We fortunately have available a little known, although monthly used, layer of security. From the article title, you will have a good idea that this layer is the Malicious Software Removal Tool from Microsoft. What you may not know is that this tool is part of the "Patch Tuesday" monthly updates, which is the reason for the phrase "monthly used" in the opening sentence. If you have "Automatic Updates" turned on (and you should), an updated version of this tool is run with the installation of critical updates. Performing a scan with this tool manually, when you suspect trouble, is the subject of this article.
Before continuing, we should repeat Microsoft's warning that the Malicious Software Removal Tool is NOT a replacement for an anti-virus program. It is merely an added layer of protection. So why use it? Well, as mentioned in our article on rootkits, this tool can detect and remove some rootkits. With all the tools that hackers have at their disposal, regular computer users need every tool they can find and use.
Unfortunately, this tool isn't available from the "Start Menu" as other programs are. You can run it from the command prompt, which you open either by typing "cmd" into the "Run" box or by clicking "Command Prompt" in the Accessories folder of the "Start Menu". Vista users who haven't customized their "Start Menu" will find both of these items in the Accessories folder, and since you have to look there anyway, you may as well right click "Command Prompt" and select "Run as Administrator".
Whatever route you use to get there, when the command prompt is open type "mrt" (without the quotes) and hit your "Enter" key. After what seems to be a long wait, the Malicious Software Removal Tool will open.
The first screen of this tool's user interface, shown above, is simple in design. The title bar at the top provides the date it was last updated. Below the white welcome section is a link to a Microsoft web page that serves as documentation for this tool. Below that, and pointed out by an arrow, is a link that opens a scrollable list of the bugs this tool is designed to kill. Proceeding downward, you see a link to another Microsoft web site page. Finally, the bottom arrow points at the control buttons. Since this is the first screen, the "Back" button is not activated. The "Next" button is the one you click to proceed with a scan. Then there is the "Cancel" button for those that have gotten this far and have changed their minds.
Here we have a look at the malicious software list. As can be deduced from the size of the scroll bar, the list is fairly long considering the simplicity of this tool. At least two of the seventy-some names on this list are easily recognizable as rootkits. It also appears, judging by the names, that an attempt has been made to reduce the number of "bots" in the "bot armies" used in Denial of Service attacks and SPAM. At any rate, to close the list click the "OK" button at the bottom. Then click the "Next" button at the bottom of the Welcome screen.
The screenshot above is the second screen of the Malicious Software Removal Tool. On this screen you select the type of scan you want to run, as the sub-title "Scan Type" suggests. "Quick Scan" is the default type and the type of scan that is run monthly on "Patch Tuesday". The full scan option scans your entire drive and, as warned, takes quite a bit of time to complete, but no longer than a complete scan with an anti-virus program takes. The customized scan option allows scanning of a single folder of your choice and, when selected, activates the "Choose Folder..." button.
If the Customized scan option was selected, this simplified navigation screen opens when the "Choose Folder..." button has been clicked. Briefly, if you want to scan a folder located on your C: drive, you would click the box with the "+" in it next to the entry "Local Disk (C:)". This entry "expands", showing all the folders located inside this entry/folder. Also, you will find that the "+" in the box changes to a "-", which if now clicked will close that selection. If there isn't enough room in this window to accommodate all the folders inside the selection you have opened, a scroll bar will appear on the right side of the text box. If necessary, scroll to locate your target folder. When you have found it, click/highlight the folder and the folder name will appear in the text box toward the bottom of this screen. This is the box labeled "Folder:", located just above the "OK" button. When you have made your selection, click the "OK" button to close this navigation dialog and return to the Malicious Software Removal Tool's second screen, then click the "Next" button.
After clicking the "Next" button at the bottom of the second screen, the tool starts to scan for infections. Pictured above is the view you will have until the scan is complete. The indicator arrow points out the progress bar. This gives you an idea of how much longer the scan will take. The screenshot here was made shortly after the scan started. With the Quick Scan option, this progress bar fills quite rapidly.
When the scan has completed, the user interface screen automatically transforms into the view shown above. At the top is a brief scan summary. Below that, and pointed out by the arrow, is a link to the full scan report. Toward the bottom is a link to a Microsoft web page. At the bottom is the "Finish" button.
Clicking the report link opens a window similar to the bug list we viewed earlier. If the Malicious Software Removal Tool found an infection, you will be able to find out which ones here. The "OK" button at the bottom will close this window when you have finished looking at the report. Clicking the "Finish" button at the bottom of the Scan Report window closes the Malicious Software Removal Tool.
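For readers who would rather run the same scan unattended than click through the wizard, here is an added PowerShell example (not from the original article). It assumes mrt.exe is reachable on the PATH, that Microsoft's documented /Q (quiet) and /N (detect only, no removal) switches behave as described, and that the tool writes its report to %windir%\debug\mrt.log; the log-line patterns it searches for are assumptions about that file's layout.

```powershell
# Added example: run the Malicious Software Removal Tool without its wizard
# and show only the entries this run appended to its log.
# Assumptions: mrt.exe is on PATH, /Q and /N work as Microsoft documents them,
# and the report lands in %windir%\debug\mrt.log (patterns below are guesses).

$log = Join-Path $env:windir 'debug\mrt.log'

# The article's "Run as Administrator" step applies here too: refuse to
# continue from a non-elevated session rather than fail part way through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Remember how long the log already is so only this run's lines are reported.
$before = if (Test-Path $log) { @(Get-Content $log).Count } else { 0 }

# /Q suppresses the user interface; /N scans and reports but removes nothing
# (drop /N to let the tool clean what it finds, as the GUI's Quick Scan does).
$proc = Start-Process -FilePath 'mrt.exe' -ArgumentList '/Q', '/N' -Wait -PassThru
Write-Host "mrt.exe exited with code $($proc.ExitCode)"

if (-not (Test-Path $log)) {
    Write-Warning "No log found at $log; nothing to report."
    return
}

# Keep only the lines appended during this run, then pull out the ones that
# carry the verdict. The keywords are assumptions about the log's wording.
$new = @(Get-Content $log) | Select-Object -Skip $before
$new | Where-Object { $_ -match 'Results Summary|infection|Return code|Finished' }
```

Review the full mrt.log afterwards if the summary lines report a detection, since a detect-only run leaves the infection in place.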
The information presented here enables the user to scan with this tool whenever the urge strikes. Again, this tool is not designed or meant to replace regular anti-virus or anti-spyware software but is comparatively similar to scanners such as McAfee's Stinger or Avast!'s Cleaner. When used in Safe Mode, MSRT has been found, by us, to be effective against the new Zlob Trojan variants in association with infected codecs that download rogues such as Virusheat. This added layer of protection can and should be used as part of the individual user's anti-malware arsenal. Hopefully, knowledge of this free tool will provide some incentive for turning on Windows Automatic Updates.
Microsoft, Microsoft Office, Windows, Windows XP and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names have been included in the above text that are trademarks of the respective companies.