Malicious Software Tool

Jim Bunton

Downloaded and installed it - and for good measure rebooted.

Now - where is it?
Found out that I can use switches to control how it runs etc BUT nothing
about HOW it is run. [or how it is possible to determine when it is run etc]
 
Thanks for the reply David

Next question - how do I uninstall it. I thought that it was a tool I could
use when I wanted to. I have AVG to scan when I want to. I don't want
something running in background that I can't control. Tut tut typical of
Microsoft!


David H. Lipman said:
From: "Jim Bunton" <[email protected]>

| Downloaded and installed it - and for good measure rebooted.
|
| Now - where is it?
| Found out that I can use switches to control how it runs etc BUT nothing
| about HOW it is run. [or how it is possible to determine when it is run etc]
|
| --
| Jim Bunton
|

This tool is a "run in the background" tool for detecting mostly Internet worms. It has a
limited target list, which you can view at;
http://support.microsoft.com/default.aspx?scid=kb;en-us;890830

The only result of the invisible background scan is a log file; %WINDIR%\debug\mrt.log .

Attached is the log file from my Win2K PC...

If you want a more comprehensive scanning tool I have one that provides scanners from;
Trend, Sophos and McAfee that have a very broad spectrum malware coverage.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Jim: You need to read this page in its entirety. It is not installed nor
does it remain on your computer running in the background.

http://support.microsoft.com/default.aspx?scid=kb;en-us;890830

Tom
| > --
| > Dave
| > http://www.claymania.com/removal-trojan-adware.html
| > http://www.ik-cs.com/got-a-virus.htm
 
From: "Jim Bunton" <[email protected]>

| Thanks for the reply David
|
| Next question - how do I uninstall it. I thought that it was a tool I could
| use when I wanted to. I have AVG to scan when I want to. I don't want
| something running in background that I can't control. Tut tut typical of
| Microsoft!

You don't uninstall it and there is no need to do so. It is a fly-by command line scanner
akin to McAfee's Stinger.

It only scans "On Demand". It is not an always running "On Access" scanner.

There are three implementations.

1. Windows Update web site twice per month
2. MS URL "On Demand" as desired
3. Downloadable EXE file for use on an Enterprise.
 
Jim said:
Downloaded and installed it - and for good measure rebooted.

Now - where is it?
Found out that I can use switches to control how it runs etc BUT nothing
about HOW it is run. [or how it is possible to determine when it is run etc]

I ran into the exact same problem myself.

By doing a before and after comparison of the files on my C:
drive, I found that the program you need to run is
C:\WinNT\System32\MRT.exe
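Rob's before-and-after comparison of the C: drive is a general technique for finding what an installer drops. Here it is as an added Python example (not Rob's own script or method) that snapshots a tree by size and SHA-256 and diffs two snapshots, so it catches modified files as well as new ones. The demo builds a constructed temporary tree with placeholder files standing in for %WINDIR%; the paths mirror the ones named in the thread, the contents are made up.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot_tree(root):
    """Map every regular file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            snap[rel] = (p.stat().st_size, file_digest(p))
    return snap


def diff_snapshots(before, after):
    """Return added, removed and changed paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed stand-in for a %WINDIR% tree before and after installing a tool.
    All file contents are placeholders; nothing here is a real binary or log."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = Path(tmp, "WINNT", "system32")
        sysdir.mkdir(parents=True)
        (sysdir / "kernel32.dll").write_bytes(b"constructed placeholder, not a real DLL")
        (sysdir / "hosts.ini").write_bytes(b"[settings]\n")
        before = snapshot_tree(tmp)
        # The "installer" drops a new binary and a scan writes a log file;
        # one existing file is also modified in place.
        (sysdir / "MRT.exe").write_bytes(b"constructed placeholder, not the real tool")
        Path(tmp, "WINNT", "debug").mkdir()
        Path(tmp, "WINNT", "debug", "mrt.log").write_text("constructed log line\n")
        (sysdir / "hosts.ini").write_bytes(b"[settings]\nupdated=1\n")
        after = snapshot_tree(tmp)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real system, take the first snapshot before running the installer and the second after the reboot, then look at the "added" list for the dropped executable and the "changed" list for anything the installer touched.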
 
Tom said:
Jim: You need to read this page in its entirety. It is not installed nor
does it remain on your computer running in the background.


That *might* be true if you run the program from WindowsUpdate,
but it most definitely is not true if you download and install it.

Take a look at your hard drive and see if you have the file
c:\winnt\system32\mrt.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;890830

Tom
 
From: "Rob Stow" <[email protected]>

| Jim Bunton said:
| > Downloaded and installed it - and for good measure rebooted.
| >
| > Now - where is it?
| > Found out that I can use switches to control how it runs etc BUT nothing
| > about HOW it is run. [or how it is possible to determine when it is run etc]
| I ran into the exact same problem myself.
|
| By doing a before and after comparison of the files on my C:
| drive, I found that the program you need to run is
| C:\WinNT\System32\MRT.exe

So ?

It is no big deal, that it leaves behind a 1.3MB command line scanner file.
 
Well thanks for all the advice folks!

In summary it seems that
1. a file C:\WinNT\System32\MRT.exe is what's downloaded from MS Update
but you won't know this without some difficulty
2. it looks likely that it doesn't run unless you RUN it
3. it's a pretty laborious read to get the basics from the Ms article
4. though it is 'installed' no info is given by Ms to uninstall it
5. It certainly doesn't appear on the (settings) installed progs list
6. If it is run it will/may leave logs on the system
7. All in all - not the most impressive bit of support from Ms
BUT - maybe if it was better they'd end up in the courts
for the same sort of reasons as bundling a browser

Jim Bunton
 
| NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
| through your FireWall to allow them to download the needed AV vendor related files.

Disable software firewall??? You must know that's very bad advice. I
just read somewhere yesterday that after creating a honeypot like
that, you can expect to take malware hits in as little as 30 seconds
nowadays.

Take a look at the wwdc util here:

http://www.firewallleaktester.com/wwdc.htm

The solution is to close all ports before disabling the firewall.

Art

http://home.epix.net/~artnpeg
 
From: "Art" <[email protected]>

| On Wed, 20 Jul 2005 09:38:46 -0400, "David H. Lipman"
|
| Disable software firewall??? You must know that's very bad advice. I
| just read somewhere yesterday that after creating a honeypot like
| that, you can expect to take malware hits in as little as 30 seconds
| nowadays.
|
| Take a look at the wwdc util here:
|
| http://www.firewallleaktester.com/wwdc.htm
|
| The solution is to close all ports before disabling the firewall.
|
| Art
|
| http://home.epix.net/~artnpeg

Note the word "may". Most FireWall applications will indicate a program is trying to gain
access to the Internet and one just has to allow it. So the user just has to allow
WGET.EXE and/or FTP.EXE to go through the FireWall(s).
 
| Disable software firewall??? You must know that's very bad advice. I
| just read somewhere yesterday that after creating a honeypot like
| that, you can expect to take malware hits in as little as 30 seconds
| nowadays.
|
| Take a look at the wwdc util here:
|
| http://www.firewallleaktester.com/wwdc.htm
|
| The solution is to close all ports before disabling the firewall.
| Note the word "may".

What's that got to do with what I said??? I still say the bad advice
to disable the firewall should be removed from your instructions.
And the use of WWDC should be promoted in its place.
| Most FireWall applications will indicate a program is trying to gain
| access to the Internet and one just has to allow it. So the user just has to allow
| WGET.EXE and/or FTP.EXE to go through the FireWall(s).

Art

http://home.epix.net/~artnpeg
 
From: "Art" <[email protected]>

| On Wed, 20 Jul 2005 13:22:41 -0400, "David H. Lipman"
| said:
|> Disable software firewall??? You must know that's very bad advice. I
|> just read somewhere yesterday that after creating a honeypot like
|> that, you can expect to take malware hits in as little as 30 seconds
|> nowadays.
|>
|> Take a look at the wwdc util here:
|>
|> http://www.firewallleaktester.com/wwdc.htm
|>
|> The solution is to close all ports before disabling the firewall.
|
| What's that got to do with what I said??? I still say the bad advice
| to disable the firewall should be removed from your instructions.
| And the use of WWDC should be promoted in its place.
|
| Art
|
| http://home.epix.net/~artnpeg

I have communicated with many where the only alternative left was to disable the FireWall.
That is why I make a note of that possibility. I see no way around this if they first
disallow the utilities Internet access. I'm trying to keep the instructions as simple as
possible. There are /still/ those that can't handle them.
 
| I have communicated with many where the only alternative left was to disable the FireWall.
| That is why I make a note of that possibility. I see no way around this if they first
| disallow the utilities Internet access. I'm trying to keep the instructions as simple as
| possible. There are /still/ those that can't handle them.

Doesn't matter. It makes no sense whatsoever to advise people to
disable their firewall. Very bad.

Art

http://home.epix.net/~artnpeg
 
From: "Art" <[email protected]>


|
| Doesn't matter. It makes no sense whatsoever to advise people to
| disable their firewall. Very bad.
|
| Art
|
| http://home.epix.net/~artnpeg

Well I could create a FTPget() function in Kixtart using...
CreateObject("Microsoft.XMLHTTP")

However, it would not have user feedback and for the FTP connection and download period the
user would think the utility is not running.

I think the rare situation cost-benefit is worth the risk and it is only needed for the
short period during the process. Once the files are obtained the FireWall can be
re-enabled. Now if there is a way to implement a FTPget() function with a progress bar I
will re-code the utility.

Thanx for the feedback Art.
 
From: "David H. Lipman" <[email protected]>

ADDENDUM;

Now that I think about it, CreateObject("Microsoft.XMLHTTP") is good for replacing WGET.EXE
not FTP.EXE and it is more or less FTP.EXE that has FireWall issues not WGET.EXE.
 
From: "David H. Lipman" <[email protected]>

| ADDENDUM;
|
| Now that I think about it, CreateObject("Microsoft.XMLHTTP") is good for replacing WGET.EXE
| not FTP.EXE and it is more or less FTP.EXE that has FireWall issues not WGET.EXE.

I used to supply a .WGETRC file with my updaters. I can't find it
right now but it was something like:

passive=on

(or was it off instead of on?). Anyway, this fixed a firewall blocking
problem with wget, according to a few users. I dimly recall that
that Norton's firewall was one of the culprits. I just can't remember
whether I had it set active or passive FTP.

I notice that wwdc is only a 50K file. Insignificant compared to the
size of the Sysclean downloads. It works with command line and
it's suitable for batch files. Many users ought to have their ports
closed in any event. They're forever disabling their firewall for a
short time and taking hits. The best thing you could do for them
is close their goddam ports so they don't keep coming back for
help :)

Art

http://home.epix.net/~artnpeg
 
| WGET.EXE.
|
| I used to supply a .WGETRC file with my updaters. I can't find it
| right now but it was something like:
|
| passive=on
|
| (or was it off instead of on?). Anyway, this fixed a firewall blocking
| problem with wget, according to a few users. I dimly recall that
| that Norton's firewall was one of the culprits. I just can't remember
| whether I had it set active or passive FTP.
|
| I notice that wwdc is only a 50K file. Insignificant compared to the
| size of the Sysclean downloads. It works with command line and
| it's suitable for batch files. Many users ought to have their ports
| closed in any event. They're forever disabling their firewall for a
| short time and taking hits. The best thing you could do for them
| is close their goddam ports so they don't keep coming back for
| help :)
|
| Art
|
| http://home.epix.net/~artnpeg


They should not be vulnerable if they're up to date, so "taking hits" would
be a moot point. "disable" is probably a bad thing, instead a better thing
would be to poke a little hole in the firewall for wget to go through, so
users wouldn't have to disable the firewall at all, not even for a short
time. Besides, aren't the majority of users broadband by now and aren't they
behind routers? This whole thing could be moot.
 