I don't really "use" Windows Malicious Software per se, but I've always downloaded the "Removal Tool" as part of my Windows Updates each month. Is WMS a separate program? And what is this tool?

I thought this thing was something you download and it runs once (supposedly), though I've never noticed anything running when I've downloaded this update in the past.

Would there be a WMS program on my computer? Or is this update an .exe in of itself that just runs once like it says? I guess I'm not really clear as to what this is and what it does (though I've always downloaded it).

Does everyone usually download this update each month? Any reason not too?

I see that it's like 7.7 Megs this time, which seems pretty darn big...

(However, when I go to the link for more info on it, it says it's 6.6 Megs... why is that?)

Thanks for the help!

Malicious Software Removal Tool

Hmmm, very interesting! I've never even looked at this, just have downloaded it and hoped that it was doing it's job. You can download the tool and run it - so I'd suggest a search of your hard drive for it.

I can't locate anything on whether it scans on install or not - but running the tool on your own shows a simple dialog when scanning.

You can check to see if it runs by looking for the logfile here:

AHA! Success! from this link: http://www.microsoft.com/downloads/details...;displaylang=en

Ah... Thanks for the links and posts. I found my log, and it looks like it's been run once a month (I assume after I download the newest version with my Windows Updates). I did not find the .exe, so it looks like it does indeed run once, append to the log, and then delete itself.

So is there any reason NOT to download this each month as part of my Windows Critical Updates?

Has anyone ever had any issues with it?

I'm thinking I should just continue to do so, since I guess it's "working" and it hasn't caused me any issues (yet)...

Any final thoughts?

Thanks!

UPDATE:

So I went ahead and downloaded it... interesting note, the download was only 1.1 Megs... Not sure why it's listed as 7.7 Megs, unless you actually do keep part of the program on your computer, and the download is the "update". But it says that the files are deleted once it runs, so I'm not sure of the size difference...

It did append the log, but for the first time, I got some kind of error:

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 17 08:30:58 2007
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2056 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 17 08:31:38 2007


Any thoughts on this...? I tried looking up the errors, but could only find that they're "internal errors". But I might not be looking in the right place or looking up the right thing... Anything to be concerned about?

Thanks!

This topic is security related so I have moved it to a more appropriate forum.

You can also manually download MRT each month and keep it on your pc to perform scans until the newest version is released. The tool has three scan options:
1. Quick scan: Scans areas of the system most likely to contain malicious software.
2. Full scan: Scans the entire system but can take up to several hours to complete.
3. Customized scan: In addition to a quick scan, the tool will also scan the contents of a user-specified folder.

When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

You receive an error when you run the Microsoft Windows Malicious Software Removal Tool

Error 0x0000054F - 1359 seems to be related to an internal error per System Error Codes

To determine which processes are pid:1248, pid:2056 and pid:1248, you can download and use Process Explorer to investigate all running processes and gather additional information to identify and resolve problems.

Thanks for the post! I actually saw all that info when trying to investigate what happened. So I was hoping that someone here might know the answer, as I really don't want to download yet another program to run... which will probably lead to some other error and/or conflict with something else, etc. etc.

Is there really any reason to be concerned with this at all or to even consider using this Process Explorer program? I saw another post by someone via google that has the same thing happen, but their pid #'s were different. I am suspecting that this is a glitch or something with the newest MRT tool download, perhaps having something to do with another update/fix or something (but that's just a total guess).

But I suspect that if everyone else checks their log for this time who has XP SP2, my guess is that they'll have the same or similar "errors". Thoughts?

Thanks!

I run MSRT every month and have never received such a message so it does not appear to be something isoloated to the tool itself. Do you get the error if you run MSRT in "SAFE MODE"?

MSRT is not finding any malware so I would not be too concerned. Still, if it were me, I'd be curious to know what processes were involved in the error. So as for Process Explorer, I highly recommend it as an excellent investigative tool which comes in handy for helping to id suspicious processes and resolving other issues.

Bloomcounty, interesting work
As Quietman7 said, ProcessExplorer is a tool, small, safe and sound. Run it, make the windows small, and do whatever you normally do on a computer. Lotsa information there!
As far as different pid# - Process IDs, the stuff you see in task manager, are assigned dynamically. So every day or every minute it'll be different. That's why ProcessExplorer is so cool - it will identify the exact process name related to whatever is running once you get the hang of it how to use it.

