Malicious software remove tool


chimpy

I noticed that the last three scans on Microsoft's Malicious Software Removal Tool (those three are the only logs I have) have not found anything but have thrown up errors in the process: Scan ERROR: resource process://pid:1272 (code 0x00000005 (5)), Scan ERROR: resource process://pid:1320 (code 0x00000005 (5)), and Scan ERROR: resource process://pid:1252 (code 0x00000005 (5)).

I can't find anything about these errors on the database list that Microsoft has. Can anyone enlighten me as to what they might be?

Thanks.


Hello chimpy.

It sounds to me like MRT can't scan certain processes for some reason. To find out which ones they are, run another MRT scan and don't reboot or anything after it completes, then look in the most recent log for the error to find out the PID of the offending process. Then, if you're running XP Pro or Media Center Edition, copy the following into Notepad and save it as runningtasks.bat. Make sure when you save it that you select the drop-down next to "Save as type" and select All Files:

tasklist.exe>"%userprofile%\desktop\tasks.txt"

Once you've done that, double click the runningtasks.bat file you created and you should see a text file on your desktop called tasks. Open it up and post back with the name of the process that has the same PID as the one in the MRT error log. If you aren't running XP Pro or Media Center, you can use MS Sysinternals Process Explorer to find out the name of the process of the listed PID.


I thought it might help if I ran the long scan, and it came up with a lot more scan errors but just one PID number, and that one the tasks file I made points to audiodg.exe; I don't know what that is. The previous PID numbers are not on the tasks file I made though.


Well, if you're running Vista then that process is a normal part of Windows so I wouldn't worry too much about it. Here's some links with a bit more info on what it is and what it does:

http://blogs.msdn.com/larryosterman/archiv...udiodg-exe.aspx

http://www.processlibrary.com/directory/files/audiodg/

As far as why it's having that issue, I'm not sure. It could be that there's a problem with that file/process. Where are the errors coming from, the Event Viewer, a message box or what?


I don't know where they come from; I wouldn't even know there were errors if I hadn't just found the log by accident!

I get this

>Scan ERROR: resource file://C:\System Volume Information\ ...list of numbers ect (quite a few of them)

and these

->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))

->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

and these

->Scan ERROR: resource file://C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl (code 0x00000005 (5))

->Scan ERROR: resource file://C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl (code 0x00000005 (5))

->Scan ERROR: resource file://C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl (code 0x00000005 (5))

->Scan ERROR: resource file://C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl (code 0x00000005 (5))

->Scan ERROR: resource file://C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl (code 0x00000005 (5))

It says it found no infection but still comes up with the errors, so I'm still clueless!


Where's the log located? Never mind, found it. Here are the error codes:

0 = No infection found

1 = OS Environment Error

2 = Not running as an Administrator

3 = Not a supported OS

4 = Error Initializing the scanner. (Download a new copy of the tool)

5 = Not used

6 = At least one infection detected. No errors.

7 = At least one infection was detected, but errors were encountered.

8 = At least one infection was detected and removed, but manual steps are required for a complete removal.

9 = At least one infection was detected and removed, but manual steps are required for complete removal and errors were encountered.

10 = At least one infection was detected and removed, but a restart is required for complete removal

11 = At least one infection was detected and removed, but a restart is required for complete removal and errors were encountered

12 = At least one infection was detected and removed, but both manual steps and a restart is required for complete removal.

13 = At least one infection was detected and removed, but a restart is required. No errors were encountered.

It's strange that it says code 5 is not used.

Error: MemScanGetImagePathFromPid(pid: 552) failed.

0x00000005: Access is denied.

Note: The pid number will vary.

This error message occurs when a process is just starting or when a process has been recently stopped. The only effect is that the process that is designated by the pid is not scanned.

Guess I should've kept reading. It looks like it just means that it couldn't scan those objects. The most likely reason (at least for most of them) is because they are in use or aren't scannable (the errors for hiberfil.sys and pagefile.sys cause this type of error with AV scanners all the time) and the same is most likely true for those etwrt logs because they're constantly being written to by the system so they can't be fully scanned because they're always open/changing. Not sure why it couldn't scan audiodg, but it could be because it's always in use by the system since it's somewhat driver related.

I've scanned using Malwarebytes and Spybot, not to mention AVG, so I'm pretty sure I'm clean!

Plus there are no signs of my computer not working; it's just a bit unnerving that it can't scan some files. I presume that there's no chance these are infected and the infection is stopping them being scanned?


No, like I said, issues with most of those files are pretty typical. It doesn't seem to me that you're infected; I think it's just an issue with MRT. Here's a copy of my own log:

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Mar 20 18:37:37 2009
->Scan ERROR: resource process://pid:512 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:3368 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1256 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1256 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 20 18:39:44 2009

and it appears I have similar issues with it and I know for a FACT that I'm not infected.

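An added example, not part of any post in this thread: a Python sketch that reads an MRT log like the one above and keeps the two number spaces apart, the Win32 error inside each "Scan ERROR" line (5 is access denied, 32 is a sharing violation) and the tool's own "Return code" from the list quoted earlier. The function name `triage` and the sample log (assembled from lines posted in the thread) are constructed for illustration.

```python
import re
from collections import Counter

# Win32 error numbers that appear inside the thread's "Scan ERROR" lines.
WIN32 = {5: "ERROR_ACCESS_DENIED", 32: "ERROR_SHARING_VIOLATION"}
# MRT return codes from the list quoted in the thread.
TOOL_FAILURE = {1, 2, 3, 4}
DETECTION = set(range(6, 14))

SCAN_ERR = re.compile(
    r"Scan ERROR: resource (process|file)://(.+?) "
    r"\(code 0x[0-9A-Fa-f]{8} \((\d+)\)\)")
RETURN_CODE = re.compile(r"^Return code:\s*(\d+)", re.M)

# Constructed sample assembled from lines posted in the thread.
SAMPLE_LOG = r"""
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Mar 20 18:37:37 2009
->Scan ERROR: resource process://pid:512 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1256 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:1256 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))

Results Summary:
----------------
No infection found.

Return code: 0
"""

def triage(log_text):
    """Separate skipped resources (coverage gaps) from the run's verdict."""
    skipped, pids = Counter(), set()
    for kind, target, code in SCAN_ERR.findall(log_text):
        skipped[(kind, WIN32.get(int(code), "win32:" + code))] += 1
        if kind == "process":
            pids.add(int(target.split(":", 1)[1]))
    m = RETURN_CODE.search(log_text)
    rc = int(m.group(1)) if m else None
    return {
        "return_code": rc,
        "detection": rc in DETECTION,
        "tool_failure": rc in TOOL_FAILURE,
        "skipped": dict(skipped),
        "unscanned_pids": sorted(pids),  # look these up with tasklist
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The PIDs it returns are only meaningful while the same processes are still running, which is why the advice earlier in the thread is to run tasklist before rebooting.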

I seem to have several folders in the root of my C drive, with class-ID-like names, that contain different versions/sizes of this executable. System is XP Pro SP3. Should I delete these various entries, or will Microsoft eventually remove them or just continue to add further versions ad infinitum 'til my hard drive fills up?
