Microsoft KB Archive/891716

= Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment =

Article ID: 891716

Article Last Modified on 12/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition

-



''The Microsoft Windows Malicious Software Removal Tool is intended for use with the operating systems that are listed in the &quot;Applies to&quot; section. Operating systems that are not included in the list were not tested and therefore are not supported. These unsupported operating systems include all versions and editions of embedded operating systems.''



INTRODUCTION
Microsoft has released the Microsoft Windows Malicious Software Removal Tool to help you remove specific, prevalent malicious software from a computer.

The information that is contained in this article is specific to the enterprise deployment of the tool. We highly recommend that you review the following Microsoft Knowledge Base article. It contains general information about the tool and about the download locations. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

The tool is primarily intended for noncorporate users who do not have an existing, up-to-date antivirus product installed on their computers. However, the tool can also be deployed in an enterprise environment to enhance existing protection and as part of a defense-in-depth strategy. To deploy the tool in an enterprise environment, you can use one or more of the following methods:
 * Windows Server Update Services
 * Microsoft Systems Management Software (SMS) software package
 * Group Policy-based computer startup script
 * Group Policy-based user logon script

For more information about how to deploy the tool through Windows Update and Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

The current version of this tool does not support the following deployment technologies and techniques:
 * Windows Update Catalog
 * Execution of the tool against a remote computer
 * Software Update Services (SUS)

Additionally, the Microsoft Baseline Security Analyzer (MBSA) does not detect execution of the tool. This article includes information about how you can verify execution of the tool as part of deployment.

Code sample
The script and the steps that are provided here are only meant to be samples and examples. Customers must test these sample scripts and example scenarios and modify them appropriately to work in their environment. You must change the  and the   according to the setup in your environment.

The following code sample does the following things:
 * Runs the tool in silent mode
 * Copies the log file to a preconfigured network share
 * Prefixes the log file name with the name of the computer from which the tool is executed and with the user name of the current user. You must set appropriate permissions on the share according to the instructions in the Initial setup and configuration section.

REM In this example, the script is named RunMRT.cmd. REM The Sleep.exe utility is used to delay the execution of the tool when used as a REM startup script. See the &quot;Known issues&quot; section for details. @echo off call \\ServerName\ShareName\Sleep.exe 5 Start /wait \\ServerName\ShareName\Windows-KB890830-V1.36.exe /q

copy %windir%\debug\mrt.log \\ServerName\ShareName\Logs\%computername%_%username%_mrt.log Note In this code sample,  is a placeholder for the name of your server, and   is a placeholder for the name of your share.

Initial setup and configuration
This section is intended for administrators who are using a startup script or a logon script to deploy this tool. If you are using SMS, you can continue to the &quot;Deployment methods&quot; section.

To configure the server and the share, follow these steps:  Set up a share on a member server. Then name the share . Copy the tool and the sample script, RunMRT.cmd, to the share. See the Code sample section for details. Configure the following share permissions and NTFS file system permissions:  Share permissions:  Add the domain user account for the user who is managing this share, and then click Full Control. Remove the Everyone group. If you use the computer startup script method, add the Domain Computers group together with Change and Read permissions.</li> If you use the logon script method, add the Authenticated Users group together with Change and Read permissions.</li></ol> </li> NTFS permissions: <ol style="list-style-type: lower-alpha;"> Add the domain user account for the user who is managing this share, and then click Full Control.</li> Remove the Everyone group if it is in the list.

Note If you receive an error message when you remove the Everyone group, click Advanced on the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.</li> If you use the computer startup script method, grant the Domain Computers group Read & Execute permissions, List Folder Contents permissions, and Read permissions.</li> If you use the logon script method, grant the Authenticated Users group Read & Execute permissions, List Folder Contents permissions, and Read permissions.</li></ol> </li></ul> </li> Under the ShareName folder, create a folder that is named Logs.

This is where the final log files will be collected after the tool runs on the client computers.</li> To configure the NTFS permissions on the Logs folder, follow these steps.

