MS Removal Tool (Malware) – Registry removal method.

A number of weeks ago I created an article of how to remove the MS Removal Tool using a combination of safe mode and MalwareBytes anti malware program. Since then I have had a couple of requests asking for the registry entry removal method. Firstly a word of warning, editing the registry of your computer can have some disastrous effects so please follow the guide carefully and if in doubt please get in touch.

Step 1

Enter ‘Safe mode’ and log onto the infected account, sometimes you will find that it you have multiple users on the PC not all user accounts are affected. We now need to open the registry editor which is built into Windows. To try and keep this as simple as possible I will show the methods for Windows XP and Windows 7. Locating the program in Windows 7 is simple, click start and in the search box type in regedit, under the programs list it should appear. For Windows XP you need to click start and locate the RUN command, when the run box opens type in regedit and press return (as shown in the picture).

Windows 7 search results for regedit

Windows Run Command

Once you have got to either of these stages either click the regedit icon (Win 7 / Vista) or click OK on the RUN command box, this will open your registry editor (regedit). It is easy to get lost in all the entries in the registry so please double check you are at the right location before deleting anything. The registry is where most of your programs settings
are stored and entails things like program location and CD keys.

Step 2

Once the registry editor is open you will notice it will have the computer icon at the top and 5 expandable folders – if you browse through these it may seem daunting but the registry entries we are looking for are fairly easy to find. Most guides only accommodate for looking at the PC overall, if you have multiple users on the PC and only certain accounts are affected follow this guide for each account.

Registry Folders - Click to expand

The folder we are initially concerned with is HKEY_CURRENT_USER. To open the folders just double click them and all the entries in each sub folder are in alphabetical order. We need to navigate through the following directories. Starting off at HKEY_CURRENT_USER using the double click method open SOFTWARE, MICROSOFT, WINDOWS, CURRENTVERSION, and select the RUNONCE folder. In the image shown it shows the keys attributed to my PC, what you are looking for is something like “[five random letters] [five random numbers]” “%systemdrivepath%\ .exe”. Take a note of the drive location then highlight the entry and right click and select delete.

Run Once folder - click to expand

Next close all the folders you have opened so you have only the 5 folders showing, using the same method of searching through the folders check there is no directory under HKEY_LOCAL_MACHINE, SOFTWARE called FAKE MS REMOVAL TOOL if there is right click the folder and select delete.


Step 3


Finally if you remember where the file location was from step 2 – search your hard drive to locate the file name and delete it. Reboot the PC and see if MS Removal tool is still running. If not you have managed to stop the program starting up but I would advise doing a malware scan again and possibly a full virus scan just to be safe.


Whilst this guide is aimed at removing the start-up of the MS removal tool it may not cure every users problems, there is one final method that can be tried but it is undertaken via remote assistance. If you are unsure about any part of the guide please get in touch and I will try to help remove this annoying program. To contact me either use the contact page or leave a comment.
Related Posts Plugin for WordPress, Blogger...
Both comments and pings are currently closed.

Comments are closed.

Get Adobe Flash player