The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000 (890830)

MORE INFORMATION

Manual steps to download and run the Windows Malicious Software Removal Tool

If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, click the following article number to view the article in the Microsoft Knowledge Base: This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (SUS), and Microsoft Baseline Security Analyzer (MBSA) support.

Microsoft Update Web site, Windows Update Web site, and Automatic Updates

Microsoft Windows XP, Windows Server 2003, or Windows 2000 users You can use the Microsoft Update Automatic Update functionality to download and run the tool, or you can visit the Microsoft Update Web site: Microsoft Windows XP or Microsoft Windows Server 2003 SP1 users who are not yet using Microsoft UpdateYou can use the Windows Update Automatic Updates functionality to download and to run the tool, or you can visit the Windows Update Web site: Notes

• The tool is offered as a critical update through the Microsoft Update, Windows Update, and Auto Update mechanisms.
• The first time that you download and run the tool by using Microsoft Update, Windows Update, or Automatic Updates, you must accept a specific end user license agreement (EULA). The EULA is displayed when you log on as a member of the Administrators group and then access Automatic Updates, the Windows Update Web site, or the Microsoft Update Web site.
• A new version of the tool will be released each month and will be made available from Automatic Updates, from the Windows Update Web site, and from the Microsoft Update Web site.

For more information about Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft Download Center

You can download the Malicious Software Removal Tool manually from the Microsoft Download Center. The following file is available for download from the Microsoft Download Center:
Release Date: October 10, 2006

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Malicious Software Removal Tool Web site on Microsoft.com

To run an online version of the Malicious Software Removal Tool, visit the Malicious Software Removal Tool Web site:

Known issues

• Typically, when you run the Windows Malicious Software Removal Tool, the tool creates a randomly named temporary directory in the root drive of your computer. This directory will contain several files and includes the Mrtstub.exe file. Most of the time, this folder will be automatically deleted after the tool has finished running or after the next restart. Sometimes, this folder may not be deleted automatically. In these cases, this folder can be deleted manually and has no adverse effect on the computer.
• A user may log on to a computer at the same time that the Windows Malicious Software Removal Tool is running in the background. (The tool may be running as part of a deployment that uses Windows Server Update Services.) In this case, Windows may inform the user that the current user profile is corrupted and that a new profile is being created. To resolve this issue, the new profile can be removed. The user can logon to the system again at a time when the tool is not running. This issue is most likely to occur on a Windows 2000-based computer.

Known issues in the November 8, 2005 release

When you run the November 8, 2005 release of the Windows Malicious Software Removal Tool from Windows Update, from Automatic Update, or from the Download Center, the tool may appear to stop responding. Additionally, you may experience one of the following symptoms:

• When you run the tool from Windows Update or from Automatic Update, Windows Task Manager shows that the Iexplore.exe process has high CPU usage.
• When you run the tool from the Download Center, Windows Task Manager shows that the Mrt.exe process has high CPU usage.

To resolve this issue, install the updated version of the Windows Malicious Software Removal Tool that is now available from Windows Update, from Microsoft Update, from Automatic Updates, or from the Download Center.

Note To stop the Mrt.exe process or the Iexplorer.exe process when the process has high CPU usage, follow these steps:

1. Press CTRL+ALT+DELETE.
2. Click Task Manager, and then click the Processes tab.
3. Stop the process for the task that has high CPU usage. To do this, right-click the task, and then click End Process.
4. Click Close.

Release information

The Malicious Software Removal Tool is released on the second Tuesday of every month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.

The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.

Each release of the tool is cumulative. That is, each release not only helps detect and remove new malicious software families, it also helps detect and remove all the malicious software covered in earlier versions. New variants of malicious software that is detected and removed in previous releases are also covered in each monthly release.

This Microsoft Knowledge Base article will be updated with information for each monthly release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the January 2005 version is Windows-KB890830-ENU.exe, and the file name of the February 2005 version is Windows-KB890830-V1.1-ENU.exe.

