
A question about Microsoft's Malicious Software Removal Tool

Anonymous
2016-12-15T13:52:45+00:00

I recently had a run-in with a website that obviously had malware on it. I quickly got out of there, but I was unsure if any viruses found their way onto my computer, & rather than use Windows Defender to scan my computer, like I have always done in the past, I ran a Malicious Software Removal Tool from this link here: https://www.microsoft.com/en-ca/download/malicious-software-removal-tool-details.aspx

I ran a full scan on my computer with both this new program and Windows Defender, at the same time, to see the difference between the two, & to see if one was better than the other. The removal tool worked faster and gave me a real-time look at if it found any infected files on my computer, which it apparently did. It found at least seven infected files on my computer, but by the time the scan was done, it simply gave me the message that no infected files were found, which I found odd, as the information page for the product said if it found any infected files, it would tell me at the end of the scan that they were found, and removed.

Now here's the actual question: Did the Malicious Software Removal Tool remove the infected files after the scan or during the scan without involving me to do anything, or are the infected files still on my computer due to the virus being out of the program's removal parameters? I assumed if it scanned the files & told me if the infected files were present, it would be able to remove them, as it did say infected files were found.

I already ran a full scan of the Malicious Software Removal Tool a second time, without running Defender at the same time, to see if that was the problem. Although I was not able to see the real-time scan this time, to see if it found any infected files still (due to falling asleep, as the scan does take several hours), it still gave me the end-message that no infected files were found.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


19 answers

  1. Anonymous
    2016-12-17T21:31:11+00:00

    Well, I can only surmise that Windows Update's detection engine noticed that you'd downloaded/run the December 2016 version of MSRT manually [Interactive Graphical Mode] several times since it was released the 13th and so it wasn't offered when you ran the manual check for updates shortly after 17:41 (5:41 pm) local time on the 15th - so one mystery's solved (at least for me).

    IN RE the "at least seven infected files" detected by the (November 2016?) MSRT when you ran a full scan in Interactive Graphical Mode, perhaps this recent discussion (the ANSWER posts in particular) might shed some light on things for you: https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/two-infected-files-shown-during-oct-2016-malicious/fb273053-6bd7-45ba-9710-8b5e5ff0469c [1]

    Long story, short version:

    ...you need to keep in mind that MSRT only scans for and removes a limited number of specific malware families...a small subset of active malicious software so it is not comprehensive. MSRT was not designed to be a comprehensive scanning tool so it should not be relied on to ensure a computer is infection free.

    Op. Cit.

    PS: IMHO it'd be interesting to see what, if anything, a Full Scan with the Dec-16 version of the MSRT might detect after you've downloaded/run the McAfee Consumer Products Removal Tool (followed by a reboot).

    ===============================================

    [1] Kudos to my colleague Le Boule for bringing this thread to my attention yesterday!

  2. Anonymous
    2016-12-17T03:05:12+00:00

    1. Ran a manual check for updates, saw them, and installed them. No catalogue involved (I think.)

    1. 2016-12-15
    2. KB3205404 is listed in update history, successfully installed.
    3. No.
    4. November 2016.
  3. Anonymous
    2016-12-16T23:29:39+00:00

    [Apologies for the KB890830 vs. KB890930 typo in my previous post...]

    I installed the three from my Windows update page, manually.

    1. Did you run a manual check for updates, see that KB3205401, KB3205404 & KB3209498 were being offered & then successfully install them by clicking on the INSTALL UPDATES button or did you download the installers for those three (3) updates via the Microsoft Update Catalogue and install them manually?

    1. When (exact date) was KB3205401 installed according to Installed Updates (not Update History)?
    2. Is KB3205404 still offered to the computer when you run a manual check for updates and if not, is it listed in Update History as being successfully installed?
    • We're still learning about these new .NET Framework Security and Quality Update [sic] rollups. [1] As such, I don't know where (or even if) KB3205404 would be listed in the Installed Updates window. [This month's rollup is the first to be released for Win8.1 - assuming .NET Framework 3.5 is not enabled.]
    1. Is KB890830 offered when you run a manual check for updates now?
    2. Does the 11 November 2016 listing for KB890830 in your Update History say Windows Malicious Software Removal Tool x64 - November 2016 or Windows Malicious Software Removal Tool x64 - December 2016?

    ================================================

    [1] cf. https://blogs.msdn.microsoft.com/dotnet/2016/08/15/introducing-the-net-framework-monthly-rollup/

  4. Anonymous
    2016-12-16T21:37:12+00:00
    1. I installed the three from my Windows update page, manually. I'm just assuming these were mandatory updates that would come automatically if I turned off my computer at a regular pace rather than taking weeks, or sometimes months. (I basically keep it running all day, every day.)
    2. Just KB3205401
    3. Yes.
    4. KB890830 is the only KB8- listed in update history, which was installed 2016-11-11, everything else is KB2- or KB3-. There is no KB890930 listed
    5. December 14th of this year, about 30 minutes or so prior to the MSRT scan. As I said before, I scanned the computer with both programs the first time. I have not used it since, and have only scanned, manually, with MSRT for the past 3 days. However, I still have Defender running, I did not disable it, I have just not used it for a manual scan. I realise MSRT is not a program to replace conventional security software like Defender, it tells you that every time it runs a manual scan.

    Also sorry for my prodding. I realise that you are not here 24/7, nor do you have any obligation to help me specifically, and that you are also answering plenty of other questions on this site. I am just a bit on edge about the whole situation I am currently having. Thank you for understanding.

    Also sorry for the constant editing. I'm just trying to make it look professional.

  5. Anonymous
    2016-12-16T20:58:31+00:00

    Now what?

    You wait until I'm back in these forums again & reply to your thread. <wink> I don't live in these forums (nor do I work for or represent Microsoft) and I was kinda/sorta waiting to see if you were done editing your penultimate reply. That being said...

    1. Were KB3205401, KB3205404 & KB3209498 offered & installed via Windows Update or did you download/install them manually via the Microsoft Update Catalogue?
    2. Are KB3205401 and KB3205404 both listed in Installed Updates (not Update History) now?
    3. Is Adobe Flash Player v24.0.0.186 installed now? TEST HERE USING INTERNET EXPLORER ONLY! => http://www.adobe.com/software/flash/about/ 
    4. Is Windows Malicious Software Removal Tool x64 - December 2016 (KB890930 KB890830) listed in Update History (this time) now?
    5. When was the last time you ran a Full system scan using Windows Defender? [See below]
    
    IN RE the detections when you (first?) ran the MSRT manually...
    
    <QP>
    
    When the Malicious Software Removal Tool detects malicious software
    
    The Malicious Software Removal Tool runs in quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection.

    Performing a full scan

    If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.

    Removing malicious files

    If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.
    
    You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.
    
    The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software.
    *To complete the removal, you should use an up-to-date antivirus product.* 
    [emphasis mine]
    
    </QP>
    
    Source: [https://support.microsoft.com/en-us/kb/890830](https://support.microsoft.com/en-us/kb/890830)
    