How to use Microsoft's Malware Removal Starter Kit

Can Microsoft's new Malware Removal Starter Kit help your shop to further rid itself of pesky invasions? Find out with these helpful setup tips from security expert Brien Posey.

This month, Microsoft released the Malware Removal Starter Kit. And let me begin by saying how funny it is when things come around full circle.

Malware removal extras
Prevent malware infection with malware detection tools

Malware removal handbook

Up until the mid-1990s, I always kept an antivirus disk in my car. The disk was simply a bootable, write-protected floppy, with a simple but effective antivirus program on it. The idea was that if a system became infected, I could use the disk to boot from a clean operating system, and then use the antivirus software to cleanse the infected machine. Although this technique worked very well, it eventually became obsolete. PCs no longer have floppy drives, antivirus programs are too large to fit on a floppy and DOS has gone the way of the dodo.

The basic idea is that you can create a bootable CD that boots using a Windows PE operating system (OS). Windows PE is a watered down version of Windows that was originally designed as an OS for running the graphical portion of Windows Setup. Even so, there are a few antivirus applications that will run in a Windows PE environment (the Malware Removal Starter Kit gives you a full list).

While the Microsoft Malware Removal Kit itself is nothing more than a text file that you can download, that text file tells you how you can create a modernized version of the boot disk that I described earlier.

There are some obvious advantages to creating a CD for the purpose of removing malware from an infected system. One drawback, however, to this technique is that Windows PE does not support network connectivity, so you will not be able to download updated antivirus signatures. One way of getting around this problem is to place an updated copy of your antivirus software on to a USB flash drive. You can run the software directly from the USB flash drive, rather than using the version on the CD.

Creating a malware removal disk requires you to download and install the Windows Automated Installation Kit. You can run the Windows AIK on Windows XP (SP2 or higher), Windows Server 2003 (SP1 or higher) and on Windows Vista. The instructions that I am about to give you are for Windows XP and Windows Vista.

Creating the CD

The first step in creating a bootable Windows PE CD is to create a Windows PE build that you can place on the CD. To do so, follow these steps:

  1. Select the Windows PE Tools Command Prompt command from the Start | All Programs | Microsoft Windows AIK menu.
  2. At the command prompt, enter the following commands:
    • copype x86 c:\WinPE
    • cd\winpe
    • imagex/mountrw winpe.wim 1 c:\WinPE\Mount
    • reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system
    • reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f
    • reg unload HKLM\_WinPE_SYSTEM

Now that you have configured the Windows PE environment, you must prepare the antivirus software. There are a number of antivirus products that can be used, but for the purposes of this article, I am going to use Microsoft's Malicious Software Removal Tool. If you want to use something else, then I recommend consulting the Microsoft Malware Removal Starter Kit documentation to see if your particular product can be used.

Enter the following command to create a folder named Tools beneath the C:\WinPE\mount folder:

  1. mkdir c:\WinPE\mount\Tools
  2. Go to to download the Malicious Software Removal Tool. When prompted, save the file that you are downloading to the c:\WinPE\mount\Tools folder
  3. Enter the following command: peimg /prep c:\WinPE\Mount
  4. Type the word Yes when prompted, and press Enter
  5. Enter the following command: copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim
  6. Press Y when prompted
  7. Enter the following command: oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso

Doing that will create a 200 MB ISO file. Use CD burning software to create a bootable CD from this ISO file. When you boot the CD, the Malicious Software Removal Tool will not run automatically. You can find the Malicious Software Removal Tool in the CD's \Tools folder.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.


This was first published in July 2007
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close