Malicious software family	Tool version	Current severity rating
Win32/Berbew	January 2005 (V 1.0)	Moderate
Win32/Doomjuice	January 2005 (V 1.0)	Low
Win32/Gaobot	January 2005 (V 1.0)	Moderate
Win32/MSBlast	January 2005 (V 1.0)	Moderate
Win32/Mydoom	January 2005 (V 1.0)	Low
Win32/Nachi	January 2005 (V 1.0)	Moderate
Win32/Sasser	January 2005 (V 1.0)	Low
Win32/Zindos	January 2005 (V 1.0)	Low
Win32/Korgo	February 2005 (V 1.1)	Low
Win32/Netsky	February 2005 (V 1.1)	Moderate
Win32/Randex	February 2005 (V 1.1)	Low
Win32/Zafi	February 2005 (V 1.1)	Low
Win32/Bagle	March 2005 (V 1.2)	Moderate
Win32/Bropia	March 2005 (V 1.2)	Low
Win32/Goweh	March 2005 (V 1.2)	Low
Win32/Sober	March 2005 (V 1.2)	Low
Win32/Sobig	March 2005 (V 1.2)	Low
Win32/Hackdef**	April 2005 (V 1.3)	Moderate
Win32/Mimail	April 2005 (V 1.3)	Low
Win32/Rbot	April 2005 (V 1.3)	Moderate
Win32/Sdbot	May 2005 (V 1.4)	Moderate
WinNT/Ispro	May 2005 (V 1.4)	Moderate
WinNT/FURootkit	May 2005 (V 1.4)	Moderate
Win32/Kelvir	June 2005 (V 1.5)	Low
Win32/Lovgate	June 2005 (V 1.5)	Moderate
Win32/Mytob	June 2005 (V 1.5)	Moderate
Win32/Spybot	June 2005 (V 1.5)	Moderate
Win32/Hacty	July 2005 (V 1.6)	Low
Win32/Optix	July 2005 (V 1.6)	Low
Win32/Optixpro	July 2005 (V 1.6)	Low
Win32/Purstiu	July 2005 (V 1.6)	Low
Win32/Wootbot	July 2005 (V 1.6)	Moderate
Win32/Bagz	August 2005 (V 1.7)	Low
Win32/Dumaru	August 2005 (V 1.7)	Low
Win32/Spyboter	August 2005 (V 1.7)	Low
Win32/Zotob.A	August 2005 A (V 1.7.1)	Low
Win32/Zotob.B	August 2005 A (V 1.7.1)	Low
Win32/Zotob.C	August 2005 A (V 1.7.1)	Low
Win32/Zotob.D	August 2005 A (V 1.7.1)	Low
Win32/Zotob.E	August 2005 A (V 1.7.1)	Low
Win32/Bobax.O	August 2005 A (V 1.7.1)	Moderate
Win32/Esbot.A	August 2005 A (V 1.7.1)	Low
Win32/Rbot.MA	August 2005 A (V 1.7.1)	Low
Win32/Rbot.MB	August 2005 A (V 1.7.1)	Low
Win32/Rbot.MC	August 2005 A (V 1.7.1)	Low
Win32/Bobax	September 2005 (V 1.8)	Moderate
Win32/Esbot	September 2005 (V 1.8)	Low
Win32/Gael	September 2005 (V 1.8)	Moderate
Win32/Yaha	September 2005 (V 1.8)	Low
Win32/Zotob	September 2005 (V 1.8)	Low
Win32/Antinny	October 2005 (V 1.9)	Moderate
Win32/Gibe	October 2005 (V 1.9)	Low
Win32/Mywife	October 2005 (V 1.9)	Moderate
Win32/Wukill	October 2005 (V 1.9)	Moderate
Win32/Bugbear	November 2005 (V 1.10)	Moderate
Win32/Codbot	November 2005 (V 1.10)	Low
Win32/Mabutu	November 2005 (V 1.10)	Low
Win32/Opaserv	November 2005 (V 1.10)	Low
Win32/Swen	November 2005 (V 1.10)	Low
Win32/IRCBot	December 2005 (V 1.11)	Moderate
Win32/Ryknos	December 2005 (V 1.11)	Low
WinNT/F4IRootkit	December 2005 (V 1.11)	Moderate
Win32/Bofra	January 2006 (V 1.12)	Low
Win32/Maslan	January 2006 (V 1.12)	Low
Win32/Parite	January 2006 (V 1.12)	Moderate
Win32/Alcan	February 2006 (V 1.13)	Moderate
Win32/Badtrans	February 2006 (V 1.13)	Low
Win32/Eyeveg	February 2006 (V 1.13)	Low
Win32/Magistr	February 2006 (V 1.13)	Low
Win32/Atak	March 2006 (V 1.14)	Low
Win32/Torvil	March 2006 (V 1.14)	Low
Win32/Zlob	March 2006 (V 1.14)	Moderate
Win32/Locksky	April 2006 (V 1.15)	Low
Win32/Reatle	April 2006 (V 1.15)	Low
Win32/Valla	April 2006 (V 1.15)	Low
Win32/Evaman	May 2006 (V 1.16)	Low
Win32/Ganda	May 2006 (V 1.16)	Low
Win32/Plexus	May 2006 (V 1.16)	Low
Win32/Cissi	June 2006 (V 1.17)	Low
Win32/Fizzer	June 2006 (V 1.17)	Low
Win32/Alemod	July 2006 (V 1.18)	Moderate
Win32/Chir	July 2006 (V 1.18)	Moderate
Win32/Hupigon	July 2006 (V 1.18)	Moderate
Win32/Nsag	July 2006 (V 1.18)	Moderate
Win32/Banker	August 2006 (V 1.19)	Moderate
Win32/Jeefo	August 2006 (V 1.19)	Moderate
Win32/Bancos	September 2006 (V 1.20)	Moderate
Win32/Sinowal	September 2006 (V 1.20)	Moderate
Win32/Harnig	October 2006 (V 1.21)	Moderate
Win32/Passalert	October 2006 (V 1.21)	Moderate
Win32/Tibs	October 2006 (V 1.21)	Moderate