BTW, ProcessExplorer and similar utilities from Sysinternals have been absorbed by Microsoft. Totally legitimate. Top of the line. You can't do better.

I'm out of town right, now but I have a couple more questions about what you all posted... I'll be back to post in a couple days...

Thanks for the posts!

Your welcome.

quietman7:

I'm back now...

Okay, so I downloaded the program from here:

http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

It says it's version 10.21 and lists a bunch of updates for Vista in the newest version for Vista. But this is for XP as well, right?

Some more questions:

1. So is this like an "expanded" version of Task Manager? Does it sort of "replace" Task Manager when you have it running? (Meaning, you wouldn't open TM also at the same time for any reason...?)

2. When you run the .exe, is it installing anything on your computer? Or is it a standalone program that doesn't actually install?

2a. Where do I run the .exe from? The desktop or in a certain folder?

3. Do I leave it running all the time? Or just when I'm trying to figure stuff out? Does it use a lot of your memory, etc.?

4. Can it possibly conflict with anything else on my computer by running it?

Concerning MSRT

I didn't actually run MSRT myself, it ran on its own (I guess) as part of my monthly critical Windows Update download/installation. No message popped up, the errors were just listed in the log when I opened it after it ran as part of Windows Update. So I did not run anything in "safe mode" (and actually have never done so) because it was part of the download and ran on its own.

5. So once I have the program, will I need to run MSRT again to see what codes come up as errors in the log (since the error codes change each time as tos226 mentioned, right?)?

5a. If so, what is the best way to do this? And where should I download or run it from?

6. Does the program, if manually downloaded, install anything when you run the .exe, or is it standalone without installing anything?

7. Once I have the Process Explorer program and MSRT, what exactly do I need to do, step by step, including how to run MSRT and in what manner, etc.?

7a. And do I need to do the scan in safe mode? If so, please make sure to include that in the steps I should follow.

8. If I am downloading MSRT, where do I download it to and run it from on my computer?

Note that although the instructions for booting into Safe Mode say, "When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows." -- I don't think this really happens for me when I boot my computer (it did on my old Win98 computer, but not on my new XP laptop). So should I just keep tapping F8 as soon as my computer starts to reboot until it (hopefully) goes into safe mode?

9. A semi-related question: Should I also run my AVG free anti-virus scan, Spybot, and Ad-Aware scans in "safe mode"? If so, can I do so all during the same "safe mode session" or do I need to reboot before each scan, etc.?

Looking forward to hearing back -- thanks!

Yes. Process Explorer works on Windows 9x/Me, NT 4.0, 2000, XP, 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista.

Although it has TM features, its more of a supplement to TM that provides more detailed information which can assist in your investigation of a process.

Its a zip file that you extract to its own folder and use as a stand-alone app.

Just create a new folder on your C: drive and name it ProcessExplorerNt, then unzip into that folder. Upon it afterwards and double-click on procexp.exe to run.

Exit when done with your investigative work. While running it uses very little resources.

Nothing that I am aware of.

Yes. The point is to keep the problem processes identified so you need to know which pid is related to the error.

Manually download from here
click on the link "Skip the details and download the tool". You can save it to and run it from your desktop.

It's stand-alone. When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

"How to use the Malicious Software Removal Tool"

Open your log when done.
Note the pids related to any errors.
Launch Process Explorer and match the pids with the process list.

You don't need to but it will not hurt to do so and you should learn how to do that anyway. Detailed instructions can be found in "How to start Windows in Safe Mode".

Again, its not necessary but running scans in safe mode is more effective especially for heavily infected systems. The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert itself and hide in these protected areas when the files are being used. Using Safe Mode reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files. Using your anti-virus and anti-malware tools in Safe Mode also speeds up the scanning process.

Thanks for the replies! I'm downloading the program now... but I was wondering why do you have to agree to an EULA if the program doesn't install? Does that just say that you can't copy the program, etc.? Do you have to agree to that each time you run the program? Just curious... (Mostly because of that whole WGA thing where it tried to get me to agree to a bunch of stuff I didn't want to...)

Also, one thing you didn't comment on:



So is that what I should do?