Note Do not change the Share permissions in this step. <ol style="list-style-type: lower-alpha;"> Add the domain user account for the user who is managing this share, and then click Full Control.</li> If you use the computer startup script method, give the Domain Computers group Modify permissions, Read & Execute permissions, List Folder Contents permissions, Read permissions, and Write permissions.</li> If you use the logon script method, give the Authenticated Users group Modify permissions, Read & Execute permissions, List Folder Contents permissions, Read permissions, and Write permissions.</li></ol> </li></ol>

Deployment methods
Note To run this tool, you must have Administrator permissions or SYSTEM permissions, regardless of the deployment option that you choose.

Using SMS software package
The following example provides step-by-step instructions for using SMS 2003. The steps for using SMS 2.0 resemble these steps. <ol> Extract the Mrt.exe file from the package that is named Windows-KB890830-V1.34-ENU.exe /x.</li>  Create a .bat file to start Mrt.exe and to capture the return code by using ISMIF32.exe.

The following is an example. @echo off Mrt.exe /q If errorlevel 13 goto error13 If errorlevel 12 goto error12 Goto end


 * error13

Ismif32.exe –f MIFFILE –p MIFNAME –d ”text about error 13” Goto end


 * error12

Ismif32.exe –f MIFFILE –p MIFNAME –d “text about error 12” Goto end


 * end

For more information about Ismif32.exe, click the following article numbers to view the articles in the Microsoft Knowledge Base:

268791 How a status Management Information Format (MIF) file produced by the ISMIF32.exe file is processed in SMS 2.0

186415 Status MIF creator, Ismif32.exe is available

</li> To create a package in the SMS 2003 console, follow these steps: <ol style="list-style-type: lower-alpha;"> Open the SMS Administrator Console.</li> Right-click the Packages node, click New, and then click Package.

The Package Properties dialog box appears.</li> <li>On the General tab, name the package.</li> <li>On the Data Source tab, click to select the This package contains source files check box.</li> <li>Click Set, and then choose a source directory that contains the tool.</li> <li>On the Distribution Settings tab, set the Sending priority to High.</li> <li>On the Reporting tab, click Use these fields for status MIF matching, and then specify a name for the MIF file name field and for the Name field.

Version and Publisher are optional.</li> <li>Click OK to create the package.</li></ol> </li> <li>To specify a Distribution Point (DP) to the package, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In the SMS 2003 console, locate the new package under the Packages node.</li> <li>Expand the package. Right-click Distribution Points, point to New, and then click Distribution Points.</li> <li>Start the New Distribution Points Wizard. Select an existing Distribution Point.</li> <li>Click Finish to close the wizard.</li></ol> </li> <li>To add the batch file that was previously created to the new package, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Under the new package node, click the Programs node.</li> <li>Right-click Programs, point to New, and then click Program.</li> <li>Click the General tab, and then enter a valid name.</li> <li>At the Command line, click Browse to select the batch file that you created to start Mrt.exe.</li> <li>Change Run to Hidden. Change After to No action required.</li> <li>Click the Requirements tab, and then click This program can run only on specified client operating systems.</li> <li>Click All x86 Windows 2000, All x86 Windows Server 2003, and All x86 Windows XP.</li> <li>Click the Environment tab, click Whether a user is logged in the Program can run list. Set the Run mode to Run with administrative rights.</li> <li>Click OK to close the dialog box.</li></ol> </li> <li>To create an advertisement to advertise the program to clients, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>Right-click the Advertisement node, click New, and then click Advertisement.</li> <li>On the General tab, enter a name for the advertisement. In the Package field, select the package that you previously created. In the Program field, select the program that you previously created. Click Browse, and then click the All System collection or select a collection of computers that only includes Microsoft Windows 2000 and later versions.</li> <li>On the Schedule tab, leave the default options if you want the program to only run one time. To run the program on a schedule, assign a schedule interval.</li> <li>Set the Priority to High.</li> <li>Click OK to create the advertisement.</li></ol> </li></ol>

Using a Group Policy-based computer startup script
This method requires that you restart the client computer after you set up the script and after you apply the Group Policy setting. <ol> <li>Set up the shares. To do this, follow the steps in the Initial setup and configuration section.</li> <li>Set up the startup script. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.</li> <li>Click the Group Policy tab.</li> <li>Click New to create a new Group Policy object (GPO), and type MRT Deployment for the name of the policy.</li> <li>Click the new policy, and then click Edit.</li> <li>Expand Windows Settings for Computer Configuration, and then click Scripts.</li> <li>Double-click Logon, and then click Add.

