MS Removal Tool - How to remove?

 

MS Removal Tool is a fake antivirus that impersonates the name of a legitimate anti-malware tool. The real program is distributed by Microsoft and included in modern Windows versions by default. This is not the first malware to use this name: a couple of months ago there was another, unrelated rogue using the Microsoft Malicious Software Removal Tool name. This rogue is far from new; its predecessor, System Tool, still wreaks havoc on PCs worldwide.

MS Removal Tool infects PCs through various exploits and trojans. You might get infected when visiting websites that display infected advertisements or when you download some kind of “free” download from torrents or the web. It is critical to scan all downloaded executables with legitimate antivirus software or, in the worst case, upload them to websites such as virustotal.com for double-checking. Otherwise your PC will get the MS Removal Tool rogue or a similar parasite in no time.

Once the PC is fully infected, MS Removal Tool starts its advertising campaign to trick you into giving away your credit card details. The malware replaces the desktop background with a huge warning about infections and stops your PC from executing any programs. It displays lots of warnings about infections and demands that you launch an MS Removal Tool scan and then purchase its full version. This is a trick: there is no full version of this program, and all the files it detects are harmless. However, it is impossible to use the PC until MS Removal Tool is removed.

In some cases MS Removal Tool displays various warnings and alerts like these:

MS Removal Tool Warning
Your PC is infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid the theft of your credit card details.
Click here to activate protection.

MS Removal Tool Warning

Intercepting programs that may compromise your private and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool.

Security Monitor: WARNING!
Attention: System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. Your private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need to update your current security software.
CLick Yes to download official intrusion detection system (IDS software).

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software…

It also changes the background of Windows desktop and then reports:

Warning!
Your’re in Danger!
Your Computer is infected with Spyware!

All you do with your computer is stored forever in your hard disk. When you visit sites, send emails… All your actions are logged. And it is impossible to remove them with standard tools. Your data is still available for forensics, and in some cases

For your boss, your friends, your wife, your children. Every site you or somebody or even something, like spyware, opened in your browsers, with all the images, and all the downloaded and maybe later removed movies or mp3 songs – ARE STILL THERE and could break your life!

Secure yourself right now!
Removal all spyware from your PC!

Note: Some users make the mistake of paying for MS Removal Tool or a similar rogue. In that case you should contact your bank and dispute the charges. Additionally, it is highly advisable to change your credit card numbers, as you might be charged several times later on.
To remove MS Removal Tool, I recommend the following procedure:
1. Reboot into Safe Mode with Networking.
2. Disable the proxy server in your browser.
3. Start Task Manager and stop processes that look like garbage: random letter and number combos.
4. Download Spyhunter, Malwarebytes Anti-Malware and scan your PC to identify the infected files. Do a full system scan, or search the disk for the processes you stopped.
5. Delete these files.
6. Restore the Windows shell to explorer.exe if you haven’t used an automatic removal procedure.
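The checks behind steps 2, 3 and 6, plus the random-named startup entries and Application Data folders that commenters on this page report, can be gathered in one read-only pass. The PowerShell below is an added example, not part of the original guide or of any tool it names; the registry locations are the standard Windows ones for the per-user proxy, Run/RunOnce and the Winlogon shell, and Test-GarbageName and New-Finding are hypothetical helpers whose name heuristic is an assumption.

```powershell
# Added example: read-only triage for the indicators in the steps above.
# Nothing is deleted or changed; review every finding before acting on it.

# Heuristic (an assumption of this example): a "garbage" name is a single
# alphanumeric token of 8+ characters with at least 3 letters and 3 digits,
# like the Keh06511FlaLB06511.exe startup entry a commenter on this page reports.
function Test-GarbageName {
    param([string]$Name)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 8 -or $base -match '[^A-Za-z0-9]') { return $false }
    $digits  = ($base -replace '\D', '').Length
    $letters = $base.Length - $digits
    return ($digits -ge 3 -and $letters -ge 3)
}

function New-Finding($Check, $Item, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Item = $Item; Detail = $Detail }
}

$findings = @()

# Step 2: a per-user proxy the user did not configure.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings += New-Finding 'Proxy' 'ProxyEnable=1' $inet.ProxyServer
}

# Step 3: running processes whose executable name looks random.
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.Path } catch { }
    if ($path -and (Test-GarbageName $path)) {
        $findings += New-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $path
    }
}

# Startup entries (Run / RunOnce) that launch a random-named executable.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce') { "$hive\Software\Microsoft\Windows\CurrentVersion\$name" }
}
foreach ($keyPath in $runKeys) {
    $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        $command = [string]$key.GetValue($valueName)
        if ($command -match '([^\\/:*?"<>|]+\.exe)' -and (Test-GarbageName $Matches[1])) {
            $findings += New-Finding 'Startup' "$keyPath\$valueName" $command
        }
    }
}

# Step 6: the Winlogon shell should be explorer.exe (the per-user value is normally absent).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $winlogon = Get-ItemProperty "$hive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
    if ($winlogon -and $winlogon.Shell -and $winlogon.Shell.Trim() -ne 'explorer.exe') {
        $findings += New-Finding 'Shell' "$hive Winlogon\Shell" $winlogon.Shell
    }
}

# Application Data folders holding an executable where the folder or file name looks random.
$roots = @($env:ALLUSERSPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Application Data'), $env:APPDATA) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
foreach ($root in $roots) {
    $dirs = Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        $exes = @(Get-ChildItem -Path $dir.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue)
        if ($exes.Count -eq 0) { continue }
        $randomExe = @($exes | Where-Object { Test-GarbageName $_.Name })
        if ((Test-GarbageName $dir.Name) -or $randomExe.Count -gt 0) {
            $names = ($exes | ForEach-Object { $_.Name }) -join ', '
            $findings += New-Finding 'Folder' $dir.FullName ("created {0:yyyy-MM-dd HH:mm}; {1}" -f $dir.CreationTime, $names)
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators found by these checks; continue with the full scan in step 4.'
} else {
    $findings | Format-Table Check, Item, Detail -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt in Safe Mode. Legitimate software can match the name heuristic, so treat the output as a review list rather than a delete list.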
In addition, you can try these System Tool registration keys, which might still work with MS Removal Tool as the parasites are closely related:
WNDS-TGN15-RFF29-AASDJ-ASD65
WNDS-U94KO-LF4G4-1V8S1-2CRFE
WNDS-6W954-FX65B-41VDF-8G4JI
WNDS-G84H6-S854F-79ZA8-W4ERS
WNDS-TTUYJ-7UO54-G561H-J1D6F
WNDS-A1SDF-6AS4D-RF5RE-79G84
WNDS-A1SDF-RY4E8-7U98D-F1GB2
WNDS-5SRTS-AEHUF-YA54S-D6F35
WNDS-P9685-4H41A-DSW3A-2R64T
WNDS-2AE32-1VFC2-B6894-G67YU
WNDS-4TS8R-D6F5D-4JH8T-U4JK5
WNDS-FGS5D-649RG-4S53D-412SF
WNDS-452S3-ER00F-TSE35-S8FSD
WNDS-SERFH-2642S-F04SD-64FG1
WNDS-F40SA-1ER5H-4FG5D-F8412
WNDS-5D1V2-XB0D5-JT1TY-97DS3
WNDS-4BGY2-JY4KO-IT98Y-7HJ43
WNDS-G8FB6-1V87S-DRT1S-63SRG
WNDS-HFVDR-9844O-U54DA-5TBSC
WNDS-89OF7-7324R-5SAD4-TG68U
WNDS-JUYH3-24GHJ-HGKSH-FKLSD
The full version of ESET Smart Security and most other decent antiviruses, or Spyhunter, Malwarebytes Anti-Malware, would have protected against these infections.

UPDATE!!

Thanks to S!Ri, new registration codes for MS Removal Tool have been revealed, so try entering one of them if you have problems with its removal:

WEEA-S0DF5-GS5E0-FG14S-2DF8G
WEEA-JUYH3-24GHJ-HGKSH-FKLSD
WEEA-89OF7-7324R-5SAD4-TG68U
WEEA-HFVDR-9844O-U54DA-5TBSC
WEEA-G8FB6-1V87S-DRT1S-63SRG
WEEA-4BGY2-JY4KO-IT98Y-7HJ43
WEEA-5D1V2-XB0D5-JT1TY-97DS3
WEEA-F40SA-1ER5H-4FG5D-F8412
WEEA-SERFH-2642S-F04SD-64FG1
WEEA-452S3-ER00F-TSE35-S8FSD
WEEA-FGS5D-649RG-4S53D-412SF
WEEA-4TS8R-D6F5D-4JH8T-U4JK5
WEEA-2AE32-1VFC2-B6894-G67YU
WEEA-P9685-4H41A-DSW3A-2R64T
WEEA-5SRTS-AEHUF-YA54S-D6F35
WEEA-A1SDF-RY4E8-7U98D-F1GB2
WEEA-A1SDF-6AS4D-RF5RE-79G84
WEEA-TTUYJ-7UO54-G561H-J1D6F
WEEA-G84H6-S854F-79ZA8-W4ERS
WEEA-6W954-FX65B-41VDF-8G4JI
WEEA-U94KO-LF4G4-1V8S1-2CRFE
WEEA-TGN15-RFF29-AASDJ-ASD65

 

Automatic MS Removal Tool removal tools

 
  Download Spyhunter for MS Removal Tool detection
  Note: The Spyhunter trial provides detection of parasites like MS Removal Tool and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.
 

Manual MS Removal Tool removal

 

Important Note: Although it is possible to remove MS Removal Tool manually, doing so can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to repair themselves automatically if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyhunter or other tools found on 2-viruses.com.

Processes:
Files:
Registers:

It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites and other MS Removal Tool infected files, and get help with MS Removal Tool removal, by using the Spyhunter scanner.

 


145 thoughts on “MS Removal Tool”

  1. Angela
     

    Yesterday this happened to my computer and I’m at the point where I can’t download anything if it’s to clean up this MS removal. Every time I try anything it says it’s been infected. If you could help out I’d really appreciate it. Email me and hopefully I can have my computer back. I do have several friends who are willing to help, I just don’t have time on my hands. Thanks!

     
  2. John
     

    Hi I am having the problem, please advise how I can get rid of MS removal from my computer. Thanks

     
  3. Steven Grabert
     

    I am infected by MS Removal Tool. How do I get rid of it?

     
  4. nikkic
     

    Please help..having the same problem, with constant popups!!

     
    1. admin
       
       
      Post author

      Use the codes to fake-register it. Then use removal tools.

       
  5. Bob W.
     

    Downloaded, paid for and ran Spyware Dr and after reboot could not even open SpywareDr. because of this spyware. So that does not work!!!!!

     
    1. admin
       
       
      Post author

      Bob W. Contact PCTools support – they will work through this. Make sure that you have the latest definitions.
      First scan should be done in safe mode with networking. Do full system scan. In normal mode, go to Spyware doctor folder, right-click on executable and choose run as administrator.

       
  6. Dawn
     

    I have a computer infected with this and it will not let me run anything. I already have malware bytes installed on it but everything I try to run says it is infected and won’t let me run it.

     
  7. Jim
     

    What codes do you use to “fake-register” it? Nothing I type works.

     
  8. Lourn Lober
     

    Yeah I just got infected with this crap and I can’t run malware bytes either which I already had installed along with AGV, I can’t even run task manager.

     
  9. Mark Rahm
     

    It tells me to activate my anti-virus software after it turns it off, and then when I try to go to anything with Windows, it goes right to the MS Removal Tool page. Who’s the a****** that comes up with these viruses and then tries to steal credit card info by “selling” us the “anti-virus” that they just infected our computer with? I’d like to send them down the razor-blade-slide into a salt pit!!!

     
  10. ryan
     

    I did too, but luckily I have Webroot. Hopefully it works, I’m doing the full sweep now so cross my fingers. This is messed up, isn’t it vandalism? I paid a grand for my system and took 6 months to pay it off, and in less than 6 min. it turned my PC into a paperweight!!!! How is that legal? And why can’t they stop it?

     
  11. Roman
     

    Sorry about my English! Please do:
    Reboot your computer while pressing “F8”, select “Safe mode”, “Accessories”,
    “System tools”, “System restore”, select the date (days behind, when the system was still ‘OK’), “Enter”. Good luck!

     
    1. admin
       
       
      Post author

      Roman: System restore does not clean everything. Do a scan after system restore.

       
  12. Dave Smith
     

    Where do you go to find these files to remove them? I have looked all over my computer and I can’t find it. Also when I try to download the Spyware Dr it won’t let me.

     
  13. Bill
     

    @Angela
    Maybe this will help you. I had the same issue, tried all and got the same, it either blocked the program or the program simply didn’t see it. This fix was very simple. I had an old copy of C cleaner on a USB drive. I rebooted in safe mode, ran C cleaner and under the startup programs I had a program listed Keh06511FlaLB06511.exe/Run once/. I disabled and deleted this file (yours may be named similar) and it immediately fixed the issue, allowing me to run other spyware and virus removal tools to clean up the mess. Hope it helps

     
  14. Nadeem
     

    My computer got this crappy virus yesterday. And it behaved just like its described in the article. I DLed Malware but it wouldn’t let me open it. However, I followed the directions in this article (Start in Safe with Networking, etc.) and that worked like a charm. Thanks.

     
  15. shane
     

    I have 2 computers in the house happened on one in evening. What I did to get around it was logged into a different user account and did a system restore from there then logged back in to original that was infected and ran virus program from there. Now it also happened on other computer but don’t have any user accounts except admin so now I will try what this article states to get around it. problem is I run a hd monitor and have to switch hdmi cable to vga so i can see startup to enter safemode. I really do not like this program.

     
  16. Mike
     

    It’s just a big scam set in place by antivirus software companies. If there were no viruses like this no one would need antivirus software, kinda makes sense doesn’t it. I agree something needs to be done, computers aren’t cheap. @ryan

     
    1. admin
       
       
      Post author

      Mike: Rogue anti-viruses are way too visible for any legitimate antivirus company to create. There are plenty of other viruses too, so I am 100% sure major companies are not behind this.

       
  17. Milo
     

    I have read the article and still have no idea of how to complete the steps. Let’s start with disable proxy server in your browser. How do I do this? Then provide every step/key stroke for those of us that don’t know as much about computers. I’m in safe mode now or I get nothing. Thanks

     
  18. Lisa
     

    I had this popup in my system and I found info on it on several different sites. I used “Spyhunter” (as per Wiki-Security) to scan my system completely in the F8 safe networking mode and then rebooted the computer normally and now the MS TOOL REMOVER doesn’t pop up. Does that mean it’s gone?

     
    1. admin
       
       
      Post author

      Lisa: doubt it.
      Scan with other tools as well.

       
  19. Wil
     

    Happened to me today, great advice to restart it in safe mode with F8, then went to Documents and settings/ Application Data and found a new folder that was created today, the name of the folder was a bunch of nonsense letters and numbers. Erased it and started my clean up with my CA security anti spyware and antivirus. Tip: when in Application data click on properties of every folder, in that way you will find out what folders were created the day you first experienced problems AND ERASE IT. Thanks very much to all.

    @admin

     
  20. Lisa
     

    @admin
    Nothing else picks it up….although malware bytes’ one detected two trojans, but wasn’t specific….

     
  21. dan
     

    I’ve started up in safemode/networking and ran the malwarebytes scan, and it found zip…nothing. Ran spyhunter 4 and it found a couple trojans but none were the name of this ms removal tool, same with spydoctor. It still keeps popping up in normal boot..

     
  22. vince
     

    Guys I ran into this problem and I actually purchased this product only to find out on line through your post that I had been scammed. Their phone number is 800-417-5679 if any of you want to call them to give them your piece of mind.

     
  23. Wil
     

    It’s me again, the false MS tool came back again, went back to safe mode but didn’t find anything on Administrator\docs and settings\Application Data, then what I did was check All Users\docs and sett…….and voila it showed up, then I just erased the new folder. Then what I did is I went to microsoft.com and got the free malware tool they offer, THE REAL ONE, and after 20 mins of scanning it found win32/VBinject.gen!AC and it found two of these, this guy is the one that breeds those sitting in Administrator and All users area, hopefully this is the source, good luck to all, ooh yeah I forgot, CA security does not protect against this as per today.

     
  24. Leo
     

    vince have you got other charges? it said transaction declined when I got scammed so I’m wondering if they have my credit card info now???

    I’m running full system scan in safe mode now.. i’m still not 100% clear on how to actually remove “ms removal”

     
  25. Austin
     

    I was infected and what happened is it didn’t let me run any type of antivirus software, and now when I turn on my laptop I try to do safe mode but it freezes when it gets to AVGIDSEH.Sys and then it goes to a blue screen and shuts down. What should I do?

     
    1. admin
       
       
      Post author

      Austin: read the guide. You can do this in regular mode as well.

       
  26. Jack
     

    Hey folks,
    My wife accidentally downloaded this rogue while finding clip art for a power point. I had trouble getting into “safe mode” with WIN Vista. This Trojan seems to block every attempt. The “F8” key did not work, msconfig was blocked and so was any anti-malware or download. I finally had to simply unplug the computer while it was running (Dangerous, but I had no choice) so it would automatically boot to the boot choice menu. I then selected “Safe Mode with Network” and downloaded “Malwarebytes Anti-malware”… Install this program, update, and run the “Quick Scan”. Click on “Remove Selected Items” and it will take care of the problem. I would recommend running the full or deep scan as well while in safe mode. You should also run all your anti-spy, virus etc. software while in safe mode and then re-boot just to be safe. That’s my story. OK, Jack.

     
  27. Rob
     

    Yes, I just called 800-417-5679 (tech support) and spoke with a lady with a Latino accent. I asked for her help to get MS Tool off of my computer and she asked for a transaction ID. She asked if I had purchased the removal tool. I told her it is a non-secure website and I will not pay MS Tool to take their software off of my computer. I told her that the computer store says $200 to get this off my computer. I told her what they have done must be illegal. She said that since I am not a customer of theirs she will have to end the call.

     
  28. Tim
     

    I can’t even get into safe mode. Any ideas out there?

     
  29. Keenan
     

    @admin
    admin;

    I did a full system restore and then downloaded the newest trial version of AVG. after multiple full system scans and root scans it appears to be clean. i have an icon in my notification area though that displays as , what could that be?

    thank you for all of your help. you are doing a wonderful job.
    regards

     
  30. Keenan
     

    @Keenan that blank is no title i put it in carrots and the html hid it.

     
  31. fearthefuture
     

    I had this problem last night, I started up in safe mode then I found a folder in the application data that I didn’t know what it was and that was started at the same time the program got me. So deleted the folder. I also uninstalled ATI because the version that attacked me was using ATI.

     
  32. Rob
     

    Thank you very much for the advice on how to log into the infected computer by safe mode and restore to an earlier point in time. This worked to allow me to be able to start up virus software and the system is working through a full scan now. Best Buy seriously told me in person earlier today that the charge to restore my computer would be $199. You told me how to do this for free. Thank you.

     
  33. Peter
     

    We seemed to have cured the problem regarding MS REMOVAL TOOL by simply utilising the system restore facility to a time when no problems were being encountered. We found some of the advice difficult to comprehend as we are NOT computer GEEKS who are able to understand all the code words!

     
  34. Bryan
     

    I’m so mad, the MS removal is ruining my computer, also the spyhunter said it crushed? I have no idea what’s going on.

     
  35. ad
     

    I want to quit it because I didn’t know you need to pay, so can someone tell me how to quit

     
  36. Jacob
     

    I have AVG, and caught it in the blue screen and came straight to here. Do you think that if i do a full scan with avg while in normal that it will be able to catch it?

     
    1. admin
       
       
      Post author

      Jacob: give it a try.

       
  37. Jerry
     

    Hi all. I’ve had this problem at least a dozen times. Slightly different forms but the same scam. Like the above user I would restart in normal mode and get to my system tools before “ms” could get loaded & begin the “system restore”. It works every time. Today I experienced it again. I haven’t seen it like this. It loads faster than the one I saw several months ago. I had to start in “safe mode” & then prompted for “system restore” option. I picked yesterday & all is well. I’m so sorry for you guys that are having trouble like this. The computer retailers/repair shops should be ashamed of themselves for charging $199.00 to perform a “system restore”. It’s extortion just like the criminals who designed “MS Removal Tool”.

     
  38. Connie Rinando
     

    This morning my website I was listening to was blocked by you people.
    Not happy. I was going to purchase anti-virus protection from you guys and was having trouble with my MC. What is your deal?
    Connie Rinando

     
  39. grumble
     

    @Roman
    F8 to reboot? That did nothing. How do I reset or wipe the hd?

     
  40. grumble
     

    OK what you didn’t say was that you have to restart and hit F8. But System Restore wouldn’t work because it said “no changes have been made since that date”. How frustrating! I’m moving closer to the hammer solution. I remember there used to be a way to completely wipe a Windows 95 computer – looking in that direction now.

     
  41. Austin
     

    @admin
    The problem is that I can’t get past the loading screen at all, whether it’s regular or any of the safe modes.

     
  42. Kurt
     

    Got rid of my nasty MS Removal Tool infestation by rebooting my computer in SAFE MODE and going to service.symantec.com to download their free Norton Power Eraser. When you get to the site click on “Norton Product Support” then click on “Spyware & Virus Removal”. The removal program killed something that was found in my startup. I then rebooted in normal mode and found my problem to be gone. Boy was I happy! What a nasty piece of malware.

     
  43. Robyn
     

    Computer ran fine yesterday and first thing today I’m getting this Warning.. application cannot be executed. The file TCrdMain.exe is infected. Activate antivirus software. Spyware detected!
    Had this happen the beginning of the year and tried to download Norton to clean it up and remove what was there. My computer just shut down. It wouldn’t start, open or do anything. I just put into the search MS Removal Tool after it was on my computer doing a ‘scan’ of 38 files infected. Of course, it wants me to buy it but there is no info on it so when I searched, it’s a fake. But I’m still worried about trying to download anything on here to fix it. I don’t need it to totally shut down on me again. THAT was expensive to fix!! Any suggestions?

     
  44. chris
     

    I’m a computer tech (also make viruses for test programs and this is like nothing I’ve seen before) and this came on my cousin’s computer and I’m about to do some stuff and if it works I’ll let everyone know

     
  45. chris
     

    To use your computer again go to registration on the top right of MS Removal Tool and put in WNDS-TGN15-RFF29-AASDJ-ASD65 (exactly like that) and once it updates from the fake code go to settings and turn everything off and this will turn off this program and this will make your computer run because this fake antivirus program is shut off.. to delete it.. I’m still working on, will update after, but the step I just said to do will shut it off so you can use your computer like before it came on

     
  46. chris
     

    Follow the steps on this page and you can get rid of it.. hope this all helped

     
  47. Logan Tatom
     

    I got this today (4/15/11) and just got rid of it on my own
    what i did was put the comp. on safe mode and then did a system restore to a few days ago, the program/virus/spyware/PieceofCrap/whatever else you wanna call it is GONE and i have no other problems now

     
  48. ginny
     

    will system restore help this problem

     
  49. chris
     

    yea that really works thanks download a anti virus program i dont want to get rid of a virus :P

     
  50. Roger
     

    HERE IS THE FIX!!!!

    It is VERY easy to get rid of the MS Removal Tool.

    1. Run Windows update and apply all listed critical patches.
    2. Reboot
    3. Go to one of the paths listed below and delete the directory the exe is in:

    Windows XP: c:\Documents and Settings\All Users\Application Data\[gibberish]
    Windows 7: c:\Users\All Users\AppData\Roaming\[gibberish]

    This application is taking advantage of a known security hole in Windows, if you patch windows it will close the hole.

    I have followed this procedure on 3 of my friends PCs.

    This will teach you all to keep windows fully patched.

     
  51. Dave
     

    @admin
    Looks like the F8 to restore did it. This thing is a real annoyance. I agree these people need to be banned from cyberspace and then locked in a cell for a LONG time. Are you listening Microsoft? Please do something about these guys!!!

     
  52. karen
     

    how do i get rid of it?

     
  53. karen
     

    the mrs removal tool software

     
  54. keith
     

    F8 then went to safe mode with network Next to system restore and went back a few days and restored. Worked great

     
  55. Jamie
     

    Austin :
    @admin
    The problem is that I can’t get past the loading screen at all, whether it’s regular or any of the safe modes.

    This method works perfectly, great find! Quick, easy, and appeared to completely eradicate the issue within five seconds. Definitely worth a go.

     
  56. Jamie
     

    Jamie :

    Austin :
    @admin
    The problem is that I can’t get past the loading screen at all, whether it’s regular or any of the safe modes.

    This method works perfectly, great find! Quick, easy, and appeared to completely eradicate the issue within five seconds. Definitely worth a go.

    My apologies, clicked the wrong quote. Try this one instead…

    Kurt :
    Got rid of my nasty MS Removal Tool infestation by rebooting my computer in SAFE MODE and going to service.symantec.com to download their free Norton Power Eraser. When you get to the site click on “Norton Product Support” then click on “Spyware & Virus Removal”. The removal program killed something that was found in my startup. I then rebooted in normal mode and found my problem to be gone. Boy was I happy! What a nasty piece of malware.

     
  57. cesar tiberio
     

    Microsoft is the Real Problem. All is for sales more antivirus. OK

    Business is the business

     
  58. Captn Morgan
     

    did the restore from safe mode. once screen is up, type restore from start search its one with clock not the restore center. You should have a date to choose as long you have used your computer at all with auto-updates at some point. Good luck

     
  59. Josh
     

    @Keenan Of course it worked.. a full system restore formats your hard drive! This is not an option if you want to keep your data.

     
  60. Joey
     

    @Bill
    This trick actually really worked, Bill. Thanks a lot for your help. I did everything before and nothing worked, but since you mentioned ccleaner, it really worked. Thanks a lot again

     
  61. Breanna
     

    ms removal tools appeared out of no where, used ‘system restore’, dated it 2 days before and it worked. thanks so much for the advice found on this site. so relieved!!!!!!!

     
  62. Valerie
     

    I really really need help getting rid of this thing.. I don’t know what safe mode is or how to do any of these steps..

     
  63. Valerie
     

    Everything I try to do it won’t let me do it.. I try to restore and it prevents me from doing it.. I can’t even open up the start task manager… this is getting annoying!

     
  64. Ally
     

    I got this last night and nothing I do is working. I got it on both my computers. My desktop and my laptop. It must search the network for other open holes or something. Anyway, I am calling and calling the number that is provided in this thread. At first the guy told me that he would send me a link that would allow me to uninstall the stupid program. Never got the email. Called the ahole back and totally screamed and yelled at him. Threatened that I was going to call the authorities and sue their asses for ruining my computers. He then told me that the program would be uninstalled in 24 hours. WTFever! I’m now waiting for my IT/virus pro boyfriend to help me remove the idiot program. I think everyone should call them and just hound them to death! Can we call the authorities on these criminals?

     
  65. Dennis
     

    I have tried everything suggested. I use a US Cellular air card for internet connection and can’t seem to connect for updates in safe mode. I have used Malware Bytes, CCleaner, Avira, Norton eraser(says it needs live connection),Trojan Cleaner, etc. None worked. I tried to use the recovery tool 2 days earlier. from safe mode. It shut down saying that my computer was in danger of being destroyed. I searched and looked and can’t seem to find (Windows 7: c:\Users\All Users\AppData\Roaming\[gibberish])I just don’t know where to look. I am at a loss here.

    Roger :
    HERE IS THE FIX!!!!
    It is VERY easy to get rid of the MS Removal Tool.
    1. Run Windows update and apply all listed critical patches.
    2. Reboot
    3. Go to one of the paths listed below and delete the directory the exe is in:
    Windows XP: c:\Documents and Settings\All Users\Application Data\[gibberish]
    Windows 7: c:\Users\All Users\AppData\Roaming\[gibberish]
    This application is taking advantage of a known security hole in Windows, if you patch windows it will close the hole.
    I have followed this procedure on 3 of my friends PCs.
    This will teach you all to keep windows fully patched.

    Where and how do I run windows update from safe mode. I can’t do anything if I am not in safe mode.I spent all day trying to get this fixed. Help Please

     
    1. admin
       
       
      Post author

      Dennis: Disable proxy during safe mode with networking. Also, download (on other PC) and run TDSS Killer – in some cases it is a bit more complex than Roger described.

       
  66. Dennis
     

    By the way, I can’t get to the internet to update anything on the infected computer. Not even in safe mode.

     
  67. Chris R.
     

    Please help me. My computer is infected by the MS removal tool (April 23 2011). I used the malwarebytes and scanned my computer but when I finished and restarted my computer it’s still there (I am using the Safe mode with networking). I tried everything but nothing happens, it’s still popping annoying notifications or warnings. What should I do? I am using Windows 7 Home Premium. Please help me and email me immediately. !!!!!!:(

     
  68. Peter J
     

    @Roger Roger’s got it right – April 16th, 2011 at 15:41. It’s simple. Thanks, regards Peter

     
  69. Kenneth
     

    To Roman et al
    Thanks very much for your helpful advice. I rebooted in “Safe Mode” (tapping F8 repeatedly), which allowed me to access “System Restore”. I restored to the previous day. Just to be sure, I scanned the hard drive with Malwarebytes Anti Malware. Found no viruses. The “MS Removal Tool” is the most wicked virus I have ever encountered!

     
  70. Kenneth
     

    “MS Removal Tool” seems to be a recent virus. This thread began only on March 31, 2011. Any suggestions how to avoid future infections?

     
    1. admin
       
       
      Post author

      Kenneth: Get a decent internet security suite and link scanner (if not included). For example, AVG link scanner and ESET smart security (there are more choices). That should protect from 95%+ of infections

       
  71. Angie B
     

    I have Trend Micro anti virus running. Why it is not able to block this virus.

     
  72. rightstufff
     

    @chris
    Hey Chris, I would like to read up on the steps to take to deal with this MS removal tool, however I can’t open the page you mention. Could you please send me all the steps? Thanks

     
  73. amit
     

    I was infected from this shit last night. . . . . same was the condition with me like others.. then I shut down my lappy. And on the other day when I opened it in normal mode everything was OK.,, but soon a window came saying a program wants your request. Then I blocked it. . As it was MS Removal Tool… then I deleted it permanently from the folder where it was downloaded,… then I scanned the full system and everything was OK. FINALLY

     
  74. John
     

    I too am an idiot of this silly game and I wish I knew who it was. I paid the 60.00 bucks but somehow I will find out. It just disappeared from my system and a virus appeared. Someone is making good money out of it. There are too many websites saying they can get rid of it but you can’t tell which one is right.

     
  75. A. Patriot
     

    Malwarebytes, that’s the miracle saviour. If you are quick enough, just pull the power cable and shut everything down; a reboot after a short wait and you may be lucky.
    I installed Malwarebytes ages ago, and as soon as I get a whiff of rogue software, I go straight for the Malwarebytes and kick start it. If I need to, I start it in safe mode and let it do its thing. Works every time for me, cannot recommend it highly enough.

     
  76. Chris
     

    It’s a dirty bastard, this one. I went into safe mode, ran Malwarebytes, it found a trojan, and then I did a search on recent items on my hard drive. I found a folder which had to be it. Deleted it and things seem back to normal.

     
  77. Erick
     

    I just received MSRemoval today at work. My PC does not let me have admin rights. I was trying to reboot the PC in safe mode but the option wasn’t there! So after several tries, I decided I was going to beat MSRemoval before it initiated on start up…
    As soon as you see the desktop background, hold Ctrl-Alt-Esc to open Windows Task Mngr. Go to processes and watch what program gets started right before MSRemoval initiates. This might take several times to figure out; I used my phone to video record task mngr for a better look.
    Now that you know the name of the file, right click and press “End process tree” and Enter asap. You will have about 3-5 seconds to do this before MSRemoval loads all the way and turns off taskmngr.
    After that I went to c:\Documents and Settings\All Users\Application Data\ and found 2 folders with random letters and numbers. Inside I found a program in each folder with different icons and a small file. At first I changed the names of the folders and files, but then I just deleted them to the trash bin plus deleted them permanently.
    I can’t get to the regedit or msconfig folders due to not having admin rights. So if you get this while being at work because WebSense isn’t working anymore, then you can try this.
    I have not restarted the computer since it occurred this morning, but if it occurs again then I know how to stop it, and I’ll just blame my co-worker for this lol.

    PS: Use the keyboard “Enter” button when prompted if you want to “End process tree”; it will be faster than the mouse. Also, taskmngr will come up quicker at start up if you do it within the first second of startup.

     
  78. Dom
     

    My wife just got it ^%$#@!!!!
    She has MS Essentials (free from Microsoft), BUT for some reason it was turned OFF. The VIRUS would not let me run any executables, especially MS Essentials or Task Manager or……
    So I searched IE for MS Removal Tool and saw a free BUT not free removal Wiki-something. It downloaded and executed!!!! (The scan portion; the removal costs $40.) BUT it seemed to freeze the malware. I redownloaded Microsoft Essentials with all those windows open, and then ran the MS Essentials scanner, which seemed to remove it. I also made sure that MS Essentials is in the ‘STARTUP’.

     
  79. Dom
     

    PS I did not pay the $40 but just downloaded and ran the scanner …not the $40 removal program.

     
  80. keshav
     

    Great advice from various members. Found myself struggling with this horrible trojan. Opened in safe mode with networking and then use malware to bust the adware. Then start the computer as before. Thanx again.

     
  81. Krystina
     

    I somehow have this MS Removal Tool…

    I have downloaded Malwarebytes Anti-Malware but cannot access it.

    I tried booting into safe mode but my keyboard does not work in safe mode, so I can’t put the password in. I read online there must be something wrong with my bios, if the keyboard doesn’t work. Am I able to download the files necessary to get this keyboard working? Or will this program block that or infect those files?

    I’m not quite sure where to go from here.

     
  82. Krystina
     

    @Krystina
    I did find the file in document and setting/allusers but obviously cannot remove it. But it does say it was created yesterday, so that makes me feel better knowing I’m not the one who got this thing – my boyfriend is. Someone please help.

     
    1. admin
       
       
      Post author

      USB keyboards might not work in safe mode, or the driver is corrupt. Try borrowing a simple keyboard.
      Also, try running rkill in normal mode or using one of the listed keys – this might allow executing Malwarebytes or SD.

       
  83. Dwayne
     

    @chris
    This worked!!! Thanks!

     
  84. Noonpwner
     

    You need to run in safe mode before you can use any of your programs. Learn to read, noobs! To get safe mode, press F8 when your computer is starting up.

     
  85. Mark McCloud
     

    Thanks so much to everyone that took the time to figure this out; because of this site I was able to get rid of this crap.

    My question (or rather comment) is… can anyone figure out who made this, or what the physical location of the server that is being used to install this crap is, the name of the bank or credit card company that is processing these sales… Please; I, for one, would like to see the people who created this, the bank that is billing the credit cards, the location and company name of the server… be published for all to see.

     
  86. cee88
     

    I just got this virus tonight and I’m not computer savvy. I spent the last couple of hours looking through sites, most with instructions that looked like a different language, required me to download stuff, wanted me to recover my system to an earlier date or required me to type in a long list of codes. Well, I didn’t want to recover because I didn’t want to lose data, and at the moment I don’t trust downloading anything off the internet, so neither of those seemed to be the right answer to me. I tried a bunch of the codes and such and none of that was working, especially since most info was for Windows XP or Vista and I have Windows 7 on a notebook laptop. Eventually, after much fiddling around, this is how I got rid of it (a lot simpler than anything I’ve seen so far). For me it didn’t matter what mode I was in; I did it in regular mode and double-checked in safe mode. Go to “Start”, click on “Computer” or “My Computer”. A screen will pop up; at the top of that screen, in the address bar, type: c:\Documents and Settings\All Users\
    Hit the “Enter” button. A folder list will show up. One folder will have a bunch of random numbers and letters, for example: c:\Document and Settings\All Users\MKb31000gfhl31000
    The random numbers and letters are different for everyone, and there may be more than one of these “random”-titled folders, but it/they should stand out, as all other folders will have proper names. Open the file/s and you’ll see 2 items. Simply right-click on each of them and rename them “virus” or whatever tickles your fancy (if you have more than one of the random-named folders then do the same for all items in them). After that, just restart your computer. The MS Removal Tool program won’t run when your computer starts up, so simply go back and find those files the same way (Start, My Computer, type in c:\documents and settings\all users\). Now find your renamed items and folder, right-click them and click “Delete”, or just drag them to your recycle bin, then empty your recycle bin and *poof!* it’s gone. Hope that helps someone!

     
  87. Patty N
     

    I got this yesterday.. I knew it was fake. It kept asking for a CC#..lol.. really! I have Trend Micro, but somehow it was turned off..hmm.. all weekend my kids were on the computer..games..n stuff.. only their username came out with this.. but I would go into mine and nothing.. it was fine. So my question is…. WILL DELETING THEIR USERNAME/PROFILE GET RID OF THIS?

     
  88. Dave Wilker
     

    I tried all of these. I couldn’t do anything in normal mode, as the program stopped everything. In safe mode, I couldn’t run Restore or Security Essentials. I finally took the hard drive out, connected it to my other machine via a USB adapter, and scanned the drive with Security Essentials. That fixed it.

     
  89. Gr9ce
     

    Hi, I got this today, I suspect via some Google images I was checking out. At first I thought it was a real alert, as my computer installed some updates when last shut down, so I thought something newly loaded had found some nasties. However, being suspicious, I tried to ignore it and couldn’t, then tried to download an antivirus and couldn’t as it said infected. That’s when I knew it was bogus, so I googled for solutions.

    Starting in safe mode whilst tapping F8 worked for me, then I started in safe mode with networking, then did a system restore for a couple of days back and it disappeared.
    Have now downloaded free AVG and am running a scan.
    It is a nasty one, as it installs an icon in the start up bar so it looks authentic. Why can’t the minds behind these concentrate on global energy solutions and feeding the world? grrrrr.

     
    1. admin
       
       
      Post author

      Gr9ce
      Take care, AVG does not repair all the registry keys. Some people complain that after the AVG fix they can’t run any .exe file. Make sure you run the .exe file fix or edit the registry accordingly.

       
  90. J.T.
     

    Cee88, I could kiss you. I got this virus yesterday and spent 2 hours on the phone with microsoft. After trying “everything in the book” (his exact words) the tech recommended I re-install my operating system. I just followed your instructions, and *POOF!* is right. It’s gone. FYI, I have Vista.

     
  91. Mahak
     

    hi there
    I had that problem too, but I’m using Windows 7 and Windows Defender removed the virus from my computer

     
  92. John Grace
     

    This is why I bought a Mac! @Mark Rahm

     
    1. admin
       
       
      Post author

      John : there are fake antivirus for mac too now :)

       
  93. Mike
     

    I just got this virus today at 4:12 AM EST. I restarted my laptop, went STRAIGHT to IE, came to this site via google, used a fake register key (which stopped the pop-up windows), and then I ran rkill.exe and Malwarebytes’ Anti-Malware (which is still running atm). Once the windows stopped I activated Gamebooster (for you all who don’t know, Gamebooster closes background programs to enhance computer performance for gaming) and it closed the program. After it was closed, I deleted the folder that was created today by opening up task manager, clicking create new task, and using the code C:\Documents and Settings\All Users. Mine was named o3684s587w2ecssf55$#5!. I deleted it, and so far, nothing has happened. once MBAM is done, I will post another reply.

     
  94. Jigs
     

    thanks for this article. we got rid of it within minutes by following your instructions.

     
  95. sasha
     

    Please help me get rid of this MS thing. I tried getting rid of it like it says on the net but it’s blocking me from doing it. Please help

     
  96. Grace
     

    I have the same problem right now. I just went into safe mode and now I’m having malwarebytes scan it. I’m just hoping that this virus goes away soon. It’s really worrying me.

     
  97. Willis c
     

    Ok, I’m 14 and I got one. It won’t let me play World of Warcraft, use the Internet, go on System Restore, nothing. It turned my screen background blue… If I get a Norton antivirus, will it get rid of this shit? I just wanna play…

     
  98. connor
     

    the codes work just highlight 1 woooooooooooooooooooooo

     
  99. Jordan H
     

    I can’t download anything to get it off, nor is it letting me pull up System Restore so that I can go back the dates

     
  100. Jordan H
     

    ok so.. i got McAfee on my computer, will that get rid of it?

     
  101. c h smith
     

    I tried your Spy Doctor and it did not work either. It was just like MS Removal. It tried to sell me a gimmick too. So if you are legit like you claim, show me.

     
    1. admin
       
       
      Post author

      c h smith
      No malware remover is 100%, but the SD full version is capable of removing most strains of MS Removal Tool. Make sure you update it before the scan. If you are unhappy with Spyware Doctor, try other tools – Malwarebytes, Hitman Pro, SuperAntiSpyware.
      If malware blocks execution of these programs, try fake-registering it.

       
  102. Phil
     

    My computer is up to date with WindowsUpdate and I did not download anything and I did not open any email attachments, and my computer still got infected.

    so my real question is how did they infect my computer?

     
    1. admin
       
       
      Post author

      Phil: Do you have antivirus or internet security? If not, sometimes a single infected website is enough, or an infected machine in the same network as yours.

       
  103. computer grandpa
     

    Hi;
    You can boot up (F8) into Safe mode with command prompt.
    Then you can eat its lunch. Do a dir /A to display the hidden directory.
    Change to the directory: cd programdata.
    Display its contents in date order: dir /O-D .
    Look for a gibberish directory near the top.
    Click on the square at the upper left corner of the
    DOS window and select edit and mark.
    Use the mouse to highlight the gibberish directory name and
    press enter. (This will save you some typing).
    Then type dir and right click the mouse and select paste.
    Then hit enter and enter the gibberish directory. Then
    rename the extensions of the files in this directory, i.e. .xxx
    and .yyy .zzz etc.
    Then reboot and see if this helps.

    Have fun.

    OLDNASADUDE

     
  104. Tony Patlan
     

    (You don’t have to be in safe mode to do what I’m about to tell you.) All you have to do is click to activate MS Removal Tool, and once that loads up, all you have to do is put in one of the keys this guy has in the updated section. Your MS Removal Tool should be activated, the “viruses” will be removed and your computer will go back to normal. After that you don’t have to worry about whether it will pop up again, because it’s already activated, and you can continue to use your old antivirus.

     
  105. Y.W
     

    Malwarebytes’ Anti malware works, all you have to do is to scan and it deletes the Msremoval tool for free.

     
  106. computer grandpa
     

    If you are badly infected it won’t let you click on anything. Everything you
    click tries to extort money from you. Malware bytes won’t run, Spybot won’t run, etc..

    A bad infection requires you to get to the command prompt prior to windows loading. Once windows loads, you are toast.

    Another way to get in is to boot up an Ubuntu version 10 boot disk if you can make one somewhere else. You will have to know unix commands. There are
    more instructions on the Ubuntu website.

    Also, Malware bytes has a feature to make a bootable usb stick for future use.

    Good luck

    Failure is not an option

     
  107. Jonni
     

    CD keys work :) If you’re infected, enter a valid cd-key and just delete the software, thanks :-)

    – J

     
  108. AA
     

    Ok, tried the key above. How do we delete the program? couldn’t find a way to do that.

     
  109. Michael
     

    Hi, I just removed MS Tools and the removal guide that I used said that I had to delete the C:\Windows\System32\Drivers\etc\HOSTS file and replace it. Is this true and is it necessary? Any help would be appreciated.

     
    1. admin
       
       
      Post author

      Michael : it is worth checking HOSTS file for malicious entries.
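
The HOSTS check suggested in the reply above can be done by script rather than by eye. This is an added example, not code from this site or its commenters: it lists every entry that forces a non-local name to an address. The sample file is constructed (documentation-range addresses, placeholder host names), and `audit_hosts` / `audit_hosts_file` are hypothetical helper names.

```python
import ipaddress

# Names that normally appear in a clean HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample: addresses come from documentation ranges and the host
# names are placeholders, not indicators taken from this infection.
SAMPLE_HOSTS = "\n".join([
    "# Sample HOSTS file (constructed)",
    "127.0.0.1       localhost",
    "::1             localhost",
    "203.0.113.10    search.example.com www.search.example.com  # redirect",
    "127.0.0.1       update.av-vendor.example",
    "not-an-ip       broken.example",
])


def audit_hosts(text):
    """Return (line_no, kind, host, address) for every entry worth a look.

    kind is 'redirect' (name forced to a remote address), 'blocked'
    (name forced to loopback or 0.0.0.0) or 'malformed'."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "malformed", fields[0], ""))
            continue
        local_addr = addr.is_loopback or addr.is_unspecified
        for host in fields[1:]:
            name = host.lower().rstrip(".")
            if name in LOCAL_NAMES and addr.is_loopback:
                continue                       # the expected default entry
            kind = "blocked" if local_addr else "redirect"
            findings.append((line_no, kind, name, str(addr)))
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\Drivers\etc\HOSTS"):
    """Audit the HOSTS file at the path quoted in the comment above."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

A "blocked" entry is not automatically malicious, since some ad-blocking lists use the same form; the point is that every listed line needs a reason to be there.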

       
  110. dimitar
     

    I have been able to call task manager before that thing got running.
    Now I am trying to kill it.

    So if you can’t come up with anything better you could try my way:
    hit CTRL-SHIFT-ESC or CTRL-ALT-DEL before it is too late and stop it as it is described above.

     
  111. GQS
     

    You HAVE to be f-ing kidding me! I download Spyware Doctor as instructed, it runs for friggin’ hours, and then after it tells me its found 15 infections I have to either register – WHICH IT WOULDN’T ALLOW ME TO DO – or purchase the software. I was so P!$$ed off that if I could have reached through my computer and strangled whoever wrote this f-ing article I would have.

    I gotta say, I haven’t been this steamed in a long time.

    Ultimately this whole procedure was a waste of time. My brother-in-law fixed this fast and remotely – reverted back to the last known good restore point. Boom – problem gone – and no rip-off software required.

     
    1. admin
       
       
      Post author

      GQS : You can always delete the files SD finds manually. It shows full, correct path of infection.
      Sure, you can use system restore but consider getting a bit better antivirus next time (are you using one? :) )
      System restore does not clean everything, except if made from complete system images.

       
  112. joe blaeser
     

    How do I go about getting my money back, or am I SOL?

     
  113. steve
     

    There have been several ways to fix the MS fake virus. The easiest way (and I can’t believe nobody has figured it out): do not reboot and/or restore. The restore can no longer be done, I believe, because the virus now blocks anything, even Firefox, from running. But all you have to do is find the virus program by right-clicking on it and looking at its properties. Mine was in a long name beginning with a k and a bunch of random crap. Anyway, you can’t delete it yet cuz it is being used. So rename the file to whatever (I renamed it 1), then I renamed the folder it was in. Then I moved the folder to my desktop. Then restart your computer, and when it starts up the virus will not be running because of the name change. Then you delete it. DONE!! I would follow up with the Malwarebytes anti-malware program, which is free. Note you may need to be able to view invisible folders to find the virus itself.

     
  114. steve
     

    Oh, and Joe, you’re SOL, sorry buddy. You can make a claim somewhere, I’m sure, but I’d bet a dollar you’ll never see a penny.

     
  115. Jimmy Marconi
     

    I gave my credit card info. Is that bad?

     
  116. uiyikhk
     

    This nasty appeared on a friend’s PC running XP. Would not let any removal/clean software, task manager or regedit run. It had also disabled AVG. Opened the program folder containing CCleaner, renamed CCleaner.exe to .exe. Double-clicked it and it ran OK. Selected tools and then startup. Found the process and the folder it was located in. Disabled the process then went to the folder, binned it and used CCleaner to permanently delete it. After that, rebooted and ran STOPzilla to scan. PS Don’t forget to re-rename CCleaner!!

     
  117. TM
     

    @cee88

    I’m running windows 7; no safe mode available; I’m not particularly tech savvy. Your advice worked perfectly cee88.

     
  118. Jake
     

    Well, it got so bad for me I had to look this up on my iPod, but I think I did the smart thing. I just went to safe mode with networking and just reset my comp. The good thing was I restored it to the day before, so yeah, try it, people

     
  119. Juliana
     

    This MS Removal Tool has ruined my computer. It won’t allow me to get on any of my icons, just the internet. PLEASE HELP!!!!

     
  120. weeks
     

    MS Removal just won’t allow my husband to get on his computer, nothing. MS Removal is the only thing that shows up. Can you help, please? How do you remove MS Removal?

     
  121. SSS
     

    I
    FREAKIN’
    LOVE
    YOU!!!
    THX THX THX THX THX THX THX :,)

     
  122. Gianni
     

    I got it from Rogue:WinWebSec, and MS Removal Tool is a pain to remove.
    It almost tricked me. All these popups always popped up. I couldn’t go on the
    internet. It said it was infected by a worm. Task manager wouldn’t work.
    It was just horrible

     
  123. Nikolas
     

    @cee88

    many thanks for your help!!

    I tried other things before that, but they didn’t work for me!
    I found this site:
    bleepingcomputer.com/virus-removal/remove-ms-removal-tool

    but neither F8 worked nor did a window pop open after typing “msconfig”.

    I am not at all into computers, and I know very basic stuff, so I just wanted to mention that after clicking on “Documents and Settings” I had a choice of “All Users” and “All Users.Windows”. At the first choice I didn’t find anything, so I went to “All Users.Windows”, and after clicking on “Application Data” I found a “strange” file like cee88 mentions!
    After renaming, don’t forget to delete the files, because if you don’t they are “reborned” after a few minutes!! I forgot and they came again!!! :)
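
The manual hunt described by cee88, Erick and Nikolas (a random-named folder holding a program under the All Users profile) can be turned into a small triage script. This is an added example, not code from this site or its commenters: the randomness test is a heuristic assumption, `find_suspect_folders` and `build_constructed_sample` are hypothetical names, and the folder tree is constructed for the demonstration. It only lists candidates; it deletes nothing.

```python
import os
import tempfile
import time

# File types that run when double-clicked or launched at logon.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat"}


def looks_random(name):
    """Heuristic (an assumption, not a signature): a long name without
    spaces that mixes at least three digits with at least three letters."""
    digits = sum(c.isdigit() for c in name)
    letters = sum(c.isalpha() for c in name)
    return len(name) >= 10 and " " not in name and digits >= 3 and letters >= 3


def find_suspect_folders(roots, max_age_days=7, now=None):
    """Return (folder_path, [executables]) for random-looking folders that
    were modified within max_age_days and hold an executable."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = []
    for root in roots:
        try:
            entries = sorted(os.scandir(root), key=lambda e: e.name)
        except OSError:
            continue  # root missing or unreadable on this machine
        for entry in entries:
            try:
                if not entry.is_dir(follow_symlinks=False):
                    continue
                if not looks_random(entry.name):
                    continue
                if entry.stat().st_mtime < cutoff:
                    continue
                exes = sorted(
                    f.name for f in os.scandir(entry.path)
                    if f.is_file()
                    and os.path.splitext(f.name)[1].lower() in EXECUTABLE_EXTS
                )
            except OSError:
                continue  # locked or access-denied folder: skip, do not crash
            if exes:
                hits.append((entry.path, exes))
    return hits


def build_constructed_sample(base):
    """Create a constructed folder tree that mimics the layout described."""
    layout = {
        "Microsoft": ["readme.txt"],
        "Adobe Reader 9": ["reader.exe"],      # legitimate-looking name
        "MKb31000gfhl31000": ["MKb31000gfhl31000.exe", "MKb31000gfhl31000"],
        "a1b2c3d4e5f6": ["notes.txt"],         # random name, no executable
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in files:
            with open(os.path.join(base, folder, name), "w") as fh:
                fh.write("constructed sample\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, exes in find_suspect_folders([build_constructed_sample(tmp)]):
            print(path, exes)
```

On a real machine, pass every profile root mentioned in the thread in one call (for example both "All Users" and "All Users.Windows" with their "Application Data" subfolders); roots that do not exist are skipped.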

     
  124. Riya
     

    My PC got infected with this virus. I didn’t turn it on for 3-4 days. Then when I switched it on, my PC was working just fine… I mean nothing is appearing: the blue screen, that MS Removal Tool thing… nothing… So is my computer completely safe now?
    I installed an antivirus on my computer, which was not getting installed earlier because of the virus… The difference in opening my PC this time was that I had inserted an empty DVD into it… Does this virus go away this way? Help.

     
    1. admin
       
       
      Post author

      Riya
      No, MS Removal Tool is spread through the network mostly. Scan with decent anti-malware tools (at least 2 programs, like Spyware Doctor and Malwarebytes) to make sure you are clean; update each before the scan. Some types of malware have a time switch to uninstall after a couple of days. Some leave a rootkit though.

       
  125. Sam
     

    I had a huge problem with this. What I did was completely shut down the computer, unplug it and take it to a professional. He fixed it right up.

     
  126. Ameen
     

    Helped me out… used one of the activation keys and later Malwarebytes to remove it. Thanks a lot

     
  127. Stacey
     

    I had this pleasure once. What I did was boot into safe mode and run a nice program to stop the MS Removal Tool process: Kill process. It will kill any undesirable process, and then there will be no trouble downloading and installing the antispyware program. Of course you have to check your browser proxy settings and registry.

     
