Ask Leo! by Leo A. Notenboom

Just what is the Malicious Software Removal Tool that I keep getting in Windows Updates?


Comments


Hi Leo

My guess also is that MSRT runs each time it's updated.

I've noticed that it takes longer & longer to 'install' each update, so I realised that it was probably running the scan each time. (Taking longer as it has more to scan for, I would assume).

Posted by: Just J at November 29, 2008 10:24 AM

Do you think it actually scans your entire disk, or looks into directories where Blaster, Sasser, and Mydoom (for example) are usually installed?

I think it just takes a look at specific registry entries (or directories) and deletes them if they indeed pertain to those types of infections (or maybe restores entries that have been modified). I doubt it scans the drive like Windows Defender would for example, because MS has to ask for your permission first for something like that.

Just me thinkin out loud :)

I think it's pretty clear from Microsoft's description that it's only looking for certain things in certain places.
- Leo
30-Nov-2008
Posted by: Chris at November 29, 2008 5:39 PM

I wonder if one could run it if one wished. Also, any idea where it might be found? I checked inside Program Files and of course, it wasn't there. That didn't really surprise me, but not finding it in the Control Panel did.
Any suggestions?
Many thanks!

Posted by: Nelson Webber at December 2, 2008 8:33 AM

You say (in bold type even) that the reporting is anonymous. Unless you are connecting through an anonymizing proxy this is never true - your IP address is an essential part of the communication. And there are lawyers arguing that anything sent from an IP address that you pay for is your responsibility - even if you have no knowledge of what was being sent.

Posted by: verisimilidude at December 2, 2008 8:34 AM

Well, something must be wrong then on my side, as I have MSRT and my email still tells me that I have Win32:Mydoom-M [Wrm]. I thought MSRT would take care of this, but to date it has not. Does anyone have any suggestions as to how I can get MSRT to remove Win32:Mydoom-M [Wrm]? Many thanks for the great newsletter.

I don't think you can make it do anything that it doesn't do. I'd look into getting a good anti-virus program to do it for you.
- Leo
03-Dec-2008

Posted by: Diane Louw at December 2, 2008 9:02 AM

Will MS Malicious Software remove win32/heur? If it cannot, is there any other antivirus that can remove this particular virus or trojan or malware (I am not sure which)?

Posted by: mukuntharajan at December 2, 2008 9:12 AM

LEO COMMENT:
I think it's pretty clear from Microsoft's description that it's only looking for certain things in certain places.
- Leo
30-Nov-2008
MY COMMENT
I think that MSRT is looking for non-MS programs that emulate MS programs AND TO REMOVE THOSE!

Posted by: George at December 2, 2008 10:20 AM

I refuse to download it and that has generally related to Windows Defender, which is just treated as another non-required Microsoft add-on.
I reckon if you are doing things that make spyware/malware, call it what you will, then you should use a properly constructed malware management suite such as CA, or even better, that plus a specific anti-spy such as spyhunter.
Problematically, most people don't want to pay for protection and that decision, in my experience, can be very expensive.
One of the biggest income streams in my organisation is spyware removal (manual and machine based), and supporting people who refuse to spend money on the internet to protect themselves.

Posted by: Daemon Singer at December 2, 2008 1:48 PM

Nelson Webber wrote: "I wonder if one could run it if one wished. Also, any idea where it might be found?"

Yes:

http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

N.B. that's just for this month, though -- the Knowledgebase number changes with each edition, and the corresponding URL along with it.

Hope that helps! :)

Posted by: Glenn P. at December 2, 2008 9:24 PM

The MRT is an 'On-Demand' scanner. It is pretty effective:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9121161&source=rss_topic125
It is offered via the Microsoft Windows Update site once per month and it will scan your OS at the time it is downloaded/re-booted.

It also can be run at any time whenever you like.

Click Start==>Run... then type (or copy/paste) "MRT.exe" (w/out quotation marks) into the box, then click the 'OK' button.
Follow the prompts.

Or

%windir%\system32\MRT.exe

Command Line Switches...
/q or /quiet -- execute without GUI
/? or /help -- displays command line switches
/n -- detect mode only
/f -- force a full scan
/f:y -- force a full scan and automatically clean infections found

MRT is much like McAfee's Stinger. It has a limited subset target list. However, unlike Stinger, it is updated monthly and is downloaded on Patch-Tuesday, and it can also be downloaded manually.

MRT can be used as a valuable supplemental 'On-Demand' scanner.

Posted by: Kyle at December 2, 2008 10:22 PM
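
The detect-only run described in the comment above, as an added example that is not part of the original comment or of Leo's article: it checks that `MRT.exe` carries a valid Microsoft signature, runs it with `/N /Q`, and reports the result. The log location (`%windir%\debug\mrt.log`) and the return-code meanings are taken from Microsoft's documentation for the tool, not from this page.

```powershell
# Added example (not from the original comment). Run from an elevated prompt.
$mrt = Join-Path $env:windir 'System32\MRT.exe'
$log = Join-Path $env:windir 'debug\mrt.log'   # MRT appends its results here

if (-not (Test-Path -LiteralPath $mrt)) {
    throw "MRT.exe not found at $mrt"
}

# Check the Authenticode signature before launching the binary elevated.
$sig = Get-AuthenticodeSignature -FilePath $mrt
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run ${mrt}: signature status '$($sig.Status)'"
}

# /N = detect only (nothing is removed), /Q = no GUI, as listed above.
$proc = Start-Process -FilePath $mrt -ArgumentList '/N', '/Q' -Wait -PassThru

# Return codes that can occur in detect-only mode, per Microsoft's documentation.
$meaning = switch ($proc.ExitCode) {
    0       { 'No infection found' }
    1       { 'OS environment error' }
    2       { 'Not running as an administrator' }
    3       { 'Not a supported OS' }
    4       { 'Error initializing the scanner' }
    6       { 'At least one infection detected, no errors' }
    7       { 'At least one infection detected, errors encountered' }
    default { 'Other return code; check the log' }
}

[pscustomobject]@{
    ExitCode = $proc.ExitCode
    Meaning  = $meaning
    Log      = $log
}

# Show the end of the log so any detection names are visible.
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log -Tail 25
}
```

A return code of 6 or 7 from a detect-only run means something was found but left in place, so the log tail is where to look before deciding on a cleaning run.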