The Add a Script dialog box appears.</li> <li>In the Script Name box, type \\ \ \RunMRT.cmd .</li> <li>Click OK, and then click Apply.</li></ol> </li> <li>Restart the client computers that are members of this domain.</li></ol>

Using a Group Policy-based user logon script
This method requires that the logon user account is a domain account and is a member of the local administrator's group on the client computer. <ol> <li>Set up the shares. To do this, follow the steps in the Initial setup and configuration section.</li> <li>Set up the logon script. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.</li> <li>Click the Group Policy tab.</li> <li>Click New to create a new GPO, and then type MRT Deployment for the name.</li> <li>Click the new policy, and then click Edit.</li> <li>Expand Windows Settings for User Configuration, and then click Scripts.</li> <li>Double-click Logon, and then click Add. The Add a Script dialog box appears.</li> <li>In the Script Name box, type \\ \ \RunMRT.cmd .</li> <li>Click OK, and then click Apply.</li></ol> </li> <li>Log off and then log on to the client computers.</li></ol>

In this scenario, the script and the tool will run under the context of the logged-on user. If this user does not belong to the local administrators group or does not have sufficient permissions, the tool will not run and will not return the appropriate return code. For more information about how to use startup scripts and logon scripts, click the following article numbers to view the articles in the Microsoft Knowledge Base:

198642 Overview of logon, logoff, startup, and shutdown scripts in Windows 2000

322241 How to assign scripts in Windows 2000

Examining return codes
You can examine the return code of the tool in your deployment logon script or in your deployment startup script to verify the results of execution. See the Code sample section for an example of how to do this.

The following list contains the valid return codes.

Parsing the log file
The Malicious Software Removal Tool writes details about the result of its execution in the %windir%\debug\mrt.log log file.

Notes
 * This log file is available only in English.
 * Starting with version 1.2 of the removal tool (March 2005), this log file uses Unicode text. Before version 1.2, the log file used ANSI text.
 * The log file format has changed with version 1.2, and we recommend that you download and use the latest version of the tool.

If this log file already exists, the tool appends to the existing file.
 * You can use a command script that resembles the previous example to capture the return code and to collect the files to a network share.
 * Because of the switch from ANSI to Unicode, version 1.2 of the removal tool will copy any ANSI versions of the Mrt.log file in the %windir%\debug folder to Mrt.log.old in the same directory. Version 1.2 also creates a new Unicode version of the Mrt.log file in that same directory. Like the ANSI version, this log file will be appended to each month's release.

The following example is an Mrt.log file from a computer that was infected with the Sasser.A worm: <pre class="fixed_text">Microsoft Windows Malicious Software Removal Tool v1.28, April 2007 Started On Mon Mar 19 13:15:07 2007 Quick Scan Results:

Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Found virus: Win32/Sasser.A.worm in regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Found virus: Win32/Sasser.A.worm in file://C:\WINDOWS\avserve.exe Quick Scan Removal Results

Start 'remove' for regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\avserve.exe Operation succeeded ! Start 'remove' for file://\\?\C:\WINDOWS\avserve.exe Operation succeeded ! Results Summary:

Found Win32/Sasser.A.worm and Removed! Return code: 6 Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 19 13:15:57 2007

The following is an example log file where no malicious software is found.