* The severity rating refers to the virus alert severity ratings that appear on the following Microsoft Web site:Note that the severity ratings of threats may be updated occasionally to account for changes in prevalence and other factors.

**W32/HackDef typically hides other potentially unwanted software on the computer. If the cleaner tool reports that W32/HackDef was detected on the computer, we strongly recommend that you run a scan with up-to-date antivirus and antispyware programs (see http://www.microsoft.com/athome/security/spyware/default.mspx). If you want to view the software that W32/HackDef was hiding, first open the log file for the cleaner tool (%WINDIR%\debug\mrt.log). Next, in the Scanning Results section, find the line or lines that note the folder in which Win32/Hackdef was found. In that same folder, you should find the Win32/Hackdef configuration file that has the .ini file name extension. View this file to determine the software that Win32/HackDef was hiding on the computer.

Any malicious software that is not listed in this table is not detected and not removed by the tool. To scan for and remove other malicious software, use an up-to-date antivirus product. For more information, visit the following Microsoft Protect Your PC Web site:

Prerequisites

Except where noted, the information in this section applies to all the ways that you can download and run the Malicious Software Removal Tool:

• Microsoft Update
• Windows Update
• Automatic Updates
• The Microsoft Download Center
• The Malicious Software Removal Tool Web site on Microsoft.com

For you to run the Malicious Software Removal Tool, the following conditions are required:

• The computer must be running Windows Server 2003, Windows XP, or Windows 2000.
• You must log on to the computer by using an account that is a member of the Administrators group.
  
  Note The first time that you download and run the tool by using Automatic Updates, Microsoft Update, or Windows Update, you must be logged on to the computer by using an account that is a member of the Administrators group. After you accept the one-time EULA, you can receive future versions of the tool without being logged on to the computer as an administrator.

