What you don’t know about the Windows Malicious Software Removal Tool

Microsoft’s Windows Malicious Software Removal Tool (MSRT) is a free program that removes a whole host of the most prevalent malicious software (malware). Many Windows users have it installed and run it monthly, yet are not aware of its existence. It is a stealth program: when things are functioning normally, you don’t see it. It is updated silently as part of Windows Update or Microsoft Update. It runs in what the company refers to as “quiet mode”, which means it doesn’t tell you anything – at least as long as it doesn’t find any malware to remove.

This mode of operation is fine for many users, but you can get much more out of the program.

Perhaps the biggest drawback to the default stealth approach is that MSRT only rounds up the usual suspects. That is, it only looks in the usual places for malware. Like much anti-malware software, MSRT offers both a quick scan and a full scan. By default it runs only a quick scan; below we’ll see how to run a full scan. The once-a-month scanning is also limiting, but you can run it manually at any time.

Even if you already have anti-malware software and thus feel protected, everyone needs a second opinion. I recently wrote about an infected machine (Removing malware from an infected PC – battling antivirus programs) where the fourth antivirus program still found malware that the first three had missed.

The ultimate documentation from Microsoft about MSRT seems to be Article 890830, The Microsoft Windows Malicious Software Removal Tool, which says:

Microsoft released the Microsoft Windows Malicious Software Removal Tool to help remove specific prevalent malicious software … After you download the Microsoft Malicious Software Removal Tool, it runs one time to check your computer for infection by specific prevalent malicious software … and helps remove any infection it finds. Microsoft releases a new version of the tool every month.

Microsoft is very clear that MSRT is not an antivirus program:

  • It offers no protection from infection. As Microsoft terms it, MSRT is a “post-infection removal tool”.
  • It only targets malware that Microsoft has judged to be the most important. Full blown anti-malware software works against a much wider range of software.
  • It only gets updated once a month. Full blown anti-malware software is updated daily, at least.

The January 2009 revision of MSRT added removal capability for only two malicious programs. The good news, though, is that it can remove the extremely widespread Conficker worm (a.k.a. Downadup). You can see exactly what MSRT removes at Families Cleaned by the Malicious Software Removal Tool.

The Malicious Software Removal Tool works with Windows XP, Vista and 2000, as well as Windows Server 2003 and 2008. It does not work with Windows 98, Millennium Edition or NT4. It is multi-lingual. Microsoft says “For all supported languages, the same tool will show the correct language depending on the language of the operating system.”

TAKE CONTROL OF MSRT

You can run MSRT manually at any time. In Windows XP, use Start -> Run -> mrt.exe. You can even get away with just “mrt” in the Run box. In Vista, type “mrt” into the search box (yes, it’s “mrt” not “msrt”). It seems to do a lot of processing before displaying the initial window; expect a delay of 5 to 10 seconds. A portion of the initial window is shown below.

msrt_first_screen_400w.png

This tip came from a listener to Steve Gibson’s Security Now podcast. Specifically, the Listener Feedback episode from January 22, 2009. If you prefer to read, rather than listen, a transcript of the show is available.

There are many advantages to running MSRT manually:

  • You can opt to run a full scan rather than the default quick scan
  • You can run the program more than once a month, including any time a PC seems to be acting strangely
  • You can manually ensure that the latest version of MSRT is, in fact, installed
  • You get definite notification of an infection

The last point stems from two issues. In the normal stealth mode of operation, if MSRT finds an infection, it does not warn you immediately. Instead, it displays a warning the next time Windows starts up and an Administrator logs on. If the machine is regularly used by a restricted user, this warning may not display for a long time.

I mention checking that the latest version is installed because when something is automated, there may be no notification when it breaks. Windows Update (and Microsoft Update) are very often left on auto-pilot and lots of malicious software purposely breaks them. 

To check that you have the latest version of MSRT, simply start the program and look at it (see screen shot above). The month and year of its last update is shown in the blue stripe at the top of the initial window.

Note that you have to be logged on as an Administrator to run MSRT as the error below indicates.

mrt_as_restricteduser.png

Microsoft releases an updated copy of MSRT once a month, on the second Tuesday. The second Tuesday of January 2009 was the 13th. For whatever reason, the latest copy of MSRT (as I write this on February 5, 2009) is dated January 9, 2009. The next update should be released February 10, 2009.

If the latest version is not installed, you can download it from Microsoft. According to Microsoft, the URL of this download page will not change, rather the page “… will be updated on the second Tuesday of each month with a new version.”

As of today, the file that you download is called windows-kb890830-v2.6.exe. The January 2009 instance of MSRT is also referred to as version 2.6.

File mrt.exe resides in C:\Windows\system32. You can also check the file properties to verify that it’s the latest version. As of the first week of February 2009, the modification date should be January 9, 2009 and the version number should be 2.6.2427.0. I found the creation date of the file varied on different machines, it may reflect the date that Windows Update was run for the first time, I’m not sure.

If you find an old version of MSRT, something is wrong with the installation of Windows patches.
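To automate that check, here is an added example in PowerShell; it is not code from the original article or from Microsoft. It reads the version and modification date of mrt.exe and warns when the copy looks stale, which, as noted above, is a hint that Windows Update may have been broken by malware. It assumes mrt.exe lives in %windir%\System32 and takes the expected version as a parameter (the default, 2.6.2427.0, is the February 2009 value quoted above); the 60-day limit mirrors the age check the tool performs on itself at startup.

```powershell
# Added example, not from the original article or from Microsoft.
# Reports the installed MSRT build and warns when it looks stale, which is
# worth checking because malware frequently breaks Windows Update.
# Assumptions: mrt.exe lives in %windir%\System32; the expected version is a
# parameter (2.6.2427.0 is the February 2009 value given in the article); the
# 60-day limit mirrors the age check MSRT performs on itself at startup.
param(
    [string]$ExpectedVersion = '2.6.2427.0',
    [int]$MaxAgeDays = 60
)

$path = Join-Path $env:windir 'System32\mrt.exe'
if (-not (Test-Path $path)) {
    Write-Warning "mrt.exe is not present at $path; Windows Update has never installed MSRT on this machine."
    exit 1
}

$file     = Get-Item $path
$version  = $file.VersionInfo.FileVersion   # e.g. 2.6.2427.0 (some builds append extra text; trim if so)
$modified = $file.LastWriteTime             # modification date, not the creation date
$ageDays  = [int]((Get-Date) - $modified).TotalDays

"mrt.exe version {0}, last modified {1:yyyy-MM-dd} ({2} days ago)" -f $version, $modified, $ageDays

$problems = @()
if ($version -ne $ExpectedVersion) { $problems += "version is $version, expected $ExpectedVersion" }
if ($ageDays -gt $MaxAgeDays)      { $problems += "file is $ageDays days old, limit is $MaxAgeDays" }

if ($problems.Count -gt 0) {
    Write-Warning ('MSRT looks stale: ' + ($problems -join '; ') +
        '. Check that Windows Update is working, or fetch the current windows-kb890830 download from Microsoft.')
    exit 2
}
'MSRT is current.'
```

Run it from a prompt on each machine you look after; a non-zero exit code is the signal to investigate Windows Update before anything else. Note that the version and modification date apply to the build you have, so update the ExpectedVersion parameter each month after Patch Tuesday.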


RUNNING IT

Before running MSRT, I suggest making a Restore Point. If MSRT finds any malware, it will try to remove it and something can always go wrong leaving the computer in worse shape than before. I don’t mean to suggest or imply that anything will go wrong, but stuff happens and MSRT is dealing with some very nasty software.  

As with any anti-malware software, you should verify the removal by re-starting Windows and running the same scan again. If the malware removal was successful, then remove all the old Restore Points that may house extra copies of the malicious software.
 
One thing MSRT does when it’s first started is check how old it is. If it detects that it’s more than 60 days out-of-date, you’ll see the window below, which is fairly self-explanatory.

msrt_thisversionisold.png

Perhaps the most important reason to run MSRT manually is to do a full scan rather than the default quick scan. You see this choice on the second window, shown below.

msrt_second_window_narrow_400w.jpg

A full scan can take a few hours and may keep the processor pretty busy. Microsoft says that a full scan scans “all fixed and removable drives. However, mapped network drives will not be scanned.” I can confirm that on a computer with multiple hard disk partitions, it scanned each partition.

If you can’t walk away from the computer while it’s being scanned, you can minimize the performance hit by lowering the priority of the mrt.exe process. In Task Manager, go to the Processes tab and right click on the mrt.exe process. There is an option to set the priority; it runs fine at the lowest setting. Still, even at the lowest priority, it can consume over 90% of the CPU if the machine is not being used for other work. You may also want to disable your antivirus program while the scan is running, since two scanners reading the same files at once slow each other down. If you do, the machine is unprotected in the meantime, so re-enable the antivirus program as soon as the scan finishes.

When I ran a full scan on an old laptop, I was concerned about overheating. If you use the excellent Process Explorer, you can take a time out by suspending the process. I did this, waited for the temperature of the hard disk to cool down a bit, then resumed the scan.

The working set for the MSRT process seems to vary from around 40MB to 60MB of RAM. I mention this because the process seems to suffer a huge number of page faults, even on a system with 1.2GB of RAM that reported about 880MB of that RAM was available. In the Process Explorer screen shot below you’ll see over 10 million page faults vs. only 780,000 I/Os. It may be nothing, but it may also explain why the scan takes so long (I didn’t time the scan vs. a similar scan by other anti-malware software).

msrt_inflite_processexplorer.png

WHEN IT’S DONE

If all goes well, the scan result, shown below, is “No malicious software was detected.”

msrt_goodresult_400w.png

MSRT also creates a couple of log files in the C:\Windows\Debug folder. The log file that Microsoft mentions in their documentation is mrt.log. It’s a cumulative log; the latest entries are at the bottom. It’s also not very informative, offering little more than a starting and ending timestamp – at least when it found nothing. Here is a sample:

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009
Started On Wed Jan 21 11:23:13 2009
Results Summary:
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 21 11:24:37 2009

The other log file is mrteng.log. This file has even less information than the first one, and I couldn’t find any mention of it from Microsoft.

PROBLEMS  

In my limited testing, I ran across a handful of problems, including two minor bugs.

The first bug has to do with scanning just one folder. The first time I ran MSRT manually, I opted to have it scan a single folder rather than a full or quick scan. Although the user interface makes it seem as if this is an available option, it’s not. When asked to scan a single folder, it does a full scan. At least, as of the January 2009 version 2.6 edition of the software. I tested this on XP Home, XP Professional and Vista Home.

The second bug has to do with the progress bar which seems to be married to the C disk. On a computer with multiple hard disk partitions, the progress bar indicated the scan was complete when the C disk was complete. Thus, all the while it was scanning the other partitions, the progress bar had nowhere to go.

A full scan seems to consistently produce a pagefile related error in the mrt.log file. I saw this on both machines where I ran a full scan, one was XP Professional, the other XP Home Edition. The error is shown below. Error code 32 is the Win32 error ERROR_SHARING_VIOLATION (“the process cannot access the file because it is being used by another process”); pagefile.sys is held open exclusively by the kernel while Windows is running, so the tool cannot open it and the error is expected rather than a sign of trouble. As for the word “extended”, Microsoft’s description of the mrt.exe command-line switches in Article 890830 says the /F switch forces an “extended scan”, so it almost certainly refers to the full scan rather than to an examination of the page file.

Microsoft Windows Malicious Software Removal Tool v2.6, January 2009
Started On Thu Feb 05 11:41:48 2009
Extended Scan Results
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
No infection found as part of the extended scan
Results Summary:
No infection found.
Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Feb 05 15:19:33 2009  
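The following PowerShell script is an added example, not code from the article or from Microsoft. It ties together the manual full scan, the low-priority trick and the mrt.log format shown above: it launches a full scan, drops the process to idle priority, waits, then reports the last run from the log, including any Scan ERROR lines such as the pagefile one. It assumes an elevated prompt, mrt.exe in %windir%\System32, and the /F (force an extended scan) and /N (detect only, no removal) switches documented in Article 890830; run mrt.exe /? to confirm them on your copy.

```powershell
# Added example, not from the original article or from Microsoft.
# Runs a full MSRT scan at idle priority and summarizes the last run in mrt.log.
# Assumptions: elevated (Administrator) prompt; mrt.exe in %windir%\System32;
# the /F (force extended scan) and /N (detect-only) switches as documented in
# Microsoft Article 890830 -- confirm with "mrt.exe /?" on your copy.
param(
    [switch]$DetectOnly   # report infections but do not remove them
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'MSRT must be run as an Administrator; start PowerShell elevated.'
}

$mrt = Join-Path $env:windir 'System32\mrt.exe'
$log = Join-Path $env:windir 'Debug\mrt.log'
if (-not (Test-Path $mrt)) { throw "mrt.exe not found at $mrt" }

$mrtArgs = @('/F')                      # /F = force a full ("extended") scan
if ($DetectOnly) { $mrtArgs += '/N' }   # /N = detect only, no removal

# Launch, then lower the priority so the desktop stays usable during the scan.
$proc = Start-Process -FilePath $mrt -ArgumentList $mrtArgs -PassThru
Start-Sleep -Seconds 10                 # the tool takes several seconds to initialize
if (-not $proc.HasExited) {
    $proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::Idle
}
$proc.WaitForExit()

# mrt.log is cumulative with the newest run at the bottom: take everything
# from the last "Started On" line, plus the version line just above it.
$lines = @(Get-Content $log)
$startIdx = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -like 'Started On *') { $startIdx = $i }
}
if ($startIdx -lt 1) { throw "No scan record found in $log" }
$run = $lines[($startIdx - 1)..($lines.Count - 1)]

# The verdict is the line after "Results Summary:"; also pick up return code,
# finish time and any "Scan ERROR" lines from the extended-scan section.
$result = '(no summary line)'
$returnCode = $null
$finished = $null
for ($i = 0; $i -lt $run.Count; $i++) {
    $line = $run[$i]
    if ($line.Trim() -eq 'Results Summary:' -and $i + 1 -lt $run.Count) { $result = $run[$i + 1] }
    if ($line -match '^Return code: (\d+)') { $returnCode = [int]$Matches[1] }
    if ($line -match 'Finished On (.+)$')   { $finished = $Matches[1] }
}

New-Object PSObject -Property @{
    Version    = $run[0]
    Started    = ($run[1] -replace '^Started On ', '')
    Finished   = $finished
    Result     = $result
    ReturnCode = $returnCode
    ScanErrors = @($run | Where-Object { $_ -match 'Scan ERROR' })
} | Select-Object Version, Started, Finished, Result, ReturnCode, ScanErrors | Format-List
```

A sharing-violation line for C:\pagefile.sys in ScanErrors is the expected noise discussed above; any other Scan ERROR, or a Result other than “No infection found.”, is what deserves attention, and per the advice earlier in the article an infection found should be followed by a reboot and a second run of the same scan.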

I had two problems running MSRT under Vista.

On a newly installed copy of Vista Home Premium SP1, entering MRT in the search box found the program and ran it, but then nothing happened. After OKing it with UAC, MSRT shut down immediately. There were no errors in any of the system logs, at least none that I could find. The properties of the mrt.exe file showed it was from January 20, 2008.

So, I downloaded the latest version, installed it, ran it once, then as shown below, Vista complained that it wasn’t installed correctly.

msrt_vista_installerror_395w.png

I have no idea what this means, so I took the recommended action and was able to run MSRT normally afterwards.

Microsoft offers free tech support for MSRT. In the United States and Canada, home users can call 866-PCSAFETY (727-2338). For other countries, see the Product Support Services page.

LINKS

In addition to the aforementioned article 890830, Microsoft also offers documentation on MSRT at Malicious Software Removal Tool and they blog about it at the Malware Protection Center.

You can download the 32 bit version of MSRT here and the 64 bit version here.

Updated February 9, 2009 to include the error message issued when running MSRT as a restricted user.