WindowsDevCenter.com
oreilly.comSafari Books Online.Conferences.

advertisement


AddThis Social Bookmark Button

Using Microsoft's Malicious Software Removal Tool

by Mitch Tulloch
06/01/2005

Malicious, malcontent, maladapted, maladjusted, malaprop, maleficent, malodorous, malevolent ... they're all bad things. So is malware--software that can infect your computer and wreak havoc on your programs and data. Common types of malware include viruses, Trojans, and worms; some notorious examples of these nefarious entities are Mydoom, MSBlast, Sasser, and Netsky. Antivirus software usually prevents such critters from infecting your computer--so why has Microsoft gotten into the act by providing its Microsoft Windows Malicious Software Removal Tool (MSRT), a free tool that can detect the presence of common malware and clean them from your machine?

Two reasons, I suppose. First, not every one of the 300 million or so Windows users out there has antivirus software installed, and many of those who do aren't keeping it up to date. So any free tool that can help vulnerable users protect their computers (and hence other computers to which they are connected, even over the internet) is definitely a good idea. And second, as Microsoft moves forward with its Trustworthy Computing initiative, it's only logical that it should start getting into the antivirus side of things. So let's take a look at this new tool, what it does, and how to use it.

What MSRT Does

Related Reading

Windows XP Home Edition: The Missing Manual
By David Pogue

First off, you need to know what this tool doesn't do. It doesn't protect you against every known form of malware. And it doesn't scan your hard drive for files containing malware the way antivirus software does. Instead, it scans your system's memory for any evidence of currently running malware found on a list Microsoft maintains and updates regularly. Microsoft releases a new version of MSRT on the second Tuesday of each month (aka "Patch Tuesday").

So what happens if MSRT finds a running instance of Mydoom or other malware on your machine? First, it stops the processes associated with the malware entity. Second, it deletes any files and Registry keys associated with that process. But remember, MSRT can't do everything antivirus software does, so if there are other instances of that entity stored in files on your hard drive and not yet activated, MSRT won't detect or wipe them from your system. And if the active entity has infected or damaged other files on your system, MSRT won't detect this either or try to repair them.

So don't rely on MSRT completely to protect your system from malware. In fact, it's not a protective tool at all--it's a postinfection removal tool. Commercial antivirus software, on the other hand, can both protect your system against possible infection and also remove the infection from your machine. So make sure you've got antivirus software installed and aren't ignoring that Windows Security Center notification balloon that keeps reminding you that your system isn't fully protected.

Note also that MSRT works only on Windows 2000 or later, so if you're still running Windows Me or earlier, you have no choice but to rely on your antivirus software to protect you against malware on your system.

How to Use MSRT

Microsoft provides you with four different ways of running MSRT on your system: using Windows Update, Automatic Updates, the Microsoft Download Center, or an online version of the tool. Let's look at each of the options.

Windows Update

If you don't have Automatic Updates enabled on your machine because you prefer to visit the Windows Update (WU) web site and choose which updates to install manually, you'll see that one of the critical updates the site recommends is the MSRT, which is identified by Knowledge Base number KB890830. If you choose to download and install this update from WU, it runs once in the background (quiet mode) automatically, records its results in a log file (%windir%\debug\mrt.log), and then deletes itself from your system. If you visit WU again right away, you'll see that the tool is no longer present in the list of critical updates for your machine. But if you wait a month and then visit WU, you'll see the tool listed again under critical updates. That's because a new version of the tool is released every month to support new malware added to the list.

Automatic Updates

If you have Automatic Updates (AU) enabled on your machine, MSRT is downloaded and installed automatically, because it's categorized as a critical update. The tool then runs once in the background, records its results, and deletes itself. When the next version of MSRT is released, AU will do the same. Note that as of now you can use AU to install the tool only if you are running Windows XP or later.

Microsoft Download Center

If you'd prefer to run MSRT manually (and more often than once a month) and display the results of its scan, you can download a self-extracting file called Windows-KB890830-Vx.y-ENU from the Microsoft Download Center, where x.y is the current version of the tool. Once you've downloaded this file, simply double-click on it to run it. You'll be prompted to accept a EULA, after which the tool is ready to be run.

figure 1

Figure 1. Ready to run the MSRT

When you click on Next, the tool begins scanning memory for instances of running malware and a progress bar is displayed. Usually this takes less than a minute to perform, and once the scan is complete the results are displayed.

figure 2

Figure 2. No baddies found

Clicking on the link "View detailed results of the scan" displays the names of different malware scanned for and the results for each type.

figure 3

Figure 3. Details of scan results

You can also view the contents of the mrt.log file mentioned previously, which for the scan above looks like this:


------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.3, April 2005
Started On Tue May 03 15:39:10 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On 
Tue May 03 15:40:43 2005

Running the tool a second time appends the results of the scan to previous scans in the log.

MSRT online

The fourth way of scanning your system is to visit the Malicious Software Removal Tool page on Microsoft's web site. On this page you can click on a button that will check your computer to see if it's infected with any malware on Microsoft's list:

figure 4

Figure 4. Running the tool from Microsoft's web site

After you accept the EULA, the tool runs without any progress bar or indicator; and once it's finished, the results are displayed in your browser.

figure 5

Figure 5. Results of running MSRT from Microsoft's web site

The results are also written to the mrt.log file, as with the other methods of running the tool. You can run the tool this way as often as you like.

Where to Find More

Microsoft has several useful Knowledge Base articles concerning this tool:

  • KB 890830--This article provides an overview of the tool, how it works, what malware is scanned for, and possible issues such as conflicts with antivirus software. A FAQ can answer most of your questions concerning the tool. Microsoft says it will update this KB article monthly as new versions of the tool are released, so you can bookmark the article and check it out from time to time for any new info you might need to be aware of.
  • KB 891716--This article tells you what you need to know before using MSRT in a corporate environment and covers how to deploy the tool using various methods including SUS, WUS, WSUS, SMS, and Group Policy. It also describes several issues of interest to administrators, such as the fact that the tool can't be executed against remote computers, isn't detected by MBSA, and so on. Note that some of these issues may be resolved in various ways as the tool matures and evolves.
  • KB 891717--This tool lists the various error messages that might be displayed when MSRT is run and explains what each message means. These error messages are also recorded in the mrt.log file, but most of these issues are simply resolved by rebooting your machine and running the tool again. In some cases, the error message also recommends performing a full scan using your antivirus software after you run MSRT, but that's a good idea to do any time you run MSRT on your system.
  • KB 895339--Some malware can change your home page, search page, and other IE settings. This article helps you resolve these issues after running MSRT.

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Return to the Windows DevCenter