Spyware remover in Updates?

[Harold Gunn]

When I scanned at the XP site this week, one of the two recommended
updates was a spyware removal tool of some sort. I installed it, but see
no reference to it in programs or control panel. What is it and how does
it work?

I know about the new MS anti-spyware beta, so I'm pretty sure I'm not
confusing it with something else. Thanks..

 

[Jim]

When I scanned at the XP site this week, one of the two recommended
updates was a spyware removal tool of some sort. I installed it, but see
no reference to it in programs or control panel. What is it and how does
it work?

I know about the new MS anti-spyware beta, so I'm pretty sure I'm not
confusing it with something else. Thanks..

It runs, examines your system, creates a logfile, exits, and deletes itself.
The logfile is /Windows/Debug/mrt.log.
Jim

 

[Harold Gunn]

It runs, examines your system, creates a logfile, exits, and deletes itself.
The logfile is /Windows/Debug/mrt.log.
Jim

Thanks, Jim. I found it. Does it run without being prompted?

 

[Jim]

Thanks, Jim. I found it. Does it run without being prompted?

Yes. The only clue about it running is a very show message down in the
taskbar.
Jim

 

[Wesley Vogel]

The Malicious Software Tool ran once and apparently found no problems.

See what the mrt.log says...

Paste this in the Start | Run box...

%windir%\debug\mrt.log

Click OK
---

[[Q2. How do I verify whether the removal tool has run on a client computer?

A2. You can examine the following registry key to verify the execution of
the tool. Note that you can implement such a check as part of a startup or
logon script. This will prevent the tool from running multiple times.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT with value
named "Version".

Every time the tool is executed, independent of the results of the
execution, the tool will record a GUID to the registry to indicate that it
has been executed. The following table lists the GUID corresponding to each
release.

Release Value Data
January 2005 E5DD9936-C147-4CD1-86D3-FED80FAADA6C ]]

Deployment of the Microsoft Windows Malicious Software Removal Tool in an
enterprise environment
http://support.microsoft.com/default.aspx?scid=kb;en-us;891716

 

[Harold Gunn]

The Malicious Software Tool ran once and apparently found no problems.

See what the mrt.log says...

Paste this in the Start | Run box...

%windir%\debug\mrt.log

Click OK
---

[[Q2. How do I verify whether the removal tool has run on a client computer?

A2. You can examine the following registry key to verify the execution of
the tool. Note that you can implement such a check as part of a startup or
logon script. This will prevent the tool from running multiple times.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT with value
named "Version".

Every time the tool is executed, independent of the results of the
execution, the tool will record a GUID to the registry to indicate that it
has been executed. The following table lists the GUID corresponding to each
release.

Release Value Data
January 2005 E5DD9936-C147-4CD1-86D3-FED80FAADA6C ]]

Deployment of the Microsoft Windows Malicious Software Removal Tool in an
enterprise environment
http://support.microsoft.com/default.aspx?scid=kb;en-us;891716

How often does it run?

Here's my log entry:
Microsoft Malicious Software Removal Tool v1.0, January 2005
Started On Tue Jan 11 22:13:00 2005
Removal Tool Results:
No infection found.
Microsoft Malicious Software Removal Tool Finished On Tue Jan 11
22:13:03 2005

 

[Wesley Vogel]

The Malicious Software Removal Tool from Automatic Updates, runs once and
it's gone. Supposedly MS will update this tool monthly.

[[A new version of this tool is released on the second Tuesday of every
month. These new versions will be available from the Microsoft Download
Center—this page—as well as from Windows Update / Automatic Updates. An
online version of the tool is also available. It is recommended that Windows
XP users use Windows Update / Automatic Updates to download the tool.]]
Microsoft® Windows® Malicious Software Removal Tool (KB890830)
http://www.microsoft.com/downloads/...e0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

[[Windows XP users may get the latest version through Windows Update. To
have the newest versions automatically delivered and installed as soon as
they are released, set the Automatic Updates feature to Automatic.

Note The version of this tool delivered by Windows Update runs in the
background and then deletes itself. If you would like to run this tool more
than once a month, use the version on this Web page or install the version
that is available in the Download Center.]]
On-line version of the Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx

The Malicious Software Removal Tool is no substitute for update antivirus
software that is run regularly.

Maybe you are really asking about this...

Microsoft Windows AntiSpyware (Beta) Home
http://www.microsoft.com/athome/security/spyware/software/default.mspx


--
Hope this helps. Let us know.
Wes

In

The Malicious Software Tool ran once and apparently found no
problems.

See what the mrt.log says...

Paste this in the Start | Run box...

%windir%\debug\mrt.log

Click OK
---

[[Q2. How do I verify whether the removal tool has run on a client
computer?

A2. You can examine the following registry key to verify the
execution of the tool. Note that you can implement such a check as
part of a startup or logon script. This will prevent the tool from
running multiple times.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT with value
named "Version".

Every time the tool is executed, independent of the results of the
execution, the tool will record a GUID to the registry to indicate
that it has been executed. The following table lists the GUID
corresponding to each release.

Release Value Data
January 2005 E5DD9936-C147-4CD1-86D3-FED80FAADA6C ]]

Deployment of the Microsoft Windows Malicious Software Removal Tool
in an enterprise environment
http://support.microsoft.com/default.aspx?scid=kb;en-us;891716

How often does it run?

