MS "Malicious Software Removal Tool" - How To Tell A Fake?

Gary Brown

Hi,

My wife's computer got infected with the "Virus Protecter"
virus. I removed it with MalwareBytes. Now we get a screen
claiming to be MS's Malicious Software Removal Tool telling us
there is an infection. Having been burned once how do we tell
if it is legitimate or another part of the scam?

Thanks,
Gary
 
Unknown

AFAIK this program does not start on its own. You must initialize it.
Therefore what you see is a scam.
The removal tool is KB890830; the version is 3.7.
"Gary Brown" <garyjbrown@charter.net> wrote in message
news:eZx%238%231%23KHA.5808@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> My wife's computer got infected with the "Virus Protecter" virus. I
> removed it with MalwareBytes. Now we get a screen claiming to be MS's
> Malicious Software Removal Tool telling us there is an infection. Having
> been burned once how do we tell if it is legitimate or another part of the
> scam?
>
> Thanks,
> Gary
>
>
 
Daave

Gary Brown wrote:
> Hi,
>
> My wife's computer got infected with the "Virus Protecter"
> virus. I removed it with MalwareBytes. Now we get a screen
> claiming to be MS's Malicious Software Removal Tool telling us
> there is an infection. Having been burned once how do we tell
> if it is legitimate or another part of the scam?


Assume you are still infected. This page should help:

http://www.bleepingcomputer.com/virus-removal/remove-virus-protector
 
David H. Lipman

From: "Gary Brown" <garyjbrown@charter.net>

| Hi,

| My wife's computer got infected with the "Virus Protecter"
| virus. I removed it with MalwareBytes. Now we get a screen
| claiming to be MS's Malicious Software Removal Tool telling us
| there is an infection. Having been burned once how do we tell
| if it is legitimate or another part of the scam?

| Thanks,
| Gary


Gary, "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
classified as a trojan.

There are only two ways that the MS's Malicious Software Removal Tool (MRT) is invoked.

1. Manually. That is you have to perform an "On Demand" scan with it
(%windir%\system32\MRT.exe)

2. Automatically. That is once a month a new version of the MRT is produced and performs
a scan of your PC when you get that month's updates through Automatic Updates.

Since I doubt that you initiated an MRT "On Demand" scan, based upon this post, did you
just get new updates via the Windows Automatic Update service?

One sure way to tell if the MRT is truly indicating there is an infection is to hit
Ctrl-Alt-Del, invoke the Task Manager, sort the list by name and see if MRT.EXE is
listed while the window showing there is an infection is still on the screen.

Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
an important fact you left out so please provide that information.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
PA Bear [MS MVP]

You have much more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the real MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to, e.g., SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

I can recommend the expert assistance offered in these forums:
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php, and
http://aumha.net/viewforum.php?f=30

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002


Gary Brown wrote:
> My wife's computer got infected with the "Virus Protecter"
> virus. I removed it with MalwareBytes. Now we get a screen
> claiming to be MS's Malicious Software Removal Tool telling us
> there is an infection. Having been burned once how do we tell
> if it is legitimate or another part of the scam?
>
> Thanks,
> Gary
 
MowGreen

David H. Lipman wrote:
> Gary "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
> classified as a trojan.
>
> There are only two ways that the MS's Malicious Software Removal Tool (MRT) is invoked.
>
> 1. Manually. That is you have to perform an "On Demand" scan with it
> (%windir%\system32\MRT.exe)
>
> 2. Automatically. That is once a month a new version of the MRT is produced and performs
> a scan of your PC when you get that month's updates through Automatic Updates.
>
> Since I doubt that you initiated a MRT "On Demand" scan, based upon this post, did you
> just get new updates via the Windows Automatic Update service ?
>
> One sure way to tell if the MRT is truly indicating there is an infection is to hit;
> Ctrl-Alt-Del, and invoke the Task Manager and sort the list by name and see if MRT.EXE is
> listed while the window showing there is an infection is still on the screen
>
> Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
> an important fact you left out so please provide that information.
>
> -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV -
> http://www.pctipp.ch/downloads/dl/35905.asp



From: http://support.microsoft.com/kb/890830

" When the Malicious Software Removal Tool detects malicious software

The Malicious Software Removal Tool runs in quiet mode. If it detects
malicious software on your computer, the next time that you log on to
your computer as a computer administrator, a balloon will appear in the
notification area to make you aware of the detection. "

The notification area is usually in the bottom right-hand corner of the
monitor/flat panel unless you've moved the Task Bar. Is that where
you're seeing the warning message?

Also, the MRT creates an entry in the mrt.log, which is located in
Windows\debug, each time it does a scan.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
David H. Lipman

From: "MowGreen" <mowgreen@nowandzen.com>

| From: http://support.microsoft.com/kb/890830

| " When the Malicious Software Removal Tool detects malicious software

| The Malicious Software Removal Tool runs in quiet mode. If it detects
| malicious software on your computer, the next time that you log on to
| your computer as a computer administrator, a balloon will appear in the
| notification area to make you aware of the detection. "

| The notification area is usually in the bottom right hand corner of the
| monitor/flat panel unless you've moved the Task Bar. Is that where
| you're seeing the warning message ?

| Also, the MRT creates an entry in the mrt.log, which is located in
| Windows\debug, each time it does a scan.


Good points!

The log file is...
%windir%\Debug\mrt.log


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
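
The checks suggested in the replies above (is MRT.EXE really running from %windir%\system32 while the warning is on screen, and does %windir%\Debug\mrt.log record a scan), as an added PowerShell example that is not part of any poster's message. `Test-MrtPrompt` is a hypothetical helper name, the Authenticode signature check is an addition the thread does not mention, and an elevated PowerShell prompt is assumed.

```powershell
# Added example. Test-MrtPrompt is a hypothetical helper name, not a Microsoft cmdlet.
# Run it while the suspicious "Malicious Software Removal Tool" window is still open.
function Test-MrtPrompt {
    $expected = Join-Path $env:windir 'System32\MRT.exe'   # location given in the thread
    $logPath  = Join-Path $env:windir 'Debug\mrt.log'      # log location given in the thread

    # 1. Is a process named MRT running at all right now?
    $procs = @(Get-Process -Name 'MRT' -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        Write-Output 'No MRT process is running: the window was not drawn by MRT.exe.'
    }

    foreach ($p in $procs) {
        $path = $p.Path   # empty when this session lacks rights to query the process
        if (-not $path) {
            Write-Output "Process $($p.Id): image path unreadable, rerun from an elevated prompt."
            continue
        }
        # 2. A look-alike can borrow the name; compare the image path and the signer.
        #    (The signature check is an addition, not something the thread proposes.)
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
            ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        [pscustomobject]@{
            ProcessId         = $p.Id
            ImagePath         = $path
            InExpectedPath    = ($path -eq $expected)   # -eq ignores case for strings
            SignatureStatus   = $sig.Status
            SignedByMicrosoft = $signedByMicrosoft
        }
    }

    # 3. The real tool writes to mrt.log on every scan: a detection that leaves
    #    no fresh entry there did not come from MRT.
    if (Test-Path -LiteralPath $logPath) {
        $log = Get-Item -LiteralPath $logPath
        Write-Output "mrt.log last written: $($log.LastWriteTime)"
        Get-Content -LiteralPath $logPath -Tail 20
    } else {
        Write-Output "No $logPath found: MRT has not logged a scan on this machine."
    }
}

Test-MrtPrompt
```

A process that is named MRT but reports `InExpectedPath` or `SignedByMicrosoft` as `False`, or a warning window with no matching recent entry in mrt.log, points to an impostor rather than the Microsoft tool.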
 