Tell users how to restore files removed by MRT


Ian

Guest
I ran mrt.exe even though I scan with norton corporate. It started removing
or modifying thousands of binaries on the system. Email clients, text
editors, countless apps. I've run checksums on several of these binaries
against the publishers' hashes and they are all identical.

So how the hell do I restore/undo MRT's actions? All I can find in the KB
articles about MRT is that everything is in a log and that MRT "may not be
able to" undo the actions to some files.

If you really can restore or undo what MRT suggests as the KB hints, how the
hell do you do it?! And don't say "system restore point". This should
definitely be posted on your monthly updated KB article guys! Don't you think?

To give you an example, it deleted a multitude of binaries in the VS.NET 8.0
PF group.

----------------
This post is a suggestion for Microsoft, and Microsoft responds to the
suggestions with the most votes. To vote for this suggestion, click the "I
Agree" button in the message pane. If you do not see the button, follow this
link to open the suggestion in the Microsoft Web-based Newsreader and then
click "I Agree" in the message pane.

http://www.microsoft.com/communitie...53ae70cb5d&dg=microsoft.public.security.virus
 
Re: Tell users how to restore files removed by MRT

MRT does not remove those type of files. Every you have updated this tool it has run and has probably done no harm. Open the start panel of MRT and see which names of malware's it does remove. Not even close to Binaries.

If those (Binaries) were removed then check another source maybe even Norton or your computer. Also your system can be already infected as I believe

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Ian" <Ian@discussions.microsoft.com> wrote in message news:9920D664-1950-4ED8-8C25-9653AE70CB5D@microsoft.com...
>I ran mrt.exe even though I scan with norton corporate. It started removing
> or modifying thousands of binaries on the system. Email clients, text
> editors, countless apps. I've run checksums on several of these binaries
> against the publishers' hashes and they are all identical.
>
> So how the hell do I restore/undo MRT's actions? All I can find in the KB
> articles about MRT is that everything is in a log and that MRT "may not be
> able to" undo the actions to some files.
>
> If you really can restore or undo what MRT suggests as the KB hints, how the
> hell do you do it?! And don't say "system restore point". This should
> definitely be posted on your monthly updated KB article guys! Don't you think?
>
> To give you an example, it deleted a multitude of binaries in the VS.NET 8.0
> PF group.
>
> ----------------
> This post is a suggestion for Microsoft, and Microsoft responds to the
> suggestions with the most votes. To vote for this suggestion, click the "I
> Agree" button in the message pane. If you do not see the button, follow this
> link to open the suggestion in the Microsoft Web-based Newsreader and then
> click "I Agree" in the message pane.
>
> http://www.microsoft.com/communitie...53ae70cb5d&dg=microsoft.public.security.virus
 
Re: Tell users how to restore files removed by MRT

Binaries can contain malicious code. That's why they are scanned for patterns
within the code by scanning utilities. I think you're confusing names of
infections with file types. If it didn't remove exe files, why would it scan
them? If you don't think binary files are susceptible to infection, perhaps
you shouldn't be posting here? MRT definitely touched those type of files.
The binaries are specifically mentioned in the mrt.log. I'm very aware of
what norton and windows defender are doing, and they have not touched said
binaries.

"Every you have updated this tool it has run and has probably done no harm."
That's a bold statement. Software is hardly infallible. Search the archives
of this forum to see where users helped Microsoft uncover bugs in this very
tool.

What's disconcerting is that both Defender and NAV don't hit on any of the
10,629 files that MRT touched. Even Internet Explorer and Outlook
Express/MSNIM were broken after the scan.

In any case, this doesn't change the fact that MRT doesn't backup files it
modifies. It could at least be an option or cmd line switch.

"Peter Foldes" wrote:

> MRT does not remove those type of files. Every you have updated this tool it has run and has probably done no harm. Open the start panel of MRT and see which names of malware's it does remove. Not even close to Binaries.
>
> If those (Binaries) were removed then check another source maybe even Norton or your computer. Also your system can be already infected as I believe
>
> --
> Peter
>
> Please Reply to Newsgroup for the benefit of others
> Requests for assistance by email can not and will not be acknowledged.
>
 
Re: Tell users how to restore files removed by MRT

MRT would not report on Binaries and it will leave them alone and definitely not remove them unless they are infected with one of MRT's listed malware that it checks for

In your place I would be looking at Norton with a long hard look.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Ian" <Ian@discussions.microsoft.com> wrote in message news:7DAA9493-5492-4163-99DA-DA0F4741932D@microsoft.com...
> Binaries can contain malicious code. That's why they are scanned for patterns
> within the code by scanning utilities. I think you're confusing names of
> infections with file types. If it didn't remove exe files, why would it scan
> them? If you don't think binary files are susceptible to infection, perhaps
> you shouldn't be posting here? MRT definitely touched those type of files.
> The binaries are specifically mentioned in the mrt.log. I'm very aware of
> what norton and windows defender are doing, and they have not touched said
> binaries.
>
> "Every you have updated this tool it has run and has probably done no harm."
> That's a bold statement. Software is hardly infallible. Search the archives
> of this forum to see where users helped Microsoft uncover bugs in this very
> tool.
>
> What's disconcerting is that both Defender and NAV don't hit on any of the
> 10,629 files that MRT touched. Even Internet Explorer and Outlook
> Express/MSNIM were broken after the scan.
>
> In any case, this doesn't change the fact that MRT doesn't backup files it
> modifies. It could at least be an option or cmd line switch.
>
> "Peter Foldes" wrote:
>
>> MRT does not remove those type of files. Every you have updated this tool it has run and has probably done no harm. Open the start panel of MRT and see which names of malware's it does remove. Not even close to Binaries.
>>
>> If those (Binaries) were removed then check another source maybe even Norton or your computer. Also your system can be already infected as I believe
>>
>> --
>> Peter
>>
>> Please Reply to Newsgroup for the benefit of others
>> Requests for assistance by email can not and will not be acknowledged.
>>
 
Re: Tell users how to restore files removed by MRT

From: "Ian" <Ian@discussions.microsoft.com>

| I ran mrt.exe even though I scan with norton corporate. It started removing
| or modifying thousands of binaries on the system. Email clients, text
| editors, countless apps. I've run checksums on several of these binaries
| against the publishers' hashes and they are all identical.

| So how the hell do I restore/undo MRT's actions? All I can find in the KB
| articles about MRT is that everything is in a log and that MRT "may not be
| able to" undo the actions to some files.

| If you really can restore or undo what MRT suggests as the KB hints, how the
| hell do you do it?! And don't say "system restore point". This should
| definitely be posted on your monthly updated KB article guys! Don't you think?

| To give you an example, it deleted a multitude of binaries in the VS.NET 8.0
| PF group.

If the "binaries" were infected by a virus by appending, prepending, etc., and the viral
component could NOT be removed then the files will be deleted.

If the "binaries" were trojanized by appending, prepending, etc., and the added malware
component could NOT be removed then the files will be deleted.

The Malicious Software Removal Tool (MRT) Log is at...

C:\WINDOWS\Debug\mrt.log

Please post the excerpts from the log around the date in which this occurred (presumably
Oct. 2008).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
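
Added example, not part of any post in this thread: one way to pull the October 2008 excerpts out of `C:\WINDOWS\Debug\mrt.log`, as requested in the reply above. It assumes each MRT run is logged as a block containing a `Started On <weekday> <month> <day> <time> <year>` line preceded by a banner line; the sample log and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Assumed layout (not shown on this page): every run has a "Started On ..." line.
STARTED = re.compile(r"^Started On (\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$")

# Constructed sample, not a real log.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool (constructed sample)
Started On Tue Sep 09 21:14:02 2008
Results Summary:
No infection found.
Return code: 0 (0x0)

Microsoft Windows Malicious Software Removal Tool (constructed sample)
Started On Wed Oct 15 08:30:45 2008
Results Summary:
<constructed placeholder for per-file result lines>
Return code: <placeholder>
"""

def read_log(path):
    """Read the log, decoding UTF-16 when a BOM is present, else UTF-8."""
    raw = open(path, "rb").read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def split_runs(text):
    """Return [(start_datetime, block_text), ...], one entry per logged run."""
    runs, preamble = [], []
    for line in text.splitlines():
        m = STARTED.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse padded day numbers
            when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            prev = runs[-1][1] if runs else preamble
            # The banner line just above "Started On" belongs to the new run.
            banner = [prev.pop()] if prev and prev[-1].strip() else []
            runs.append((when, banner + [line]))
        else:
            (runs[-1][1] if runs else preamble).append(line)
    return [(when, "\n".join(lines).strip()) for when, lines in runs]

def excerpts_for_month(text, year, month):
    """Blocks for runs that started in the given month, ready to paste."""
    return [b for when, b in split_runs(text)
            if (when.year, when.month) == (year, month)]

if __name__ == "__main__":
    print("\n\n".join(excerpts_for_month(SAMPLE_LOG, 2008, 10)))
```

On a real system, pass `read_log(r"C:\WINDOWS\Debug\mrt.log")` instead of `SAMPLE_LOG`.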
 