Malicious Software Removal Tool

Scareware – Yes, People Do Fall for the Ruse

What happens when people fall for the scareware ruse and actually install the stuff? Oddly enough, they may not even know they’ve been duped. Their systems may run a little slower, but they may be fooled into thinking they’re now being protected by the malware they’ve installed. What follows is a real-life example of someone who wrote in to a well-known security forum. (So as not to cause embarrassment to the victim, I have changed names and details.)

Question one, [Miss K] is very upset that Microsoft uninstalled her new antivirus program.  [Gentlemen], she writes, “I turned on my computer a few days ago, and I got a message saying that Microsoft MSRT had removed AV 2009 from my computer.  So now I don’t have an antivirus installed.  I tried to download another copy of AV 2009, but I couldn’t remember where I got it.  Can you tell me…” [the gentleman reading this question actually thinks it’s a joke] “Can you tell me where to find it, or recommend a free AV program?”

Here is some of the conversation between the hosts:

Host1:  And a lot of people have been getting it.  And MSRT has been removing it from a lot of machines.  So in case [Miss K] is serious, we’re not laughing at you, we’re laughing with you.

Host2:  Yes, because you’re not alone.  There are many, many, many people who’ve fallen for this.  I get - literally I get this call on the radio show all the time.

Host1:  Yes.  Yes.  So do not go looking for another copy of it.  Actually it’ll probably find you, without you having to look for it, and happily crawl into your computer.  It is malicious.  It’s good that Microsoft MSRT removed it.

Using the Malicious Software Removal Tool (MSRT) from the Command Line

In my September 13, 2008 post, “Software for Secure Computing: Microsoft Malicious Software Removal Tool,” I said, “Many people don’t even know that MSRT can be run from the Microsoft.com website or downloaded and run at will.” I wonder how many people know that if you have automatic updates enabled, there’s no need to download MSRT to run it–the latest version is already on your system.

The MSRT can be invoked from the Run dialog or the command line using a simple three-letter command. Several options are available.  Hit Windows Key + R to open the Run dialog and type mrt /? This will bring up an information box as shown below. (The same thing happens if you type the command at a command prompt.)

The options are self-explanatory. If you just type mrt by itself, it will bring up a UI that allows you to point and click to select the type of scan you want. At the first UI screen, you can view a list of malicious software that the tool detects and removes. The signatures are updated monthly on patch Tuesday when Microsoft releases the latest version of the tool.

Remember that the MSRT is not a replacement for an anti-virus product; it targets only a limited set of specific, prevalent malware as determined by Microsoft’s security folks.  You should use a good anti-virus product.