MS Recovery Tool

By | April 10, 2011 | 0 Comment

MS Recovery Tool is a computer Trojan that came from the same family as MS Removal Tool. This type of threat is in the group of rogue anti-virus program because it will promote itself as a real security product, in fact, it is a program that displays fake alerts and warning messages to deceive its victims. Additionally, MS Recovery Tool will run a virus scan once it is installed on the target computer. It has the capability to modify system settings and add an entry to Windows registry that will make itself to load on start-up. Dropped files are hardly detectable because it will contain random characters and are usually placed on random folders.

Usually, MS Recovery Tool spreads through Trojan infection. The Trojan will act as a browser hijacker that will point victim’s Internet search to malicious web sites. These sites will run an online scan on visitor’s computer and declare that the system is infected. A prompt to remove threats will appear and when executed, MS Recovery Tool will be downloaded into the computer and execute itself. Once inside the computer, continuous pop-up alerts are displayed. Some of these messages are:

MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool.

MS Removal Tool Warning
Your PC is infected with dangerous viruses. Activate antivirus protection to prevent data loss and avoid the theft of your credit card details.
Click here to activate protection.

Since this rogue program will provide nothing but annoyances on victim’s computer, it is advice to remove MS Recovery Tool with the help of real anti-malware programs. A scan by legitimate anti-virus application can also help remove system files created by this malicious application.

Type Rogue
Sub-Type FakeAV
OS Affected Windows XP, Windows Vista

What are the Symptoms of MS Recovery Tool Infection?


It will modify Windows Registry and add the following entries:
KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “(random)”

The threat will drop the following malicious files:
c:\Documents and Settings\All Users\Application Data\(random)\
c:\Documents and Settings\All Users\Application Data\(random)\(random)
c:\Documents and Settings\All Users\Application Data\(random)\(random).exe

Leave a Reply

Your email address will not be published. Required fields are marked *