If the computer and logon account do not meet these conditions, the tool will not run on the computer.

Command-line switches

The Malicious Software Removal Tool supports four command-line switches:

• /Q or /quiet - Use quiet mode. This option suppresses the user interface of the tool.
• /? - Display a dialog box that lists the command-line switches.
• /N - Run in detect-only mode. In this mode, malicious software will be reported to the user but will not be removed.
• /F - Force an extended scan of the computer.
• /F:Y - Force an extended scan of the computer and automatically clean any infections found.

Usage information

Important Before you follow these steps, make sure that you have backed up all important data.

When the Malicious Software Removal Tool runs, the tool performs the following functions. Except where noted, the tool has the same behavior independent of what command-line switches you use or how you download and run the tool. Note that the tool is not actually installed on a computer. Therefore, no entry is created for it in the Programs folder or in Add or Remove Programs.

Notes

• When you download the tool from Microsoft Update, Windows Update, or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. To find more details about the detection, click the balloon.
• When you run the tool from the Web site http://www.microsoft.com, the tool always displays a user interface (UI).
• When you download the tool from the Microsoft Download Center, the tool ordinarily displays a UI when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.
• Extended scan and file disinfection functionality currently are not supported when you run the tool from the Malicious Software Removal Tool Web site. Run the tool from the Download Center, from Microsoft Update, from Windows Update, or from Automatic Updates to enable this functionality.

Prerequisite check

• If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.
• If the computer is not running a required operating system, the tool exits.
• If the tool is more than 60 days out-of-date, the tool displays a dialog box that recommends that you download the latest version of the tool.

EULA display

If the prerequisites are met, the tool displays the EULA. For the tool to continue to run, you must accept the EULA.

• If you receive the tool from Microsoft Update, from Windows Update, or from Automatic Updates, the EULA is displayed only the first time that you run the tool.
• If you download the tool from the Download Center, you only have to accept the EULA once. After the EULA is accepted once, it will not be displayed again. The EULA is not displayed if you run the tool in quiet mode.
• If you download the tool from the Microsoft.com Web site, the EULA is displayed every time that you run the tool.

Select a type of scan

• After the EULA has been accepted, the user can select a type of scan to perform. Only users of the Download Center version of the tool will see this screen.
• A quick scan is the default scan type. Sometimes, if malicious software is found, the user may be prompted to perform a full scan also.
• A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan.
• A customized scan performs a quick scan and then a scan of a specific folder and its subfolders on the computer.

Quick scan for malicious software

• After the EULA has been accepted, the tool scans computer memory for known malicious software and stops any malicious processes that are found. It also deletes files and registry keys that are associated with processes that are identified as malicious.
• The scan searches only for malicious software that is active on a system. The tool does not perform an extended scan at this point.
• If you download the tool from the Download Center, you will see a status bar that indicates the scan is progressing.
• If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.

Extended scan for malicious software

• If certain malicious software is detected on the computer, the tool will prompt you to perform an extended scan of the computer. We recommend that you perform this scan.
• This scan can take several hours to complete because it will scan all fixed and removable drives for malicious software.
• Mapped network drives will not be scanned.

To clean infected files

• If malicious software has modified (or infected) user files on the computer, the tool will prompt you to remove the malicious software from those files. You can choose to clean specific files or all infected files found.
• Note that some data loss is possible during this process and that the tool may not be able to restore some files to the original, pre-infection state.

Recording scan data

• After the scan is complete, the tool creates a log file that contains the results of the scan. The name of the file is Mrt.log. The file is in the %windir%\Debug folder.
• This log file is available in English only.

Displaying results

• After the tool has run and if quiet mode is not active, the tool displays the results of the scan.
• See the "Possible results" section for a description of the information that the removal tool can return.

