Solved Malicious Software Removal Tool - Does it create logs?

[Mellon Head]

I ran the newest Malicious Software Removal Tool from the latest batch of Windows updates yesterday. Since I have a lot of files in ran into the wee hours. It showed 5 infections when I went to bed, and I expected it to be still going this morning, but when I went to look this morning, MRT.exe was no longer running.

The Event Viewer shows a number of errors around 4:00 AM with files and programs that should not even have been running. I suspect that this is when MRT.exe shut down, though it doesn't show in the event log as shutting down.

Does the Malicious Software Removal Tool create logs of any kind as it works? If so, where can I find them?

Any help gratefully received.

 

[johnhoh]

search your hard drive for mrt.log

 

[mjf]

The mrt.log should be in c:\windows\debug

When I ran mrt.exe manually on c: it took ~30min and I saw 7 infections accumulate as it was running. When it finished it reported no malicious software detected. The log file stated "no infection found" along with all of the previous automatic msrt runs stating "no infection found".

I have no idea what the reported infections meant while it was running.

 

[johnhoh]

When I ran mrt.exe manually on c: it took ~30min and I saw 7 infections accumulate as it was running. When it finished it reported no malicious software detected. The log file stated "no infection found" along with all of the previous automatic msrt runs.

exact same thing happened to me

 

[Mellon Head]

I have no idea what the reported infections meant while it was running.

I have no idea either. The log says it didn't crash like I thought it did, but it showed five infections along the way. The log results show no infections found.

Weird.

I'll mark this as solved. Thanks for the help, guys.

 

[Anak]

From what I read here: Malicious Software Removal Tool finds 194 infections, says there is none on completion The first answer by RickCP:

If the mrt.log file shows clean (no infection found) then it's likely MSRT suspected a possible threat during the scan, displayed it as such (preliminary detection) but determined it was not an actual threat before completion.

The initial detection could be due to heuristic analysis or an incorrect virus signature in the database. Microsoft Antimalware software uses heuristic analysis which will automatically submit suspected threats to the server where the file(s) is checked against signature updates in the master database.

If a match is found and verified as malicious, updated signatures will be downloaded in order to take action on the detection.

If the detection is determinded to be a false positive, no action is necessary.

My take on this is the dialog box while mrt is running is deceptive and there should be a link to a more complete explanation of how mrt works.

What is not explained is these supposedly infected files are flagged as suspicious and unbeknownst to the user mrt sends reports of these files to the server for further review, when the server sends the results back to the running program, the program acts accordingly and either ignores the flagged files or cleans them from your system.

If one sees infected files but a clean system you're okay.
if one sees no infected files and a clean system you're okay.

Kinda like you're damned if you do and damned if you don't, but it's still best to run mrt.


Note: Kudos to RickCP he explained it more eloquently that me.