Malicious Software Removal Tool

Malicious Software Removal Tool
Developer(s)	Microsoft
Initial release	13 January 2005;19 years ago
Stable release	5.120 / 9 January 2024;3 months ago
Operating system	Windows 7 and later
Size	63.1 MB
Available in	English, Portuguese, Arabic, Chinese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish and Turkish
Type	On-demand scanner
License	Freeware
Website	support.microsoft.com/en-us/help/890830/

Last updated April 11, 2024

Microsoft Windows Malicious Software Removal Tool (MSRT) is a freeware second-opinion malware scanner that Microsoft's Windows Update downloads and runs on Windows computers each month, independent of the install antivirus software. First released on January 13, 2005,^[2] MSRT does not offer real-time protection. It scans its host computer for specific, widespread malware, and tries to eliminate the infection. Outside its monthly deployment schedule, it can be separately downloaded from Microsoft.^[3]^[1]^[4]

Availability

Since its January 13, 2005,^[2] Microsoft releases the updated tool every second Tuesday of every month (commonly called "Patch Tuesday") through Windows Update, at which point it runs once automatically in the background and reports if malicious software is found. The tool is also available as a standalone download.^[1]

Since support for Windows 2000 ended on July 13, 2010, Microsoft stopped distributing the tool to Windows 2000 users via Windows Update. The last version of the tool that could run on Windows 2000 was 4.20, released on May 14, 2013. Starting with version 5.1, released on June 11, 2013, support for Windows 2000 was dropped altogether. Although Windows XP support ended on April 8, 2014, updates for the Windows XP version of the Malicious Software Removal Tool would be provided until August, 2016; version 5.39. The latest version of MSRT for Windows Vista is 5.47, released on 11 April 2017.

Despite Microsoft ending general support for the Windows 7 operating system in 2020, updates are still provided to Windows 7 users via the standard Windows Update delivery mechanism.^[5]

Operation

MSRT does not install a shortcut in the Start menu. Hence, users must manually execute %windir%\System32\MRT.exe. The tool records its results in a log file located at %windir%\debug\mrt.log.^[3]

The tool reports anonymized data about any detected infections to Microsoft.^[3] MSRT's EULA discloses this reporting behavior and explains how to disable it.^[6]

Impact

In a June 2006 Microsoft report,^[2] the company claimed that the tool had removed 16 million instances of malicious software from 5.7 million of 270 million total unique Windows computers since its release in January 2005. The report also stated that, on average, the tool removes malicious software from 1 in every 311 computers on which it runs. On May 19, 2009, Microsoft claimed that the software has removed password stealer threats from 859,842 machines.^[7]

In August 2013, the Malicious Software Removal Tool deleted old, vulnerable versions of the Tor client to end the spread of the Sefnit botnet (which mined for bitcoins without the host owner's approval and later engaged in click fraud). Approximately two million hosts had been cleaned by October;^[8]^[9]^[10] although this was slightly less than half of the estimated infections, the rest of the suspected machines presumably did not have their automatic Windows Updates enabled or manually run.^[9]

Related Research Articles

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.

<span class="mw-page-title-main">Microsoft Defender Antivirus</span> Anti-malware software

Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.

Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the Norton 360 security suite.

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.

Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.

Security and Maintenance is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.

Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

References

1 2 3 "Windows Malicious Software Removal Tool 64-bit". microsoft.com. Microsoft . Retrieved 2024-01-11.
1 2 3 "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". Microsoft. Retrieved 10 March 2010. Microsoft delivered the first version of the MSRT on January 13, 2005 in 24 languages to users of Windows 2000, Windows XP, and Windows Server 2003 computers.
1 2 3 "Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)". Support. Microsoft. 8 December 2009.
↑ Savill, John (2005). "What's the Microsoft Windows Malicious Software Removal Tool?". Windows IT Pro. Archived from the original on 2017-05-11.
↑ "Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)". support.microsoft.com. Retrieved 2021-11-07.
↑ "Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment". Support. Microsoft. 8 December 2009. Retrieved 22 December 2009. Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft? A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers [~snip~]
↑ Protalinski, Emil (22 May 2009). "Microsoft cleans password stealer tools from 859,842 PCs". Ars Technica . Condé Nast.
↑ McHugh, Molly (2014-01-17). "Microsoft's secret battle against the Tor botnet". The Daily Dot. Retrieved 2014-02-10.
1 2 Stevenson, Alastair (26 September 2013). "Microsoft uncovers Sefnit Trojan return after Groupon click-fraud scam - IT News from". V3.co.uk. Archived from the original on 7 August 2014.
↑ "Tackling the Sefnit botnet Tor hazard". Microsoft Malware Protection Center Threat Research & Response Blog. Microsoft. 9 January 2014. Archived from the original on 8 March 2016.

External links

Official website

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[ms-web-download-1] 1 2 3 "Windows Malicious Software Removal Tool 64-bit". microsoft.com. Microsoft . Retrieved 2024-01-11.

[MSRT_microsoft_report-2] 1 2 3 "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". Microsoft. Retrieved 10 March 2010. Microsoft delivered the first version of the MSRT on January 13, 2005 in 24 languages to users of Windows 2000, Windows XP, and Windows Server 2003 computers.

[ms-web-support1-3] 1 2 3 "Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)". Support. Microsoft. 8 December 2009.

[4] Savill, John (2005). "What's the Microsoft Windows Malicious Software Removal Tool?". Windows IT Pro. Archived from the original on 2017-05-11.

[5] "Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)". support.microsoft.com. Retrieved 2021-11-07.

[6] "Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment". Support. Microsoft. 8 December 2009. Retrieved 22 December 2009. Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft? A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers [~snip~]

[7] Protalinski, Emil (22 May 2009). "Microsoft cleans password stealer tools from 859,842 PCs". Ars Technica . Condé Nast.

[8] McHugh, Molly (2014-01-17). "Microsoft's secret battle against the Tor botnet". The Daily Dot. Retrieved 2014-02-10.

[Sefnit-9] 1 2 Stevenson, Alastair (26 September 2013). "Microsoft uncovers Sefnit Trojan return after Groupon click-fraud scam - IT News from". V3.co.uk. Archived from the original on 7 August 2014.

[10] "Tackling the Sefnit botnet Tor hazard". Microsoft Malware Protection Center Threat Research & Response Blog. Microsoft. 9 January 2014. Archived from the original on 8 March 2016.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

v t e Microsoft security products
Numbers in brackets are the years of the initial release of the product.
For Windows	Windows Firewall [2001] Baseline Security Analyzer [2004] Malicious Software Removal Tool [2005] Microsoft Defender [2006] Microsoft SmartScreen [2006] Microsoft Safety Scanner [2011]
For Windows Server	Exchange Online Protection [2007] System Center Data Protection Manager [2007] Identity Manager [2010]
Discontinued	MSAV [1993] Threat Management Gateway [1997] Microsoft Security Essentials [2009] OneCare Safety Scanner [2006] Unified Access Gateway [2007] Windows Live OneCare [2006] RootkitRevealer [2006] Enhanced Mitigation Experience Toolkit [2009]
Related topics	Data Execution Prevention Kernel Patch Protection Mandatory Integrity Control MS Antivirus (malware) User Account Control