Reporting infection information

• If the tool detects malicious software or if an error occurs when the tool is running, the tool sends a report to Microsoft that contains basic information about the malicious software or about the error. No identifiable personal information that is related to you or to the computer is sent together with this report.
• For details about the information that is sent to Microsoft, see the "Reporting component" section.
• If you do not want to send this information to Microsoft, you can disable the reporting component. For more information about disabling the reporting component, click the following article number to view the article in the Microsoft Knowledge Base:

  891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

• If suspicious files are found on the computer, you will be prompted to submit additional information about these files.

Possible results

After the tool runs, there are four main results that the removal tool can report to the user:

• No infection was found.
• At least one infection was found and was removed.
• An infection was found but was not removed. This result will be displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.
• An infection was found and was partially removed. To complete this removal, you should use an up-to-date antivirus product.

The removal tool may also suggest the following additional actions to the user:

• Computer restart The removal tool may request a restart to complete the removal of some malicious software.
• Manual steps The removal tool may prompt you to perform manual steps to complete the removal of some malicious software

Reporting component

As noted in the "Usage information" section, the Malicious Software Removal Tool will send information back to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, click the following article number to view the article in the Microsoft Knowledge Base: The specific information that is sent to Microsoft consists of the following items:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run from Microsoft Update, from Windows Update, from Automatic Updates, from the Download Center, or from the Web site.
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on your computer, the tool prompts you to send information to Microsoft beyond what is listed above. You are prompted in each of these instances, and this information is sent only with your consent. The additional information is:

• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.

No other information is sent to Microsoft.

Interaction with antivirus software

You do not have to disable or to remove your antivirus program when you install this tool. However, if your antivirus program is running on a computer that is infected with prevalent malicious software, the antivirus program may detect this malicious software and may prevent the removal tool from removing it when the removal tool runs. In this case, you can use your antivirus program to remove the malicious software.

The Microsoft Malicious Software Removal tool does not contain a virus or a worm. Therefore, the removal tool alone should not trigger your antivirus program. However, if malicious software infected your computer before an up-to-date antivirus program was installed, and if scheduled virus scanning or background virus scanning is disabled, your antivirus program may not detect this malicious software until the tool tries to remove it.

FAQ: Frequently asked questions

• Q1: Does this tool provide my computer with protection against infection from malicious software like viruses, worms, and Trojan horses?
  A1: No. This tool is strictly a post-infection removal tool.
• Q2: What installer does this tool use?
  A2: The tool does not install or update files on a computer. Therefore the tool does not use an installer, such as Windows Installer or Update.exe. It is packaged within a self-extracting CAB executable to reduce the size of the package.
• Q3: How do I uninstall the tool?
  A3:The tool is not installed on the computer. No Program folder entry or Add / Remove Programs entry is created when the tool is run.
• Q4: Is this tool digitally signed by Microsoft?
  A4: Yes.
• Q5: What type of information does the log file contain?
  A5: For information about the log file, click the following article number to view the article in the Microsoft Knowledge Base:

  891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

• Q6: Does this tool require a restart?
  A6: When run from Microsoft Update, from Windows Update, or from Automatic Updates, the tool may trigger a restart prompt. However, the prompt is triggered only when the restart is required to remove malicious software.
• Q7: Is this tool a replacement for an antivirus product?
  A7: No. We strongly recommend that you install and use an up-to-date antivirus product. For more information, visit the following Microsoft Protect Your PC Web site:
  
  http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
• Q8: Can this tool be redistributed?
  A8: Yes. Per the terms of this tool's EULA, the tool can be redistributed. However, make sure you are redistributing the latest version of the tool.
• Q9: Can the tool run on a computer that is running Microsoft Windows 98, Microsoft Windows Millennium, or Microsoft Windows NT 4.0?
  A9: No.
• Q10: What is the difference between this tool and an antivirus product?
  A10: There are three key differences between the Malicious Software Removal tool and an antivirus product:
  • The tool provides post-infection removal of malicious software. It can only remove malicious software from an already-infected computer. Antivirus products are also able to block malicious software from running on a computer. It is significantly more desirable for malicious software to be blocked from running on a computer than being removed post-infection.
  • The tool removes only specific, prevalent malicious software. See "Release information" for the specific list. Specific, prevalent malicious software is a small subset of all the malicious software in the wild today. An antivirus product can remove significantly more-malicious software.
  • The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running. The tool cannot remove malicious software that is not running. An antivirus product can perform this task.
• Q11: When do new versions of the tool become available?
  A11: New versions become available on the second Tuesday of every month. Microsoft may also release an updated version of the tool to supplement these releases if an emergency occurs.
• Q12: Where can I obtain new versions of the tool?
  A12: If you are a Windows XP user, a Windows Server 2003 user, or a Windows 2000 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality. If you have chosen not to use Microsoft Update, and you are a Windows XP user or Windows Server 2003 Service Pack 1 (SP1) user, use Windows Update or use the Windows Update Automatic Updates functionality. Additionally, you can download the tool from the Download Center or run the tool from Microsoft.com. See the "Download and setup information" section for more information.
• Q13: How do I know that I am using the latest version of the tool?
  A13: If you are a Windows XP user, a Windows Server 2003 user, or a Windows 2000 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality to test whether you are using the latest version of the tool. If you have chosen not to use Microsoft Update, and you are a Windows XP user or Windows Server 2003 Service Pack 1 (SP1) user, use Windows Update, or use the Windows Update Automatic Updates functionality to test whether you are using the latest version of the tool. Additionally, you can visit the Microsoft Download Center. Also, if the tool is more than 60 days out-of-date, the tool will remind you to look for a new version of the tool.
• Q14: I ran the tool, and it found nothing on my computer. But my computer is still exhibiting strange behavior. What should I do now?
  A14: Visit the following Protect Your PC Web site, and then follow the steps:

  http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx

  Scan your computer with an up-to-date antivirus product, and then visit the following Microsoft Web site:

  http://www.microsoft.com/athome/security/spyware/default.mspx

• Q15: Will the Microsoft Knowledge Base article number of the tool change with each new version?
  A15: No. The Microsoft Knowledge Base article number for the tool will remain as 890830 for future versions of the tool. The file name of the tool when downloaded from the Microsoft Download Center will change with each release to reflect the month and the year when that version of the tool was released.
• Q16: Is there any way I can request that new malicious software be targeted in the tool?
  A16: Currently, no. Malicious software that is targeted in the tool is based on metrics that track the prevalence and damage of malicious software.
• Q17: How does the Malicious Software Removal Tool relate to Microsoft Windows AntiSpyware (Beta)?
  A17: The Malicious Software Removal Tool is a different release than Microsoft Windows AntiSpyware (Beta). To download this antispyware tool, visit the following Microsoft Web site:

  http://www.microsoft.com/athome/security/spyware/default.mspx

  The Malicious Software Removal Tool focuses on the detection and removal of malicious software. For example, malicious software includes viruses, worms, and Trojan horses. Windows AntiSpyware (Beta) detects and removes spyware.
• Q18: Does this tool send back any information to Microsoft?
  A18: Yes. If the tool finds an infection or an error, anonymous information is sent back to Microsoft. See the "Reporting component" section for more information.
• Q19: Can I prevent this tool from sending information back to Microsoft?
  A19: Yes. The reporting component can be disabled by setting a specific registry key. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

• Q20: Can I determine whether the tool has been run on a computer?
  A20: Yes. By checking a registry key, you can determine whether the tool has been run on a computer and which version was the latest version that was used. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