Thanks again! I'll be sure to post my results (and ask questions about them) once I hear back and then run the program, etc.

Yes.

What does the End-User License Agreement (EULA) say?
A User's Guide to EULAs

Okay, here's the results, some comments, and some questions:

->Scan ERROR: resource process://pid:1244 (code 0x0000054F (1359))
vsmon.exe

->Scan ERROR: resource process://pid:2060 (code 0x0000054F (1359))
zlclient.exe

->Scan ERROR: resource process://pid:1244 (code 0x0000054F (1359))
vsmon.exe

1. In bold shows what Process Explorer says each thing is. So it's a ZoneAlarm thing. My guess is that you don't use ZA free? And maybe something changed with the newest MSRT that causes ZA to make these errors?

2. I saw when I did a search of my hard drive that MRT.exe is in System 32 folder -- Last revised May 11, but accessed today, I think when I ran the MSRT tool you had me download to my desktop (Windows-KB890830-V1.29.exe). Why is there an MRT.exe in my System32 folder already? Is that just from when the tool was originally downloaded as part of Windows Update and then this is also what is "updated" each month when you download the MSRT update as part of the critical Windows Updates?

3. Re: EULA -- I did not have one for the MSRT program, but there was one you had to agree to for the Process Explorer program. But when you open the PE program again after closing it, the EULA does not come up. If PE is a stand-alone program that doesn't install, then how does it know you've already agreed to the EULA the first time you ran the program? Where is that stored? On your computer somewhere?

4. I posted another topic asking about process that seem to show as using System Resources right when I open Task Manager, but then the CPU % goes back to zero a split second later. Can you take a look at my thread here?

http://www.bleepingcomputer.com/forums/topic93356.html

Someone posted that I can "use Process Explorer to see what's going on beneath the processes (but it'll be a trick since it's so brief)" -- but I'm uncertain how to do this and what I'd be looking for. Any thoughts/suggestions?

Thanks!

That's correct. You may have to speak to the ZA folks about the error so they can investigate.

When you run the tool a copy (most current version) is placed in your system32 folder. The other folder it creates is only temp and is removed after the tool has finished running. Its all normal.

It doesn't know. A copy of the EULA will be placed in the same folder as PE after extracting the files. Its up to you to read it. Most people are too lazy to do so.

Thanks. I guess that's solved, sort of... I'll post over there and see what they have to say...

This doesn't work for me, I don't think... Note that I have two logons on my computer, so it goes to the logon screen where you pick which account you want to logon. However, there is something the screen says at the botton right when the computer starts to boot up, maybe F10 or something or other? It's so fast, I can't read it...

Thoughts? Thanks!

Then check the owners manual that came with your pc or with the manufacturer. F8 is the standard key in most cases but its possible the manufacturer provided different directions. Sometimes when you boot up the manufacturer will actually tell you on the screen what to press.

Okay, F8 worked... wasn't pressing it soon enough...

So I did an Ad-Aware and SpyBot scan in safe mode -- no issues. I did most of an AVG Free scan, but it was taking SO LONG that I had to stop it because I needed to do stuff on my computer. It was taking about four times as long as running the scan normally. Is this normal and just a result of scanning in safe mode, or is something up?

Looking forward to hearing back -- thanks!

How long was the scan going before you stopped it? A comprehensive scan of your system can take hours. It also depends on the size of your hard drive and number of files. I use NOD32 and it can take hours so I let it run overnight.

Scan in Safe Mode done today:

5/25/2007 12:43:25 PM (total: 1:33:41.10 hrs)
Objects Scanned: 43183

Note: The cursor moves slow and stuttery while in Safe Mode

So I stopped it after 1 hour and 33 minutes

Scan done in normal mode yesterday:

5/24/2007 8:11:27 AM (total: 32:49.3 Min)
Objects Scanned: 52970

This was a complete scan. As you can see my Safe Mode scan had taken 3x the amount of time and still had about 10,000 to go...

So does this go a lot slower in Safe Mode normally?

Scanning is normally faster in safe mode. As long as the scan is not freezing or hanging up on a specific file, I would not be too concerned. Just let it continue until complete the next time you start.

If that's the case, then why would it be so extremely slow for me in Safe Mode?

