• Problem with M’soft Safety Scanner used with W8.1


    • This topic has 19 replies, 6 voices, and was last updated 1 year ago.
    #2618498

    The situation began early this new year week (2024) when Windows Defender flagged a quarantined/detected trojan (Trojan:HTML/Phish!pz).  Like Santa I sprang into action, wiped the sweat from my brow and began to investigate.  Looked up what the trojan is and began several scans of Defender with latest updates and watched the quarantined/detected boxes fill with hits.  Removed all detections, repeated Defender scans and removed new hits, and since yesterday (Jan 4) no indications of the trojan have appeared with Defender.  I’ve run a couple of scans using Malwarebytes Premium with no positives.

    I’ve also used Microsoft Safety Scanner, standalone, maybe five runs now with the latest download and it operates three hours plus each run – the stats keep piling up but then quits and the only indications I see are the scanner indicates full scan in progress and the elapsed time continues to register.  I’ve waited several hours after the first indication of stoppage on some runs but the scan never finishes.  I’ve also put the PC into safe mode and run two scans but have the same result.  No finish reported.

    Currently running an ESET online scan and it’s too early into the scan for any result.

    Does anyone have an idea why M’soft Safety Scanner is behaving this way?  I have used the scanner in the past, it’s been a couple of years since last time, and it always played well but what gives now.  Appreciate any commentary and thank you.

    Bill T

    • #2618509

      Bill, have you tried looking at the log for the Microsoft Safety Scanner? It should be located in the \Windows\debug folder, and the file name is msert.log.

      Please do not confuse that file with the file “mrt.log” which is the log for the usually monthly version of the Malicious Software Removal Tool. That’s why I put the file name in bold for the one you’re looking for.

      The msert.log can give an idea of just why it seemed to grind to a halt after running for those few hours. Please let us know what you find.

      • #2618522

        Bob99,

        Yes I did and just finished viewing the log.  I forgot to retrieve the log after reading I should do that very thing when I read the scanner download page the first day, Jan 3.  The log does show that Jan 3 and Jan 4 scans did complete and either the MAPS report or the Heartbeat report or both were successfully submitted depending which scan.  The Jan 5 scans show no reports were successfully submitted.  Had I remembered to check the log I may not have had to post on the subject.  But not getting any final finish to the scan in real time still makes me wonder why that didn’t happen.

        • #2618523

          More importantly, does the log show any detections by the tool?

          Look at the start and end times of the log entries, and that will tell you just how long it really ran. I took a look at a left-over log I have from back in 2021, and it performed 3 scans for me in a two hour time span on one day. Each scan took just over 2 minutes from start to finish according to the log, complete with both heartbeat and MAPS reports submitted each time.

          But not getting any final finish to the scan in real time still makes me wonder why that didn’t happen.

          Pure speculation here: Due to the time of year, perhaps the latest version (which is only good for 10 days after downloading it) was “rushed out the door” without adequate quality checks to make sure it runs exactly as it should, down to a fully functional UI?

          Hopefully, there’s a real reason why it acted the way it did with regards to what you saw when it was running.

          • #2618549

            Here’s the result from a scan:

            Microsoft Safety Scanner v1.403, (build 1.403.1643.0)
            Started On Thu Jan 4 14:07:33 2024

            Engine: 1.1.23110.2
            Signatures: 1.403.1643.0
            MpGear: 1.1.16330.1
            Run Mode: Interactive Graphical Mode

            Results Summary:
            —————-
            No infection found.
            Successfully Submitted MAPS Report
            Successfully Submitted Heartbeat Report
            Microsoft Safety Scanner Finished On Thu Jan 4 14:17:20 2024

            Return code: 0 (0x0)

            _______________________________________________________

            Looking closer, as you mentioned, I see run times are very short compared to elapsed times shown during the scan.  And I see error codes on scans from today that I’ll look at later.

            The ESET online scanner finished and found two suspects which it deleted and in the last ten minutes or so Defender was getting hits from the trojan starting at 8:32P through 8:36P CSTime.  After being quiet all day the trojan was awakened.  This is nuts!  Thanks, Bob99.
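            An added example, not posted by anyone in this thread: a small Python script that reads msert.log in the layout quoted above and reports, per run, when it started, whether it actually finished (a run with no “Finished On” line and no return code never completed, whatever the progress window showed), how long it really took, the return code, and whether the MAPS and Heartbeat reports went out. The sample log embedded in the script is constructed for the demo (the timestamps, the non-zero return code and the unfinished third run are invented, not taken from the poster’s machine), and the log file is assumed to be UTF-8 text.

```python
"""Summarise runs recorded in Microsoft Safety Scanner's log (C:\\Windows\\debug\\msert.log)."""
from __future__ import annotations

import re
import sys
from datetime import datetime
from pathlib import Path

# Constructed sample in the layout shown in the thread (three runs). The timestamps,
# the non-zero return code and the unfinished third run are made up for the demo.
SAMPLE_LOG = """\
Microsoft Safety Scanner v1.403, (build 1.403.1643.0)
Started On Thu Jan  4 14:07:33 2024

Engine: 1.1.23110.2
Signatures: 1.403.1643.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Jan  4 14:17:20 2024

Return code: 0 (0x0)
Microsoft Safety Scanner v1.403, (build 1.403.1643.0)
Started On Fri Jan  5 09:02:11 2024

Engine: 1.1.23110.2
Signatures: 1.403.1643.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Fri Jan  5 09:06:40 2024

Return code: 1 (0x1)
Microsoft Safety Scanner v1.403, (build 1.403.1643.0)
Started On Fri Jan  5 13:40:02 2024

Engine: 1.1.23110.2
Signatures: 1.403.1643.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode
"""

RUN_BOUNDARY = re.compile(r"(?m)^(?=Microsoft Safety Scanner v)")
STARTED = re.compile(r"^Started On (.+)$", re.M)
FINISHED = re.compile(r"^Microsoft Safety Scanner Finished On (.+)$", re.M)
RETURN_CODE = re.compile(r"^Return code: (-?\d+) \((0x[0-9A-Fa-f]+)\)$", re.M)
VERSION = re.compile(r"Microsoft Safety Scanner v([\d.]+), \(build ([\d.]+)\)")
# Lines the tool writes on a clean, fully reported run; anything else is its own verdict text.
STATUS_LINES = {
    "No infection found.",
    "Successfully Submitted MAPS Report",
    "Successfully Submitted Heartbeat Report",
}


def _ts(text: str) -> datetime:
    # ctime()-style stamps, with a padding space before single-digit days.
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")


def _summary_lines(block: str) -> list[str]:
    """Lines between 'Results Summary:' and the Finished / Return code lines."""
    lines, collecting = [], False
    for line in block.splitlines():
        if line.startswith("Results Summary:"):
            collecting = True
        elif collecting:
            if line.startswith(("Microsoft Safety Scanner Finished", "Return code")):
                break
            if line.strip() and set(line.strip()) != {"-"}:
                lines.append(line.strip())
    return lines


def parse_msert_log(text: str) -> list[dict]:
    """One dict per run, in file order. A run with no Finished line never completed."""
    runs = []
    for block in RUN_BOUNDARY.split(text):
        start = STARTED.search(block)
        if not start:
            continue  # leading whitespace or a separator, not a run
        started = _ts(start.group(1))
        fin = FINISHED.search(block)
        finished = _ts(fin.group(1)) if fin else None
        rc = RETURN_CODE.search(block)
        ver = VERSION.search(block)
        summary = _summary_lines(block)
        runs.append({
            "version": ver.group(1) if ver else None,
            "signatures": ver.group(2) if ver else None,
            "started": started,
            "finished": finished,
            "completed": finished is not None and rc is not None,
            "duration_s": int((finished - started).total_seconds()) if finished else None,
            "return_code": int(rc.group(1)) if rc else None,
            "clean": "No infection found." in summary,
            "maps_submitted": "Successfully Submitted MAPS Report" in summary,
            "heartbeat_submitted": "Successfully Submitted Heartbeat Report" in summary,
            "findings": [line for line in summary if line not in STATUS_LINES],
        })
    return runs


def describe(run: dict) -> str:
    when = run["started"].strftime("%Y-%m-%d %H:%M:%S")
    if not run["completed"]:
        return f"{when}  DID NOT FINISH (no 'Finished On' line / return code in the log)"
    verdict = "clean" if run["clean"] else "FINDINGS: " + "; ".join(run["findings"])
    telemetry = f"MAPS={'y' if run['maps_submitted'] else 'n'} heartbeat={'y' if run['heartbeat_submitted'] else 'n'}"
    return f"{when}  {run['duration_s']:>5}s  rc={run['return_code']}  {verdict}  {telemetry}"


if __name__ == "__main__":
    # Default is where the tool writes on Windows; pass another path, or --demo for the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\debug\msert.log"
    text = SAMPLE_LOG if path == "--demo" else Path(path).read_text(encoding="utf-8", errors="replace")
    for run in parse_msert_log(text):
        print(describe(run))
```

            The two “Successfully Submitted” lines only say that telemetry reached Microsoft; the verdict is whatever else appears under Results Summary, so the script keeps those lines separate from the clean/submitted flags.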


            • #2618939

              The ESET online scanner finished and found two suspects which it deleted and in the last ten minutes or so Defender was getting hits from the trojan starting at 8:32P through 8:36P CSTime. After being quiet all day the trojan was awakened.

              Since it sounds like it came back, what have you been able to do as far as further scanning to hopefully eradicate it?

              I’ve run a couple of scans using Malwarebytes Premium with no positives.

              Exactly what type of scans were these with Malwarebytes (MB), as the program has different scans that it and you can run? For scanning with MB, what are your settings under the Security>Scan options and Security>Potentially unwanted items areas?

              Since this piece of junk seems to have reappeared after allegedly being successfully eradicated, perhaps one of your programs that you routinely use and that connects to the internet has become infected. One possible path of infection is adding a browser toolbar or browser helper extension to your browser of choice. Some web sites have been known to try to install these things upon someone’s visit to their site, even though the visitor hasn’t knowingly clicked on a thing on the site.

            • #2618964

              Bob99,

              Since it sounds like it came back, what have you been able to do as far as further scanning to hopefully eradicate it?

              Today (Jan 6) I’ve done a Defender scan in Safe Mode with Networking and it finished clean.  Before that checked Defender history a few times today but found nothing of note.

              Exactly what type of scans were these with Malwarebytes (MB), as the program has different scans that it and you can run? For scanning with MB, what are your settings under the Security>Scan options and Security>Potentially unwanted items areas?

              I’ve run the threat scan when using MBytes and regarding potentially unwanted items I’ve set to always detect PUPs and PUMs.  Also with MBytes all real time protection is checked and MBytes runs the threat scan once p/day checking for updates once p/hour.

              There have been no changes to my FFox browser toolbar or extensions in months and so far no indication of any add-on crap.  I still need to check error codes more closely to some of the M’soft scanner runs.  Currently, all is quiet.  Thanks for your input.


            • #2618967

              You’re welcome for the input! But, I still have a question. Under the Security>Scan options area, exactly which sliders are turned on? That can make a difference in scan results.

              Also, do you have any recent additions to the Allow List in Malwarebytes?

              P.S. Good to hear that today’s been a quiet one so far!

            • #2618975

              Under the Security>Scan options area, exactly which sliders are turned on?

              All are selected; scan for rootkits, scan within archives, use AI to detect threats.

              do you have any recent additions to the Allow List in Malwarebytes?

              No changes to the allow list in years.


            • #2619160

              Although I’m using the free version of MB instead of the paid version, I have a fourth item in that setting area that’s labeled “Use expert system algorithms to identify malicious files” which is located right beneath the choice for using AI to detect threats and is also turned on. Is this the case for your installation of MB Premium?

              I’m hoping that it’s been a quiet weekend since the last eradication crapware-wise!

    • #2619203

      Hey Bob99,

      “Use expert system algorithms to identify malicious files”

      Go to the link and the fourth post down where we both learned new info.  The five posts on the page are helpful.

      https://forums.malwarebytes.com/topic/304700-security-settings-use-expert-system-algorithms-to-identify-malicious-file/


      I played with the problem earlier today and right after I logged on the PC the trojan struck with four Defender hits pointing to numerous individual files, close to 20, in a FFox default folder, one of two default files.  I went to the cache file where they were stored but because Defender quarantined them they were deleted from the cache already.  Later I decided to close out my home page that displays twelve tabs when it opens.  These range from Ask Woody to two news pages, two weather pages, a couple of streaming news pages, etc.  I thought I’d open each one individually on startup versus en-masse and maybe find a culprit opening each one over time possibly taking a few days to see if Defender reacts on a particular page.  I deleted restore points in case the bastard is buried in one of them.  Also I looked online about the trojan and found this: https://connect.mozilla.org/t5/discussions/microsoft-defender-reporting-trojan-html-phish-pz-threat-with/m-p/48020/highlight/true/page/2

      A number of mentions of the trojan possibly being a false positive but for sure this saga started late in 2023.

      That’s the scoop for now.  I’ll be watching and testing and checking but for the coming week this will be on the back burner as “The Man”, you know about “The Man”, has summoned me to report for jury duty at 9:00 am in the AM.  So long.  Come back on your take on the links posted here.

      Bill T

      • #2619211

        Nice read, that Malwarebytes (MB) support forum link! I’d no idea that they wanted to keep that option off by default! I remember seeing it after an update in the past, but I immediately turned it on and never gave it a second thought. I’ve never had any issues at all with MB because of having it turned on either!

        An update was released back on November 30th that takes the component package version from 2189 to 2201. It is supposed to have some bug fixes in it, and perhaps one of them will fix the issue that @lmacri was having at the time of the post in that thread on the MB support forum. Perhaps the update fixed the issue, but we’ll only know if we see a post from lmacri here.

        With respect to your continued troubleshooting, you’re already doing what my next suggestion was going to be…start looking at your recent history of websites to see if one of them had become infected thereby making you pick up the Trojan every time you visit the site without an existing infection on your machine. For now, I doubt it’s a false positive as some are seeming to claim in the Mozilla support forum you linked to.

        The best overall way to find the offending site with the infection would be to develop a written list of ALL the sites that load when FF starts. Make sure you copy the ENTIRE length of the URLs, not just the basic site’s name. Then, proceed to check each one on Virustotal to see if any of the 70 or so anti-crapware engines gets a hit off of that site. In case you need it, here’s a link to it: https://www.virustotal.com/gui/home/url.

        The alternative to submitting each one to Virustotal would be to try and check each one of them yourself by 1. Eradicating the Trojan. 2. Getting FF loaded. 3. Stopping all of the pages from loading at FF’s startup. 4. Purging FF’s cache completely. 5. Eradicating any new infection that may have occurred as a result of an infected page loading at FF’s startup. (and the list goes on and on). The overall goal is to eradicate any infection and then check each site one at a time by loading it into FF and see if that produces a hit from Defender for the Trojan. Each site would have to be loaded by itself with NO other pages open at the same time as it. The procedure can be trying on the patience and quite time consuming.

        Much easier if you submit each page’s URL to Virustotal and let them do the work. BTW, Defender is on the list of anti-crapware suites that Virustotal uses to screen websites with, so you’re covered there!

        From the sounds of things, this procedure might just take a bit due to your jury duty summons, so take it in pieces, bit by bit. I’m confident you’ll flesh out the offender and vanquish the crapware that’s repeatedly infecting you.

        When you do find the offending site, please let us know here, but don’t post a link to it for obvious reasons. If it seems like it might be a popular site with others who frequent AskWoody, please put a warning up for everyone in the Code Red forum here so we’ll know to steer clear of the site in our daily surfing.

        EDIT/UPDATE: After further reading of ALL of the posts on that Mozilla forum linked to above, which includes ones posted yesterday evening and today throughout the day, the consensus on that forum seems to be leaning indeed towards a false positive. BUT there are several indications of it possibly having something to do with a specific web hosting service that’s very popular. There are also a few posts indicating that Defender has flagged the same piece of alleged crapware in Chrome’s cache as well. Their suggested way to avoid having this alert from Defender is to have FF purge its cache completely upon being shut down, as the alerts most ALL seemed to come from FF’s cache files that remain on the drive after it’s shut down. Both MS and Mozilla have been sent reports by a few of the more prominent forum members of that Mozilla forum, and there are reports on that forum that Mozilla is indeed looking into it.
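        An added example, not from any poster here, that covers two suggestions in the post above: making the list of everything Firefox opens at startup (with the full URLs) for a VirusTotal check, and making Firefox discard its cache on exit so the flagged cache files do not linger. The Python script reads a profile’s prefs.js, splits the pipe-separated browser.startup.homepage value into individual URLs, builds the VirusTotal v3 lookup for each (the API identifies a URL by its unpadded base64url encoding and wants the key in an x-apikey header; it only goes online if VIRUSTOTAL_API_KEY is set), and can write a user.js that sets privacy.sanitize.sanitizeOnShutdown and privacy.clearOnShutdown.cache. The prefs.js excerpt is constructed; the profile path, the script name and the --write-user-js switch are this example’s own. Check in about:config that those pref names exist in your Firefox version, and edit user.js only while Firefox is closed, since it is read at launch and overrides prefs.js.

```python
"""List the pages Firefox opens at startup, derive their VirusTotal v3 URL ids, and
(optionally) emit user.js prefs that make Firefox discard its cache on exit."""
from __future__ import annotations

import base64
import json
import os
import re
import sys
import urllib.request
from pathlib import Path

# One prefs.js / user.js line:  user_pref("name", value);   value is JSON-like.
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Constructed excerpt in prefs.js layout; not the poster's profile.
SAMPLE_PREFS = """\
user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "https://www.askwoody.com/|https://news.example/|https://weather.example/radar?loc=12345");
user_pref("privacy.sanitize.sanitizeOnShutdown", false);
"""

# Prefs that clear the disk cache when Firefox exits (the first one switches the feature on).
CLEAR_CACHE_ON_EXIT = {
    "privacy.sanitize.sanitizeOnShutdown": True,
    "privacy.clearOnShutdown.cache": True,
}


def read_prefs(text: str) -> dict:
    """Parse user_pref lines into a dict; JSON decoding turns 1 / true / "x" into int / bool / str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                prefs[m.group(1)] = m.group(2)  # keep anything exotic verbatim
    return prefs


def startup_urls(prefs: dict) -> list[str]:
    """Firefox stores several home pages as one '|'-separated string; keep the full URLs."""
    return [u for u in prefs.get("browser.startup.homepage", "").split("|") if u]


def vt_url_id(url: str) -> str:
    """VirusTotal v3 addresses a URL by its base64url encoding with '=' padding removed."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def vt_request(url: str, api_key: str) -> urllib.request.Request:
    """Build the GET /api/v3/urls/{id} request; sending it is left to the caller."""
    return urllib.request.Request(
        f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def with_prefs(user_js: str, new: dict) -> str:
    """Return user.js text with every pref in `new` present exactly once."""
    kept = []
    for line in user_js.splitlines():
        m = PREF_LINE.match(line)
        if not (m and m.group(1) in new):
            kept.append(line)  # drop older copies of the prefs we are setting
    kept += [f'user_pref("{k}", {json.dumps(v)});' for k, v in new.items()]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: python ff_startup_audit.py <profile dir> [--write-user-js]   (no args: demo on SAMPLE_PREFS)
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    text = (profile / "prefs.js").read_text(encoding="utf-8") if profile else SAMPLE_PREFS
    prefs = read_prefs(text)
    print("browser.startup.page =", prefs.get("browser.startup.page"))
    api_key = os.environ.get("VIRUSTOTAL_API_KEY", "")
    for url in startup_urls(prefs):
        req = vt_request(url, api_key)
        print(f"{url}\n    {req.full_url}")
        if api_key:  # only go online when a key is supplied
            with urllib.request.urlopen(req, timeout=30) as resp:
                print("    ", json.load(resp)["data"]["attributes"]["last_analysis_stats"])
    if profile and "--write-user-js" in sys.argv:
        user_js = profile / "user.js"
        old = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
        user_js.write_text(with_prefs(old, CLEAR_CACHE_ON_EXIT), encoding="utf-8")
        print("wrote", user_js)
```

        The lookup is built but not sent unless a key is present, so the script can be run offline first to confirm the URL list (query strings included) is what you expect before submitting anything.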

    • #2666852

      Sorry to jump in here so late (today is May 2, 2024, 4:36 PM Pacific Coast time).

      I tried Microsoft Safety Scanner today on Win10 22H2.

      I don’t understand this apparent error.  While running, it reported this:

      “Files Infected:  20”

      … before it finished.

      BUT, the log file “msert.log” contained only the following:

      NB:  “No infection found”  (???)

      ---------------------------------------------------------------------------------------
      Microsoft Safety Scanner v1.409, (build 1.409.642.0)
      Started On Thu May  2 10:31:06 2024
      
      Engine: 1.1.24030.4
      Signatures: 1.409.642.0
      MpGear: 1.1.16330.1
      Run Mode: Interactive Graphical Mode
      
      Results Summary:
      ----------------
      No infection found.
      Successfully Submitted MAPS Report
      Successfully Submitted Heartbeat Report
      Microsoft Safety Scanner Finished On Thu May  2 11:26:05 2024
      
      Return code: 0 (0x0)
    • #2666868

      cf. “the tool will provide you with a report”

      [screenshot: Microsoft.Safety.Scanner.screenshot.2.annotated]

      BUT, after completing, the tool reports:

      “no virus, spyware, or other potentially unwanted software were detected”

      [screenshot: Microsoft.Safety.Scanner.screenshot.3.annotated]

      Here are the contents of C:\Windows\debug\msert.log

      NB:  “no infection found”

      ---------------------------------------------------------------------------------------
      Microsoft Safety Scanner v1.409, (build 1.409.642.0)
      Started On Thu May  2 16:20:02 2024
      
      Engine: 1.1.24030.4
      Signatures: 1.409.642.0
      MpGear: 1.1.16330.1
      Run Mode: Interactive Graphical Mode
      
      Results Summary:
      ----------------
      No infection found.
      Successfully Submitted MAPS Report
      Successfully Submitted Heartbeat Report
      Microsoft Safety Scanner Finished On Thu May  2 17:15:59 2024
      
      
      Return code: 0 (0x0)

      • #2667658

        I see the same sort of thing happening every time I run the Microsoft Malicious Software Removal Tool: a number of files will be said to be “infected”, but when the scan finishes, it turns out that no infections were found (?!).

        • #2667795

          I did system and database programming for a living, prior to 1990.

          This is a total mystery to me, based on that experience:

          If/whenever a utility program detects some anomaly, it SHOULD log what it detected in plain language that facilitates troubleshooting.

          What is a “MAPS Report”?

          What is a “Heartbeat Report”?

          It claims both were “Successfully submitted”.  Does that mean both “Reports” were submitted to Microsoft, but NOT stored anywhere on our PC here?

          Are those 2 Reports documented somewhere at the MS main website?

          Why should anyone need to ask that question in the first place??

          This kind of stuff is what drives me up the wall with MS in general.

          I honestly do NOT know how Susan Bradley puts up with all of the problems she skillfully documents with Windows Update.

          And, I’m very grateful for this Forum:  many contributors here have enormous amounts of experience that newly hired MS programmers simply cannot have.

          • #2667799

            Google site:microsoft.com “Microsoft Safety Scanner” “Heartbeat Report”

            finds e.g.:

            https://answers.microsoft.com/en-us/windows/forum/all/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3

            This speaks volumes:

            “the operation of all of these Microsoft scanners is really far more complex and deep than most people understand”

            Allow me to translate:  MS programmers are just smarter than everyone else in the vast world of computing, so don’t ask us to explain something you will never understand.

            Is that arrogance, or something else?  We IT “idiots” out here have learned nothing after beginning with computers in 1971 (first year of grad school).  TILT!

            On the merits, this software must be searching for malware inside .cab and .zip files, which would explain its file counter i.e. over one million on the one PC we tested.

            But, when I do this in Command Prompt:

            C:

            cd \

            dir /s >E:\dirlist.txt

            … at the very end it reported less than 400,000 discrete NTFS files.

            • #2667824

              It’s a mystery. If we counted all the files contained inside those .cab and .zip files, would it add up to the million files it claimed to have scanned?
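              An added example, not from either poster, that answers the question above the only way it can be answered: by counting. The Python script walks a tree and reports two numbers, the file entries on disk (what `dir /s` totals) and the members found inside .zip files, descending into zips nested in zips up to a fixed depth. It builds a small constructed tree in a temporary directory when run without arguments; point it at a real root (such as C:\, which is slow and should be run elevated) to compare against the scanner’s counter. Python’s standard library has no .cab reader, so .cab files are counted as single entries here; whether the scanner counts archive members at all is the thread’s hypothesis, not something this script proves.

```python
"""Count files the way `dir /s` does (NTFS entries) and the way an archive-aware
scanner might (adding members found inside .zip files, nested zips included)."""
from __future__ import annotations

import io
import os
import sys
import tempfile
import zipfile
from pathlib import Path

MAX_NESTING = 3  # stop descending into zips-inside-zips beyond this depth (zip-bomb guard)


def zip_members(src, depth: int = 0) -> int:
    """Regular-file members of a zip; `src` is a path or a file-like object."""
    total = 0
    try:
        with zipfile.ZipFile(src) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                total += 1
                if depth < MAX_NESTING and info.filename.lower().endswith(".zip"):
                    # Nested archive: read it into memory and count its members too.
                    total += zip_members(io.BytesIO(zf.read(info)), depth + 1)
    except (zipfile.BadZipFile, OSError):
        pass  # a .zip that is not one, or unreadable: it still counted as 1 entry on disk
    return total


def count_files(root) -> tuple[int, int]:
    """(entries on disk, members inside zips) for the tree under `root`."""
    on_disk = in_archives = 0
    for dirpath, _dirs, files in os.walk(root):  # os.walk silently skips dirs it cannot read
        for name in files:
            on_disk += 1
            if name.lower().endswith(".zip"):
                in_archives += zip_members(Path(dirpath, name))
    return on_disk, in_archives


def build_sample(root) -> Path:
    """Constructed tree: 3 loose files + pack.zip (2 files + inner.zip holding 2 more)."""
    root = Path(root)
    for name in ("a.txt", "b.dll", "c.log"):
        (root / name).write_text("x")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("n1.txt", "1")
        z.writestr("n2.txt", "2")
    with zipfile.ZipFile(root / "pack.zip", "w") as z:
        z.writestr("p1.txt", "1")
        z.writestr("docs/p2.txt", "2")
        z.writestr("inner.zip", inner.getvalue())
    return root


def demo() -> tuple[int, int]:
    """Run the count on the constructed tree: 4 entries on disk, 5 inside archives."""
    with tempfile.TemporaryDirectory() as tmp:
        return count_files(build_sample(tmp))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. C:\  (slow; run elevated)
    on_disk, in_archives = count_files(root) if root else demo()
    print(f"{on_disk} file entries on disk, {in_archives} more inside .zip archives, "
          f"{on_disk + in_archives} total an archive-aware scanner might report")
```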

            • #2667836

              Q:  “would it add up to the million files it claimed to have scanned?”

              A:  excellent question!

              This next idea may be totally irrelevant;  nevertheless, I’m still suspecting that a one-bit decay may have happened in an OS file on the KingSpec SSD that came with that refurb HP workstation.

              The mistake I made was failing to order a Samsung or Western Digital SSD to host Windows 10 x64.  It’s no big deal to migrate C: to one of the latter.

              The other factor of concern is that I had not started that PC for more than one week.

              An experiment I have not seen anywhere on the Internet (not yet, anyway):

              (1) wire 4 identical 2.5″ SSDs to a quality RAID controller and format in JBOD mode

              (2) 1 of 4 and 2 of 4 are powered normally i.e. at SHUTDOWN SATA power goes OFF

              (3) 3 of 4 and 4 of 4 are ALWAYS ON powered 24/7 by an AT-style PSU that is powered 24/7 by a quality UPS

              (4) whenever this experimental PC is STARTED, ideally during normal 8-to-5 working hours M-F, run a custom program coded to perform the exact same I/O to all 4 SSDs formatted as JBOD e.g. XCOPY will work nicely for this experiment

              (5)  this custom program could be a simple BATCH file that repeatedly copies typical data sets back and forth between pairs of SSDs e.g. from 1 to 2, from 1 to 3, from 1 to 4, from 2 to 1, from 2 to 3, from 2 to 4, etc. so that at day’s end, all 4 SSDs have done the same amount of I/O with the exact same data sets

              (6)  said BATCH file would include normal “rest” periods e.g. running SLEEP for 5 seconds, to allow SSD caches to be flushed routinely to NAND flash cells

              (7) at the end of a long period of time, e.g. 6 to 12 months, perform a detailed forensic examination of all 4 SSDs, looking for any significant differences.

              The focus of that forensic examination is to determine if keeping quality SSDs powered ON 24/7 makes any differences in errors, performance, reliability etc.

              p.s.  If anyone here knows about such an experiment that has already been done, I would love to read the results.  THANKS!

    • #2668352

      I wouldn’t touch an app that automatically removes software it finds as malware (including false positive) as there is no pre-notification.
      The software will probably erase all Nir Sofer’s apps.