Here's my log entry:
Microsoft Malicious Software Removal Tool v1.0, January 2005
Started On Tue Jan 11 22:13:00 2005
Removal Tool Results:
No infection found.
Microsoft Malicious Software Removal Tool Finished On Tue Jan 11
22:13:03 2005

 

[Rock]

The Malicious Software Tool ran once and apparently found no problems.

See what the mrt.log says...

Paste this in the Start | Run box...

%windir%\debug\mrt.log

Click OK
---

[[Q2. How do I verify whether the removal tool has run on a client
computer?

A2. You can examine the following registry key to verify the execution of
the tool. Note that you can implement such a check as part of a
startup or
logon script. This will prevent the tool from running multiple times.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT with value
named "Version".

Every time the tool is executed, independent of the results of the
execution, the tool will record a GUID to the registry to indicate
that it
has been executed. The following table lists the GUID corresponding to
each
release.

Release Value Data
January 2005 E5DD9936-C147-4CD1-86D3-FED80FAADA6C ]]

Deployment of the Microsoft Windows Malicious Software Removal Tool in an
enterprise environment
http://support.microsoft.com/default.aspx?scid=kb;en-us;891716

How often does it run?

Here's my log entry:
Microsoft Malicious Software Removal Tool v1.0, January 2005
Started On Tue Jan 11 22:13:00 2005
Removal Tool Results:
No infection found.
Microsoft Malicious Software Removal Tool Finished On Tue Jan 11
22:13:03 2005

It only runs once, and it's not anti-spyware. It looks for a small list
of viruses.

 

[Frank Saunders, MS-MVP]

How often does it run?

Here's my log entry:
Microsoft Malicious Software Removal Tool v1.0, January 2005
Started On Tue Jan 11 22:13:00 2005
Removal Tool Results:
No infection found.
Microsoft Malicious Software Removal Tool Finished On Tue Jan 11
22:13:03 2005

It runs once or again when updated from Windows Updates.

The tool is
Windows-KB890830-ENU.exe (probably in your default download folder).
The results are in C:\Windows\Debug\mrt.log

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx

 

[Bruce Chambers]

When I scanned at the XP site this week, one of the two recommended
updates was a spyware removal tool of some sort. I installed it, but see
no reference to it in programs or control panel. What is it and how does
it work?

I know about the new MS anti-spyware beta, so I'm pretty sure I'm not
confusing it with something else. Thanks..

You need to read the KB Article that describes the use of this
tool. The tool is updated the second Tuesday of each month, appears as a
"Critical Update" on the Windows Update site, and runs only when
"downloaded." Nothing is installed; there's nothing to run at a later date.

http://support.microsoft.com/default.aspx?scid=kb;en-us;890830

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Bruce Chambers]

When I scanned at the XP site this week, one of the two recommended
updates was a spyware removal tool of some sort. I installed it, but see
no reference to it in programs or control panel. What is it and how does
it work?

I know about the new MS anti-spyware beta, so I'm pretty sure I'm not
confusing it with something else. Thanks..

The way many mass emailing worms work is that they send out emails
from the infected machine to every address it finds, and it
randomly selects one of those found addresses to place in the "from"
fields. What this means is that someone else who has your email
address in his/her contact list may be the infected party. You
might consider advising everyone with who you've recently corresponded
that they should all perform virus scans.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

 

[Steve N.]

When I scanned at the XP site this week, one of the two recommended
updates was a spyware removal tool of some sort. I installed it, but see
no reference to it in programs or control panel. What is it and how does
it work?

I know about the new MS anti-spyware beta, so I'm pretty sure I'm not
confusing it with something else. Thanks..

You're asking for trouble if you just go ahead with caution to the wind
and install stuff you don't know about, even if it is from Microsoft.

Read first, install later.

Steve

 

[DrJoel]

I think that this application runs in the background and only pops up if it
finds something.

 

[Frank Saunders, MS-MVP]

It's a beta and has caused some users lots of trouble. Be careful about
what you let it delete. Quarantying is much better.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx

 

[Malke]

It's a beta and has caused some users lots of trouble. Be careful
about
what you let it delete. Quarantying is much better.

The malicious software removal tool found at Windows Update is not
related to the Microsoft AntiSpyware tool that is currently in beta.
The tool that is at Windows Update is targeted to remove a few specific
worms, just like the Blaster Removal tool was. It runs, removes the
worms if they exist, and disappears. It does not install itself to the
hard drive.

The Microsoft AntiSpyware tool is based on the Giant antispyware tool
and discussions about it are here:

At this time, support for the beta version of Microsoft Windows
AntiSpyware is being provided through the following Microsoft
newsgroups:

- microsoft.private.security.spyware.announcements
- microsoft.private.security.spyware.appcompat
- microsoft.private.security.spyware.general
- microsoft.private.security.spyware.install
- microsoft.private.security.spyware.networking
- microsoft.private.security.spyware.signatures
- microsoft.private.security.spyware.onlinecommunity

These newsgroups can be accessed via NNTP or HTTP. To access these
newsgroups using HTTP, please go to the following location:

http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCID=us

To access these newsgroups using NNTP, please use the following
information for your NNTP client (such as Microsoft Outlook Express):

- NNTP Server: privatenews.microsoft.com
- Account name: privatenews\spyware
- Password: spyware

NOTE: No password will be required via the HTTP link.

Malke