Developer(s) | Microsoft |
---|---|
Initial release | 13 January 2005 |
Stable release | 5.130 / 12 November 2024 [1] |
Operating system | Windows 7 and later |
Size | 65.8 MB |
Available in | English, Portuguese, Arabic, Chinese, Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese, Korean, Norwegian, Polish, Portuguese, Russian, Spanish, Swedish and Turkish |
Type | On-demand scanner |
License | Freeware |
Website | support |
Microsoft Windows Malicious Software Removal Tool (MSRT) is a freeware second-opinion malware scanner that Microsoft's Windows Update downloads and runs on Windows computers each month, independent of the installed antivirus software. First released on January 13, 2005, [2] MSRT does not offer real-time protection. It scans its host computer for specific, widespread malware, and tries to eliminate the infection. Outside its monthly deployment schedule, it can be separately downloaded from Microsoft. [3] [1] [4]
Since its January 13, 2005, [2] Microsoft releases the updated tool every second Tuesday of every month (commonly called "Patch Tuesday") through Windows Update, at which point it runs once automatically in the background and reports if malicious software is found. The tool is also available as a standalone download. [1]
Since support for Windows 2000 ended on July 13, 2010, Microsoft stopped distributing the tool to Windows 2000 users via Windows Update. The last version of the tool that could run on Windows 2000 was 4.20, released on May 14, 2013. Starting with version 5.1, released on June 11, 2013, support for Windows 2000 was dropped altogether. Although Windows XP support ended on April 8, 2014, updates for the Windows XP version of the Malicious Software Removal Tool would be provided until August, 2016; version 5.39. The latest version of MSRT for Windows Vista is 5.47, released on 11 April 2017.
Despite Microsoft ending general support for the Windows 7 operating system in 2020, updates are still provided to Windows 7 users via the standard Windows Update delivery mechanism. [3]
MSRT does not install a shortcut in the Start menu. Hence, users must manually execute %windir%\System32\MRT.exe
. The tool records its results in a log file located at %windir%\debug\mrt.log
. [3]
The tool reports anonymized data about any detected infections to Microsoft. [3] MSRT's EULA discloses this reporting behavior and explains how to disable it. [5]
In a June 2006 Microsoft report, [2] the company claimed that the tool had removed 16 million instances of malicious software from 5.7 million of 270 million total unique Windows computers since its release in January 2005. The report also stated that, on average, the tool removes malicious software from 1 in every 311 computers on which it runs. On May 19, 2009, Microsoft claimed that the software has removed password stealer threats from 859,842 machines. [6]
In August 2013, the Malicious Software Removal Tool deleted old, vulnerable versions of the Tor client to end the spread of the Sefnit botnet (which mined for bitcoins without the host owner's approval and later engaged in click fraud). Approximately two million hosts had been cleaned by October; [7] [8] [9] although this was slightly less than half of the estimated infections, the rest of the suspected machines presumably did not have their automatic Windows Updates enabled or manually run. [8]
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
Antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.
A Browser Helper Object (BHO) is a DLL module designed as a plugin for the Microsoft Internet Explorer web browser to provide added functionality. BHOs were introduced in October 1997 with the release of version 4 of Internet Explorer. Most BHOs are loaded once by each new instance of Internet Explorer. However, in the case of Windows Explorer, a new instance is launched for each window.
Microsoft Defender Antivirus is an antivirus software component of Microsoft Windows. It was first released as a downloadable free anti-spyware program for Windows XP and was shipped with Windows Vista and Windows 7. It has evolved into a full antivirus program, replacing Microsoft Security Essentials in Windows 8 or later versions.
Norton Internet Security, developed by Symantec Corporation, is a discontinued computer program that provides malware protection and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include a personal firewall, email spam filtering, and phishing protection. With the release of the 2015 line in summer 2014, Symantec officially retired Norton Internet Security after 14 years as the chief Norton product. It was superseded by Norton Security, a rechristened adaptation of the original Norton 360 security suite. The suite was once again rebranded to Norton 360 in 2019.
AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted.
Windows Live OneCare was a computer security and performance enhancement service developed by Microsoft for Windows. A core technology of OneCare was the multi-platform RAV, which Microsoft purchased from GeCAD Software Srl in 2003, but subsequently discontinued. The software was available as an annual paid subscription, which could be used on up to three computers.
System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all following desktop versions of Windows released since, excluding Windows Server. In Windows 10, System Restore is turned off by default and must be enabled by users in order to function. This does not affect personal files such as documents, music, pictures, and videos.
Graybird is a Trojan horse that hides its presence on compromised computers and downloads files from remote Web sites. There are many variations of this virus.
WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.
The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.
Security and Maintenance is a component of the Windows NT family of operating systems that monitors the security and maintenance status of the computer. Its monitoring criteria includes optimal operation of antivirus software, personal firewall, as well as the working status of Backup and Restore, Network Access Protection (NAP), User Account Control (UAC), Windows Error Reporting (WER), and Windows Update. It notifies the user of any problem with the monitored criteria, such as when an antivirus program is not up-to-date or is offline.
Kaspersky Anti-Virus is a proprietary antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and macOS, although a version for Linux is available for business consumers.
The Storm botnet or Storm Worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.
Microsoft Security Essentials (MSE) is a discontinued antivirus software (AV) product that provides protection against different types of malicious software, such as computer viruses, spyware, rootkits, and Trojan horses. Prior to version 4.5, MSE ran on Windows XP, Windows Vista, and Windows 7, but not on Windows 8 and later versions, which have built-in AV components known as Windows Defender. MSE 4.5 and later versions do not run on Windows XP. The license agreement allows home users and small businesses to install and use the product free of charge.
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.
MS Antivirus is a scareware rogue anti-virus which purports to remove virus infections found on a computer running Microsoft Windows. It attempts to scam the user into purchasing a "full version" of the software. The company and the individuals behind Bakasoftware operated under other different 'company' names, including Innovagest2000, Innovative Marketing Ukraine, Pandora Software, LocusSoftware, etc.
Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).
Sality is the classification for a family of malicious software (malware), which infects Microsoft Windows systems files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet to relay spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks to process intensive tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.
Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.
Microsoft delivered the first version of the MSRT on January 13, 2005 in 24 languages to users of Windows 2000, Windows XP, and Windows Server 2003 computers.
Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft? A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers [~snip~]