MSRT adds more Unwanted Software to its detection capability

Sometimes, in addition to the software we want to install, software developers often bundle unwanted programs along with it. Some of them do not stop at this point. They go to the extent of changing your browser settings without seeking your permission. This behavior is not desirable as it affects your computing experience. Such software is called as Potentially Unwanted Software, and the software that pushes them, is referred to as Bundleware.

The Malicious Software Removal Tool or MSRT is a free tool from Microsoft that helps you eliminate this unwanted risk.  The tool removes specific, prevalent malicious & potentially unwanted software from Windows computers.

Daily, we learn about new variants of malware coming up and causing harm to computer users. As such, it is imperative for the security tools to keep themselves updated. Microsoft regularly keeps a tab on malware and accordingly updates its security tools as may be required. MSRT happens to be one of them. The program is capable of removing unwanted software that comes bundled authenticated tools and avoid detection by posing as legitimate software or application. A recent update for the tool has added detection capabilities for few new trojans that attempt to modify the behavior of the browser and change its settings without seeking permission of the user.

  1. BrowserModifier:Win32/Sasquor
  2. BrowserModifier:Win32/SupTab
  3. Trojan:Win32/Ghokswa.

MSRT October Release 2016

Rogue elements like the above-,mentioned malware families often find an entry into your computer via various software bundlers such as:

  • SoftwareBundler:Win32/Mizenota, S
  • oftwareBundler:Win32/ICLoader and
  • SoftwareBundler:Win32/InstallMonster.

SupTab and Sasquor have been offered by bundlers under many names, including:

  • Istartpageing
  • Omniboxes
  • Yoursearching
  • iStart123
  • Hohosearch
  • Yessearches
  • Youndoo
  • Trotux

Some bundlers such as SupTab or Sasquor make changes to your browser search and homepage settings. These threats usually escape a user’s attention.

In comparison to the above two, Xadupi malware family is a different variant that comes in three different forms:

  1. CornserSunshine
  2. WinZipper
  3. QKSee

The trojan gets silently installed by BrowserModifier:Win32/Sasquor or BrowserModifier:Win32/SupTab. The software bundler under which it comes packed, poses as a useful application, but downloads and installs rogue elements.

This silent mode of attack by Sasquor, SupTab and Xadupi bears some resemblance to each other as they all install services and/or scheduled tasks that regularly query remote servers for instructions, and are occasionally advised to download/install additional apps.

In addition to these designs, each family serves multiple purposes and change over time. Here’s a brief summary.

BrowserModifier:Win32/Sasquor:  it mainly targets popular and widely used browsers like Google Chrome and Mozilla Firefox users. The browser modifier is designed to install services and scheduled tasks that regularly install other malware like Trojan:Win32/Xadupi and sometimes installs Trojan:Win32/Suweezy.

Trojan:Win32/Suweezy: This browser modifier somewhat follows a different approach. Unlike changing the behavior of the browser, it attempts to modify settings for Windows Defender, Microsoft Security Essentials, AVG Antivirus, Avast Antivirus and Avira Antivirus, to escape detection and exclude certain folders from being scanned. Evasion prohibits the removal of the related malware like Sasquor and SupTab.

Trojan:Win32/Ghokswa: This threat is a member of the Win32/Ghokswa family. It is capable of installing a customized version of Chrome or Firefox browsers. The version of the Google Chrome itself represents as Google Chrome, but is modified to use a different home page and search engine front-end.

Trojan:Win32/Xadupi: It leads to a snowball effect. How? Trojan: Win32/Xadupi installs a service that in turn, installs other unwanted apps, including Ghokswa and SupTab.

Collectively, these malware families can do more harm and in certain cases, seriously downgrade users’ computer security by tampering with anti-virus apps, evading detection and introducing new harmful software over time.


How can one stay protected? Microsoft suggests the following:

The simplest and most reliable solution for the above problem is to keep your Windows Operating System and antivirus up-to-date. Windows 10 keeps your PC safe from most modern security threats. It features significant architectural changes that are capable of addressing most of the tactics used in the attacks. So, upgrade to Windows 10.

Microsoft also recommends that you use Edge. The browser warns you about sites that are not trusted and believed to host exploits. Apart from this, the browser offers protection against socially-engineered attacks such as phishing and malware downloads.

The settings of the browser can also be used to configure to reset to Microsoft recommended defaults, in case the defaults were changed or modified. To do so, launch the Settings app and navigate to the Default apps page. Then, from Home go to System > Default apps. Under it, find Reset option and click it.

You should also avoid browsing websites that are likely to host malware, such as pirated software download sites.

While Windows Defender alone is capable of detecting and removing this unwanted software, running Malicious Software Removal Tool too is a good idea.

For more information, see TechNet blogs.

Posted by on , in Category Security with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

One Comment

  1. Ziggy

    Very useful article, Anand! Thanks. To initiate one’s own scan in Windows 10 just search for mrt in Cortana (Search Box) and click on the mrt command to proceed with the type of scan you want. I usually choose “quick scan” as the other options can be quite long to complete. At the end of the scanning you can view a report of of the scan results.

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + 8 =