How to use Microsoft's Malware Removal Starter Kit


Brien M. Posey, MCSE
07.25.2007


This month, Microsoft released the Malware Removal Starter Kit. And let me begin by saying how funny it is when things come around full circle.

Up until the mid-1990s, I always kept an antivirus disk in my car. The disk was simply a bootable, write-protected floppy, with a simple but effective antivirus program on it. The idea was that if a system became infected, I could use the disk to boot from a clean operating system, and then use the antivirus software to cleanse the infected machine. Although this technique worked very well, it eventually became obsolete. PCs no longer have floppy drives, antivirus programs are too large to fit on a floppy and DOS has gone the way of the dodo.

The basic idea is that you can create a bootable CD that boots using a Windows PE operating system (OS). Windows PE is a watered-down version of Windows that was originally designed as an OS for running the graphical portion of Windows Setup. Even so, there are a few antivirus applications that will run in a Windows PE environment (the Malware Removal Starter Kit gives you a full list).

While the Microsoft Malware Removal Kit itself is nothing more than a text file that you can download, that text file tells you how you can create a modernized version of the boot disk that I described earlier.

There are some obvious advantages to creating a CD for the purpose of removing malware from an infected system. One drawback, however, is that Windows PE does not support network connectivity, so you will not be able to download updated antivirus signatures. One way of getting around this problem is to place an updated copy of your antivirus software onto a USB flash drive. You can then run the software directly from the USB flash drive, rather than using the version on the CD.

Creating a malware removal disk requires you to download and install the Windows Automated Installation Kit (Windows AIK). You can run the Windows AIK on Windows XP (SP2 or higher), Windows Server 2003 (SP1 or higher) and on Windows Vista. The instructions that I am about to give you are for Windows XP and Windows Vista.

Creating the CD

The first step in creating a bootable Windows PE CD is to create a Windows PE build that you can place on the CD. To do so, follow these steps:

  1. Select the Windows PE Tools Command Prompt command from the Start | All Programs | Microsoft Windows AIK menu.
  2. At the command prompt, enter the following commands (the three reg commands load the image's SYSTEM hive, raise the FBWF scratch-space threshold from the default to 96 MB so the tools have room to unpack in the RAM disk, and unload the hive again):
    • copype x86 c:\WinPE
    • cd \WinPE
    • imagex /mountrw winpe.wim 1 c:\WinPE\Mount
    • reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system
    • reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f
    • reg unload HKLM\_WinPE_SYSTEM

Now that you have configured the Windows PE environment, you must prepare the antivirus software. There are a number of antivirus products that can be used, but for the purposes of this article, I am going to use Microsoft's Malicious Software Removal Tool. If you want to use something else, then I recommend consulting the Microsoft Malware Removal Starter Kit documentation to see if your particular product can be used.

Next, create a folder named Tools beneath C:\WinPE\mount and place the tool in it:

  1. Enter the following command: mkdir c:\WinPE\mount\Tools
  2. Download the Malicious Software Removal Tool from Microsoft. When prompted, save the file that you are downloading to the c:\WinPE\mount\Tools folder.
  3. Enter the following command: peimg /prep c:\WinPE\Mount
  4. Type the word Yes when prompted, and press Enter.
  5. Enter the following command: copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim
  6. Press Y when prompted.
  7. Enter the following command: oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso

Doing that will create a 200 MB ISO file. Use CD burning software to create a bootable CD from this ISO file. When you boot the CD, the Malicious Software Removal Tool will not run automatically. You can find the Malicious Software Removal Tool in the CD's \Tools folder.
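The steps above collected into a single batch file, as an added example (it is not the article's own script and nothing like it ships with the Starter Kit). It must be run from the Windows PE Tools Command Prompt so that copype, imagex, peimg and oscdimg are on the PATH; it assumes the build root C:\WinPE and uses a placeholder file name, MSRT-download.exe, for the manually downloaded tool. It adds two things the article's step list does not spell out: it refuses to build an ISO if the tool is missing from the Tools folder, and it runs imagex /unmount /commit after peimg /prep, because imagex only writes the mounted changes (the Tools folder and the registry edit) back into winpe.wim when the image is unmounted with /commit; without that, the boot.wim copied into the ISO tree is still the stock image.

```batch
@echo off
REM Added example, not from the article: builds the Windows PE malware-removal CD image in one run.
REM Run from the "Windows PE Tools Command Prompt" (Windows AIK) so the tools below are on the PATH.
REM Assumptions: build root C:\WinPE; the downloaded Malicious Software Removal Tool has been
REM renamed to the placeholder name in TOOL_EXE (substitute the real file name).
setlocal
set WINPE=C:\WinPE
set TOOL_EXE=MSRT-download.exe

REM Step 1: stage a fresh 32-bit Windows PE build. copype is itself a .cmd script, so it
REM must be CALLed or control never returns here; check for the file it should have produced.
if exist "%WINPE%\" (
    echo %WINPE% already exists; remove it or choose another build root.
    exit /b 1
)
call copype x86 "%WINPE%"
if not exist "%WINPE%\winpe.wim" goto :fail

REM Step 2: mount the boot image read-write and raise the FBWF scratch-space threshold to 96 MB,
REM exactly as the article does, so the removal tool has room to unpack in the RAM disk.
imagex /mountrw "%WINPE%\winpe.wim" 1 "%WINPE%\mount" || goto :fail
reg load HKLM\_WinPE_SYSTEM "%WINPE%\mount\windows\system32\config\system" || goto :fail
reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f || goto :fail
reg unload HKLM\_WinPE_SYSTEM || goto :fail

REM Step 3: the Tools folder inside the mounted image. The download is a manual step; stop here
REM rather than burn a CD that has no tool on it.
if not exist "%WINPE%\mount\Tools" mkdir "%WINPE%\mount\Tools"
if not exist "%WINPE%\mount\Tools\%TOOL_EXE%" (
    echo Copy the downloaded tool to %WINPE%\mount\Tools\%TOOL_EXE% and rerun this script.
    goto :fail
)

REM Step 4: finalize the image. peimg /prep prompts for confirmation; answer Yes as in the article.
REM The unmount with /commit is what actually writes the Tools folder and registry edit into winpe.wim.
peimg /prep "%WINPE%\mount" || goto :fail
imagex /unmount /commit "%WINPE%\mount" || goto :fail

REM Step 5: replace the stock boot.wim in the ISO tree with the customized image and build the ISO.
copy /y "%WINPE%\winpe.wim" "%WINPE%\ISO\sources\boot.wim" || goto :fail
oscdimg -n -b"%WINPE%\etfsboot.com" "%WINPE%\ISO" "%WINPE%\WinPE_Tools.iso" || goto :fail

echo Built %WINPE%\WinPE_Tools.iso. Burn it with your CD-writing software.
exit /b 0

:fail
echo Build failed. If winpe.wim is still mounted, discard the half-finished changes with:
echo     imagex /unmount "%WINPE%\mount"
exit /b 1
```

Because the image is committed before boot.wim is copied, the tool ends up inside the RAM-disk image (X:\Tools at boot) rather than as a loose file on the CD; the 96 MB scratch-space setting is what gives it room to run there. Keep the updated copy of the tool on a USB flash drive as the article suggests, since the image cannot be refreshed once the CD is burned.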

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.

