
We ran into a problem while finishing a malware removal, in which the Malicious Software Removal Tool (MSRT) would not run. We first noticed the problem while downloading Windows updates — all the other updates would install, but Windows Update kept reoffering the August 2011 MSRT. We tried many different things, such as resetting Windows Update, double-checking for rootkits, rescanning the machines, manually checking files in %windir%, and an assortment of other things. One of the things we tried was downloading the standalone MSRT from http://support.microsoft.com/kb/890830. The file would download fine, but it would not run. The extraction dialog boxes would show up, then it would just disappear. Watching Task Manager while extracting the MSRT standalone package showed that the package would start running and then just disappear. We could not find any information in Event Viewer, mrt.log, or mrteng.log.

We double-checked the permissions on HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools to make sure access was not denied, since the MSRT package updates the Version subkey when a new version successfully finishes. Our final idea was to take ownership of %windir%\system32\mrt.exe and rename the file to %windir%\system32\mrt.old. To do this we used the following commands:

takeown /f %windir%\system32\mrt.exe /a
icacls %windir%\system32\mrt.exe /grant Administrators:F
ren %windir%\system32\mrt.exe mrt.old

After successfully taking ownership and renaming the file, we reran the MSRT standalone package. This time MSRT actually continued to run, and allowed us to complete a scan. After MSRT finished a scan, Windows Update stopped reoffering the August 2011 MSRT package and offered new Windows Updates. I am not sure whether the problem was actually permissions or a corrupted mrt.exe, since I was time crunched to fix the problem before the customer returned.
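
The rename removes the evidence needed to tell a permissions problem from a damaged mrt.exe. The following PowerShell sketch is an added example, not part of the original post: it records the owner, the Administrators rights, the Authenticode status and a hash of the file, plus the ACL of the registry key, before anything is changed. It assumes an elevated prompt and PowerShell 4.0 or later; the function name `Get-AdminRights` is hypothetical.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Assumes PowerShell 4.0+ (Get-FileHash); paths are the ones named in the post.
$mrt = Join-Path $env:windir 'system32\mrt.exe'
$key = 'HKLM:\SOFTWARE\Microsoft\RemovalTools'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-AdminRights {
    # Rights granted to Administrators by Allow ACEs, matched by SID so that
    # localized group names do not matter. Deny ACEs are not evaluated here.
    param($Acl, [string]$RightsProperty)
    if (-not $Acl) { return 'ACL unreadable' }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = $Acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $adminsSid -and
                       $_.AccessControlType -eq 'Allow' }
    ($rules | ForEach-Object { $_.$RightsProperty }) -join '; '
}

if (Test-Path -LiteralPath $mrt) {
    # An access-denied error from Get-Acl is itself a sign of a permissions problem.
    $acl = Get-Acl -LiteralPath $mrt
    $sig = Get-AuthenticodeSignature -FilePath $mrt
    [pscustomobject]@{
        Path        = $mrt
        Length      = (Get-Item -LiteralPath $mrt -Force).Length
        Owner       = $acl.Owner
        AdminRights = Get-AdminRights $acl 'FileSystemRights'
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        SHA256      = (Get-FileHash -LiteralPath $mrt -Algorithm SHA256).Hash
    } | Format-List
} else {
    "$mrt not found"
}

if (Test-Path -LiteralPath $key) {
    $kacl = Get-Acl -LiteralPath $key
    [pscustomobject]@{
        Key         = $key
        Owner       = $kacl.Owner
        AdminRights = Get-AdminRights $kacl 'RegistryRights'
    } | Format-List
}
```

A signature status other than Valid points toward a modified or damaged file, while a Valid signature with missing Administrators rights points toward permissions. Keeping the SHA256 value also allows mrt.old to be compared later against the copy the standalone package installs.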