of work and has been the only thing that has slipped past Avast since I have had it for three years.

Would be nice if you guys could look into this further.

Regards

Darryl :slight_smile:

[i]http://www.wiki-security.com/wiki/Parasite/MSRemovalTool/

Don’t forget that while MS Removal Tool may have a different name and interface, it is the same culprit that keeps attacking your PC in an attempt to trick you into buying its fake antimalware program. Once you identify the behavior, you should be able to detect the intrusion early on and shut down these rogue security programs that much quicker.

The Behavior of Windows Simple Protector:

1. After gaining deceptive entry, i.e. an infected download of shareware, freeware or codec for viewing a movie or video, or after clicking on a dubious link or visiting a malicious website, Trojan horse, a component of the security rogue program model, will immediately go to work. Trojan horse is multi-talented and will disarm your antimalware, disable your admin controls (Desktop and Taskbar), and will hijack your browser, so that you cannot download or visit a real anti-malware solution.

2. Trojan horse will install MS Removal Tool, which runs upon reboot. Trojan horse also will alter your registry files to hide itself and ensure that MS Removal Tool is allowed to run every time you reboot – until you give in and download the full version.

3. MS Removal Tool’s skin or interface pops up on your screen and blocks you from using other applications while it screams bloody murder in the form of alerts and annoying pop-ups.

4. MS Removal Tool runs an unauthorized scan and shows you proof that your PC has been infected by UnknownWin32/Trojan, a vapor virus, and gives you the below alert:

Microsoft Security Essentials Alert!
Potential Threat Details!
Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click ‘show details’ to learn more.

5. MS Removal Tool asks you to get involved and run a scan to find ‘all’ intruders. The fake scan returns a list of violations, i.e. infected files and named vapor viruses.

6. MS Removal Tool offers to remove or clean your system if you buy and download its ‘full-version.’[/i]

Did you disable UAC? How did the malware get admin privileges?
Do you have the infected file(s) yet? I mean, can you send it to avast for analysis?
http://www.mailonpix.com/images/2ca7d332dfae2625fd83af4eed109c28.gif

@ dbs0810
This and your other topic would probably have been best kept together, http://forum.avast.com/index.php?topic=75080.0. Keeping all relevant information together.

By the way, when you disable UAC you can’t blame your antivirus after…
The OS security is below what third-party software can allow. The OS vulnerabilities must be patched. The OS architecture must be preserved. So UAC is in the same line as the so-called Linux security, asking for elevated rights.

The same could be said of all those running as administrator or with administrator privileges and not a limited user account. It is all down to convenience and the ability of the user to use ‘their’ system and that simply isn’t going to change any time soon.

For these ones, a lot of them, there is UAC.
For the paranoid ones, use a limited user account for your common work and just log on as admin to update and install very, very clean software.

I see UAC as a convenience. You can be logged as admin (or admin rights) and run all the programs at lower privileges. They will only ask you when they need admin rights. Like Linux.

We can bat this around for ages, but these questions are what needs to be asked of the OP and other users ‘Why they have disabled UAC.’

I know why I turned it off, it is a pain in the a**e even at the lowest setting, not user friendly and totally no configurability.

I had a similar experience with a computer at our office. It kept telling me that it detected this or that, would not allow you into the Task Manager to kill the process, would not allow you to open HijackThis, Malwarebytes or any other program that was a malware tool. It did not take over the computer like AV8 does, but it kept popping up all sorts of warnings. It turned out to be a variant of the Win32/kryptik.LWO trojan.

Surprisingly, AVAST totally missed it. I had to go to Eset.com and remove it with their online scanner. If you do this, make sure you run Malwarebytes and SuperAntiSpyware to get all the traces off the computer. If you don’t, you will get all sorts of warnings from AVAST stating that it stopped malicious code from running on your computer. You will need to run Eset in Safe Mode as this variant will kill any .exe file that tries to run in normal boot mode.

Hi,

Sorry, but no to the file as I had to do a restore so any trace of it I assume would have been wiped.

As for UAC and why people turn it off…yep it is a right royal pain in the a$$.

Thinking about what has happened and how it happened has got me to wondering why Avast (and maybe it is the same for all the other anti-virus programs) could not pick up on it. True, these things keep evolving: you guys come up with a way to detect it, they come up with a way to bypass detection, etc. But given that each version does pretty much the same thing:

  1. Disable Restore.
  2. Disable Task Manager.
  3. Possibly create a restore point.
  4. God knows what else.

Why can’t these be detected regardless of how the offending program is written, as each time it goes for the same targets on your PC?

If I was a piece of anti-virus software sitting there watching I would be very interested in any program that tried to do these actions. So regardless of how a piece of malicious code goes about “skinning the cat”, the end act is still the same. Why can’t this be detected and acted on?

I just got hit with this as well while logged on as a “standard” user. No UAC warnings. Looks like it got totally around Avast.

UPDATE

So I was bored and happy in the knowledge that I could recover from this, so I went back to the offending site to see what would happen.

Avast - Up to date. Quick scan done, no infections.
Windows - Up to date.
UAC - At max.
Malwarebytes - Open. Full scan, no infections.

As soon as I visited the site a pop-up window came up saying there was a run time error running at ???.

Then the Sun Java update window opened up asking permission to do an update.

At no stage was anything clicked. After arriving on the site I just sat back and watched all this unfold.

Then it not only turned off Malwarebytes but disabled it from starting again.

Then (lots of thens) it went through and did the usual stuff - disabled restore, disabled cmd etc.

Started up in safe mode and ran Malwarebytes and this is what it found.

But what really bugs me is how something can just walk right past my defense and do this. I understand that these attacks change on a daily basis, but the end result is still the same. Also it appears that protection software has been compromised by these people, as they know exactly what to do to disable it. To me it seems as if too much time is spent on how they get from A to B rather than on what they do once there. Surely it does not matter how the offending code is written or executed; the fact that it can disable protection software, UAC, Task Manager and restore is what should be monitored.

[i]Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6224

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

2/04/2011 11:58:04 PM
mbam-log-2011-04-02 (23-58-04).txt

Scan type: Quick scan
Objects scanned: 150880
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lDi06504aIcOn06504 (Trojan.Downloader) → Value: lDi06504aIcOn06504 → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\ldi06504aicon06504\ldi06504aicon06504.exe (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Users\Darryl\AppData\Local\Temp\jar_cache7588282362764734956.tmp (Trojan.Downloader) → Quarantined and deleted successfully.[/i]
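A defender's version of the check Darryl asks for above (watch the same targets no matter how the dropper is written): this PowerShell script is an added example, not code from the thread or from any of the products mentioned. It reads the standard Windows policy values that disable Task Manager, cmd, Registry Editor and System Restore, and flags Run/RunOnce entries that launch from ProgramData, AppData or Temp, the pattern visible in the Malwarebytes log above. The registry locations are the real Windows policy keys; the user-writable path pattern is an assumed heuristic, not a rule from the thread.

```powershell
# Added example, not from the thread: read-only audit of the lockout policies a rogue
# AV such as MS Removal Tool flips (Task Manager, cmd, regedit, System Restore) and of
# Run/RunOnce entries launching from user-writable paths, as in the Malwarebytes log.

# Policy values whose non-zero setting disables a recovery tool (standard Windows keys).
$lockoutPolicies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Tool = 'Task Manager' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Tool = 'Registry Editor' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Tool = 'Command Prompt' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR';            Tool = 'System Restore' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig';        Tool = 'System Restore settings' }
)

function Get-LockoutFindings {
    foreach ($p in $lockoutPolicies) {
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($p.Name) -ne 0) {
            [pscustomobject]@{ Kind = 'PolicyLockout'; Location = "$($p.Path)\$($p.Name)"; Detail = "$($p.Tool) disabled" }
        }
    }
}

# Autorun keys the dropper used for persistence; values pointing into ProgramData,
# AppData or Temp match the log entries above (assumed heuristic, tune for your estate).
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = '(?i)\\(ProgramData|AppData|Temp)\\'

function Get-SuspiciousAutoruns {
    foreach ($key in $autorunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not an autorun value
            if ("$($prop.Value)" -match $userWritable) {
                [pscustomobject]@{ Kind = 'Autorun'; Location = "$key\$($prop.Name)"; Detail = $prop.Value }
            }
        }
    }
}

$findings = @(Get-LockoutFindings) + @(Get-SuspiciousAutoruns)
if ($findings.Count -eq 0) { 'No lockout policies or user-writable autoruns found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from Safe Mode as well as a normal boot, since the thread notes the dropper kills executables launched normally; a finding is a lead to investigate and remove, the script itself changes nothing.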

Your Malwarebytes log shows that you scanned with Database version: 6224 … Latest is 6264
always update before you scan

And all of this would have stayed in the sandbox here. Also, things like

would never execute here thanks to AppLocker. Similar protection can be done with SRP.

Well it was downloaded and installed on Sunday and as soon as that finished I asked it to do an update and it did. I have just done it again and now it is 6269 … 5 more than 6264, so can only assume updates are happening a couple of times a day.

It depends on the amount of malware that is uploaded to MBAM, and there are days with 10 updates

same thing with SAS ( 7 today ) http://www.superantispyware.com/definitionupdatehistory.html

I spent two days trying to figure this out. Tried everything. Finally got it off. But now I can’t even properly install Avast Pro. I was blue screened and am getting all sorts of errors. For one, once I actually DID get it installed again, my security system says that Avast is closed and it won’t allow me to open it. It is like this virus infected my system to the point where I cannot even run Avast anymore on this computer.

If you need help, start a new topic, follow the guide and post the logs in the new topic you start

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )