
Using Microsoft's Malicious Software Removal Tool

A newly updated version of Microsoft's Malicious Software Removal Tool (MSRT) is released each month and installed automatically during Windows Update. Most Windows users are unaware that, as part of the Windows Update process, the MSRT silently and quickly scans for the most prevalent and tenacious malware. The MSRT will notify you if threats are found the next time you log on to your computer (there is no notification if no threats are found).

"If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection"

However, unbeknownst to many Windows users, this very effective anti-malware tool is at your disposal whenever you want to use it. You can run the MSRT yourself by downloading the current version, or simply by running the copy that already resides in your C:\Windows\system32 folder. Running it yourself is advisable because the scan performed during Windows Update installation is a Quick Scan and does NOT scan your entire system. By conducting an MSRT scan yourself, you can opt to perform the Complete Scan, which is much more thorough, and, just as importantly, it gives you immediate feedback on which threats were found and disinfected.

Many current malicious threats employ self-protection measures that may include disrupting Windows Update. Performing an MSRT scan from the copy located in your system folder can alert you to this situation, because the tool immediately lets you know if the version of the MSRT you are running is outdated.

The current version of the Malicious Software Removal Tool can be downloaded here:

1. 32-bit operating system version

2. 64-bit operating system version

This Microsoft Knowledge Base article provides more information on the specific "Malicious software families" the MSRT detects and removes, as well as other important explanatory information.

Running the Malicious Software Removal Tool - MSRT

Begin by launching the MSRT:

  • In Windows XP: Click Start -> Run, type mrt.exe into the Open: box and click OK.
  • In Vista and Windows 7: Type mrt into the Start Search box and select mrt.exe.

Alternatively, to run the Malicious Software Removal Tool you can take one of the following actions:

  • Double-click mrt.exe in the C:\Windows\system32 folder
  • Right-click mrt.exe in the C:\Windows\system32 folder and select "Open", or "Run as administrator" (for Windows 7 and Vista users)

When the MSRT opens, you'll immediately be greeted by the Welcome screen:

[Image: MSRT Welcome screen]

Click "Next" and you'll see the Scan Type window. Select "Full Scan" to scan your entire system (recommended). If you are short on time, select the Quick Scan but add selected folders that are known to be targeted by malware (this alternative presumes some knowledge of malware load points on the user's part).

[Image: MSRT Scan Type window]

While the scan is in progress, and until it finishes, you will see the following progress bar window:

[Image: MSRT Full Scan in progress, August 2010]


When the scan is complete, your scan results will look like this if you ARE infected:

[Image: MSRT scan results, threats detected]

If you're NOT infected, your scan results will look like this:

[Image: MSRT scan results, no threats found]

If it turns out that you ARE infected, click "View detailed results of the scan" to determine what infections were present and to view the extent to which the MSRT removed them. To obtain manual removal instructions for any threat that was only partially removed, click the name of the malware in the detailed results listing.

[Image: MSRT detailed scan report]

A detailed scan report is saved to a text log file in the C:\Windows\debug folder.

You need only browse to the following location to open the log:

c:\windows\debug\mrt.log

Or you can open it from the Run line or the Start Search feature, as follows:

  • In Windows XP: Click Start -> Run, type c:\windows\debug\mrt.log into the Open: box and click OK.
  • In Vista and Windows 7: Type c:\windows\debug\mrt.log into the Start Search box and hit Enter.

The mrt.log that opens in Notepad will look similar to this if you're infected, and something friendlier if you're not (a clean log follows this one):

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Tue Apr 14 11:26:46 2009

Extended Scan Results : G:\VirtualPCShared\MALWARE\Malware
----------------
->Scan ERROR: resource process://pid:1492 (code 0x00000005 (5))
Found malware: Trojan:Win32/Tibs.HP in file://G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/blphcge4j0er77.scr.ct
Found malware: TrojanDownloader:Win32/Zlob.gen!CN in file://G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/lphcge4j0er77.exe.ct->(nsis-instdata)
Found malware: Trojan:Win32/Zlob.AR in file://G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/lphcge4j0er77.exe.ct->(nsis-1-$(ENVVAR))
Found malware: Trojan:Win32/Zlob.AR in file://G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/RichVideoCodec.dll.ct

Extended Scan Removal Results
----------------
Start 'remove' for file://\\?\G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/RichVideoCodec.dll.ct
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/lphcge4j0er77.exe.ct->(nsis-instdata)
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/lphcge4j0er77.exe.ct->(nsis-1-$(ENVVAR))
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\G:\VirtualPCShared\MALWARE\Malware\_cousins_812.zip->!Cousins/blphcge4j0er77.scr.ct
Operation failed (code=0x8026), please use a full antivirus product ! !


Results Summary:
----------------
Found Trojan:Win32/Tibs.HP, partially removed.
Found Trojan:Win32/Zlob.AR, partially removed.
Found TrojanDownloader:Win32/Zlob.gen!CN, partially removed.

Return code: 7
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 11:42:34 2009

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Tue Apr 14 11:42:20 2009

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 11:45:24 2009

The following is a clean log (notice that the results of previous scans are appended to the log):

Microsoft Windows Malicious Software Removal Tool v3.9, July 2010
Started On Wed Jul 21 22:46:09 2010


WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:1480 (code 0x00000005 (5))
-> Sysclean ERROR: Internal error, code = 80508015

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 21 22:48:07 2010


Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.10, August 2010
Started On Wed Aug 11 15:45:53 2010
WARNING: Security policy doesn't allow for all actions MSRT may require.->Scan ERROR: resource process://pid:1472 (code 0x00000005 (5))
-> Sysclean ERROR: Internal error, code = 80508015

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 11 15:47:41 2010


Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.10, August 2010
Started On Mon Sep 13 16:42:02 2010

Extended Scan Results : C:\Users\Negster22\AppData\Roaming
----------------
->Scan ERROR: resource process://pid:1416 (code 0x00000005 (5))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 13 17:09:34 2010


Return code: 0 (0x0)

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v3.10, August 2010
Started On Tue Sep 14 23:26:51 2010

Extended Scan Results
----------------
->Scan ERROR: resource process://pid:1416 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd025-bad3-11df-b03c-8e7df3ffa37b}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd038-bad3-11df-b03c-9aeb8efcbd6d}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd066-bad3-11df-b03c-8dd3b9848a48}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd071-bad3-11df-b03c-bb59eb0ebbce}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd07e-bad3-11df-b03c-f5c5294010bd}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd09e-bad3-11df-b03c-cf590255cd94}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd0b8-bad3-11df-b03c-efd6c8d427a2}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd0d2-bad3-11df-b03c-8f7a3eb28421}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{387bd0eb-bad3-11df-b03c-e63ae097a600}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{6d6617b6-b95d-11df-8888-921d7fdecbb9}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{d20a21c8-aad9-11df-a7a8-d85e20e89682}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{d20a21fa-aad9-11df-a7a8-f815a1329907}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{d20a2215-aad9-11df-a7a8-93b08dcc8c83}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{d20a2221-aad9-11df-a7a8-ef884157efa5}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 15 10:17:19 2010


Some Important Notes and Considerations

1. All folders specified in a Custom Scan are added to the Quick Scan locations, so a Custom Scan effectively consists of Quick Scan locations + any Custom Folders specified.

In the above Scan Report:

The Mon Sep 13 16:42:02 2010 report entry represents a Custom Scan. The custom folder added is indicated by this line:

Extended Scan Results : C:\Users\Negster22\AppData\Roaming

The "Extended Scan Results" section references items scanned beyond the basic Quick Scan locations. In other words, you only see "Extended Scan Results" if a Complete Scan or a Custom Scan was performed; you do NOT see them in a Quick Scan.

The Tue Sep 14 23:26:51 2010 MSRT scan report entry represents the results of performing a Complete Scan.

2. Lastly, the MSRT targets:

"specific, prevalent malicious software and helps to remove the infection if it is found." 

The key word here is "specific". This means that the MSRT is NOT a substitute for an antivirus or general-purpose anti-malware solution. It is advisable to run an antivirus scan after the MSRT disinfects any targeted threats, both to disinfect any remaining inactive remnants of the targeted infection and, more importantly, to disinfect any other threats that may be present outside the MSRT's detections.
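To make the log above easier to act on, here is an added example (my code, not the blog post's or Microsoft's) that splits mrt.log into one record per run, labels each run Quick, Custom or Complete using the rule in note 1, collects detections and failed removals, and flags a run whose tool version is older than the current month, the "outdated" check recommended earlier. The sample log, its paths and its malware family names are constructed; the line patterns and the monthly-staleness rule are assumptions drawn only from the logs shown on this page.

```python
# Parser for MSRT's mrt.log (C:\Windows\debug\mrt.log). Added example, not code from
# the blog post or Microsoft; it knows only the line shapes in the post's sample logs.
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional

HEADER_RE = re.compile(r"^Microsoft Windows Malicious Software Removal Tool "
                       r"v(?P<ver>[\d.]+), (?P<month>[A-Za-z]+ \d{4})$")
EXTENDED_RE = re.compile(r"^Extended Scan Results(?: : (?P<path>.+))?$")
FOUND_RE = re.compile(r"^Found malware: (?P<name>\S+) in (?P<res>.+)$")
REMOVE_RE = re.compile(r"^Start 'remove' for (?P<res>.+)$")
FAILED_RE = re.compile(r"^Operation failed \(code=(?P<code>0x[0-9A-Fa-f]+)\)")
RETURN_RE = re.compile(r"^Return code: (?P<code>\d+)")

@dataclass
class ScanEntry:
    version: str
    release_month: date                    # first day of the MSRT release month
    finished: str = ""
    scan_type: str = "quick"               # "quick", "custom" or "complete"
    custom_path: Optional[str] = None
    found: list = field(default_factory=list)             # (threat name, resource)
    removal_failures: list = field(default_factory=list)  # (resource, error code)
    summary: list = field(default_factory=list)           # lines under "Results Summary:"
    return_code: Optional[int] = None

def parse_mrt_log(text):
    """One ScanEntry per run; MSRT appends each run to the same log file."""
    entries, cur, pending, in_summary = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            cur = ScanEntry(m["ver"], datetime.strptime(m["month"], "%B %Y").date())
            entries.append(cur)
            pending, in_summary = None, False
        elif cur is None or not line:
            continue
        elif "Finished On " in line:
            cur.finished = line.split("Finished On ", 1)[1]
        elif (m := RETURN_RE.match(line)):
            cur.return_code = int(m["code"])
        elif (m := EXTENDED_RE.match(line)):
            # Post's note 1: a path means a Custom Scan, no path a Complete Scan; Quick has none.
            cur.scan_type = "custom" if m["path"] else "complete"
            cur.custom_path = m["path"]
        elif (m := FOUND_RE.match(line)):
            cur.found.append((m["name"], m["res"]))
        elif (m := REMOVE_RE.match(line)):
            pending = m["res"]                 # pair the next failure with this resource
        elif (m := FAILED_RE.match(line)) and pending:
            cur.removal_failures.append((pending, m["code"]))
            pending = None
        elif line == "Results Summary:":
            in_summary = True
        elif in_summary and not line.startswith("-"):   # skip the dashed rule
            cur.summary.append(line)
    return entries

def triage(entries, today):
    """Assess the latest run. 'outdated' applies the post's rule of thumb that MSRT
    ships monthly (assumption: a release month older than today's month is stale)."""
    last = entries[-1]
    rel = last.release_month
    partial = [s for s in last.summary if "partially removed" in s]
    return {
        "version": last.version,
        "scan_type": last.scan_type,
        "outdated": (rel.year, rel.month) < (today.year, today.month),
        "threats": sorted({name for name, _ in last.found}),
        "needs_full_av": bool(last.removal_failures or partial),  # the log itself says so
        "return_code": last.return_code,
    }

# Constructed sample in the shape of the post's logs (paths and family names are made up).
SAMPLE_LOG = r"""
Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Tue Apr 14 11:26:46 2009
Extended Scan Results : D:\Samples\Quarantine
----------------
Found malware: Trojan:Win32/ExampleA in file://D:\Samples\Quarantine\dropper.exe
Found malware: TrojanDownloader:Win32/ExampleB in file://D:\Samples\Quarantine\pack.zip->payload.dll
Start 'remove' for file://\\?\D:\Samples\Quarantine\pack.zip->payload.dll
Operation failed (code=0x8026), please use a full antivirus product ! !
Results Summary:
----------------
Found Trojan:Win32/ExampleA, partially removed.
Found TrojanDownloader:Win32/ExampleB, partially removed.
Return code: 7
Microsoft Windows Malicious Software Removal Tool Finished On Tue Apr 14 11:42:34 2009
Microsoft Windows Malicious Software Removal Tool v3.10, August 2010
Extended Scan Results
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
Results Summary:
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Wed Sep 15 10:17:19 2010
Return code: 0 (0x0)
"""
```

Running `triage(parse_mrt_log(open(r"C:\Windows\debug\mrt.log").read()), date.today())` on a real machine returns a small dictionary that can be collected from many hosts; a run with `needs_full_av` set, or whose `outdated` flag is set shortly after Patch Tuesday, is the case the post tells you to follow up with a full antivirus scan and a check that Windows Update is still working.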


Comments

I found this blog. This post is VERY interesting.

Hey people, what's the fastest way to remove the Win32.Generic!BT trojan from my Vista box?

Hey, thank you, your writing style is amazing. Just found your site on Google. Will come back later for sure :)

Thanks a good deal! I truly enjoyed reading this. Looking through these posts and the information you've provided, I can appreciate that I still have a lot of things to learn. I will keep reading and keep re-visiting.

I am impressed by the quality of information on this website. There are a lot of good resources here. I am sure I will visit this place again soon.