I'm running a scan in normal mode again now, just for comparisons sake...

Bloomcounty...
Did you ever 'straigten out' the problem with the KB890830 showing the Scan errors?
I ran the KB890830 last night and even though "No Exceptions Found," I did notice a "scan error:resource process://PID 3436 (code0x0000054F1359."
Many of my friends are stating the same thing - they are seeing the 'scan errors,' and wonder what is happening. Could it be that the KB890830 is picking up things that it should not be picking up?
I wonder what I should do about the 'scan error' I received? I looked in my "pro express" and didn't see a 3436. I was told the '1359' referred to:
ERROR_INTERNAL_ERROR
1359 An internal error occurred.

Any information you can share. I am quite concerned about this because this is a fairly new laptop (WinXPsp2; AdAware; Norton Security; IE6), and wonder if this 'scan error' is really serious (as I am sure others are wondering also).

Thanks,
Alice

Haven't. The first errors said it was ZA related stuff, never got around to posting about it on the ZA board. I didn't check last month to see if anything popped up again. Where's the log located again? Tell me and I'll check and post what it said last month...

Got the same/similar errors this month. I'm assuming it's because of ZA like before. I'm off to post over there about it...

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007
Started On Tue Jul 17 11:20:28 2007
->Scan ERROR: resource process://pid:1240 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2092 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1240 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul 17 11:21:05 2007

I am not using ZA or AVG on this laptop. I am using NIS 2005 and AdAware.
Te message Igot this time was:
>can error:resource process://PID 3436 (code0x0000054F 1359)


I didn't see PID 3436 in Process Explorer.

Don't know... It's the same error I get, but I get three of them. I didn't check this month to see if the PID's matched ZA again though... I'd rather not download the whole tool to scan again to check though. I can verify next month if it shows as ZA for me...

Any thoughts from any experts around here on this...?

http://msdn2.microsoft.com/en-us/library/ms681385.aspx

Seems like it's just an "internal error" or whatever... You probably have some other program that's causing it. To find out, download and run the MSRT from the link provided in this thread, then open ProcessExplorer, then open your MSRT log and match up the PID numbers and that will tell you. It sounds like you did this already, but couldn't find them, but I'd try again. If they're still not there, I'd start a new thread and ask specifically about that...?

bloomcounty...
I downloaded the KB 890830 tonight and even though the log did not show any infections, it did report the following:
"Microsoft Windows Malicious Software Removal Tool v1.33, September 2007
Started On Tue Sep 11 20:38:48 2007
->Scan ERROR: resource process://pid:2672 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:2672 (code 0x0000054F (1359))

(no 2672 found on Process Explorer!!!

Results Summary:
----------------
No infection found."

I notice you had similar results in one of your KB890830 downloads. I looked in Process Explorer but did not see any PID 2672. We are senior citizens and hope this does not mean that there is something seriously wrong with our laptop. We really couldn't afford to buy another one.
Can you offer any explanations for these two "Scan ERRORS?" I notice a lot of other people are reporting similar "Scan Errors" also.
Thank you.
Alice

WinXPsp2 / IE 6 / NAV2005 / AdAware (No Iomega)

"You receive an error when you run the Microsoft Windows Malicious Software Removal Tool".

I did not see your specific error code but the MS Article does offer some explanations for why these errors occur.

I'm at a loss here... My thought is to not worry about it -- especially since it says no infection found. There always seems to be something that doesn't jive with Microsoft... My computer causes me WAY too much worry, so I'm deciding to try to stop worrying about at least a few of the many issues I seem to have with my computer(s)... Did I mention I hate computers?

You said here that the errors were ZoneAlarm related (as I said mine were, according to the PIDs). Then you said that on your son's machine they were NAV related. So it sounds to me that MSRT is just having some weird issues with 3rd party firewalls or a/v -- especially since everyone who is getting these errors started getting them all at the same time (about 3 months ago now, I think?) and didn't have them prior. Sounds like a change in MSRT.

And this may be an explanation, of sorts.

Also, it seems to be happening with Comodo as well. So ZA, Comodo, and Norton. I don't think we have anything to worry about if all these are having the same issue...

Thoughts, quietman7?

I would not worry too much about it either.

