It’s been four years since Microsoft released the free Windows Malicious Software Removal Tool (MRT.exe) and it has removed prevalent malware on systems running Windows 2000, XP, Windows Server 2003 and Vista. MRT is available via Windows Update, Automatic Updates or Microsoft Download Center.
Installation and System Requirements
Windows 7, Vista, XP and earlier operating systems by Microsoft will be able to run the Malicious Software Removal Tool (MRT). No installation is required because the tool is downloaded by Microsoft via Windows Update and placed it in the system32 directory of Windows. You can manually download the tool and extract to replace the old version. MRT is updated every second Tuesday of each month with new detection or updated detections of malware that it can detect. When downloading MRT from Windows Update, the old version is automatically replaced by newer build or version of MRT.exe.
On first run of MRT, you are presented with EULA. The EULA stated that the information on detected items is sent to Microsoft servers to help Microsoft in analyzing any errors in removing, if any and to find out how many family of malware that their free tool has removed. This activity of MRT is similar to what most anti-malware vendors have and it can be optional.
How to Use Malicious Software Removal Tool?
Automatic Mode: When you download MRT from Windows Update or Automatic Update feature in
Windows, the tool will silently run a scan for malware. Any malware it will find is automatically removed.
Detect Mode or Manual Mode: MRT can be use by simply executing mrt.exe from C:\Windows\System32 folder or by running command lines using command prompt in Windows. Newer operating systems with UAC enabled should make sure that the tool was executed with administrative privileges so that the tool can remove any malware it will find that requires admin permissions. You can also store and run MRT in any location of your hard-drive or in removable drive.
The image at the left is an example of detect mode only using the command line mrt /N, where MRT is able to detect and report but not remove the detected malware. The image at the right is an example of running MRT without any other command but to automatically remove the detected malware.
Detection and Scanning Options in MRT
MRT let you run a Quick, Full and Custom scanning. When running MRT in normal mode (without any other command), the tool will scan and remove detected malware with no interaction from you. However, if you prefer to only use MRT to scan but not remove the detected items, you should run MRT using command lines. Below are the available commands in using MRT via command prompt:
/Q or /quiet Uses quiet mode. This option suppresses the user interface of the tool
/? Displays a dialog box that lists the command-line switches
/N Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed
/F Forces an extended scan of the computer
/F:Y Forces an extended scan of the computer and automatically cleans any infections that are found
Microsoft lists the malware family that MRT will be able to detect and remove in KB890830 which you will also find more information on how the tool will run.
MRT Logging and Return Codes
MRT logs its activity by creating the file, mrt.log in C:\Windows\Debug folder. The mrt.log will show whether there is malware found, the location of malware or if there is any return codes. Below are the available return codes:
0 = No infection found
1 = OS Environment Error
2 = Not running as an Administrator
3 = Not a supported OS
4 = Error Initializing the scanner. (Download a new copy of the tool)
5 = Not used
6 = At least one infection detected. No errors.
7 = At least one infection was detected, but errors were encountered.
8 = At least one infection was detected and removed, but manual steps are required for a complete removal.
9 = At least one infection was detected and removed, but manual steps are required for complete removal and errors were encountered.
10 = At least one infection was detected and removed, but a restart is required for complete removal
11 = At least one infection was detected and removed, but a restart is required for complete removal and errors were encountered
12 = At least one infection was detected and removed, but both manual steps and a restart is required for complete removal.
13 = At least one infection was detected and removed, but a restart is required. No errors were encountered.
Malicious Software Removal Tool and Anti-Malware Scanners
MRT is not a replacement of anti-virus or anti-malware scanners because MRT will only detect and remove some family of malware that is in the wild. It is recommended to run a scan using resident malware scanner to ensure that removal of detected malware is successful or to find out if there are other malware that MRT does not detect.
MRT will not regularly run to scan the system but will only auto-scan when it is updated via Windows Update. You should scan using this free malware removal tool regularly and make sure that you have the latest build.