Avast WEBforum

Other => General Topics => Topic started by: S.Z.Craftec on January 11, 2005, 10:58:07 PM

Title: MICROSOFT Malicious Software Removal Tool
Post by: S.Z.Craftec on January 11, 2005, 10:58:07 PM
Two new updates for Windows XP are available for download from the Microsoft web site... one of them is the Malicious Software Removal Tool...

Read about it in here:
http://support.microsoft.com/?kbid=890830

Quote from the FAQ (a few very important facts):

Q1: Does this tool provide my computer with protection against infection from malicious software like viruses, worms, and Trojan horses?
A1: No. This tool is strictly a postinfection removal tool.

Q7: Is this tool a replacement for an antivirus product?
A7: No. We strongly recommend that you install and use an up-to-date antivirus product. For more information, visit the following Microsoft Protect Your PC Web site:

http://go.microsoft.com/fwlink/?linkid=37595

Q8: How does this tool work with the System Restore feature in Windows XP?
A8: This tool does not create a system restore point, nor does it scan system restore points for malicious software. However, if there is active, prevalent malicious software running on a computer that is stored in a restore point, the removal tool will detect and remove it.

Q9: Can this tool be redistributed?
A9: Yes. Per the terms of this tool's EULA, the tool can be redistributed. However, make sure you are redistributing the latest version of the tool.

Q10: Can the tool run on a computer that is running Microsoft Windows 98, Microsoft Windows Millennium, or Microsoft Windows NT 4.0?
A10: No.

Q11: What is the difference between this tool and an antivirus product?
A11: There are three key differences between the Malicious Software Removal tool and an antivirus product:
• The tool provides postinfection removal of malicious software. It can only remove malicious software from an already-infected computer. Antivirus products are also able to block malicious software from running on a computer. It is significantly more desirable for malicious software to be blocked from running on a computer than being removed postinfection.
• The tool removes only specific, prevalent malicious software. See "Release information" for the specific list. Specific, prevalent malicious software is a small subset of all the malicious software in the wild today. An antivirus product can remove significantly more malicious software.
• The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running. The tool cannot remove malicious software that is not running. An antivirus product can perform this task.

Q12: When do new versions of the tool become available?
A12: New versions become available on the second Tuesday of every month. Microsoft may also release an updated version of the tool to supplement these releases if an emergency occurs.

Q14: How do I know that I am using the latest version of the tool?
A14: Check Windows Update or Automatic Updates if you are a Windows XP user. Check the Microsoft Download Center if you use Windows Server 2003 or Windows 2000. Also, if the tool is more than 60 days out of date, it will remind you to see whether there is a new version of the tool.

Q16: Why does my antivirus product take longer to scan my computer than this tool?
A16: Unlike an antivirus product, the Malicious Software Removal Tool scans only for "active" malicious software. Specifically, the tool does not scan the whole hard disk. This enables it to run fairly quickly. It is highly recommended that you use an up-to-date antivirus product to also scan for inactive malicious software.

Q20: Does this tool send back any information to Microsoft?
A20: Yes. If the tool finds an infection or an error, anonymous information is sent back to Microsoft. See the "Reporting component" section for more information.

Q21: Can I prevent this tool from sending information back to Microsoft?
A21: Yes. The reporting component can be disabled by setting a specific registry key. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

Q29: Can I run this tool on a Windows Embedded computer?
A29: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.

Q30: Does running of the tool require any security updates to be installed on the computer?
A30: No. Unlike most previous cleaner tools that were produced by Microsoft, the Malicious Software Removal tool does not require any security update prerequisites. However, it is strongly recommended that all critical updates be installed before using the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.

Q33: Do I need the previous cleaner tools installed to run the Malicious Software Removal Tool?
A33: No.

Q34: Is there a newsgroup available to discuss this tool?
A34: Yes. You can use the microsoft.public.security.virus newsgroup.
Title: Re: MICROSOFT Software Removal Tool
Post by: darkparrot on January 12, 2005, 12:06:17 AM
Interesting. Thanks.
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: bob3160 on January 12, 2005, 12:23:24 AM
I like the fact that it can remove it from a restore point.
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Tipton on January 12, 2005, 04:01:03 AM
After the install, where the heck does MS put this tool?  I can't find it!

Tipton
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Lisandro on January 12, 2005, 04:25:32 AM
Quote
After the install, where the heck does MS put this tool?  I can't find it!

I look like a monkey trying to find it and I can't either  :(
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Tipton on January 12, 2005, 04:33:30 AM
Quote
After the install, where the heck does MS put this tool?  I can't find it!

I look like a monkey trying to find it and I can't either  :(

From what I gather from other sources, it actually does not get installed at all. It just gets run when you accept the download. I am still a bit confused on this.

Tipton
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Lisandro on January 12, 2005, 04:44:59 AM
Quote
From what I gather from other sources, it actually does not get installed at all. It just gets run when you accept the download. I am still a bit confused on this.

Ok, but it must be saved to disk sooner or later to be run...
The file recovery applications cannot find it...  ::)
It seems to be shredded (erased) after the run  :(
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Tipton on January 12, 2005, 04:56:06 AM
Quote
From what I gather from other sources, it actually does not get installed at all. It just gets run when you accept the download. I am still a bit confused on this.

Ok, but it must be saved to disk sooner or later to be run...
The file recovery applications cannot find it...  ::)
It seems to be shredded (erased) after the run  :(

Exactly! It gets removed from your system after it is run. Right after I installed it along with the other critical MS patch, I found its exe under Local Disk C. Later, it was gone!

Tipton
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: watchthisspace on January 12, 2005, 06:20:46 AM
Thanks for the heads up Sash  :)
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Negeltu on January 12, 2005, 09:09:08 AM
But it specifically says it can be redistributed... therefore I take it that it is NOT deleted after running.  :)
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: S.Z.Craftec on January 12, 2005, 12:04:56 PM
Guys, guys  ::) You don't read the instructions and info... read here:

Quote
Usage information
When the Malicious Software Removal Tool runs, it performs the following functions. Except where noted, the tool has the same behavior independent of what command-line switches you use or how you download and run the tool. Note that the tool is not actually installed on a computer. Therefore, no entry is created for it in the Programs folder or in Add/Remove Programs.

Notes:
• When you download the tool from Windows Update or from Automatic Updates, the tool always runs in quiet mode.
• When you run the tool from our Web site at http://www.microsoft.com, the tool always displays a user interface (UI).
• When you download the tool from the Microsoft Download Center, the tool ordinarily displays a UI when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.

Recording scan data
After the scan is complete, the tool creates a log file that contains the results of the scan. The name of the file is Mrt.log. The file is in the %windir%\Debug folder.
• This log file is available in English only.

Standalone program can be downloaded here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Quote
Command-line switches
The Malicious Software Removal Tool supports two command-line switches:
• /Q or /quiet - Use quiet mode. This option suppresses the user interface of the tool.
• /? - Display a dialog box that lists the command-line switches.

You can run it, check your system, and then re-run it another million times if you want... but be sure that you always download the latest version, because... read this:

Quote
A new version of this tool is released on the second Tuesday of every month. These new versions will be available from the Microsoft Download Center—this page—as well as from Windows Update / Automatic Updates. It is recommended that Windows XP users use Windows Update / Automatic Updates to download the tool. If you are using any other version of Windows for which this tool is supported, please download the tool from this page or run the online version of the tool at least once a month to ensure that you are using the latest version of this software.

Also, there is an online version of the tool:
Quote
An online version of the tool is also available. Click here: http://www.microsoft.com/security/malwareremove/default.mspx

All other information can be found in here:
http://support.microsoft.com/?kbid=890830  ;)

It can be redistributed... of course, only if you download the latest version of the program...
Quote
Q9: Can this tool be redistributed?
A9: Yes. Per the terms of this tool's EULA, the tool can be redistributed. However, make sure you are redistributing the latest version of the tool.

Cheers !
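The quoted usage notes give everything needed to run the standalone tool unattended and to prove afterwards that it actually ran: the /Q switch for quiet mode, and the Mrt.log file in %windir%\Debug that is written when a scan completes. The script below is an added example for this thread, not from the KB article or from the forum post. It refuses to run a copy of the downloaded tool that is older than the 60-day staleness limit the FAQ mentions, runs the tool quietly, and then checks that Mrt.log was rewritten. The tool path and the use of the file's own timestamp as its age are assumptions; the contents of Mrt.log are not parsed, because the thread does not describe their format.

```powershell
# Added example for this thread; not part of the KB article or the forum post.
# Assumptions: the standalone tool was saved as $ToolPath, and the FAQ's 60-day
# reminder is applied here to the downloaded file's own last-write time.
param(
    [string]$ToolPath   = "$env:USERPROFILE\Downloads\mrt.exe",  # assumed location
    [int]   $MaxAgeDays = 60                                      # FAQ's staleness limit
)

# Log location quoted in the thread: %windir%\Debug\Mrt.log
$logPath = Join-Path $env:windir 'Debug\Mrt.log'

# 1. Refuse a stale copy: the FAQ insists on always using the latest version.
$tool = Get-Item -LiteralPath $ToolPath -ErrorAction Stop
$age  = (Get-Date) - $tool.LastWriteTime
if ($age.TotalDays -gt $MaxAgeDays) {
    Write-Warning ("{0} is {1:N0} days old; download this month's release first." -f $ToolPath, $age.TotalDays)
    exit 2
}

# 2. Record the log's previous timestamp so a fresh write can be detected.
$before = $null
if (Test-Path -LiteralPath $logPath) {
    $before = (Get-Item -LiteralPath $logPath).LastWriteTime
}

# 3. Run in quiet mode (/Q, per the quoted switch list) and wait for it to finish.
$proc = Start-Process -FilePath $ToolPath -ArgumentList '/Q' -Wait -PassThru
Write-Host "Tool exited with code $($proc.ExitCode)"

# 4. A rewritten Mrt.log is the evidence that a scan completed; show its tail.
if (-not (Test-Path -LiteralPath $logPath)) {
    Write-Warning "No $logPath was written; the scan did not complete."
    exit 1
}
$after = (Get-Item -LiteralPath $logPath).LastWriteTime
if ($before -and $after -le $before) {
    Write-Warning "Mrt.log was not updated by this run."
    exit 1
}
Write-Host "Scan logged at $after. Last lines of $logPath :"
Get-Content -LiteralPath $logPath | Select-Object -Last 15
```

Run it from an account that is allowed to write under %windir%. The exit code of the tool itself is printed but not interpreted, since the thread says nothing about what its values mean; the log timestamp is the check the page does support.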
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: Tipton on January 12, 2005, 05:00:11 PM
Thanks Sasha! I was able to find my Mrt.log. I suppose the best method would be to just run this tool via Windows Update, so you know that it is using the most recent, up-to-date release. Of course the downloadable version is nice to have to run on other systems out of the house.

Tipton
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: S.Z.Craftec on January 12, 2005, 07:38:07 PM
Exactly Tipton ! IMHO, automatic checking through standard Windows Update is great, maybe the best method. The user doesn't have to do anything, everything is done automatically. The online version is also useful, and of course the downloadable version too.

Cheers !
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: JohnW on February 07, 2005, 05:36:17 PM
Just came across this topic by accident.

It seems to me very significant that the product can remove a virus from a System Restore point.

Avast (and other checkers) were never able to do this.

Can the latest versions remove from System Restore, or does MS know something that they're not letting on?

J
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: DavidR on February 07, 2005, 06:27:04 PM
System Restore's System Volume Information and the _restore points are windows protected storage. Windows is protecting it, so I would say they should know how to remove that protection, remove a restore point and enable protection again.

We mere mortals usually have to disable system restore (which gets rid of all restore points not just an infected one), resolve any other issues and then enable system restore.
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: JohnW on February 07, 2005, 07:34:48 PM
Hi DavidR
Removing the protection is in the public domain. In fact Eddy showed me how to do it when I wanted to just scan the System Volume Information. Subsequently I wrote some scripts to deprotect and protect that folder. But as you imply, going any further than that is fraught with danger. However, if Microsoft have the know-how they really should be passing it on to the Avast programmers. My personal interest in this stems from the fact that the first time I got a virus in the SVI I disabled and enabled System Restore (as is the standard procedure) but my computer failed to boot. I got back on track eventually and the virus has disappeared, but the experience has made me nervous. On the only other occasion the standard procedure worked perfectly. But it would be nice if Avast could identify it AND GET RID OF IT!

John (also from UK)
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: DavidR on February 07, 2005, 08:41:19 PM
I believe that avast team are working on that as a possible future enhancement. I think that there was something along these lines in a previous thread.

I have stopped using System Restore; it is just not reliable enough. I take regular image back-ups of my HDD and if I get into a fix, it is a few minutes' task to install the last image.

There are many, many reasons why a System Restore may fail. For example, see "Why are previous restore points not working?" in the "Troubleshooting" section of this official Microsoft page:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

There's lots more on that page that's worth reading too. Note especially the sections on "Does System Restore protect personal data files?" (the short answer: no); "What should I do if System Restore does not work?"; "Why are my restore points missing or deleted?"; "Why does the System Restore Wizard lockup?"; and so on. Just a few minutes on that page ought to convince just about anyone that System Restore is not intended for heavy-duty system protection!

More info:
http://www.kellys-korner-xp.com/xp_restore.htm
http://www.experts-exchange.com/Operating_Systems/WinME/Q_20718080.html
http://www.google.com/search?q=system+restore+fail

How to Access System_Volume_Information Folder (http://support.microsoft.com/default.aspx?kbid=309531)
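The linked KB 309531 describes, for Windows XP Professional on NTFS, the cacls method of granting an account access to the System Volume Information folder, which is what the "deprotect and protect" scripts JohnW mentions come down to. The script below is an added example, not part of DavidR's post or of the KB article: it grants the current account access so an on-demand scanner can be pointed at the restore-point files, lists those files, and then revokes the access again in a finally block so the folder is never left open if the listing or scan fails. The drive letter and account name come from the environment and are assumed defaults; the scanner invocation itself is left out because the thread names none.

```powershell
# Added example for this thread (not from the KB article or the forum posts).
# Uses the cacls method KB 309531 gives for Windows XP Professional on NTFS:
#   cacls <folder> /E /G <user>:F   adds a Full-control entry without replacing the ACL
#   cacls <folder> /E /R <user>     removes that entry again
# Run from an Administrators account; $Drive and $Account are assumed defaults.
param(
    [string]$Drive   = $env:SystemDrive,   # e.g. C:
    [string]$Account = $env:USERNAME       # account that will run the scan
)

$svi = Join-Path $Drive 'System Volume Information'

function Grant-SviAccess {
    # /E edits the existing ACL in place; /G grants; F = Full control.
    & cacls.exe $svi /E /G "${Account}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cacls failed to grant access to $svi" }
}

function Revoke-SviAccess {
    # /R removes the entry added above, leaving the original SYSTEM-only ACL.
    & cacls.exe $svi /E /R $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cacls failed to revoke access to $svi" }
}

Grant-SviAccess
try {
    # With access granted, enumerate the restore-point contents so an on-demand
    # scanner can be pointed at them (the scanner command itself is not shown).
    Get-ChildItem -LiteralPath $svi -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
}
finally {
    # Always restore the protection, even if listing or scanning threw.
    Revoke-SviAccess
}
```

This only reads the folder; it does not delete anything from a restore point, which is the step DavidR's post warns is fraught. If a scanner does flag a file under System Volume Information, the thread's own advice still applies: disabling and re-enabling System Restore discards every restore point, not just the infected one.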
Title: Re: MICROSOFT Malicious Software Removal Tool
Post by: JohnW on February 07, 2005, 09:48:44 PM
Thanks DavidR, useful reply.
There's a lot to digest, but I'll certainly look at some of your sites.
John