However, you may want to ask about the error with Microsoft TechNet Support or Microsoft Support and see what they have to say.

AliceZ, can you post here what you find out after doing this? Thanks!

The posts relating to "ZA" were Error Scans we had on our quite old laptop. Our son gave us his 'old' laptop (which was newer than ours) and that is the one I am talking about now.
This laptop just has WinXPsp2; NIS 2005 and AdAware. (I always looked at the KB890830 log in the past [several months ago] and never saw these "Scan Errors.)

I sent email to MS Tech Support, but don't know if I sent to right place or if I will ever receive an answer.

The kind people here who continuously help me with my computer issues will probably find it funny that *I'm* saying this, but I think you shouldn't worry about it. Like I said, since so many people are having similar issues with similar error messages having to do with similar programs, and all at the same time, it would be REALLY weird that every one of us was infected or malware-ified by the same thing at the same time. (Of course, I suppose it's possible, since when a new virus or whatever pops up, many people get infected at the same time -- but I find it hard to believe that no one's A/V or A/S would catch anything...)

I'm certainly no expert, but that's my opinion...

Here is the email answer I received. Supposedly "scan errors" are NOTHING TO WORRY ABOUT. Wonder if these MS email answers are coming from outside the USA?
===================
Dear Alice, Thank you for contacting Microsoft Windows Update Support. My name is Susan and I am glad to work with you. You can contact me directly by sending an email to v-30suy@mssupport.microsoft.com with the case ID SRX1044110919 in the subject line.
First, I would like to apologize for your support request being unexpectedly delayed during our internal transfer process. Please be assured you have successfully contacted the correct support team and I will be working with you to address your concerns as quickly as possible.
From the problem description, I understand that after Microsoft Windows Malicious Software Removal Tool has been downloaded and running, two scan errors were received. If there has been any misunderstanding, please let me know.
I understand the inconvenience you have experienced. Please be assured that I will do my best to help you.
Alice, I would like to explain that Scan error means it could not perform something it wanted to do and we could ignore the message. The important part for it is that No infection found. Therefore, we do not need to worry about it and the computer was running with no problem.
If you would like to learn more about Microsoft Windows Malicious Software Removal Tool, please refer to the following link.
The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/890830
Please let me know the results at your earliest convenience. If you have any other questions, please do not hesitate to let me know. I am standing by for your response.
Best Regards, Susan Yuan v-30suy@mssupport.microsoft.com Microsoft Windows Update Support Professional
Happy customers are my top priority. Please let either myself or my manager know what you think of the level of service provided. You can send feedback directly to my manager, Tony Tang at v-30tont@mssupport.microsoft.com
===================

Well at least they responded but it sounds like a generic response. I don't think Susan actually knows what is causing the scan errors but since MS is probably getting lots or complaints, they put together a standard reply.

Since these errors don't seem to be anything to be concerned about at this time, I too would just ignore them.

Just a quick update... I got a new one this time around:

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007
Started On Sun Sep 23 08:21:27 2007
->Scan ERROR: resource process://pid:1244 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1244 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:992 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:992 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1244 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1244 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sun Sep 23 08:22:10 2007

Not sure what program that has to do with... But, I'm guessing it's no big deal like the other ZA related errors.

Just ran this month's tool. Same errors as last month. I checked the PID #'s. They are all related to ZA. Four of them are for True Vector Service and two are for Zone Alarm Client.

If M$ is incapable of scanning drivers and live and open files, just shut down ZA when you do M$ updates when they include that malware scan thing. Updates will run faster that way anyway. You can disconnect from the internet for the duration of all those bug fix installs they push.
Don't forget, TrueVector is deeply imbedded in the OS, which is why it can protect you pretty well. And ZA won't let it be touched.
Just my opinion. Give it a try if it bugs you so much.

That all makes sense. And it really doesn't bug me. I just posted that to try to alleviate the worries of that other poster who was having similar issues and was worried about it.

Thanks!

Just thought that the topic "Windows Malicious Software Removal Tool Update" might be of interest to many, especially since it is updated monthly (I just got the update on 25 computers I maintain) so I thought I'd post in the thread.

This Microsoft article - The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000 (previously mentioned above), may be of interest to some.

I must admit that I'm not sure how useful or effective this "tool" is. The price is right though.