Published on Windows DevCenter (http://www.windowsdevcenter.com/)


Using Microsoft's Malicious Software Removal Tool

by Mitch Tulloch
06/01/2005

Malicious, malcontent, maladapted, maladjusted, malaprop, maleficent, malodorous, malevolent ... they're all bad things. So is malware--software that can infect your computer and wreak havoc on your programs and data. Common types of malware include viruses, Trojans, and worms; some notorious examples of these nefarious entities are Mydoom, MSBlast, Sasser, and Netsky. Antivirus software usually prevents such critters from infecting your computer--so why has Microsoft gotten into the act by providing its Microsoft Windows Malicious Software Removal Tool (MSRT), a free tool that can detect the presence of common malware and clean them from your machine?

Two reasons, I suppose. First, not every one of the 300 million or so Windows users out there has antivirus software installed, and many of those who do aren't keeping it up to date. So any free tool that can help vulnerable users protect their computers (and hence other computers to which they are connected, even over the internet) is definitely a good idea. And second, as Microsoft moves forward with its Trustworthy Computing initiative, it's only logical that it should start getting into the antivirus side of things. So let's take a look at this new tool, what it does, and how to use it.

What MSRT Does

First off, you need to know what this tool doesn't do. It doesn't protect you against every known form of malware. And it doesn't scan your hard drive for files containing malware the way antivirus software does. Instead, it scans your system's memory for any evidence of currently running malware found on a list Microsoft maintains and updates regularly. Microsoft releases a new version of MSRT on the second Tuesday of each month (aka "Patch Tuesday").

So what happens if MSRT finds a running instance of Mydoom or other malware on your machine? First, it stops the processes associated with the malware entity. Second, it deletes any files and Registry keys associated with that process. But remember, MSRT can't do everything antivirus software does, so if there are other instances of that entity stored in files on your hard drive and not yet activated, MSRT won't detect or wipe them from your system. And if the active entity has infected or damaged other files on your system, MSRT won't detect this either or try to repair them.

So don't rely on MSRT completely to protect your system from malware. In fact, it's not a protective tool at all--it's a post-infection removal tool. Commercial antivirus software, on the other hand, can both protect your system against possible infection and also remove the infection from your machine. So make sure you've got antivirus software installed and aren't ignoring that Windows Security Center notification balloon that keeps reminding you that your system isn't fully protected.

Note also that MSRT works only on Windows 2000 or later, so if you're still running Windows Me or earlier, you have no choice but to rely on your antivirus software to protect you against malware on your system.

How to Use MSRT

Microsoft provides you with four different ways of running MSRT on your system: using Windows Update, Automatic Updates, the Microsoft Download Center, or an online version of the tool. Let's look at each of the options.

Windows Update

If you don't have Automatic Updates enabled on your machine because you prefer to visit the Windows Update (WU) web site and choose which updates to install manually, you'll see that one of the critical updates the site recommends is the MSRT, which is identified by Knowledge Base number KB890830. If you choose to download and install this update from WU, it runs once in the background (quiet mode) automatically, records its results in a log file (%windir%\debug\mrt.log), and then deletes itself from your system. If you visit WU again right away, you'll see that the tool is no longer present in the list of critical updates for your machine. But if you wait a month and then visit WU, you'll see the tool listed again under critical updates. That's because a new version of the tool is released every month to support new malware added to the list.

Automatic Updates

If you have Automatic Updates (AU) enabled on your machine, MSRT is downloaded and installed automatically, because it's categorized as a critical update. The tool then runs once in the background, records its results, and deletes itself. When the next version of MSRT is released, AU will do the same. Note that as of now you can use AU to install the tool only if you are running Windows XP or later.

Microsoft Download Center

If you'd prefer to run MSRT manually (and more often than once a month) and display the results of its scan, you can download a self-extracting file called Windows-KB890830-Vx.y-ENU from the Microsoft Download Center, where x.y is the current version of the tool. Once you've downloaded this file, simply double-click on it to run it. You'll be prompted to accept a EULA, after which the tool is ready to be run.

Figure 1. Ready to run the MSRT

When you click on Next, the tool begins scanning memory for instances of running malware and a progress bar is displayed. Usually this takes less than a minute to perform, and once the scan is complete the results are displayed.

Figure 2. No baddies found

Clicking on the link "View detailed results of the scan" displays the names of different malware scanned for and the results for each type.

Figure 3. Details of scan results

You can also view the contents of the mrt.log file mentioned previously, which for the scan above looks like this:

------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.3, April 2005
Started On Tue May 03 15:39:10 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 03 15:40:43 2005

Running the tool a second time appends the results of the scan to previous scans in the log.
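Because each run appends another record of this shape to mrt.log, the file becomes a small history of scans that is worth reading programmatically rather than by eye. The following Python is an added example, not code from the article or from Microsoft's tool: it splits an mrt.log into one record per run (version, start and finish times, the Results Summary lines, and the return code) and lists the runs that did not end cleanly. The sample log text is constructed; its first record copies the structure of the log shown above, while the second record's summary wording and return code are placeholders I chose to stand for a run that found something, not the tool's real detection output.

```python
"""Parse MSRT's appended log records (mrt.log) into one entry per run.

Added example, not code from the article or from Microsoft. The sample
log below is constructed: the first record copies the structure shown
in the article; the second record's summary line and return code are
placeholders chosen to represent a run that found something.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: two runs appended to one mrt.log, which is what the
# article says happens when the tool is run a second time.
SAMPLE_LOG = """\
------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.3, April 2005
Started On Tue May 03 15:39:10 2005

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 03 15:40:43 2005
------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.4, May 2005
Started On Wed May 11 09:02:17 2005

Results Summary:
----------------
Found and removed PLACEHOLDER-THREAT-NAME (constructed wording)

Return code: 6
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 11 09:03:05 2005
"""

TOOL = "Microsoft Windows Malicious Software Removal Tool"
HEADER_RE = re.compile(rf"^{TOOL} (v[\d.]+), (.+)$")
STARTED_RE = re.compile(r"^Started On (.+)$")
FINISHED_RE = re.compile(rf"^{TOOL} Finished On (.+)$")
RETURN_RE = re.compile(r"^Return code: (\d+)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue May 03 15:39:10 2005"


@dataclass
class ScanRecord:
    version: str
    release: str                      # e.g. "April 2005"
    started: Optional[datetime] = None
    finished: Optional[datetime] = None
    return_code: Optional[int] = None
    summary: list[str] = field(default_factory=list)

    @property
    def clean(self) -> bool:
        # Return code 0 plus the literal "No infection found." line is what
        # the article's own log shows for a clean run; anything else is
        # treated as needing a look.
        return self.return_code == 0 and self.summary == ["No infection found."]

    @property
    def duration_seconds(self) -> Optional[int]:
        if self.started is None or self.finished is None:
            return None
        return int((self.finished - self.started).total_seconds())


def parse_mrt_log(text: str) -> list[ScanRecord]:
    """Walk the log line by line; each version header opens a new record."""
    records: list[ScanRecord] = []
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            records.append(ScanRecord(version=m.group(1), release=m.group(2)))
            in_summary = False
            continue
        if not records:
            continue  # separator lines before the first header
        rec = records[-1]
        if m := STARTED_RE.match(line):
            rec.started = datetime.strptime(m.group(1), TIME_FMT)
        elif m := FINISHED_RE.match(line):
            rec.finished = datetime.strptime(m.group(1), TIME_FMT)
            in_summary = False
        elif m := RETURN_RE.match(line):
            rec.return_code = int(m.group(1))
            in_summary = False
        elif line == "Results Summary:":
            in_summary = True
        elif in_summary and line and not line.startswith("---"):
            rec.summary.append(line)  # keep the summary lines verbatim
    return records


def runs_needing_attention(records: list[ScanRecord]) -> list[ScanRecord]:
    """Runs that did not end cleanly; the meaning of nonzero return codes is documented in KB890830."""
    return [r for r in records if not r.clean]


if __name__ == "__main__":
    for rec in parse_mrt_log(SAMPLE_LOG):
        status = "clean" if rec.clean else "ATTENTION"
        print(f"{rec.version} ({rec.release}) started {rec.started} "
              f"took {rec.duration_seconds}s rc={rec.return_code} {status}")
```

To use it on a real machine, read %windir%\debug\mrt.log into a string and pass it to parse_mrt_log in place of SAMPLE_LOG; the parser keys only on the header, "Results Summary:", "Return code:" and "Finished On" lines, so it does not depend on the exact wording of a detection message.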

MSRT online

The fourth way of scanning your system is to visit the Malicious Software Removal Tool page on Microsoft's web site. On this page you can click on a button that will check your computer to see if it's infected with any malware on Microsoft's list:

Figure 4. Running the tool from Microsoft's web site

After you accept the EULA, the tool runs without any progress bar or indicator, and once it's finished, the results are displayed in your browser.

Figure 5. Results of running MSRT from Microsoft's web site

The results are also written to the mrt.log file, as with the other methods of running the tool. You can run the tool this way as often as you like.

Where to Find More

Microsoft has several useful Knowledge Base articles concerning this tool:

Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.


Copyright © 2009 O'Reilly Media, Inc.