<pre class="fixed_text">Microsoft Windows Malicious Software Removal Tool v1.2, March 2005 Started On Wed May 01 21:19:01 2002 Results Summary:

No infection found. Return code: 0 Microsoft Windows Malicious Software Removal Tool Finished On Wed May 01 21:19:05 2002

The following is an example log file where errors are found. For more information about warnings and errors that are caused by the tool, click the following article number to view the article in the Microsoft Knowledge Base:

891717 You receive an error when you run the Microsoft Windows Malicious Software Removal Tool

<pre class="fixed_text">Microsoft Windows Malicious Software Removal Tool v1.2, March 2005 Started On Wed May 01 21:27:57 2002 Scanning Results:

Found virus: Win32/HLLW.Gaobot.ZF in process 1880 Found virus: Win32/HLLW.Gaobot.ZF in process 1880 Found virus: Win32/HLLW.Gaobot.ZF in file C:\WINDOWS\System32\winsec16.exe Found virus: Win32/HLLW.Gaobot.ZF in process 1880 Found virus: Win32/HLLW.Gaobot.ZF in process 1880 Found virus: Win32/HLLW.Gaobot.ZF in file C:\WINDOWS\System32\winsec16.exe Found virus: Win32/HLLW.Gaobot.ZF in file C:\WINDOWS\System32\winsec16.exe Removal Results:

Terminating process with pid 1880 ->Sysclean ERROR: Failed to kill process with PID: 1880 (Win32 Error Code: 0x00000102 (258):The wait operation timed out.) [697] Operation failed ! Terminating process with pid 1880 Operation had previously completed. Terminating process with pid 1880 Operation had previously completed. Deleting registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, entry: WinSec Operation succeeded ! Terminating process with pid 1880 Operation had previously completed. Deleting registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, entry: WinSec Operation succeeded ! Writing in file C:\WINDOWS\system32\drivers\etc\hosts Operation succeeded ! Deleting file C:\WINDOWS\System32\winsec16.exe Operation succeeded ! Deleting file C:\WINDOWS\System32\winsec16.exe Operation had previously completed. Deleting file C:\WINDOWS\System32\winsec16.exe Operation had previously completed.

Results Summary:

For cleaning Win32/HLLW.Gaobot.ZF, the system needs to be restarted. Found Win32/HLLW.Gaobot.ZF, partially removed.

Known issues
When you run the tool by using a startup script, you may receive error messages that resemble the following in the Mrt.log file. The pid number will vary.

Error: MemScanGetImagePathFromPid(pid: 552) failed.

0x00000005: Access is denied.

This error occurs when a process is either just starting or when a process has been recently stopped. The only effect is that the process that is designated by the pid has not been scanned.

To work around this problem, use the Sleep.exe Platform SDK utility to delay five seconds in the startup script before you run the tool. See the previous sample script. This delay lets processes on the computer stabilize after the restart process.

FAQ
Q1. When I test my startup or logon script to deploy the tool, I do not see the log files that are being copied to the network share that I set up. Why?

A1. This is frequently caused by permissions issues. For example, the account that the removal tool was run from does not have Write permission to the share. To troubleshoot this, first make sure that the tool ran by checking the registry key. Alternatively, you can look for the presence of the log file on the client computer. If the tool successfully ran, you can test a simple script and make sure that it can write to the network share when it runs under the same security context in which the removal tool was run.

Q2. How do I verify that the removal tool has run on a client computer?

A2. You can examine the value data for the following registry entry to verify the execution of the tool. You can implement such a check as part of a startup script or a logon script. This will prevent the tool from running multiple times.

Subkey:

Entry name: Version

Every time that the tool is run, independent of the results of the execution, the tool will record a GUID to the registry to indicate that it has been executed. The following table lists the GUID that corresponds to each release.

Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.

Subkey:

Entry name: \DontReportInfectionInformation

Type: REG_DWORD

Value data: 1

This functionality is automatically disabled if the following registry key value exists:

This registry key value indicates that the computer is connected to an SUS server.

Q4. With the March release, data in the Mrt.log file appears to have been lost. Why was this data removed, and is there a way for me to retrieve it?

A4. Starting with the March release, the Mrt.log file is being written as a Unicode file. To make sure of compatibility, when the March version of the tool is run, if an ANSI version of the file is on the system, the tool will copy the contents of that log to Mrt.log.old in %WINDIR%\debug and create a new Unicode version of Mrt.log. Like the ANSI version, this Unicode version will be appended to with each successive execution of the tool.

Additional query words: kbpubtypekc kbcsgcr kbcsapac

Keywords: kbpubtypekc kbinfo KB891716

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.