MS "Malicious Software Removal Tool" - How To Tell A Fake?

Gary Brown

Hi,

My wife's computer got infected with the "Virus Protecter"
virus. I removed it with MalwareBytes. Now we get a screen
claiming to be MS's Malicious Software Removal Tool telling us
there is an infection. Having been burned once, how do we tell
if it is legitimate or another part of the scam?

Thanks,
Gary
 
Unknown

AFAIK this program does not start on its own. You must initialize it.
Therefore what you see is a scam.
The removal tool is KB890830; the version is 3.7.
 
David H. Lipman

From: "Gary Brown" <[email protected]>

| Hi,

| My wife's computer got infected with the "Virus Protecter"
| virus. I removed it with MalwareBytes. Now we get a screen
| claiming to be MS's Malicious Software Removal Tool telling us
| there is an infection. Having been burned once how do we tell
| if it is legitimate or another part of the scam?

| Thanks,
| Gary


Gary, "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
classified as a trojan.

There are only two ways that the MS's Malicious Software Removal Tool (MRT) is invoked.

1. Manually. That is you have to perform an "On Demand" scan with it
(%windir%\system32\MRT.exe)

2. Automatically. That is once a month a new version of the MRT is produced and performs
a scan of your PC when you get that month's updates through Automatic Updates.

Since I doubt that you initiated an MRT "On Demand" scan, based upon this post, did you
just get new updates via the Windows Automatic Update service?

One sure way to tell if the MRT is truly indicating there is an infection is to hit
Ctrl-Alt-Del, invoke the Task Manager, sort the list by name and see if MRT.EXE is
listed while the window showing there is an infection is still on the screen.

Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
an important fact you left out so please provide that information.
 
PA Bear [MS MVP]

You have much more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the real MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to, e.g., SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7=> Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

I can recommend the expert assistance offered in these forums:
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php, and
http://aumha.net/viewforum.php?f=30

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 
MowGreen

David said:
Gary, "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
classified as a trojan.

There are only two ways that the MS's Malicious Software Removal Tool (MRT) is invoked.

1. Manually. That is you have to perform an "On Demand" scan with it
(%windir%\system32\MRT.exe)

2. Automatically. That is once a month a new version of the MRT is produced and performs
a scan of your PC when you get that month's updates through Automatic Updates.

Since I doubt that you initiated an MRT "On Demand" scan, based upon this post, did you
just get new updates via the Windows Automatic Update service?

One sure way to tell if the MRT is truly indicating there is an infection is to hit
Ctrl-Alt-Del, invoke the Task Manager, sort the list by name and see if MRT.EXE is
listed while the window showing there is an infection is still on the screen.

Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
an important fact you left out so please provide that information.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: http://support.microsoft.com/kb/890830

" When the Malicious Software Removal Tool detects malicious software

The Malicious Software Removal Tool runs in quiet mode. If it detects
malicious software on your computer, the next time that you log on to
your computer as a computer administrator, a balloon will appear in the
notification area to make you aware of the detection. "

The notification area is usually in the bottom right hand corner of the
monitor/flat panel unless you've moved the Task Bar. Is that where
you're seeing the warning message ?

Also, the MRT creates an entry in the mrt.log, which is located in
Windows\debug, each time it does a scan.


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
David H. Lipman

From: "MowGreen" <[email protected]>

| From: http://support.microsoft.com/kb/890830

| " When the Malicious Software Removal Tool detects malicious software

| The Malicious Software Removal Tool runs in quiet mode. If it detects
| malicious software on your computer, the next time that you log on to
| your computer as a computer administrator, a balloon will appear in the
| notification area to make you aware of the detection. "

| The notification area is usually in the bottom right hand corner of the
| monitor/flat panel unless you've moved the Task Bar. Is that where
| you're seeing the warning message ?

| Also, the MRT creates an entry in the mrt.log, which is located in
| Windows\debug, each time it does a scan.


Good points!

The log file is...
%windir%\Debug\mrt.log
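
The checks suggested in this thread (is MRT.EXE in the process list while the alert is on screen, and is there a matching entry in %windir%\Debug\mrt.log) can be run together from a PowerShell prompt. This is an added example, not something posted by anyone in the thread; it assumes PowerShell 3.0 or later, and the Authenticode signature check in step 2 goes beyond what the posters described.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
$expectedExe = Join-Path $env:windir 'System32\MRT.exe'
$logPath     = Join-Path $env:windir 'Debug\mrt.log'

# 1. Task Manager check: is MRT.exe running while the alert is on screen?
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'MRT.exe'")
if ($procs.Count -eq 0) {
    Write-Output 'MRT.exe is not running while the alert is displayed.'
}
foreach ($p in $procs) {
    # Any program can call itself MRT.exe, so compare the image path with the
    # location given in the thread. ExecutablePath can be empty when this
    # script is not run elevated.
    if (-not $p.ExecutablePath) {
        Write-Output "PID $($p.ProcessId): path not readable, rerun as administrator."
    } elseif ($p.ExecutablePath -ieq $expectedExe) {
        Write-Output "PID $($p.ProcessId): running from $expectedExe"
    } else {
        Write-Output "PID $($p.ProcessId): UNEXPECTED path $($p.ExecutablePath)"
    }
}

# 2. Extra check beyond the thread: Authenticode signature of the file on disk.
if (Test-Path -LiteralPath $expectedExe) {
    $sig = Get-AuthenticodeSignature -FilePath $expectedExe
    Write-Output "Signature status: $($sig.Status)"
    if ($sig.SignerCertificate) {
        Write-Output "Signer: $($sig.SignerCertificate.Subject)"
    }
} else {
    Write-Output "$expectedExe not found."
}

# 3. Log check: a real scan leaves an entry in mrt.log, so compare the
#    last-write time and the final lines with when the alert appeared.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    Write-Output "mrt.log last written: $($log.LastWriteTime)"
    Get-Content -LiteralPath $logPath -Tail 20
} else {
    Write-Output "$logPath not found: no scan has been logged on this machine."
}
```

An alert that appears with no MRT.exe process, an MRT.exe running from somewhere other than System32, or no recent entry in mrt.log does not match how the posters above describe the real tool behaving.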
 
