Question About Windows Malicious Software Removal Tool Update


46 replies to this topic

#1 bloomcounty

Posted 16 May 2007 - 09:24 PM

I don't really "use" Windows Malicious Software per se, but I've always downloaded the "Removal Tool" as part of my Windows Updates each month. Is WMS a separate program? And what is this tool?

I thought this thing was something you download and it runs once (supposedly), though I've never noticed anything running when I've downloaded this update in the past.

Would there be a WMS program on my computer? Or is this update an .exe in and of itself that just runs once like it says? I guess I'm not really clear as to what this is and what it does (though I've always downloaded it).

Does everyone usually download this update each month? Any reason not to?

I see that it's like 7.7 Megs this time, which seems pretty darn big...

(However, when I go to the link for more info on it, it says it's 6.6 Megs... why is that?)

Thanks for the help! :thumbsup:
My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010

#2 Budapest

Posted 17 May 2007 - 01:46 AM

Malicious Software Removal Tool

#3 usasma

Posted 17 May 2007 - 07:13 AM

Hmmm, very interesting! I've never even looked at this, just have downloaded it and hoped that it was doing its job. You can download the tool and run it - so I'd suggest a search of your hard drive for it.

I can't locate anything on whether it scans on install or not - but running the tool on your own shows a simple dialog when scanning.

You can check to see if it runs by looking for the logfile here:

The tool creates a log file named mrt.log in the %WINDIR%\debug folder.


AHA! Success!

To have the newest versions automatically delivered and installed as soon as they are released, set the Automatic Updates feature to Automatic. The version of this tool delivered by Windows Update runs on your computer once a month, in the background. If an infection is found, the tool will display a status report the next time you start your computer. If you would like to run this tool more than once a month, run the version that is available from this Web page or use the version on the Malicious Software Removal Tool Web site.

from this link: http://www.microsoft.com/downloads/details...;displaylang=en

Edited by usasma, 17 May 2007 - 07:14 AM.

#4 bloomcounty

Posted 17 May 2007 - 09:06 AM

Ah... Thanks for the links and posts. I found my log, and it looks like it's been run once a month (I assume after I download the newest version with my Windows Updates). I did not find the .exe, so it looks like it does indeed run once, append to the log, and then delete itself.

So is there any reason NOT to download this each month as part of my Windows Critical Updates?

Has anyone ever had any issues with it?

I'm thinking I should just continue to do so, since I guess it's "working" and it hasn't caused me any issues (yet)...

Any final thoughts?

Thanks! :thumbsup:

#5 bloomcounty

Posted 17 May 2007 - 10:41 AM

UPDATE:

So I went ahead and downloaded it... interesting note, the download was only 1.1 Megs... Not sure why it's listed as 7.7 Megs, unless you actually do keep part of the program on your computer, and the download is the "update". But it says that the files are deleted once it runs, so I'm not sure of the size difference...

It did append the log, but for the first time, I got some kind of error:

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 17 08:30:58 2007
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2056 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 17 08:31:38 2007



Any thoughts on this...? I tried looking up the errors, but could only find that they're "internal errors". But I might not be looking in the right place or looking up the right thing... Anything to be concerned about?

Thanks!

Edited by bloomcounty, 17 May 2007 - 10:52 AM.

#6 quietman7

Posted 17 May 2007 - 11:06 AM

This topic is security related so I have moved it to a more appropriate forum.

You can also manually download MRT each month and keep it on your pc to perform scans until the newest version is released. The tool has three scan options:
1. Quick scan: Scans areas of the system most likely to contain malicious software.
2. Full scan: Scans the entire system but can take up to several hours to complete.
3. Customized scan: In addition to a quick scan, the tool will also scan the contents of a user-specified folder.

When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

You receive an error when you run the Microsoft Windows Malicious Software Removal Tool

Error 0x0000054F - 1359 seems to be related to an internal error per System Error Codes

To determine which processes are pid:1248, pid:2056 and pid:1248, you can download and use Process Explorer to investigate all running processes and gather additional information to identify and resolve problems.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 bloomcounty

Posted 17 May 2007 - 03:11 PM

Error 0x0000054F - 1359 seems to be related to an internal error per System Error Codes

To determine which processes are pid:1248, pid:2056 and pid:1248, you can download and use Process Explorer to investigate all running processes and gather additional information to identify and resolve problems.


Thanks for the post! I actually saw all that info when trying to investigate what happened. So I was hoping that someone here might know the answer, as I really don't want to download yet another program to run... which will probably lead to some other error and/or conflict with something else, etc. etc.

Is there really any reason to be concerned with this at all or to even consider using this Process Explorer program? I saw another post by someone via google that has the same thing happen, but their pid #'s were different. I am suspecting that this is a glitch or something with the newest MRT tool download, perhaps having something to do with another update/fix or something (but that's just a total guess).

But I suspect that if everyone else checks their log for this time who has XP SP2, my guess is that they'll have the same or similar "errors". Thoughts?

Thanks! :thumbsup:

#8 quietman7

Posted 17 May 2007 - 09:53 PM

I run MSRT every month and have never received such a message so it does not appear to be something isolated to the tool itself. Do you get the error if you run MSRT in "SAFE MODE"?

MSRT is not finding any malware so I would not be too concerned. Still, if it were me, I'd be curious to know what processes were involved in the error. So as for Process Explorer, I highly recommend it as an excellent investigative tool which comes in handy for helping to id suspicious processes and resolving other issues.

#9 tos226

Posted 18 May 2007 - 08:32 AM

... consider using this Process Explorer program? I saw another post by someone via google that has the same thing happen, but their pid #'s were different.

Bloomcounty, interesting work :thumbsup:
As Quietman7 said, ProcessExplorer is a tool, small, safe and sound. Run it, make the windows small, and do whatever you normally do on a computer. Lotsa information there!
As far as different pid# - Process IDs, the stuff you see in task manager, are assigned dynamically. So every day or every minute it'll be different. That's why ProcessExplorer is so cool - it will identify the exact process name related to whatever is running once you get the hang of how to use it.

BTW, ProcessExplorer and similar utilities from Sysinternals have been absorbed by Microsoft. Totally legitimate. Top of the line. You can't do better.

Edited by tos226, 18 May 2007 - 08:35 AM.


#10 bloomcounty

Posted 21 May 2007 - 09:57 AM

I'm out of town right now, but I have a couple more questions about what you all posted... I'll be back to post in a couple days...

Thanks for the posts! :thumbsup:

#11 quietman7

Posted 21 May 2007 - 10:01 AM

You're welcome.

#12 bloomcounty

Posted 24 May 2007 - 08:13 AM

quietman7:

I'm back now... :thumbsup:

Okay, so I downloaded the program from here:

http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

It says it's version 10.21 and lists a bunch of updates for Vista in the newest version for Vista. But this is for XP as well, right?

Some more questions:

1. So is this like an "expanded" version of Task Manager? Does it sort of "replace" Task Manager when you have it running? (Meaning, you wouldn't open TM also at the same time for any reason...?)

2. When you run the .exe, is it installing anything on your computer? Or is it a standalone program that doesn't actually install?

2a. Where do I run the .exe from? The desktop or in a certain folder?

3. Do I leave it running all the time? Or just when I'm trying to figure stuff out? Does it use a lot of your memory, etc.?

4. Can it possibly conflict with anything else on my computer by running it?

Concerning MSRT

I didn't actually run MSRT myself, it ran on its own (I guess) as part of my monthly critical Windows Update download/installation. No message popped up, the errors were just listed in the log when I opened it after it ran as part of Windows Update. So I did not run anything in "safe mode" (and actually have never done so) because it was part of the download and ran on its own.

5. So once I have the program, will I need to run MSRT again to see what codes come up as errors in the log (since the error codes change each time as tos226 mentioned, right?)?

5a. If so, what is the best way to do this? And where should I download or run it from?

6. Does the program, if manually downloaded, install anything when you run the .exe, or is it standalone without installing anything?

7. Once I have the Process Explorer program and MSRT, what exactly do I need to do, step by step, including how to run MSRT and in what manner, etc.?

7a. And do I need to do the scan in safe mode? If so, please make sure to include that in the steps I should follow.

8. If I am downloading MSRT, where do I download it to and run it from on my computer?

Note that although the instructions for booting into Safe Mode say, "When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows." -- I don't think this really happens for me when I boot my computer (it did on my old Win98 computer, but not on my new XP laptop). So should I just keep tapping F8 as soon as my computer starts to reboot until it (hopefully) goes into safe mode?

9. A semi-related question: Should I also run my AVG free anti-virus scan, Spybot, and Ad-Aware scans in "safe mode"? If so, can I do so all during the same "safe mode session" or do I need to reboot before each scan, etc.?

Looking forward to hearing back -- thanks!

#13 quietman7

Posted 24 May 2007 - 09:43 AM

[quote]It says it's version 10.21...But this is for XP as well, right?[/quote]
Yes. Process Explorer works on Windows 9x/Me, NT 4.0, 2000, XP, 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista.

[quote]Does it sort of "replace" Task Manager when you have it running? (Meaning, you wouldn't open TM also at the same time for any reason...?)[/quote]
Although it has TM features, it's more of a supplement to TM that provides more detailed information which can assist in your investigation of a process.

[quote]When you run the .exe, is it installing anything on your computer? Or is it a standalone program that doesn't actually install?[/quote]
It's a zip file that you extract to its own folder and use as a stand-alone app.

[quote]Where do I run the .exe from? The desktop or in a certain folder?[/quote]
Just create a new folder on your C: drive and name it ProcessExplorerNt, then unzip into that folder. Open it afterwards and double-click on procexp.exe to run.

[quote]Do I leave it running all the time?..Does it use a lot of your memory, etc.?[/quote]
Exit when done with your investigative work. While running it uses very little resources.

[quote]Can it possibly conflict with anything else on my computer by running it?[/quote]
Nothing that I am aware of.

[quote]will I need to run MSRT again to see what codes come up as errors in the log (since the error codes change each time as tos226 mentioned[/quote]
Yes. The point is to keep the problem processes identified so you need to know which pid is related to the error.

[quote]where should I download or run it from?[/quote]
Manually download from here. Click on the link "Skip the details and download the tool". You can save it to and run it from your desktop.

[quote]Does the program, if manually downloaded, install anything when you run the .exe, or is it standalone without installing anything?[/quote]
It's stand-alone. When you run MSRT, a temporary folder with random characters (79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. After performing a scan and you click finish or cancel the folder will automatically be removed.

[quote]Once I have the Process Explorer program and MSRT, what exactly do I need to do, step by step, including how to run MSRT and in what manner, etc.?[/quote]
"How to use the Malicious Software Removal Tool"

Open your log when done.
Note the pids related to any errors.
Launch Process Explorer and match the pids with the process list.

[quote]And do I need to do the scan in safe mode? If so, please make sure to include that in the steps I should follow.[/quote]
You don't need to but it will not hurt to do so and you should learn how to do that anyway. Detailed instructions can be found in "How to start Windows in Safe Mode".

[quote]Should I also run my AVG free anti-virus scan, Spybot, and Ad-Aware scans in "safe mode"? If so, can I do so all during the same "safe mode session" or do I need to reboot before each scan, etc.?[/quote]
Again, it's not necessary but running scans in safe mode is more effective especially for heavily infected systems. The Windows operating system protects files when they are being accessed by an application or a program. Malware writers create programs that can insert themselves and hide in these protected areas when the files are being used. Using Safe Mode reduces the number of modules requesting files to only the essentials to make your computer functional. This in turn reduces the number of hiding places for malware, making it easier to find and delete the offending files. Using your anti-virus and anti-malware tools in Safe Mode also speeds up the scanning process.
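The steps in post #13 (open the log, note the PIDs tied to errors, match them in Process Explorer) begin with reading mrt.log. As an added example that is not part of any poster's reply and not Microsoft's code, the Python below parses the log text posted in post #5 into one record per run and counts scan errors per PID. The function names are hypothetical and the line formats are assumed from that single posted log.

```python
import re
from collections import Counter

# Log text exactly as posted in post #5 of this thread.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 17 08:30:58 2007
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:2056 (code 0x0000054F (1359))
->Scan ERROR: resource process://pid:1248 (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 17 08:31:38 2007
"""

HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v(\S+), (.+)$")
SCAN_ERROR = re.compile(
    r"^->Scan ERROR: resource (\S+) \(code (0x[0-9A-Fa-f]+) \((\d+)\)\)$")
PID_RESOURCE = re.compile(r"^process://pid:(\d+)$")
FIELDS = {  # single-value lines inside one run
    "started": re.compile(r"^Started On (.+)$"),
    "return_code": re.compile(r"^Return code: (-?\d+)$"),
    "finished": re.compile(r"Finished On (.+)$"),
}

def parse_runs(text):
    """Split a log that is appended to on every run into one dict per run."""
    runs, run = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            run = dict(version=header.group(1), release=header.group(2),
                       started=None, finished=None, return_code=None, errors=[])
            runs.append(run)
            continue
        if run is None:
            continue  # ignore anything before the first header line
        err = SCAN_ERROR.match(line)
        if err:
            resource, code_hex, code_dec = err.groups()
            if int(code_hex, 16) != int(code_dec):  # the two forms must agree
                raise ValueError(f"hex/decimal mismatch in: {line}")
            run["errors"].append((resource, code_hex))
            continue
        for name, pattern in FIELDS.items():
            found = pattern.search(line)
            if found:
                run[name] = found.group(1)
    return runs

def pids_to_check(run):
    """Count scan errors per process ID, skipping non-process resources."""
    counts = Counter()
    for resource, _code in run["errors"]:
        m = PID_RESOURCE.match(resource)
        if m:
            counts[int(m.group(1))] += 1
    return dict(sorted(counts.items()))

if __name__ == "__main__":
    for run in parse_runs(SAMPLE_LOG):
        state = "complete" if run["finished"] else "no Finished line"
        print(f"v{run['version']} ({run['release']}) started {run['started']}, "
              f"return code {run['return_code']}, {state}: {pids_to_check(run)}")
```

Because process IDs are assigned dynamically, as post #9 notes, the PID list is only meaningful against the process list of the same session in which the scan ran.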

#14 bloomcounty

Posted 24 May 2007 - 11:38 AM

Thanks for the replies! I'm downloading the program now... but I was wondering why do you have to agree to an EULA if the program doesn't install? Does that just say that you can't copy the program, etc.? Do you have to agree to that each time you run the program? Just curious... (Mostly because of that whole WGA thing where it tried to get me to agree to a bunch of stuff I didn't want to...)

Also, one thing you didn't comment on:

Note that although the instructions for booting into Safe Mode say, "When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. When that is completed it will start loading Windows." -- I don't think this really happens for me when I boot my computer (it did on my old Win98 computer, but not on my new XP laptop). So should I just keep tapping F8 as soon as my computer starts to reboot until it (hopefully) goes into safe mode?


So is that what I should do?

Thanks again! I'll be sure to post my results (and ask questions about them) once I hear back and then run the program, etc.

:thumbsup:

#15 quietman7

Posted 24 May 2007 - 11:49 AM

So should I just keep tapping F8 as soon as my computer starts to reboot

Yes.

why do you have to agree to an EULA if the program doesn't install?

What does the End-User License Agreement (EULA) say?
A User's Guide to EULAs