How the Microsoft Malicious Software Removal Tool differs from an antivirus product
The Microsoft Malicious Software Removal Tool does not replace an antivirus product. It is strictly a post-infection removal tool. Therefore, we strongly recommend that you install and use an up-to-date antivirus product.
The Microsoft Malicious Software Removal Tool differs from an antivirus product in three key ways:
- The tool removes malicious software from an already-infected computer. Antivirus products block malicious software from running on a computer. It is significantly more desirable to block malicious software from running on a computer than to remove it after infection.
- The tool removes only specific prevalent malicious software. Specific prevalent malicious software is a small subset of all the malicious software that exists today.
- The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running on the computer. The tool cannot remove malicious software that is not running. However, an antivirus product can perform this task.
For more information about how to protect your computer, go to the Microsoft Safety & Security Center.
The Microsoft Malicious Software Removal Tool focuses on the detection and removal of malicious software such as viruses, worms, and Trojan horses only. It does not remove spyware. However, you can use Microsoft Security Essentials to detect and remove spyware.
You do not have to disable or remove your antivirus program when you install the Microsoft Malicious Software Removal Tool. However, if prevalent, malicious software has infected your computer, the antivirus program may detect this malicious software and may prevent the removal tool from removing it when the removal tool runs. In this case, you can use your antivirus program to remove the malicious software.
Because the Microsoft Malicious Software Removal Tool does not contain a virus or a worm, the removal tool alone should not trigger your antivirus program. However, if malicious software infected the computer before you installed an up-to-date antivirus program, your antivirus program may not detect this malicious software until the tool tries to remove it.
How to download and run the Microsoft Malicious Software Removal Tool
You can download and run the Microsoft Malicious Software Removal Tool if your computer is running Windows 10 Technical Preview, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista, Windows Server 2003, or Windows XP.
Note: You cannot download and run the tool if you are running Microsoft Windows 98, Windows Millennium Edition, or Microsoft Windows NT 4.0.
The easiest way to download and run the tool is to turn on Automatic Updates. Turning on Automatic Updates guarantees that you receive the tool automatically every month. If you have Automatic Updates turned on, you have already been receiving new versions of this tool monthly. The tool runs in quiet mode unless it finds an infection. If you have not been notified of an infection, no malicious software has been found that needs your attention.
Note: If your computer is running Windows XP Service Pack 2 (SP2), Automatic Updates is turned on by default.
Are you unsure whether Automatic Updates is turned on? Follow these steps to determine whether Automatic Updates is turned on: Turn on Windows Automatic Update. To have us turn on Automatic Updates for you, go to the "Fix it for me" section. If you would rather turn on Automatic Updates yourself, go to the "Let me fix it myself" section.
Fix it for me
To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.
|Turn Automatic Updates on||Turn Automatic Updates off|
This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
Note: If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.
Let me fix it myself
To turn on Automatic Updates yourself, follow the steps in the following table for the operating system that your computer is running.
|If your computer is running||Follow these steps|
- Click Start, point to All Programs, and then click Windows Update.
- In the left pane, click Change settings.
- Click to select Install updates automatically (recommended).
- Under Recommended updates, click to select the Give me recommended updates the same way I receive important updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.
- Click Start, point to All Programs, and then click Windows Update.
- In the left pane, click Change settings.
- Click to select Install updates automatically (recommended).
- Under Recommended updates, click to select the Include recommended updates when downloading, installing, or notifying me about updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.
|Windows XP, or Windows Server 2003|
- Click Start, click Control Panel, and then click Performance and Maintenance.
- Click System. The System Properties box appears.
- On the Automatic Updates tab, click to select the Automatic (recommended) check box, and then click OK.
Download the Malicious Software Removal Tool. You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.
Note: After you accept the one-time license terms, you can receive future versions of the Malicious Software Removal Tool without being logged on to the computer as an administrator.
When the Malicious Software Removal Tool detects malicious software
The Malicious Software Removal Tool runs in quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection.
Performing a full scan
If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.
Removing malicious files
If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.
You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.
The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software. To complete the removal, you should use an up-to-date antivirus product.
Reporting infection information to Microsoft
The Malicious Software Removal Tool will send basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.
How to remove the Malicious Software Removal Tool
The Malicious Software Removal Tool does not use an installer. Typically, when you run the Malicious Software Removal Tool, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.
How to receive support
Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help installing updates: Support for Microsoft Update
Local support according to your country: International Support
More information for advanced users
Microsoft Download Center
You can manually download the Malicious Software Removal Tool from the Microsoft Download Center. The following files are available for download from the Microsoft Download Center:
For 32-bit x86-based systems:
For 64-bit x64-based systems:
Release Date: October 13, 2015.
For more information about how to download Microsoft support files, go to the following article in the Microsoft Knowledge Base:
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Deploying the Malicious Software Removal Tool in an enterprise environment
If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, go to the following article in the Microsoft Knowledge Base:
This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (SUS), and Microsoft Baseline Security Analyzer (MBSA).
Prerequisites for running the Malicious Software Removal Tool
Except where noted, the information in this section applies to all the ways that you can download and run the Malicious Software Removal Tool:
- Microsoft Update
- Windows Update
- Automatic Updates
- The Microsoft Download Center
- The Malicious Software Removal Tool website on Microsoft.com
To run the Malicious Software Removal Tool, the following conditions are required:
- The computer must be running Windows 7, Windows Vista, Windows Server 2003, or Windows XP.
- You must log on to the computer by using an account that is a member of the Administrators group. If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.
- If the tool is more than 60 days out-of-date, the tool displays a dialog box that recommends that you download the latest version of the tool.
Support for command-line switches
The Malicious Software Removal Tool supports four command-line switches.
|/Q or /quiet||Uses quiet mode. This option suppresses the user interface of the tool. |
|/?||Displays a dialog box that lists the command-line switches. |
|/N||Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed. |
|/F||Forces an extended scan of the computer. |
|/F:Y||Forces an extended scan of the computer and automaticallycleans any infections that are found. |
Usage and release information
When you download the tool from Microsoft Update or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode next time. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. For more information about the detection, click the balloon.
When you download the tool from the Microsoft Download Center, the tool displays a user interface when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.
The Malicious Software Removal Tool is released on the second Tuesday of every month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.
The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.
This Microsoft Knowledge Base article will be updated with information for each monthly release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the January 2005 version is Windows-KB890830-ENU.exe, and the file name of the February 2005 version is Windows-KB890830-V1.1-ENU.exe.
* The severity rating refers to the virus alert severity ratings that appear on the following Microsoft website:
Be aware that the severity ratings of threats may be updated occasionally to account for changes in prevalence and other factors.
** W32/Hackdef typically hides other potentially unwanted software on the computer. If the cleaner tool reports that W32/Hackdef was detected on the computer, we strongly recommend that you run a scan with up-to-date antivirus and antispyware programs (see http://www.microsoft.com/security/pc-security/spyware-prevent.aspx). If you want to view the software that W32/Hackdef was hiding, first open the log file for the cleaner tool (%Windir%\Debug\Mrt.log). Next, in the "Possible scanning results" section, find the line or lines that note the folder in which Win32/Hackdef was found. In that same folder, you should find the Win32/Hackdef configuration file that has the .ini file name extension. View this file to determine the software that Win32/Hackdef was hiding on the computer.
To scan for and remove more malicious software, use an up-to-date antivirus product. For more information, go to the following Microsoft Protect Your PC website:
We maximize customer protection by regularly reviewing and prioritizing our signatures. Each month we add or remove detections as the threat landscape evolves.
The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
- The name of the malicious software that is detected
- The result of malicious software removal
- The operating system version
- The operating system locale
- The processor architecture
- The version number of the tool
- An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the website
- An anonymous GUID
- A cryptographic one-way hash (MD5) of the path and filename of each malicious software file that is removed from the computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
- The files that are suspected to be malicious software. The tool will identify the files for you.
- A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, see Microsoft Knowledge Base article
Possible scanning results
After the tool runs, there are four main results that the removal tool can report to the user:
- No infection was found.
- At least one infection was found and was removed.
- An infection was found but was not removed. This result will be displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.
- An infection was found and was partially removed. To complete this removal, you should use an up-to-date antivirus product.
Frequently asked questions about the Malicious Software Removal Tool
- Q1: Is this tool digitally signed by Microsoft?
- Q2: What kind of information does the log file contain?
A2: For information about the log file, go to the following Microsoft Knowledge Base article:
- Q3: Can this tool be redistributed?
A3: Yes. Per the terms of this tool's license terms, the tool can be redistributed. However, make sure that you are redistributing the latest version of the tool.
- Q4: How do I know that I'm using the latest version of the tool?
A4: If you are a Windows 7, Windows Vista, Windows XP, or Windows Server 2003 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality to test whether you are using the latest version of the tool. If you have chosen not to use Microsoft Update, and you are a Windows 7, Windows Vista, Windows XP, or Windows Server 2003 Service Pack 1 (SP1) user, use Windows Update. Or, use the Windows Update Automatic Updates functionality to test whether you are using the latest version of the tool. Additionally, you can visit the Microsoft Download Center. Also, if the tool is more than 60 days out-of-date, the tool will remind you to look for a new version of the tool.
- Q5: Will the Microsoft Knowledge Base article number of the tool change with each new version?
A5: No. The Microsoft Knowledge Base article number for the tool will remain as 890830 for future versions of the tool. The file name of the tool when it is downloaded from the Microsoft Download Center will change with each release to reflect the month and the year when that version of the tool was released.
- Q6: Is there any way I can request that new malicious software be targeted in the tool?
A6: Currently, no. Malicious software that is targeted in the tool is based on metrics that track the prevalence and damage of malicious software.
- Q7: Can I determine whether the tool has been run on a computer?
A7: Yes. By checking a registry key, you can determine whether the tool has been run on a computer and which version was the latest version that was used. For more information, go to the following article in the Microsoft Knowledge Base:
- Q8: Why don't I see the tool on Microsoft Update, Windows Update, or Automatic Updates?
A8: Several scenarios may prevent you from seeing the tool on Microsoft Update, Windows Update, or Automatic Updates:
- Only Windows 7, Windows Vista, Windows XP, and Windows Server 2003 SP1 users are offered the tool on Windows Update or Automatic Updates.
- If you have already run the current version of the tool from Windows Update, Microsoft Update, Automatic Updates, or from either of the other two release mechanisms, it will not be reoffered on Windows Update or Automatic Updates.
- For Automatic Updates, the first time that you run the tool, you must be logged on as a member of the Administrators group to accept the license terms.
- Q9: How do Microsoft Update, Windows Update, and Automatic Updates determine who the tool is offered to?
A9: All Windows 7, Windows Vista, Windows XP, and Windows Server 2003 users are offered the tool if the following conditions are true:
- The users are running the latest version of Microsoft Update or the Microsoft Update Automatic Updates feature.
- The users have not already run the current version of the tool.
All Windows 7, Windows Vista, Windows XP, and Windows Server 2003 SP1 users are offered the tool if the following conditions are true:
- The users are not running Microsoft Update.
- The users are running the latest version of Windows Update or Windows Update Automatic Updates.
- The users have not already run the current version of the tool.
- Q10: When I look in the log file, it tells me that errors were found during the scan. How do I resolve the errors?
A10: For information about the errors, see Microsoft Knowledge Base article
How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool
- Q11: Will you rerelease the tool even if there are no new security bulletins for a particular month?
A11: Yes. Even if there are no new security bulletins for a particular month, the Malicious Software Removal Tool will be rereleased with detection and removal support for the latest prevalent malicious software.
- Q12: How do I prevent this tool from being offered to me by using Microsoft Update, Windows Update, or Automatic Updates?
A12: When you are first offered the Malicious Software Removal Tool from Microsoft Update, Windows Update, or Automatic Updates, you can decline downloading and running the tool by declining the license terms. This decline can apply to only the current version of the tool or to both the current version of the tool and any future versions, depending on the options that you choose. If you have already accepted the license terms and would prefer not to install the tool through Windows Update, click to clear the check box that corresponds to the tool in the Windows Update UI.
- Q13: After I run the tool from Microsoft Update, Windows Update, or Automatic Updates, where are the tool files stored? Can I rerun the tool?
A13: When it is downloaded from Microsoft Update or from Windows Update, the tool runs only one time each month. To manually run the tool multiple times a month, download the tool from the Download Center or by visiting the Microsoft Safety & Security Center website.
For an online scan of your system by using the Windows Live OneCare safety scanner, go to the Microsoft Safety Scanner website.
- Q14: Can I run this tool on a Windows Embedded computer?
A14: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.
- Q15: Does running this tool require any security updates to be installed on the computer?
A15: No. Unlike most previous cleaner tools that were produced by Microsoft, the Malicious Software Removal tool requires no security update prerequisites. However, we strongly recommend that you install all critical updates before you use the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.
- Q16: Can I deploy this tool by using SUS or SMS? Is it compatible with MBSA?
A16: For information about how to deploy this tool, see Microsoft Knowledge Base article
- Q17: Do I have to have the previous cleaner tools installed to run the Malicious Software Removal Tool?
- Q18: Is there a newsgroup available to discuss this tool?
A18: Yes. You can use the microsoft.public.security.virus newsgroup.
- Q19: Why does the "Windows File Protection" window appear when I run the tool?
A19: In some cases, when specific viruses are found on a system, the cleaner tool tries to repair infected Windows system files. Although this action removes the malicious software from these files, it may also trigger the Windows File Protection feature. If you see the Windows File Protection window, we strongly recommend that you follow the directions and insert your Microsoft Windows CD. This will restore the cleaned files to their original, pre-infection state.
- Q20: Are localized versions of this tool available?
A20: Yes, the tool is available in 24 languages. Before the February 2006 release, each localized version of the tool was available as a separate download. Starting in February 2006, the tool is now offered as a multilingual download. Therefore, only one version of the tool is available, and the appropriate language appears based on the language of the current operating system.
- Q21: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?
A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.
- Q22: Can the MSRT run in safe mode?
A22: Yes. If you have run the MSRT before you start the computer to safe mode, you can access MSRT at %windir%\system32\mrt.exe. Double-click the mrt.exe file to run the MSRT, and then follow the on-screen instructions.
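As an added example (not part of the original article and not Microsoft's code), the PowerShell script below applies the signature check described in A21 to mrt.exe and to any Mrtstub.exe found in a top-level directory, then runs a detect-only scan with the /N and /Q switches and shows the end of %windir%\Debug\mrt.log. It assumes PowerShell 4.0 or later, that the tool's temporary directory is on the system drive, and that the two switches may be combined on one command line.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm MSRT binaries are Microsoft-signed before a detect-only scan.
# File paths come from the article; the Mrtstub.exe search scope is an assumption.

$mrtPath = Join-Path $env:windir 'System32\mrt.exe'
$logPath = Join-Path $env:windir 'Debug\mrt.log'

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 'Valid' means the file hash matches the signature and the certificate
    # chain builds to a root that this computer trusts. The subject match
    # narrows that to Microsoft as the signing organization.
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    }
}

# Look one level below the system drive root for the randomly named
# temporary directory that holds Mrtstub.exe (assumed location).
$stubs = @(
    Get-ChildItem -Path "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -Filter 'Mrtstub.exe' -File -Force `
                -ErrorAction SilentlyContinue
        }
)

$candidates = @($mrtPath) + @($stubs | ForEach-Object { $_.FullName })
$results = @(
    $candidates |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Test-MicrosoftSigned -Path $_ }
)

$results | Format-Table Path, Status, Trusted -AutoSize | Out-Host

$untrusted = @($results | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0 -or -not (Test-Path -LiteralPath $mrtPath)) {
    Write-Warning 'mrt.exe is missing or a file failed signature validation; scan not started.'
    return
}

# /N = detect-only (report, do not remove); /Q = quiet mode (no user interface).
$proc = Start-Process -FilePath $mrtPath -ArgumentList '/N', '/Q' -Wait -PassThru
"mrt.exe exit code: $($proc.ExitCode)"

# The tool records what it found in the log file; show the most recent lines.
if (Test-Path -LiteralPath $logPath) {
    Get-Content -LiteralPath $logPath -Tail 25
}
```

A Mrtstub.exe that reports NotSigned or HashMismatch is not the file the article describes and should be handed to an up-to-date antivirus product rather than deleted as leftover tool debris.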