Microsoft Malicious Software Removal Tool users double check it's running

Published: 2008-08-01
Last Updated: 2008-08-02 02:33:15 UTC
by Robert Danford (Version: 2)
1 comment(s)

A reader (thanks Joe D.) shared with us his recent experience with the Microsoft Windows Malicious Software Removal Tool after the latest update (July).


The tool requires administrative privileges during the initial installation, but can then run as an unprivileged user from then on after accepting the license agreement.

From the release notes:
"You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.

Note After you accept the one-time license terms, you can receive future versions of the Malicious Software Removal Tool without being logged on to the computer as an administrator."

It appears that some component of the Agreement may have changed in this latest update which will require an Admin user to launch the tool and accept the new agreement. Some users may not be aware of this and be under the false impression the tool is running on a schedule as expected.

So now would be a good time to double check that the Malicious Software Removal Tool is in fact running on your machine(s) as expected. In fact now is a good time to review any security software in general that is expect/required to be running on your systems to determine it is in fact running. Any number of updates, misconfigurations, network huffage, or even better/worse malicious action could have disabled various programs or prevented them from running.

Many flavors of malware will search for and shutdown or disable most of the common personal firewall, anti-virus/anti-spyware tools. Or even more difficult to audit are those malicious programs which simply modify the firewall settings to allow the ports they need open.

Here is the link to details on the tool:

http://support.microsoft.com/?kbid=890830

This KB has some useful information for determining the tool is running (especially in a large environment):

http://support.microsoft.com/kb/891716/

Excerpt:
"A2. You can examine the value data for the following registry entry to verify the execution of the tool. You can implement such an examination as part of a startup script or a logon script. This process prevents the tool from running multiple times.

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name: Version

Every time that the tool is run, the tool records a GUID in the registry to indicate that it has been executed. This occurs regardless of the results of the execution."

So for the lastest update (July 2008) the GUID you'll find listed as the "Version" is:

BC308029-4E38-4D89-85C0-8A04FC9AD976

This may also help determine that the tool is being updated.

Robert
ISC Handler on Duty

Keywords: Microsoft
1 comment(s)

Comments

KB 890830 mentions that the log file for the cleaner tool is placed at (%Windir%\Debug\Mrt.log).

Sure enough, C:\WINDOWS\Debug\mrt.log is dated 7/13, and the file actually shows two executions. They finished at 15:10:10 and 15:15:22 respectively.

Interestingly, there is also a ...\mrteng.log, which records those same executions but records less than mrt.lot does.

Diary Archives