Antivirus 2008 or was it 2009 or was it…? a Malware Removal Tool Discussion

Last month’s Microsoft Malicious Software Tool cleans this threat (Win32/FakeSecSen – Microsoft naming):

…and Microsoft has had a great amount of success as reported by the tool:

From Sandi @ Spyware Sucks this business perspective breakdown in $

Fraudware detected on 994,061 computers

As reported by Microsoft:

The figures relate to what Microsoft has labeled “Win32/FakeSecSen”.  That figure does not (I think) encompass all of the fraudware (fake security software) products that are out there.

Just imagine, if you will, if just 1% of the owners of those detected machines were fooled into buying the fraudware software at $40 a pop – that’s $397,624.40 in illicit income garnered by the crooks.  When we take into account the fact that billing services such as the (now defunct?) Bucksbill were regularly accused of double-charging victim’s credit cards, then we’re looking at an illicit income of $795,248.80.

Scary, isn’t it.  Is it any wonder the crooks behind malvertizing are so persistent?

Published Friday, November 21, 2008 9:53 AM by sandi

Here’s a word on the tool from Microsoft’s Steve Riley including some information I found uniquely valuable:

Steve Riley [MSFT]


From: “Steve Riley [MSFT]” <>

Date: Mon, 1 Dec 2008 14:15:34 -0800

Local: Mon, Dec 1 2008 5:15 pm

Subject: Re: Alerting – Malicious software removal tool (MSRT)

When the MSRT runs, if it finds what it looks for, it removes it and reports that removal to Microsoft. If it finds nothing, it exits. Neither I nor the
tool nor the SIR make any claims that the MSRT completely cleans a machine. As others have pointed out, it is one element of an effective arsenal of
tools to help improve security.

Here’s something interesting, which might even surprise you: this month (November 2008) the single most prevalent piece of malware the tool detects
is Win32/FakeSecScan (rogues that mimic the Security Center). As of 13 November, we’ve tracked 811,000 removals. This includes some FakeSecScan
threats that were no longer active when detected — meaning that they were incompletely cleaned manually or by other AV products, and the MSRT
successfully cleaned out the remaining bits.

I have a proposal for you — actually, for everyone reading this thread. The MSRT creates a log file in %WINDIR%Debug. KB 890830 describes its output.
If you ever encounter an instance of where the tool fails to properly clean a machine, the Microsoft Malware Protection Center is ready to help. Go to, click on “Submit a Sample,” and please send us your MRT.LOG file and a sample of the malware, if you can.
We’d love to work with everyone to make sure the tool is as effective as possible.

Steve Riley
Protect Your Windows Network:

You may not be aware, but you can run that Microsoft tool manually.  ‘Run-> MRT’  It of course runs in the background quietly after you download it’s latest version via MU or WSUS each Patch Tuesday.  To learn more on running this manually and an in depth guide on the tool look here:


Another tool I heard recommended that I’d never heard of before (much like it was with the ever successful against this threat – Malwarebytes) is SuperAntiSpyware:

Here’s some very interesting background on the bad guys behind this threat from security super-friend (think Hall-of-Justice) Jesper:

If you want to be knowledgeable and prepared for this ever adapting malware threat, read the above and follow the references on how this elaborate shakedown scam got hacked.  It is very impressive to see how they have been so successful at their nefarious deeds due to capitalism in the black market.  Basically they have implemented a franchise business model of sorts founded on social engineering piggy-back attacks.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s