ms tools?? LOCK DOWN

notechyet
19-05-2011, 11:20 PM
Hi ALL
I did help my partner on her (school) machine establishing a wiki for a class.
During this a popup came up to update mse, so I did.
Some time later a tool 'ms tools' started running and scanning (supposedly) and then locking down her email client.
Also popups at the bottom mentioning threats.
Has anyone come across this?
A while ago I inserted a Kaspersky Rescue CD to boot from and run a scan as a first self-help.
Any hints would be welcome.
Thanks

Speedy Gonzales
19-05-2011, 11:34 PM
Does it look like this? (http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool)

I would run this first, save it to the desktop (http://download.bleepingcomputer.com/grinler/rkill.exe)

notechyet
19-05-2011, 11:40 PM
Does it look like this? (http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool)

I would run this first, save it to the desktop (http://download.bleepingcomputer.com/grinler/rkill.exe)

Speedy
Thanks, exactly what's in the first link.
Should I just get this file on a usb stick and copy to the desktop and then run?

notechyet
19-05-2011, 11:54 PM
Speedy
I have tried once before to go into safe mode but it seems that it won't let me; it started OK in safe mode, though at the end it switched to normal mode.
Could that be due to the fact that it is a school machine?
I could not run rkill from the desktop, nor could I get the task manager to start up as I wanted to kill the process.

HAL9000
20-05-2011, 12:16 AM
Oh the wonders of schools and their attempts to lock down machines, and they still cannot prevent drive by infections....

I've had this sort of thing on my wife's school issued machine.

To fix it I nuked the local Administrator account password, which then allows me to log in to Safe Mode as the local Administrator and kill the initial part of the infection.

This allows you to login normally as the local Administrator.

Then it's Malwarebytes, SpyBot S&D, HijackThis and any other tools you need to run to get rid of these pesky critters.

Speedy Gonzales
20-05-2011, 12:31 AM
Possible that it's because it's a school PC. Do you look after them or someone else? If there's IT people there, get them to fix it. It doesn't crash when you boot normally, does it?? It just won't run rkill?

notechyet
20-05-2011, 12:45 AM
Possible that it's because it's a school PC. Do you look after them or someone else? If there's IT people there, get them to fix it. It doesn't crash when you boot normally, does it?? It just won't run rkill?

Speedy
I am only helping my partner with work issues and try to stay away from the system.
No, it does not crash, though ero is coming on Monday and she needs to have access to all.
ATM this bloody thing is causing problems.
I might try the nuke version. It is win 7. What is the best workaround for this?

HAL9000
20-05-2011, 12:46 AM
I hear you Speedy, but in the interests of matrimonial harmony SWMBO demanded that I fix this because she had loads of planning to do and could not wait until the following day.

And compared to the monkeys (you know, peanuts and all that) the IT Services Company sends, she'd be waiting a week for them to reimage the machine (their answer for any little problem!).

Heck, they can't even get Roaming Profiles to work properly on the teachers' laptops. At home SWMBO can't even save things on the laptop because, unhooked from the LAN, the machine (and it's most of them, from the questions I get asked) creates a temporary profile which gets deleted when the machine is shut down. Apparently this is an easy fix too.

HAL9000
20-05-2011, 01:04 AM
Speedy
I might try the nuke version. It is win 7. What is the best workaround for this?

Not sure, but my Ultimate BootDisk or Hirens sorts XP and Vista OK.

I'd guess that W7 is supported too at some level.

notechyet
20-05-2011, 01:17 AM
Not sure, but my Ultimate BootDisk or Hirens sorts XP and Vista OK.

I'd guess that W7 is supported too at some level.

Thanks Hal
I'm looking forward to a long night.

dugimodo
20-05-2011, 10:30 AM
You could try renaming rkill to explorer.exe, which is one of the tricks the websites use to get Malwarebytes to install and run.

Seems likely the mse update you clicked was a fake one in a browser page rather than an actual update.

This thing is really doing the rounds; I've removed it for two of my friends so far and seen multiple threads here on it.

notechyet
20-05-2011, 03:11 PM
You could try renaming rkill to explorer.exe, which is one of the tricks the websites use to get Malwarebytes to install and run.
....

First time I got caught out. I just clicked while talking, bummer.
Hmmm.. I tried to execute rkill without success. Tried to start up in safe mode which, for whatever reason, switched over to standard login as soon as I typed in the passwords.
Tried with a Kaspersky Live CD without success as it stalled.
At some stage the whole OS played up and needed to be restored by the school's IT staff.
Long story short, a good lesson!

mikebartnz
20-05-2011, 08:25 PM
Oh the wonders of schools and their attempts to lock down machines, and they still cannot prevent drive by infections..
Clicking on a link is not exactly a drive-by infection.