MS "Malicious Software Removal Tool" - How To Tell A Fake?

Gary Brown

Hi,

My wife's computer got infected with the "Virus Protecter"
virus. I removed it with MalwareBytes. Now we get a screen
claiming to be MS's Malicious Software Removal Tool telling us
there is an infection. Having been burned once how do we tell
if it is legitimate or another part of the scam?

Thanks,
Gary
 
AFAIK this program does not start on its own. You must initialize it.
Therefore what you see is a scam.
The removal tool is KB890830; the version is 3.7.

"Gary Brown" wrote in message
news:eZx%238%231%23KHA.5808@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> My wife's computer got infected with the "Virus Protecter" virus. I
> removed it with MalwareBytes. Now we get a screen claiming to be MS's
> Malicious Software Removal Tool telling us there is an infection. Having
> been burned once how do we tell if it is legitimate or another part of the
> scam?
>
> Thanks,
> Gary
 
Gary Brown wrote:
> Hi,
>
> My wife's computer got infected with the "Virus Protecter"
> virus. I removed it with MalwareBytes. Now we get a screen
> claiming to be MS's Malicious Software Removal Tool telling us
> there is an infection. Having been burned once how do we tell
> if it is legitimate or another part of the scam?

Assume you are still infected. This page should help:

http://www.bleepingcomputer.com/virus-removal/remove-virus-protector
 
From: "Gary Brown"

| Hi,

| My wife's computer got infected with the "Virus Protecter"
| virus. I removed it with MalwareBytes. Now we get a screen
| claiming to be MS's Malicious Software Removal Tool telling us
| there is an infection. Having been burned once how do we tell
| if it is legitimate or another part of the scam?

| Thanks,
| Gary

Gary, "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
classified as a trojan.

There are only two ways that MS's Malicious Software Removal Tool (MRT) is invoked.

1. Manually. That is, you have to perform an "On Demand" scan with it
(%windir%\system32\MRT.exe)

2. Automatically. That is, once a month a new version of the MRT is produced and performs
a scan of your PC when you get that month's updates through Automatic Updates.

Since I doubt that you initiated an MRT "On Demand" scan, based upon this post, did you
just get new updates via the Windows Automatic Update service?

One sure way to tell if the MRT is truly indicating there is an infection is to hit
Ctrl-Alt-Del, invoke the Task Manager, sort the list by name and see if MRT.EXE is
listed while the window showing there is an infection is still on the screen.

Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
an important fact you left out, so please provide that information.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
You have much more work to do!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

Microsoft PCSafety provides home users (only) with no-charge support in
dealing with malware infections such as viruses, spyware (including unwanted
software), and adware.
https://support.microsoft.com/oas/default.aspx?&prid=7552&st=1

Also available via the Consumer Security Support home page:
https://consumersecuritysupport.microsoft.com/

Otherwise...

1. See if you can download/run the real MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to, e.g., SCAN.EXE before running it.

2a. WinXP => Run the Windows Live Safety Center's 'Protection' scan (only!)
in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

2b. Vista or Win7 => Run this scan instead:
http://onecare.live.com/site/en-us/center/whatsnew.htm

3. Now run a thorough check for hijackware, including posting requested logs
in an appropriate forum, not here. DO NOT SKIP THIS STEP!!

I can recommend the expert assistance offered in these forums:
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php, and
http://aumha.net/viewforum.php?f=30

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002

Gary Brown wrote:
> My wife's computer got infected with the "Virus Protecter"
> virus. I removed it with MalwareBytes. Now we get a screen
> claiming to be MS's Malicious Software Removal Tool telling us
> there is an infection. Having been burned once how do we tell
> if it is legitimate or another part of the scam?
>
> Thanks,
> Gary
 
David H. Lipman wrote:
> Gary "Virus Protector" is indeed a fake but it is not classified as a "virus". It is
> classified as a trojan.
>
> There are only two ways that the MS's Malicious Software Removal Tool (MRT) is invoked.
>
> 1. Manually. That is you have to perform an "On Demand" scan with it
> (%windir%\system32\MRT.exe)
>
> 2. Automatically. That is once a month a new version of the MRT is produced and performs
> a scan of your PC when you get that month's updates through Automatic Updates.
>
> Since I doubt that you initiated a MRT "On Demand" scan, based upon this post, did you
> just get new updates via the Windows Automatic Update service ?
>
> One sure way to tell if the MRT is truly indicating there is an infection is to hit;
> Ctrl-Alt-Del, and invoke the Task Manager and sort the list by name and see if MRT.EXE is
> listed while the window showing there is an infection is still on the screen
>
> Additionally, you did NOT mention what "infection" was found, supposedly by MRT. That is
> an important fact you left out so please provide that information.
>
> -- Dave http://www.claymania.com/removal-trojan-adware.html Multi-AV -
> http://www.pctipp.ch/downloads/dl/35905.asp

From: http://support.microsoft.com/kb/890830

" When the Malicious Software Removal Tool detects malicious software

The Malicious Software Removal Tool runs in quiet mode. If it detects
malicious software on your computer, the next time that you log on to
your computer as a computer administrator, a balloon will appear in the
notification area to make you aware of the detection. "

The notification area is usually in the bottom right hand corner of the
monitor/flat panel unless you've moved the Task Bar. Is that where
you're seeing the warning message?

Also, the MRT creates an entry in the mrt.log, which is located in
Windows\debug, each time it does a scan.

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
From: "MowGreen"

| From: http://support.microsoft.com/kb/890830

| " When the Malicious Software Removal Tool detects malicious software

| The Malicious Software Removal Tool runs in quiet mode. If it detects
| malicious software on your computer, the next time that you log on to
| your computer as a computer administrator, a balloon will appear in the
| notification area to make you aware of the detection. "

| The notification area is usually in the bottom right hand corner of the
| monitor/flat panel unless you've moved the Task Bar. Is that where
| you're seeing the warning message ?

| Also, the MRT creates an entry in the mrt.log, which is located in
| Windows\debug, each time it does a scan.

Good points!

The log file is...
%windir%\Debug\mrt.log

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
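
The two checks suggested in this thread (is MRT.EXE actually running while the alert is on screen, and did a scan get written to %windir%\Debug\mrt.log) can be scripted; the following is an added example, not something posted by any participant. It goes one step beyond the Task Manager check by also comparing the process's file path with %windir%\system32\MRT.exe and checking its Authenticode signature, since a process name alone can be chosen by any program. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: run while the suspicious "MSRT" window is still on screen.
$expected = Join-Path $env:windir 'System32\MRT.exe'   # location named in the thread
$logPath  = Join-Path $env:windir 'Debug\mrt.log'      # log file named in the thread

# Check 1: is a process called MRT running, and is it the real file?
$procs = @(Get-Process -Name 'MRT' -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Output 'No MRT process is running: the window on screen is not MRT.exe.'
}
foreach ($p in $procs) {
    $path = $p.Path   # empty when the prompt lacks rights to query the process
    if (-not $path) {
        Write-Output "PID $($p.Id): image path unavailable, rerun from an elevated prompt."
        continue
    }
    $sig      = Get-AuthenticodeSignature -FilePath $path
    $signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $pathOk   = $path -ieq $expected
    $signedOk = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
    [pscustomobject]@{
        Pid          = $p.Id
        Path         = $path
        ExpectedPath = $pathOk
        Signature    = $sig.Status
        Signer       = $signer
        LooksGenuine = ($pathOk -and $signedOk)
    }
}

# Check 2: the real tool appends to mrt.log on every scan, so a genuine
# detection should show up at the end of the log with a matching timestamp.
if (Test-Path -LiteralPath $logPath) {
    $log = Get-Item -LiteralPath $logPath
    Write-Output "mrt.log last written: $($log.LastWriteTime)"
    Get-Content -LiteralPath $logPath -Tail 25
} else {
    Write-Output "No log at $logPath: MRT has not recorded a scan on this machine."
}
```

A window that reports an infection while no MRT process with `LooksGenuine = True` is running, and with no matching recent entry in mrt.log, did not come from the Microsoft tool.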
 