Computer worms, Trojan horses and rogue programs are known to target legitimate malware scanners. If you've seen Microsoft Malicious Software Removal tool ended before completion of a scan, you are at risk from security threats. Here's how to deal with it.
Windows Malicious Software Removal Tool
The Microsoft Windows Malicious Software Removal Tool is a free malware scanner and remover which is updated every first Tuesday of each month. The tool (mrt.exe) is located in the system32 directory of Windows and it silently scans the computer after being updated via Windows Update. MRT or MSRT does not run to scan the system all the time but any PC user can manually scan the PC to check the system from Trojans, worms and other malware that MRT can identify. Note that MRT does not detect all type of threats but was developed by Microsoft to detect and remove malware that is in the wild, especially from worms that targets vulnerable components in Windows.
MRT can be run using a quick, full or custom scan and it does not prompt the user for actions if a threat is detected. The goal of MRT is to detect and remove found threats. Activities by MRT are logged and stored in C:\WINDOWS\Debug with a file name mrt.log. Read on to find out what to do if the Microsoft Malicious Software Removal Tool ended before completion of a system scan.
Worm Infection in Windows System
Several computer worms are known to block or stop processes by antivirus and anti-malware programs. Examples would be Kolab, Conficker and Autorun IRC worms. There are also Trojans that can stop processes of legitimate scanners e.g. Trojan Buzus. They actually turn off your security software to allow themselves to run.
MRT.exe, when run in an infected computer, may end before a scan is finished and this can happen if the malware targets mrt.exe. The image at the left shows the MRT scan found an infection, but it failed to finish scanning because it was shut down by a computer worm, Kolab. The worm has terminated the mrt.exe process which is the reason why the scan ended without giving notice to the user or any error message.
Scareware or Rogue Program Infection
Like computer worms, a rogue program can terminate the processes of legitimate malware scanners including mrt.exe by Microsoft. Most anti-malware program is vulnerable to program crashes or shutdown if targeted by scareware. It does not mean that the legitimate anti-malware programs are at fault or have bugs but it is simply because a PC is infected with something that targets legitimate anti-virus and anti-malware software.
I was testing the effects of a rogue program infection in a system and I decided to scan the computer using Malicious Software Removal tools' full system scan, but it was terminated by the PC Defender virus, and then the system restarted by itself. I tested other anti-malware programs by running a full system scan, but again they were terminated by PC Defender by restarting the computer. This is a known issue when a user runs a full system scan or if the scanner runs a quick scan but it is taking too long to finish the scan. That's why it is important for anti-virus and anti-malware vendors to upgrade their security tools by improving the scanner to run a faster scan before the malware does its job by terminating everything that is actively running.
What to Do if MRT Scan Ended Before Completion?
If you have seen the Malicious Software Removal tool or any other scanners stop scanning or have the process ended before a scan is complete, try the following steps to fix the problem:
- Reboot the computer to safe mode, then run a system scan (a quick scan will do) using MRT.exe or another scanner that is already installed in Windows.
- If a threat has been removed by MRT.exe, reboot the PC in normal mode.
- Try scanning the computer again using a full system scan of MRT.exe.
- If MRT has failed to detect or properly remove an infection, try another anti-malware program for scanning the PC.
- When the computer is free from any infection, visit Windows Update to install the available security updates. This will prevent worm infection that targets vulnerable components in Windows. You should also update all software in your PC that is also vulnerable to 0-day viruses.
Image credit: Screenshot taken by the author.