Question About Windows Malicious Software Removal Tool Update: What is this exactly and how does it work?
bloomcounty
post May 16 2007, 09:24 PM
Post #1


Distinguished Member
*****

Group: Members
Posts: 634
Joined: 11-February 07
Member No.: 111,188



I don't really "use" Windows Malicious Software per se, but I've always downloaded the "Removal Tool" as part of my Windows Updates each month. Is WMS a separate program? And what is this tool?

I thought this thing was something you download and it runs once (supposedly), though I've never noticed anything running when I've downloaded this update in the past.

Would there be a WMS program on my computer? Or is this update an .exe in and of itself that just runs once like it says? I guess I'm not really clear as to what this is and what it does (though I've always downloaded it).

Does everyone usually download this update each month? Any reason not to?

I see that it's like 7.7 Megs this time, which seems pretty darn big...

(However, when I go to the link for more info on it, it says it's 6.6 Megs... why is that?)

Thanks for the help!


--------------------
My stats: Windows XP Home SP2; Firefox 2.0.0.16; IE 6.5 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 7.5 A/V Free - AVG 7.5 Antispyware Free - AVG Anti-Rootkit Free (all soon to be replaced with AVG 8.0 Free); SuperAntispyware Free 4.15.1000; Spybot 1.4 (Immunised from a few months ago, but no longer doing updates - soon to be uninstalled); AdAware SE Free 1.06r1 (haven't downloaded definitions in awhile though)
Budapest
post May 17 2007, 01:46 AM
Post #2


Bleepin' Cynic
******

Group: BC Advisor
Posts: 4,213
Joined: 11-November 06
Member No.: 94,959



Malicious Software Removal Tool


--------------------
Stupidity has a knack of getting its way.

—Albert Camus
usasma
post May 17 2007, 07:13 AM
Post #3


Visually handicapped, hence the avatar :0)
******

Group: Moderator
Posts: 13,431
Joined: 2-October 05
From: Southeastern CT, USA
Member No.: 35,824



Hmmm, very interesting! I've never even looked at this, just have downloaded it and hoped that it was doing its job. You can download the tool and run it - so I'd suggest a search of your hard drive for it.

I can't locate anything on whether it scans on install or not - but running the tool on your own shows a simple dialog when scanning.

You can check to see if it runs by looking for the logfile here:
QUOTE
The tool creates a log file named mrt.log in the %WINDIR%\debug folder.


AHA! Success!
QUOTE
To have the newest versions automatically delivered and installed as soon as they are released, set the Automatic Updates feature to Automatic. The version of this tool delivered by Windows Update runs on your computer once a month, in the background. If an infection is found, the tool will display a status report the next time you start your computer. If you would like to run this tool more than once a month, run the version that is available from this Web page or use the version on the Malicious Software Removal Tool Web site.
from this link: http://www.microsoft.com/downloads/details...;displaylang=en

This post has been edited by usasma: May 17 2007, 07:14 AM


--------------------
- John
**If you need a more detailed explanation, please ask for it. I have the Knack. **
bloomcounty
post May 17 2007, 09:06 AM
Post #4


Distinguished Member
*****

Group: Members
Posts: 634
Joined: 11-February 07
Member No.: 111,188



Ah... Thanks for the links and posts. I found my log, and it looks like it's been run once a month (I assume after I download the newest version with my Windows Updates). I did not find the .exe, so it looks like it does indeed run once, append to the log, and then delete itself.

So is there any reason NOT to download this each month as part of my Windows Critical Updates?

Has anyone ever had any issues with it?

I'm thinking I should just continue to do so, since I guess it's "working" and it hasn't caused me any issues (yet)...

Any final thoughts?

Thanks!


bloomcounty
post May 17 2007, 10:41 AM
Post #5





UPDATE:

So I went ahead and downloaded it... interesting note, the download was only 1.1 Megs... Not sure why it's listed as 7.7 Megs, unless you actually do keep part of the program on your computer, and the download is the "update". But it says that the files are deleted once it runs, so I'm not sure of the size difference...

It did append the log, but for the first time, I got some kind of error:

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 17 08:30:58 2007
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2056 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 17 08:31:38 2007



Any thoughts on this...? I tried looking up the errors, but could only find that they're "internal errors". But I might not be looking in the right place or looking up the right thing... Anything to be concerned about?

Thanks!

This post has been edited by bloomcounty: May 17 2007, 10:52 AM


quietman7
post May 17 2007, 11:06 AM
Post #6


Bleepin' Janitor
******

Group: Global Moderator
Posts: 12,550
Joined: 9-July 05
From: Virginia, USA
Member No.: 26,513



This topic is security related so I have moved it to a more appropriate forum.

You can also manually download MRT each month and keep it on your pc to perform scans until the newest version is released. The tool has three scan options:
1. Quick scan: Scans areas of the system most likely to contain malicious software.
2. Full scan: Scans the entire system but can take up to several hours to complete.
3. Customized scan: In addition to a quick scan, the tool will also scan the contents of a user-specified folder.

When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

You receive an error when you run the Microsoft Windows Malicious Software Removal Tool

Error 0x0000054F - 1359 seems to be related to an internal error per System Error Codes

To determine which processes are pid:1248, pid:2056 and pid:1248, you can download and use Process Explorer to investigate all running processes and gather additional information to identify and resolve problems.


--------------------
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security 2007-2008
bloomcounty
post May 17 2007, 03:11 PM
Post #7





QUOTE(quietman7 @ May 17 2007, 09:06 AM) *
Error 0x0000054F - 1359 seems to be related to an internal error per System Error Codes

To determine which processes are pid:1248, pid:2056 and pid:1248, you can download and use Process Explorer to investigate all running processes and gather additional information to identify and resolve problems.


Thanks for the post! I actually saw all that info when trying to investigate what happened. So I was hoping that someone here might know the answer, as I really don't want to download yet another program to run... which will probably lead to some other error and/or conflict with something else, etc. etc.

Is there really any reason to be concerned with this at all or to even consider using this Process Explorer program? I saw another post by someone via google that has the same thing happen, but their pid #'s were different. I am suspecting that this is a glitch or something with the newest MRT tool download, perhaps having something to do with another update/fix or something (but that's just a total guess).

But I suspect that if everyone else checks their log for this time who has XP SP2, my guess is that they'll have the same or similar "errors". Thoughts?

Thanks!


quietman7
post May 17 2007, 09:53 PM
Post #8





I run MSRT every month and have never received such a message so it does not appear to be something isolated to the tool itself. Do you get the error if you run MSRT in "SAFE MODE"?

MSRT is not finding any malware so I would not be too concerned. Still, if it were me, I'd be curious to know what processes were involved in the error. So as for Process Explorer, I highly recommend it as an excellent investigative tool which comes in handy for helping to id suspicious processes and resolving other issues.


tos226
post May 18 2007, 08:32 AM
Post #9


Distinguished Member
*****

Group: Members
Posts: 949
Joined: 21-October 04
Member No.: 3,911



QUOTE(bloomcounty @ May 17 2007, 04:11 PM) *
... consider using this Process Explorer program? I saw another post by someone via google that has the same thing happen, but their pid #'s were different.

Bloomcounty, interesting work
As Quietman7 said, ProcessExplorer is a tool, small, safe and sound. Run it, make the windows small, and do whatever you normally do on a computer. Lotsa information there!
As far as different pid# - Process IDs, the stuff you see in task manager, are assigned dynamically. So every day or every minute it'll be different. That's why ProcessExplorer is so cool - it will identify the exact process name related to whatever is running once you get the hang of it how to use it.

BTW, ProcessExplorer and similar utilities from Sysinternals have been absorbed by Microsoft. Totally legitimate. Top of the line. You can't do better.

This post has been edited by tos226: May 18 2007, 08:35 AM
bloomcounty
post May 21 2007, 09:57 AM
Post #10





I'm out of town right now, but I have a couple more questions about what you all posted... I'll be back to post in a couple days...

Thanks for the posts!


quietman7
post May 21 2007, 10:01 AM
Post #11





You're welcome.


bloomcounty
post May 24 2007, 08:13 AM
Post #12





quietman7:

I'm back now...

Okay, so I downloaded the program from here:

http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

It says it's version 10.21 and lists a bunch of updates for Vista in the newest version for Vista. But this is for XP as well, right?

Some more questions:

1. So is this like an "expanded" version of Task Manager? Does it sort of "replace" Task Manager when you have it running? (Meaning, you wouldn't open TM also at the same time for any reason...?)

2. When you run the .exe, is it installing anything on your computer? Or is it a standalone program that doesn't actually install?

2a. Where do I run the .exe from? The desktop or in a certain folder?

3. Do I leave it running all the time? Or just when I'm trying to figure stuff out? Does it use a lot of your memory, etc.?

4. Can it possibly conflict with anything else on my computer by running it?

Concerning MSRT

I didn't actually run MSRT myself, it ran on its own (I guess) as part of my monthly critical Windows Update download/installation. No message popped up, the errors were just listed in the log when I opened it after it ran as part of Windows Update. So I did not run anything in "safe mode" (and actually have never done so) because it was part of the download and ran on its own.

5. So once I have the program, will I need to run MSRT again to see what codes come up as errors in the log (since the error codes change each time as tos226 mentioned, right?)?

5a. If so, what is the best way to do this? And where should I download or run it from?

6. Does the program, if manually downloaded, install anything when you run the .exe, or is it standalone without installing anything?

7. Once I have the Process Explorer program and MSRT, what exactly do I need to do, step by step, including how to run MSRT and in what manner, etc.?

7a. And do I need to do the scan in safe mode? If so, please make sure to include that in the steps I should follow.

8. If I am downloading MSRT, where do I download it to and run it from on my computer?

Note that although the instructions for booting into Safe Mode say, "When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows." -- I don't think this really happens for me when I boot my computer (it did on my old Win98 computer, but not on my new XP laptop). So should I just keep tapping F8 as soon as my computer starts to reboot until it (hopefully) goes into safe mode?

9. A semi-related question: Should I also run my AVG free anti-virus scan, Spybot, and Ad-Aware scans in "safe mode"? If so, can I do so all during the same "safe mode session" or do I need to reboot before each scan, etc.?

Looking forward to hearing back -- thanks!



quietman7
post May 24 2007, 09:43 AM
Post #13





QUOTE
It says it's version 10.21...But this is for XP as well, right?
Yes. Process Explorer works on Windows 9x/Me, NT 4.0, 2000, XP, 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista.

QUOTE
Does it sort of "replace" Task Manager when you have it running? (Meaning, you wouldn't open TM also at the same time for any reason...?)
Although it has TM features, it's more of a supplement to TM that provides more detailed information which can assist in your investigation of a process.

QUOTE
When you run the .exe, is it installing anything on your computer? Or is it a standalone program that doesn't actually install?
It's a zip file that you extract to its own folder and use as a stand-alone app.

QUOTE
Where do I run the .exe from? The desktop or in a certain folder?
Just create a new folder on your C: drive and name it ProcessExplorerNt, then unzip into that folder. Open it afterwards and double-click on procexp.exe to run.

QUOTE
Do I leave it running all the time?..Does it use a lot of your memory, etc.?
Exit when done with your investigative work. While running it uses very little resources.

QUOTE
Can it possibly conflict with anything else on my computer by running it?
Nothing that I am aware of.

QUOTE
will I need to run MSRT again to see what codes come up as errors in the log (since the error codes change each time as tos226 mentioned
Yes. The point is to keep the problem processes identified so you need to know which pid is related to the error.

QUOTE
where should I download or run it from?
Manually download from here
click on the link "Skip the details and download the tool". You can save it to and run it from your desktop.

QUOTE
Does the program, if manually downloaded, install anything when you run the .exe, or is it standalone without installing anything?
It's stand-alone. When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

QUOTE
Once I have the Process Explorer program and MSRT, what exactly do I need to do, step by step, including how to run MSRT and in what manner, etc.?
"How to use the Malicious Software Removal Tool"

Open your log when done.
Note the pids related to any errors.
Launch Process Explorer and match the pids with the process list.

QUOTE
And do I need to do the scan in safe mode? If so, please make sure to include that in the steps I should follow.
You don't need to but it will not hurt to do so and you should learn how to do that anyway. Detailed instructions can be found in "How to start Windows in Safe Mode".

QUOTE
Should I also run my AVG free anti-virus scan, Spybot, and Ad-Aware scans in "safe mode"? If so, can I do so all during the same "safe mode session" or do I need to reboot before each scan, etc.?
Again, it's not necessary but running scans in safe mode is more effective especially for heavily infected systems. The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using Safe Mode reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files. Using your anti-virus and anti-malware tools in Safe Mode also speeds up the scanning process.


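The log-reading steps in the post above (open mrt.log, note the PIDs in the error lines, match them against a process list), as an added Python example that is not part of any post in this thread. The first run in the sample is the log quoted in post #5; the second run, the process snapshot and its image names are constructed, and the names given to the error codes come from the Win32 System Error Codes list.

```python
import re

# Run 1 is the log quoted in post #5; run 2 is a constructed clean re-run.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 17 08:30:58 2007
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2056 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 17 08:31:38 2007

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 24 09:50:12 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 24 09:50:55 2007
"""
SNAPSHOT = {4: "System", 1248: "example_service.exe"}  # constructed; hypothetical names
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1359: "ERROR_INTERNAL_ERROR"}
TOOL = "Microsoft Windows Malicious Software Removal Tool"
HEADER = re.compile(rf"^{TOOL} (v[\d.]+), (.+)$")
SCAN_ERROR = re.compile(r"^->Scan ERROR: resource (\S+) \(code (0x[0-9A-Fa-f]+) \((\d+)\)\)$")
PID_RESOURCE = re.compile(r"^process://pid:(\d+)$")
FIELDS = {
    "started": re.compile(r"^Started On (.+)$"),
    "finished": re.compile(rf"^{TOOL} Finished On (.+)$"),
    "return_code": re.compile(r"^Return code: (\d+)"),
}

def parse_runs(text):
    """Split mrt.log text into one dict per execution of the tool."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            runs.append({"version": m[1], "clean": False, "errors": []})
        elif not runs:
            continue  # ignore anything before the first header
        elif m := SCAN_ERROR.match(line):
            runs[-1]["errors"].append((m[1], int(m[3])))  # (resource, decimal code)
        elif line == "No infection found.":
            runs[-1]["clean"] = True
        else:
            for key, pattern in FIELDS.items():
                if m := pattern.match(line):
                    runs[-1][key] = int(m[1]) if key == "return_code" else m[1]
    return runs

def error_pids(run):
    """Distinct PIDs named in scan errors, each with the set of codes logged for it."""
    pids = {}
    for resource, code in run["errors"]:
        if m := PID_RESOURCE.match(resource):
            pids.setdefault(int(m[1]), set()).add(code)
    return pids

def triage(run, snapshot):
    """Match error PIDs to a snapshot taken in the same session (PIDs are reassigned)."""
    rows = []
    for pid, codes in sorted(error_pids(run).items()):
        names = ", ".join(WIN32_ERRORS.get(c, f"code {c}") for c in sorted(codes))
        rows.append((pid, snapshot.get(pid, "<not in snapshot>"), names))
    return rows

if __name__ == "__main__":
    print([triage(r, SNAPSHOT) for r in parse_runs(SAMPLE_LOG)])
```

A PID that is missing from the snapshot means the process had already exited when the list was captured, so the process list has to be taken while the scan's session is still running.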
bloomcounty
post May 24 2007, 11:38 AM
Post #14





Thanks for the replies! I'm downloading the program now... but I was wondering why do you have to agree to an EULA if the program doesn't install? Does that just say that you can't copy the program, etc.? Do you have to agree to that each time you run the program? Just curious... (Mostly because of that whole WGA thing where it tried to get me to agree to a bunch of stuff I didn't want to...)

Also, one thing you didn't comment on:

QUOTE
Note that although the instructions for booting into Safe Mode say, "When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows." -- I don't think this really happens for me when I boot my computer (it did on my old Win98 computer, but not on my new XP laptop). So should I just keep tapping F8 as soon as my computer starts to reboot until it (hopefully) goes into safe mode?


So is that what I should do?

Thanks again! I'll be sure to post my results (and ask questions about them) once I hear back and then run the program, etc.



quietman7
post May 24 2007, 11:49 AM
Post #15





QUOTE
So should I just keep tapping F8 as soon as my computer starts to reboot
Yes.

QUOTE
why do you have to agree to an EULA if the program doesn't install?
What does the End-User License Agreement (EULA) say?
A User's Guide to EULAs

