  1. #1
    3 Star Lounger

    Problem with Malicious Software Removal Tool (MSRT)

    Is anyone having a problem with this? For the last two months, and with the current version now saying "May 2016", when I run it, it displays "Files Infected: x" where the value of x changes from 0 to 7 as the scan progresses. But when it ends, it then says "No malicious software was detected", and when I look at the detailed results, every malware item says "Not infected". So what or where are the 7 infected files? (Other AV programs say that my system is clean.) Also, when it runs, I get a warning about a potentially unwanted program called "d38e21ce-0e11-4bf9-baa3-764b7f551684_1d1abfada814a7d", which means nothing to me. While it is running, Process Explorer says that it is running from "C:\Windows\System32\MRT.exe", but I can find no such file in that location.

    I believe some AV products are actually flagging MSRT as malware. What is going on?

  2. #2
    Super Moderator
    Does the mrt.log at C:\Windows\Debug list anything?

  3. #3
    WS Lounge VIP Calimanco
    MRT.exe is the MSRT. You can use it to run a scan manually. The file you quoted appears to be a temporary one. What you are seeing is what happens when an MSRT build containing false positive signatures does a scan:-

    1. MSRT makes a detection during the scan. The UI displays the detection.

    2. The scan completes, and the signature is checked with Microsoft AV back-end, which has the offending signature marked as a false positive.

    3. A disable notification is sent from the back-end, and the offending signature is disabled.

    4. The UI displays the scan result, and since the offending signature is disabled, no detections are reported.

    Your machine is, therefore, clean.

  4. The Following 2 Users Say Thank You to Calimanco For This Useful Post:

    RetiredGeek (2016-05-11), satrow (2016-05-11)

  5. #4
    3 Star Lounger
    I have run it repeatedly, always with the same result. I would have thought that once the offending signature is disabled, it would not be detected next time?

    I have also run it while disconnected from the internet, again with exactly the same result, so how does it communicate with the Microsoft AV back end?

    The log file indicates no detections or errors every time.

    I can accept that there will be false positives, but if that's the case then the way they are being handled makes no sense. I don't use the MSRT as any kind of primary defence, but I like to run it each month when a new version comes out, and this is undermining my confidence in it.
