Article ID: 890830

Summary

The Microsoft Windows Malicious Software Removal Tool helps remove malicious software from your computers that are running Windows 10 Technical Preview, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP.

Microsoft releases a new version of the Microsoft Malicious Software Removal Tool every month. After you download the tool, the tool runs one time to check your computer for infection by specific prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps remove any infection it finds.

This article contains information about how the tool differs from an antivirus product, how you can download and run the tool, and what happens when the tool finds malicious software on your computer. The advanced user section includes information for the IT administrator and additional information about how to manage and run the Malicious Software Removal Tool.

Note In compliance with the Microsoft Support Lifecycle policy, the Windows Malicious Software Removal Tool (MSRT) will no longer be offered to or supported on Windows 2000-based systems after July 13, 2010. This date coincides with the end of the Extended Support phase for Windows 2000. For more information about the Support Lifecycle policy, go to the Microsoft Support Lifecycle website.

More information

How the Microsoft Malicious Software Removal Tool differs from an antivirus product

The Microsoft Malicious Software Removal Tool does not replace an antivirus product. It is strictly a post-infection removal tool. Therefore, we strongly recommend that you install and use an up-to-date antivirus product.

The Microsoft Malicious Software Removal Tool differs from an antivirus product in three key ways:
  • The tool removes malicious software from an already-infected computer. Antivirus products block malicious software from running on a computer. It is significantly more desirable to block malicious software from running on a computer than to remove it after infection.
  • The tool removes only specific prevalent malicious software. Specific prevalent malicious software is a small subset of all the malicious software that exists today.
  • The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running on the computer. The tool cannot remove malicious software that is not running. However, an antivirus product can perform this task.
For more information about how to protect your computer, go to the Microsoft Safety & Security Center website.


Note The Microsoft Malicious Software Removal Tool focuses on the detection and removal of malicious software such as viruses, worms, and Trojan horses only. It does not remove spyware. However, you can use Microsoft Security Essentials to detect and remove spyware.
You do not have to disable or remove your antivirus program when you install the Microsoft Malicious Software Removal Tool. However, if prevalent malicious software has infected your computer, the antivirus program may detect this malicious software and may prevent the removal tool from removing it when the removal tool runs. In this case, you can use your antivirus program to remove the malicious software.

Because the Microsoft Malicious Software Removal Tool does not contain a virus or a worm, the removal tool alone should not trigger your antivirus program. However, if malicious software infected the computer before you installed an up-to-date antivirus program, your antivirus program may not detect this malicious software until the tool tries to remove it.

How to download and run the Microsoft Malicious Software Removal Tool

You can download and run the Microsoft Malicious Software Removal Tool if your computer is running Windows 10 Technical Preview, Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista, Windows Server 2003, or Windows XP.

Note You cannot download and run the tool if you are running Microsoft Windows 98, Windows Millennium Edition, or Microsoft Windows NT 4.0.

The easiest way to download and run the tool is to turn on Automatic Updates. Turning on Automatic Updates guarantees that you receive the tool automatically every month. If you have Automatic Updates turned on, you have already been receiving new versions of this tool monthly. The tool runs in quiet mode unless it finds an infection. If you have not been notified of an infection, no malicious software has been found that needs your attention.

Note If your computer is running Windows XP Service Pack 2 (SP2), Automatic Updates is turned on by default.

Are you unsure whether Automatic Updates is turned on? Follow these steps to determine whether Automatic Updates is turned on: Turn on Windows Automatic Update. To have us turn on Automatic Updates for you, go to the "Fix it for me" section. If you would rather turn on Automatic Updates yourself, go to the "Let me fix it myself" section.

Fix it for me

To fix this problem automatically, click the Fix this problem link. Then click Run in the File Download dialog box, and follow the steps in this wizard.
Turn Automatic Updates on | Turn Automatic Updates off
Fix this problem: Microsoft Fix it 50362 | Fix this problem: Microsoft Fix it 50363


Note This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save the automatic fix to a flash drive or to a CD, and then you can run it on the computer that has the problem.

Let me fix it myself

To turn on Automatic Updates yourself, follow the steps below for the operating system that your computer is running:

Windows 7
  1. Click Start, point to All Programs, and then click Windows Update.
  2. In the left pane, click Change settings.
  3. Click to select Install updates automatically (recommended).
  4. Under Recommended updates, click to select the Give me recommended updates the same way I receive important updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.

Windows Vista
  1. Click Start, point to All Programs, and then click Windows Update.
  2. In the left pane, click Change settings.
  3. Click to select Install updates automatically (recommended).
  4. Under Recommended updates, click to select the Include recommended updates when downloading, installing, or notifying me about updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.

Windows XP or Windows Server 2003
  1. Click Start, click Control Panel, and then click Performance and Maintenance.
  2. Click System. The System Properties box appears.
  3. On the Automatic Updates tab, click to select the Automatic (recommended) check box, and then click OK.


Download the Malicious Software Removal Tool. You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.

Note After you accept the one-time license terms, you can receive future versions of the Malicious Software Removal Tool without being logged on to the computer as an administrator.

When the Malicious Software Removal Tool detects malicious software

The Malicious Software Removal Tool runs in quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon will appear in the notification area to make you aware of the detection.

Performing a full scan

If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.

Removing malicious files

If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.

You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.

The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software. To complete the removal, you should use an up-to-date antivirus product.

Reporting infection information to Microsoft

The Malicious Software Removal Tool will send basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.

How to remove the Malicious Software Removal Tool

The Malicious Software Removal Tool does not use an installer. Typically, when you run the Malicious Software Removal Tool, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.

How to receive support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
Security solutions for IT professionals: TechNet Security Troubleshooting and Support
Help installing updates: Support for Microsoft Update
Local support according to your country: International Support.

More information for advanced users

This section is intended for advanced computer users. If you are not comfortable with advanced troubleshooting, you might want to ask someone for help or contact support. For more information about how to contact Microsoft support, go to the Microsoft Support website.

Microsoft Download Center

You can manually download the Malicious Software Removal Tool from the Microsoft Download Center. The following files are available for download from the Microsoft Download Center:

For 32-bit x86-based systems:


Download the x86 MSRT package now.


For 64-bit x64-based systems:


Download the x64 MSRT package now.

Release Date: April 14, 2015.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Deploying the Malicious Software Removal Tool in an enterprise environment

If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, click the following article number to view the article in the Microsoft Knowledge Base:
891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (SUS), and Microsoft Baseline Security Analyzer (MBSA).

Prerequisites for running the Malicious Software Removal Tool

Except where noted, the information in this section applies to all the ways that you can download and run the Malicious Software Removal Tool:
  • Microsoft Update
  • Windows Update
  • Automatic Updates
  • The Microsoft Download Center
  • The Malicious Software Removal Tool website on Microsoft.com
To run the Malicious Software Removal Tool, the following conditions are required:
  • The computer must be running Windows 7, Windows Vista, Windows Server 2003, or Windows XP.
  • You must log on to the computer by using an account that is a member of the Administrators group. If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.
  • If the tool is more than 60 days out-of-date, the tool displays a dialog box that recommends that you download the latest version of the tool.

Support for command-line switches

The Malicious Software Removal Tool supports four command-line switches:
Switch | Purpose
/Q or /quiet | Uses quiet mode. This option suppresses the user interface of the tool.
/? | Displays a dialog box that lists the command-line switches.
/N | Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed.
/F | Forces an extended scan of the computer.
/F:Y | Forces an extended scan of the computer and automatically cleans any infections that are found.

Usage and release information

When you download the tool from Microsoft Update or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode next time. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. For more information about the detection, click the balloon.

When you download the tool from the Microsoft Download Center, the tool displays a user interface when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.
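
For a copy downloaded manually, the checks this article describes (administrator account, Microsoft signature, the 60-day staleness warning) can be scripted ahead of a quiet, detect-only run. The following PowerShell is an added example, not part of the original article and not Microsoft's code. The function name, the use of the file's last-write time as a stand-in for the download date, the signer-subject test, and the name-matching pattern (modelled on the family names in this article's table) are assumptions; the log path is the one this article gives for the tool's log file.

```powershell
# Added example, not Microsoft's code. Invoke-MsrtDetectOnly is a hypothetical name.
function Invoke-MsrtDetectOnly {
    [CmdletBinding()]
    param(
        # Full path to the package downloaded from the Microsoft Download Center.
        [Parameter(Mandatory = $true)] [string] $Path
    )

    # Prerequisite: the account must be a member of the Administrators group,
    # otherwise the tool exits (without a dialog box when it runs in quiet mode).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'Start an elevated session first; the tool needs administrator rights.'
    }

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # FAQ Q1: the tool is digitally signed by Microsoft. Refuse a copy whose
    # Authenticode signature does not validate or names another organization.
    # Assumption: the signer subject contains "O=Microsoft Corporation".
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)'; refusing to run $($file.Name)."
    }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # The tool is released monthly and warns when it is more than 60 days old.
    # Assumption: the file's last-write time approximates the download date.
    $ageDays = [int][math]::Floor(((Get-Date) - $file.LastWriteTime).TotalDays)
    if ($ageDays -gt 60) {
        Write-Warning "This copy is $ageDays days old; download the current release."
    }

    # Remember how long the log is so that only this run's lines are returned.
    $log    = Join-Path $env:windir 'Debug\Mrt.log'
    $before = 0
    if (Test-Path -LiteralPath $log) {
        $before = @(Get-Content -LiteralPath $log).Count
    }

    # /Q = quiet mode, /N = detect-only: findings are reported, nothing is removed.
    $proc = Start-Process -FilePath $file.FullName -ArgumentList '/Q', '/N' -Wait -PassThru

    $new = @()
    if (Test-Path -LiteralPath $log) {
        $new = @(Get-Content -LiteralPath $log | Select-Object -Skip $before)
    }

    # Heuristic: pull out strings shaped like the family names in the table,
    # for example Win32/Conficker or Worm:Win32/Vobfus.gen!A.
    $namePattern = '(?:\w+:)?(?:Win32|WinNT|MSIL|VBS)/\w+(?:[.!]\w+)*'
    $names = @($new | Select-String -Pattern $namePattern -AllMatches |
        ForEach-Object { $_.Matches } | ForEach-Object { $_.Value } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Package     = $file.Name
        Signer      = $sig.SignerCertificate.Subject
        AgeDays     = $ageDays
        ExitCode    = $proc.ExitCode   # the meaning of each code is not given in this article
        NamesInLog  = $names
        NewLogLines = $new
    }
}

# Usage (elevated session):
#   Invoke-MsrtDetectOnly -Path 'C:\Temp\<downloaded MSRT package>.exe'
```

Because /N leaves any detected files in place, the returned log lines can be reviewed before deciding whether to rerun the tool without /N or to hand removal to an antivirus product.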

Release information

The Malicious Software Removal Tool is released on the second Tuesday of every month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.

The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.

Each release of the tool is cumulative. That is, each release not only helps detect and remove new malicious software families, it also helps detect and remove all the malicious software covered in earlier versions. New variants of malicious software that is detected and removed in previous releases are also covered in each monthly release.

This Microsoft Knowledge Base article will be updated with information for each monthly release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the January 2005 version is Windows-KB890830-ENU.exe, and the file name of the February 2005 version is Windows-KB890830-V1.1-ENU.exe.
Malicious software family | Tool version | Current severity rating
Win32/Berbew | January 2005 (V 1.0) | Low
Win32/Doomjuice | January 2005 (V 1.0) | Low
Win32/Gaobot | January 2005 (V 1.0) | Moderate
Win32/MSBlast | January 2005 (V 1.0) | Low
Win32/Mydoom | January 2005 (V 1.0) | Low
Win32/Nachi | January 2005 (V 1.0) | Low
Win32/Sasser | January 2005 (V 1.0) | Low
Win32/Zindos | January 2005 (V 1.0) | Low
Win32/Korgo | February 2005 (V 1.1) | Low
Win32/Netsky | February 2005 (V 1.1) | Moderate
Win32/Randex | February 2005 (V 1.1) | Low
Win32/Zafi | February 2005 (V 1.1) | Low
Win32/Bagle | March 2005 (V 1.2) | Moderate
Win32/Bropia | March 2005 (V 1.2) | Low
Win32/Goweh | March 2005 (V 1.2) | Low
Win32/Sober | March 2005 (V 1.2) | Moderate
Win32/Sobig | March 2005 (V 1.2) | Low
Win32/Hackdef** | April 2005 (V 1.3) | Moderate
Win32/Mimail | April 2005 (V 1.3) | Low
Win32/Rbot | April 2005 (V 1.3) | Moderate
Win32/Sdbot | May 2005 (V 1.4) | Moderate
WinNT/Ispro | May 2005 (V 1.4) | Low
WinNT/FURootkit | May 2005 (V 1.4) | Moderate
Win32/Kelvir | June 2005 (V 1.5) | Low
Win32/Lovgate | June 2005 (V 1.5) | Low
Win32/Mytob | June 2005 (V 1.5) | Low
Win32/Spybot | June 2005 (V 1.5) | Moderate
Win32/Hacty | July 2005 (V 1.6) | Low
Win32/Optix | July 2005 (V 1.6) | Low
Win32/Optixpro | July 2005 (V 1.6) | Low
Win32/Purstiu | July 2005 (V 1.6) | Low
Win32/Wootbot | July 2005 (V 1.6) | Low
Win32/Bagz | August 2005 (V 1.7) | Low
Win32/Dumaru | August 2005 (V 1.7) | Low
Win32/Spyboter | August 2005 (V 1.7) | Low
Win32/Zotob.A | August 2005 A (V 1.7.1) | Low
Win32/Zotob.B | August 2005 A (V 1.7.1) | Low
Win32/Zotob.C | August 2005 A (V 1.7.1) | Low
Win32/Zotob.D | August 2005 A (V 1.7.1) | Low
Win32/Zotob.E | August 2005 A (V 1.7.1) | Low
Win32/Bobax.O | August 2005 A (V 1.7.1) | Moderate
Win32/Esbot.A | August 2005 A (V 1.7.1) | Low
Win32/Rbot.MA | August 2005 A (V 1.7.1) | Low
Win32/Rbot.MB | August 2005 A (V 1.7.1) | Low
Win32/Rbot.MC | August 2005 A (V 1.7.1) | Low
Win32/Bobax | September 2005 (V 1.8) | Moderate
Win32/Esbot | September 2005 (V 1.8) | Low
Win32/Gael | September 2005 (V 1.8) | Moderate
Win32/Yaha | September 2005 (V 1.8) | Low
Win32/Zotob | September 2005 (V 1.8) | Low
Win32/Antinny | October 2005 (V 1.9) | Moderate
Win32/Gibe | October 2005 (V 1.9) | Low
Win32/Mywife | October 2005 (V 1.9) | Low
Win32/Wukill | October 2005 (V 1.9) | Moderate
Win32/Bugbear | November 2005 (V 1.10) | Low
Win32/Codbot | November 2005 (V 1.10) | Low
Win32/Mabutu | November 2005 (V 1.10) | Low
Win32/Opaserv | November 2005 (V 1.10) | Low
Win32/Swen | November 2005 (V 1.10) | Low
Win32/IRCBot | December 2005 (V 1.11) | Moderate
Win32/Ryknos | December 2005 (V 1.11) | Low
WinNT/F4IRootkit | December 2005 (V 1.11) | Moderate
Win32/Bofra | January 2006 (V 1.12) | Low
Win32/Maslan | January 2006 (V 1.12) | Low
Win32/Parite | January 2006 (V 1.12) | Moderate
Win32/Alcan | February 2006 (V 1.13) | Moderate
Win32/Badtrans | February 2006 (V 1.13) | Low
Win32/Eyeveg | February 2006 (V 1.13) | Low
Win32/Magistr | February 2006 (V 1.13) | Low
Win32/Atak | March 2006 (V 1.14) | Low
Win32/Torvil | March 2006 (V 1.14) | Low
Win32/Zlob | March 2006 (V 1.14) | Moderate
Win32/Locksky | April 2006 (V 1.15) | Moderate
Win32/Reatle | April 2006 (V 1.15) | Low
Win32/Valla | April 2006 (V 1.15) | Low
Win32/Evaman | May 2006 (V 1.16) | Low
Win32/Ganda | May 2006 (V 1.16) | Low
Win32/Plexus | May 2006 (V 1.16) | Low
Win32/Cissi | June 2006 (V 1.17) | Low
Win32/Fizzer | June 2006 (V 1.17) | Low
Win32/Alemod | July 2006 (V 1.18) | Moderate
Win32/Chir | July 2006 (V 1.18) | Moderate
Win32/Hupigon | July 2006 (V 1.18) | Moderate
Win32/Nsag | July 2006 (V 1.18) | Low
Win32/Banker | August 2006 (V 1.19) | Moderate
Win32/Jeefo | August 2006 (V 1.19) | Moderate
Win32/Bancos | September 2006 (V 1.20) | Moderate
Win32/Sinowal | September 2006 (V 1.20) | Moderate
Win32/Harnig | October 2006 (V 1.21) | Low
Win32/Passalert | October 2006 (V 1.21) | Low
Win32/Tibs | October 2006 (V 1.21) | Moderate
Win32/Brontok | November 2006 (V 1.22) | Moderate
Win32/Beenut | December 2006 (V 1.23) | Low
Win32/Haxdoor | January 2007 (V 1.24) | Moderate
WinNT/Haxdoor | January 2007 (V 1.24) | Moderate
Win32/Stration | February 2007 (V 1.25) | Moderate
Win32/Mitglieder | February 2007 (V 1.25) | Low
Win32/Alureon | March 2007 (V 1.27) | Moderate
Win32/Funner | April 2007 (V 1.28) | Low
Win32/Renos | May 2007 (V 1.29) | Moderate
Win32/Allaple | June 2007 (V 1.30) | Moderate
Win32/Busky | July 2007 (V 1.31) | Moderate
Win32/Virut.A | August 2007 (V 1.32) | Moderate
Win32/Virut.B | August 2007 (V 1.32) | Moderate
Win32/Zonebac | August 2007 (V 1.32) | Moderate
Win32/Nuwar | September 2007 (V 1.33) | Moderate
Win32/RJump | October 2007 (V 1.34) | Moderate
Win32/ConHook | November 2007 (V 1.35) | Moderate
Win32/Fotomoto | December 2007 (V 1.36) | Moderate
Win32/Cutwail | January 2008 (V 1.37) | Moderate
Win32/Ldpinch | February 2008 (V 1.38) | Moderate
Win32/Virtumonde | March 2008 (V 1.39) | Moderate
Win32/Vundo | March 2008 (V 1.39) | Moderate
Win32/Newacc | March 2008 (V 1.39) | Moderate
Win32/Oderoor | May 2008 (V 1.41) | Moderate
Win32/Captiya | May 2008 (V 1.41) | Moderate
Win32/Corripio | June 2008 (V 1.42) | Moderate
Win32/Frethog | June 2008 (V 1.42) | Moderate
Win32/Taterf | June 2008 (V 1.42) | Moderate
Win32/Storark | June 2008 (V 1.42) | Moderate
Win32/Tilcun | June 2008 (V 1.42) | Moderate
Win32/Zuten | June 2008 (V 1.42) | Moderate
Win32/Ceekat | June 2008 (V 1.42) | Moderate
Win32/Lolyda | June 2008 (V 1.42) | Moderate
Win32/Horst | July 2008 (V 2.0) | Moderate
Win32/Matcash | August 2008 (V 2.1) | Moderate
Win32/Slenfbot | September 2008 (V 2.2) | Moderate
Win32/Rustock | October 2008 (V 2.3) | Moderate
Win32/FakeSecSen | November 2008 (V 2.4) | Moderate
Win32/Gimmiv | November 2008 (V 2.4) | Moderate
Win32/FakeXPA | December 2008 (V 2.5) | Moderate
Win32/Yektel | December 2008 (V 2.5) | Moderate
Win32/Banload | January 2009 (V 2.6) | Moderate
Win32/Conficker | January 2009 (V 2.6) | High
Win32/Srizbi | February 2009 (V 2.7) | Moderate
Win32/Koobface | March 2009 (V 2.8) | Moderate
Win32/Waledac | April 2009 (V 2.9) | Moderate
Win32/Winwebsec | May 2009 (V 2.10) | Moderate
Win32/InternetAntivirus | June 2009 (V 2.11) | Moderate
Win32/FakeSpypro | July 2009 (V 2.12) | Moderate
Win32/FakeRean | August 2009 (V 2.13) | Moderate
Win32/Bredolab | September 2009 (V 2.14) | Moderate
Win32/Daurso | September 2009 (V 2.14) | Moderate
Win32/FakeScanti | October 2009 (V 3.0) | Moderate
Win32/FakeVimes | November 2009 (V 3.1) | Moderate
Win32/PrivacyCenter | November 2009 (V 3.1) | Moderate
Win32/Hamweq | December 2009 (V 3.2) | Moderate
Win32/Rimecud | January 2010 (V 3.3) | Moderate
Win32/Pushbot | February 2010 (V 3.4) | Moderate
Win32/Helpud | March 2010 (V 3.5) | Moderate
Win32/Magania | April 2010 (V 3.6) | Moderate
Win32/Oficla | May 2010 (V 3.7) | Moderate
Win32/FakeInit | June 2010 (V 3.8) | Moderate
Win32/Bubnix | July 2010 (V 3.9) | Moderate
Win32/Stuxnet | August 2010 (V 3.10) | Moderate
Win32/CplLnk | August 2010 (V 3.10) | Moderate
Worm:Win32/Vobfus.gen!A | August 2010 (V 3.10) | Moderate
Worm:Win32/Vobfus.gen!B | August 2010 (V 3.10) | Moderate
Worm:Win32/Vobfus.gen!C | August 2010 (V 3.10) | Moderate
Worm:Win32/Vobfus!dll | August 2010 (V 3.10) | Moderate
Worm:Win32/Sality.AU | August 2010 (V 3.10) | Moderate
Virus:Win32/Sality.AU | August 2010 (V 3.10) | Moderate
Trojan:WinNT/Sality | August 2010 (V 3.10) | Moderate
Win32/FakeCog | September 2010 (V 3.11) | Moderate
Win32/Vobfus | September 2010 (V 3.11) | Moderate
Win32/Zbot | October 2010 (V 3.12) | Moderate
Win32/FakePAV | November 2010 (V 3.13) | Moderate
Worm:Win32/Sality.AT | November 2010 (V 3.13) | Moderate
Virus:Win32/Sality.AT | November 2010 (V 3.13) | Moderate
Win32/Qakbot | December 2010 (V 3.14) | Moderate
Win32/Lethic | January 2011 (V 3.15) | Moderate
Win32/Cycbot | February 2011 (V 3.16) | Moderate
Win32/Renocide | March 2011 (V 3.17) | Moderate
Win32/Afcore | April 2011 (V 3.18) | Moderate
Win32/Ramnit | May 2011 (V 3.19) | Moderate
Win32/Rorpian | June 2011 (V 3.20) | Moderate
Win32/Yimfoca | June 2011 (V 3.20) | Moderate
Win32/Nuqel | June 2011 (V 3.20) | Moderate
Win32/Tracur | July 2011 (V 3.21) | Moderate
Win32/Dursg | July 2011 (V 3.21) | Moderate
Win32/FakeSysdef | August 2011 (V 3.22) | Moderate
Win32/Hiloti | August 2011 (V 3.22) | Moderate
Win32/Bamital | September 2011 (V 4.0) | Moderate
Win32/Kelihos | September 2011 (V 4.0) | Moderate
Win32/EyeStye | October 2011 (V 4.1) | Moderate
Win32/Poison | October 2011 (V 4.1) | Moderate
Win32/Dofoil | November 2011 (V 4.2) | Moderate
Win32/Carberp | November 2011 (V 4.2) | Moderate
Win32/Cridex | November 2011 (V 4.2) | Moderate
Win32/Helompy | December 2011 (V 4.3) | Moderate
Win32/Sefnit | January 2012 (V 4.4) | Moderate
Win32/Pramro | February 2012 (V 4.5) | Moderate
Win32/Fareit | February 2012 (V 4.5) | Moderate
Win32/Dorkbot | March 2012 (V 4.6) | Moderate
Win32/Hioles | March 2012 (V 4.6) | Moderate
Win32/Yeltminky | March 2012 (V 4.6) | Moderate
Win32/Pluzoks.A | March 2012 (V 4.6) | Moderate
Win32/Claretore | April 2012 (V 4.7) | Moderate
Win32/Bocinex | April 2012 (V 4.7) | Moderate
Win32/Gamarue | April 2012 (V 4.7) | Moderate
Win32/Unruy | May 2012 (V 4.8) | Moderate
Win32/Dishigy | May 2012 (V 4.8) | Moderate
Win32/Cleaman | June 2012 (V 4.9) | Moderate
Win32/Kuluoz | June 2012 (V 4.9) | Moderate
Win32/Bafruz | August 2012 (V 4.11) | Severe
Win32/Matsnu | August 2012 (V 4.11) | Severe
Win32/Medfos | September 2012 (V 4.12) | Severe
Win32/Nitol | October 2012 (V 4.13) | Severe
Win32/OneScan | October 2012 (V 4.13) | Severe
Win32/Folstart | November 2012 (V 4.14) | Severe
Win32/Weelsof | November 2012 (V 4.14) | Severe
Win32/Phorpiex | November 2012 (V 4.14) | Severe
Win32/Phdet | December 2012 (V 4.15) | Severe
Win32/Ganelp | January 2013 (V 4.16) | Severe
Win32/Lefgroo | January 2013 (V 4.16) | Severe
Win32/Sirefef | February 2013 (V 4.17) | Severe
Win32/Wecykler | March 2013 (V 4.18) | Severe
Win32/Babonock | April 2013 (V 4.19) | Severe
Win32/Redyms | April 2013 (V 4.19) | Severe
Win32/Vesenlosow | April 2013 (V 4.19) | Severe
Win32/fakedef | May 2013 (V 4.20) | Severe
Win32/Vicenor | May 2013 (V 4.20) | Severe
Win32/Kexqoud | May 2013 (V 4.20) | Severe
Win32/Tupym | June 2013 (V 4.21) | Severe
Win32/Simda | September 2013 (V 5.4) | Severe
Win32/Shiotob | October 2013 (V 5.5) | Severe
Win32/Foidan | October 2013 (V 5.5) | Severe
Win32/Deminnix | November 2013 (V 5.6) | Severe
Win32/Napolar | November 2013 (V 5.6) | Severe
Win32/Rotbrow | December 2013 (V 5.7) | Severe
MSIL/Bladabindi | January 2014 (V 5.8) | Severe
VBS/Jenxcus | February 2014 (V 5.9) | Severe
Win32/Wysotot | March 2014 (V 5.10) | Severe
MSIL/Spacekito | March 2014 (V 5.10) | Severe
Win32/Ramdo | April 2014 (V 5.11) | Severe
Win32/Kilim | April 2014 (V 5.11) | Severe
Win32/Miuref | May 2014 (V 5.12) | Severe
Win32/Filcout | May 2014 (V 5.12) | Severe
Win32/Necurs | June 2014 (V 5.13) | Severe
Win32/Caphaw | July 2014 (V 5.14) | Severe
Win32/Bepush | July 2014 (V 5.14) | Severe
Win32/Lecpetex | August 2014 (V 5.15) | Severe
Win32/Zemot | September 2014 (V 5.16) | Severe
Win32/Hikiti | October 2014 (V 5.17) | Severe
Win32/Mdmbot | October 2014 (V 5.17) | Severe
Win32/Moudoor | October 2014 (V 5.17) | Severe
Win32/Plugx | October 2014 (V 5.17) | Severe
Win32/Sensode | October 2014 (V 5.17) | Severe
Win32/Derusbi | October 2014 (V 5.17) | Severe
Win32/Tofsee | November 2014 (V 5.18) | Severe
Win32/Winnti | November 2014 (V 5.18) | Severe
Win32/Zoxpng | November 2014 (V 5.18) | Severe
Win32/Emotet | January 2015 (V 5.20) | Severe
Win32/Dyzap | January 2015 (V 5.20) | Severe
Win32/Escad | February 2015 (V 5.21) | Severe
Win32/Jinupd | February 2015 (V 5.21) | Severe
Win32/NukeSped | February 2015 (V 5.21) | Severe
Win32/Alinaos | March 2015 (V 5.22) | Severe
Win32/CompromisedCert | March 2015 (V 5.22) | Severe
Win32/Saluchtra | April 2015 (V 5.23) | Severe
Win32/Unskal | April 2015 (V 5.23) | Severe
Win32/Dexter | April 2015 (V 5.23) | Severe
Win32/IeEnablerCby | April 2015 (V 5.23) | High
*The severity rating refers to the virus alert severity ratings that appear on the following Microsoft website:
http://www.microsoft.com/technet/security/bulletin/rating.mspx
Be aware that the severity ratings of threats may be updated occasionally to account for changes in prevalence and other factors.

**W32/Hackdef typically hides other potentially unwanted software on the computer. If the cleaner tool reports that W32/Hackdef was detected on the computer, we strongly recommend that you run a scan with up-to-date antivirus and antispyware programs (see http://www.microsoft.com/security/pc-security/spyware-prevent.aspx). If you want to view the software that W32/Hackdef was hiding, first open the log file for the cleaner tool (%Windir%\Debug\Mrt.log). Next, in the "Possible scanning results" section, find the line or lines that note the folder in which Win32/Hackdef was found. In that same folder, you should find the Win32/Hackdef configuration file that has the .ini file name extension. View this file to determine the software that Win32/Hackdef was hiding on the computer.

Any malicious software that is not listed in this table is not detected and not removed by the tool. To scan for and remove other malicious software, use an up-to-date antivirus product. For more information, go to the following Microsoft Protect Your PC website:
http://www.microsoft.com/security/scanner/en-us/default.aspx

Reporting component

The Malicious Software Removal Tool sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
  • The name of the malicious software that is detected
  • The result of malicious software removal
  • The operating system version
  • The operating system locale
  • The processor architecture
  • The version number of the tool
  • An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the website
  • An anonymous GUID
  • A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
  • The files that are suspected to be malicious software. The tool will identify the files for you.
  • A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, see Microsoft Knowledge Base article
891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

Possible scanning results

After the tool runs, there are four main results that the removal tool can report to the user:
  • No infection was found.
  • At least one infection was found and was removed.
  • An infection was found but was not removed. This result will be displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.
  • An infection was found and was partially removed. To complete this removal, you should use an up-to-date antivirus product.

Frequently asked questions about the Malicious Software Removal Tool

  • Q1: Is this tool digitally signed by Microsoft?
    A1: Yes.
  • Q2: What kind of information does the log file contain?
    A2: For information about the log file, see Microsoft Knowledge Base article
    891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
  • Q3: Can this tool be redistributed?
    A3: Yes. Per this tool's license terms, the tool can be redistributed. However, make sure that you are redistributing the latest version of the tool.
  • Q4: How do I know that I am using the latest version of the tool?
    A4: If you are a Windows 7, Windows Vista, Windows XP, or Windows Server 2003 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality to test whether you are using the latest version of the tool. If you have chosen not to use Microsoft Update, and you are a Windows 7, Windows Vista, Windows XP, or Windows Server 2003 Service Pack 1 (SP1) user, use Windows Update. Or, use the Windows Update Automatic Updates functionality to test whether you are using the latest version of the tool. Additionally, you can visit the Microsoft Download Center. Also, if the tool is more than 60 days out-of-date, the tool will remind you to look for a new version of the tool.
  • Q5: Will the Microsoft Knowledge Base article number of the tool change with each new version?
    A5: No. The Microsoft Knowledge Base article number for the tool will remain as 890830 for future versions of the tool. The file name of the tool when it is downloaded from the Microsoft Download Center will change with each release to reflect the month and the year when that version of the tool was released.
  • Q6: Is there any way I can request that new malicious software be targeted in the tool?
    A6: Currently, no. Malicious software that is targeted in the tool is based on metrics that track the prevalence and damage of malicious software.
  • Q7: Can I determine whether the tool has been run on a computer?
    A7: Yes. By checking a registry key, you can determine whether the tool has been run on a computer and which version was the latest version that was used. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
  • Q8: Why do I not see the tool on Microsoft Update, Windows Update, or Automatic Updates?
    A8: Several scenarios may prevent you from seeing the tool on Microsoft Update, Windows Update, or Automatic Updates:
    • Only Windows 7, Windows Vista, Windows XP, and Windows Server 2003 SP1 users are offered the tool on Windows Update or Automatic Updates.
    • If you have already run the current version of the tool from Windows Update, Microsoft Update, Automatic Updates, or from either of the other two release mechanisms, it will not be reoffered on Windows Update or Automatic Updates.
    • For Automatic Updates, the first time that you run the tool, you must be logged on as a member of the Administrators group to accept the license terms.
  • Q9: How do Microsoft Update, Windows Update, and Automatic Updates determine who is offered the tool?
    A9: All Windows 7, Windows Vista, Windows XP, and Windows Server 2003 users are offered the tool if the following conditions are true:
    • The users are running the latest version of Microsoft Update or the Microsoft Update Automatic Updates feature.
    • The users have not already run the current version of the tool.
    All Windows 7, Windows Vista, Windows XP, and Windows Server 2003 SP1 users are offered the tool if the following conditions are true:
    • The users are not running Microsoft Update.
    • The users are running the latest version of Windows Update or Windows Update Automatic Updates.
    • The users have not already run the current version of the tool.
  • Q10: When I look in the log file, it tells me that errors were found during the scan. How do I resolve them?
    A10: For information about the errors, see Microsoft Knowledge Base article
    891717 How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool
  • Q11: Will you rerelease the tool even if there are no new security bulletins for a particular month?
    A11: Yes. Even if there are no new security bulletins for a particular month, the Malicious Software Removal Tool will be rereleased with detection and removal support for the latest prevalent malicious software.
  • Q12: How do I prevent this tool from being offered to me by using Microsoft Update, Windows Update, or Automatic Updates?
    A12: When you are first offered the Malicious Software Removal Tool from Microsoft Update, Windows Update, or Automatic Updates, you can decline downloading and running the tool by declining the license terms. This decline can apply to only the current version of the tool or to both the current version of the tool and any future versions, depending on the options that you choose. If you have already accepted the license terms and would prefer not to install the tool through Windows Update, click to clear the check box that corresponds to the tool in the Windows Update UI.
  • Q13: After I run the tool from Microsoft Update, Windows Update, or Automatic Updates, where are the tool files stored? Can I rerun the tool?
    A13: When it is downloaded from Microsoft Update or from Windows Update, the tool runs only one time each month. To manually run the tool multiple times a month, download the tool from the Download Center or by visiting the Microsoft Safety & Security Center website.
    For an online scan of your system by using the Windows Live OneCare safety scanner, go to the Microsoft Safety Scanner website:
    http://safety.live.com
  • Q14: Can I run this tool on a Windows Embedded computer?
    A14: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.
  • Q15: Does running the tool require any security updates to be installed on the computer?
    A15: No. Unlike most previous cleaner tools that were produced by Microsoft, the Malicious Software Removal tool requires no security update prerequisites. However, we strongly recommend that you install all critical updates before you use the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.
  • Q16: Can I deploy this tool by using SUS or SMS? Is it compatible with MBSA?
    A16: For information about how to deploy this tool, see Microsoft Knowledge Base article
    891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment
  • Q17: Do I need the previous cleaner tools installed to run the Malicious Software Removal Tool?
    A17: No.
  • Q18: Is there a newsgroup available to discuss this tool?
    A18: Yes. You can use the microsoft.public.security.virus newsgroup.
  • Q19: Why did the "Windows File Protection" window appear when I ran the tool?
    A19: In some cases, when specific viruses are found on a system, the cleaner tool tries to repair infected Windows system files. Although this action removes the malicious software from these files, it may also trigger the Windows File Protection feature. If you see the Windows File Protection window, we strongly recommend that you follow the directions and insert your Microsoft Windows CD. This will restore the cleaned files to their original, pre-infection state.
  • Q20: Are localized versions of this tool available?
    A20: Yes, the tool is available in 24 languages. Before the February 2006 release, each localized version of the tool was available as a separate download. Starting in February 2006, the tool is now offered as a multilingual download. Therefore, only one version of the tool is available, and the appropriate language appears based on the language of the current operating system.
  • Q21: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?
    A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.
  • Q22: Can the MSRT run in safe mode?
    A22: Yes. If you have run MSRT before you start the computer in safe mode, you can access MSRT at %windir%\system32\mrt.exe. Double-click the mrt.exe file to run MSRT, and then follow the on-screen instructions.
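
The signature check that Q1 and Q21 rely on can be performed with PowerShell's Get-AuthenticodeSignature cmdlet. The following is an added example, not code from the Microsoft article; the function name Test-MicrosoftSignature and the organization-name match on the signer subject are assumptions made for illustration.

```powershell
# Added example (not from the Microsoft article): report whether files carry a
# valid Authenticode signature whose signer organization is Microsoft Corporation.
function Test-MicrosoftSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                [pscustomobject]@{ Path = $p; Status = 'NotFound'; Signer = $null; SignedByMicrosoft = $false }
                continue
            }
            $sig = Get-AuthenticodeSignature -FilePath $p
            $subject = $null
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            # 'Valid' means the file hash matches the signature and the certificate
            # chain builds to a root this computer trusts. Any other status
            # (NotSigned, HashMismatch, NotTrusted, ...) fails the check.
            $isValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

            # Assumption: the signer is identified by the organization field of
            # the certificate subject. The match is only meaningful when $isValid.
            $isMicrosoft = $subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'

            [pscustomobject]@{
                Path = $p; Status = $sig.Status; Signer = $subject
                SignedByMicrosoft = ($isValid -and $isMicrosoft)
            }
        }
    }
}

# The mrt.exe location is the one given in A22; pass the full path of any
# Mrtstub.exe you find as an additional -Path value.
Test-MicrosoftSignature -Path "$env:windir\system32\mrt.exe" | Format-List
```

A file named Mrtstub.exe that reports NotSigned, HashMismatch, or a signer other than Microsoft does not meet the condition stated in A21 and should be treated as suspicious.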

Properties

Article ID: 890830 - Last Review: April 30, 2015 - Revision: 149.2
Applies to
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows 7 Enterprise
  • Windows 7 Enterprise N
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Home Premium N
  • Windows 7 Professional
  • Windows 7 Professional N
  • Windows 7 Starter
  • Windows 7 Starter N
  • Windows 7 Ultimate
  • Windows 7 Ultimate N
  • Windows 8
  • Windows 8 Enterprise
  • Windows 8 Pro
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 8.1
  • Windows Server 2012 R2 Datacenter
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Foundation
  • Windows 10 Technical Preview