• Q21: Why don't I see the tool on Microsoft Update, Windows Update, or Automatic Updates?
  A21: Several scenarios may prevent you from the seeing the tool on Microsoft Update, Windows Update, or Automatic Updates:
  • Only Windows XP users and Windows Server 2003 SP1 users are offered the tool on Windows Update or Automatic Updates.
  • If you have already run the current version of the tool (from Windows Update, Microsoft Update or Automatic Updates, or from either of the other two release mechanisms), it will not be reoffered on Windows Update or Automatic Updates.
  • For Automatic Updates, the first time that you run the tool, you must be logged on as a member of the Administrators group to accept the EULA.
• Q22: How does Microsoft Update, Windows Update, and Automatic Updates determine who is offered the tool?
  A22: All Windows XP users, Windows Server 2003 users, and Windows 2000 users are offered the tool if the following conditions are true:
  • The users are running the latest version of Microsoft Update or the Microsoft Update Automatic Updates feature.
  • The users have not already run the current version of the tool.
  All Windows XP users and Windows Server 2003 SP1 users are offered the tool if the following conditions are true:
  • The users are not running Microsoft Update.
  • The users are running the latest version of Windows Update or Windows Update Automatic Updates.
  • The users have not already run the current version of the tool.
• Q23: When I look in the log file, it tells me that errors were found during the scan. How do I resolve them?
  A23: For information about the errors, click the following article number to view the article in the Microsoft Knowledge Base:

  891717 You receive an error when you run the Microsoft Windows Malicious Software Removal Tool

• Q24: Will you rerelease the tool even if there are no new security bulletins for a particular month?
  A24: Yes. Even if there are no new security bulletins for a particular month, the Malicious Software Removal Tool will be rereleased with detection/removal support for the latest prevalent malicious software.
• Q25: How do I prevent this tool from being offered to me by using Microsoft Update, Windows Update, or Automatic Updates?
  A25: When you are first offered the Malicious Software Removal Tool from Microsoft Update, Windows Update, or Automatic Updates, you can choose to decline downloading and running the tool by declining the EULA. This decline can apply to just the current version of the tool or to both the current version of the tool and any future versions, depending on the options you choose. If you have already accepted the EULA and if you would prefer not to install the tool through Windows Update, click to clear the check box that corresponds to the tool in the Windows Update UI.
• Q26: After I run the tool from Microsoft Update, Windows Update, or Automatic Updates, where are the tool files stored? Can I rerun the tool?
  A26: When downloaded from Microsoft Update or from Windows Update, the tool runs only once a month. To run the tool manually, more than once a month, run the tool from the Download Center or from the following Microsoft Web site:

  http://www.microsoft.com/security/malwareremove/default.mspx

• Q27: Can I run this tool on a Windows Embedded computer?
  A27: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.
• Q28: Does running of the tool require any security updates to be installed on the computer?
  A28: No. Unlike most previous cleaner tools that were produced by Microsoft, the Malicious Software Removal tool does not require any security update prerequisites. However, it is strongly recommended that all critical updates be installed before using the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.
• Q29: Why did my taskbar disappear and reappear when I ran the tool?
  A29: If the tool finds malicious software on a computer, the Malicious Software Removal Tool may have to restart Windows Explorer to remove the malicious software. This causes the taskbar to disappear and reappear but does not affect any part of your data.
• Q30: Can I deploy this tool by using SUS or SMS? Is it compatible with MBSA?
  A30: For information about deploying this tool, click the following article number to view the article in the Microsoft Knowledge Base:

  891716 Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

• Q31: Do I need the previous cleaner tools installed to run the Malicious Software Removal Tool?
  A31: No.
• Q32: Is there a newsgroup available to discuss this tool?
  A32: Yes. You can use the microsoft.public.security.virus newsgroup.
• Q33: Why did the "Windows File Protection" window appear when I ran the tool?
  A33: In some cases, when specific viruses are found on a system, the cleaner tool attempts to repair infected Windows system files. Although this action removes the malicious software from these files, it may also trigger the Windows File Protection feature. If you see the Windows File Protection window, we strongly recommend that you follow the directions and insert your Microsoft Windows CD. This will restore the cleaned files to their original, pre-infection state.
• Q34: Are localized versions of this tool available?
  A34: Yes, the tool is available in 24 languages. Before the February 2006 release, each localized version of the tool was available as a separate download. Starting in February 2006, the tool is now offered as a multilingual download.. Therefore, only one version of the tool is available and the appropriate language is displayed, based on the language of the current operating system.
• Q35: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?
  A35: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.