Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)

Note: Starting May 2020, the MSRT will be released on a Quarterly Cadence.

Summary

The Windows Malicious Software Removal Tool (MSRT) helps remove malicious software from computers that are running any of the following operating systems:

  • Windows 10

  • Windows Server 2019

  • Windows Server 2016

  • Windows 8.1

  • Windows Server 2012 R2

  • Windows Server 2012

  • Windows Server 2008 R2

  • Windows 7

  • Windows Server 2008

Starting May 2020, Microsoft releases the MSRT on a quarterly cadence as part of Windows Update or as a standalone tool. Use this tool to find and remove specific prevalent threats and reverse the changes they have made (see covered malware families). For comprehensive malware detection and removal, consider using Windows Defender Offline or Microsoft Safety Scanner.

This article contains information about how the tool differs from an antivirus or antimalware product, how you can download and run the tool, what happens when the tool finds malware, and tool release information. It also includes information for the administrators and advanced users, including information about supported command-line switches.

Notes: 

More information

MSRT is a post-infection removal tool and the monthly iteration is no longer required. We continue to monitor the malware landscape and adjust the cadence appropriately.

Note: Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

The easiest way to download and run the MSRT is to turn on Automatic Updates. Turning on Automatic Updates guarantees that you receive the tool automatically. If you have Automatic Updates turned on, you have already been receiving new versions of this tool. The tool runs in Quiet mode unless it finds an infection. If you have not been notified of an infection, no malicious software has been found that requires your attention.

Enabling automatic updates

To turn on Automatic Updates yourself, follow the steps in the following table for the operating system that your computer is running.

If your computer is running:

Follow these steps:

Windows 10

  1. Select the Start  button, then select Settings  > Update & security  > Windows Update . If you want to check for updates manually, select Check for updates.

  2. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Note Windows 10 is a service. This means that automatic updates are turned on by default and your PC always has the latest and best features.

Windows 8.1

  1. Open Windows Update by swiping in from the right edge of the screen (or, if you're using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), select Settings  > Change PC settings > Update and recovery > Windows Update. If you want to check for updates manually, select Check now.

  2. Select Choose how updates get installed, and then under Important updates, select Install updates automatically (recommended).

  3. Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box.

  4. Under Microsoft Update, select the Give me updates for other Microsoft products when I update Windows check box, and then select Apply.

Windows 7

  1. Click StartWin 7 start icon, point to All Programs, and then click Windows Update.

  2. In the left pane, click Change settings.

  3. Click to select Install updates automatically (recommended).

  4. Under Recommended updates, click to select the Give me recommended updates the same way I receive important updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.

Download the MSRT. You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.

Note After you accept the one-time license terms, you can receive future versions of the MSRT without being logged on to the computer as an administrator.

The MSRT runs in Quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon appears in the notification area to make you aware of the detection.

Performing a full scan

If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.

Removing malicious files

If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.

You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.

The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software. To complete the removal, you should use an up-to-date antivirus product.

Reporting infection information to Microsoft The MSRT sends basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.

The MSRT does not use an installer. Typically, when you run the MSRT, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.

How to receive support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Help installing updates: Support for Microsoft Update

Local support according to your country: International Support.

Microsoft Download Center

Note: Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

You can manually download the MSRT from the Microsoft Download Center. The following files are available for download from the Microsoft Download Center:

For 32-bit x86-based systems:

Download icon Download the x86 MSRT package now.

For 64-bit x64-based systems:

Download icon Download the x64 MSRT package now.

Release Date: March 9, 2021. 

For more information about how to download Microsoft support files, see How to obtain Microsoft support files from online services.

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Deploying the MSRT in an enterprise environment

If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (MSUS), and Microsoft Baseline Security Analyzer (MBSA).

Except where noted, the information in this section applies to all the ways that you can download and run the MSRT:

  • Microsoft Update

  • Windows Update

  • Automatic Updates

  • The Microsoft Download Center

  • The MSRT website on Microsoft.com

To run the MSRT, the following conditions are required:

  • The computer must be running a supported version of Windows.

  • You must log on to the computer by using an account that is a member of the Administrators group. If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.

  • If the tool is more than 215 days (7 months) out of date, the tool displays a dialog box that recommends that you download the latest version of the tool.

Support for command-line switches

The MSRT supports the following command line switches.

Switch

Purpose

/Q or /quiet

Uses quiet mode. This option suppresses the user interface of the tool.

/?

Displays a dialog box that lists the command-line switches.

/N

Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed.

/F

Forces an extended scan of the computer.

/F:Y

Forces an extended scan of the computer and automatically cleans any infections that are found.

Usage and release information

When you download the tool from Microsoft Update or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode next time. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. For more information about the detection, click the balloon.

When you download the tool from the Microsoft Download Center, the tool displays a user interface when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.

Release information

The MSRT is released on the second Tuesday on a quarterly cadence (February/May/August/November). Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.

This Microsoft Knowledge Base article will be updated with information for each release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the February 2020 version is Windows-KB890830-V5.80.exe, and the file name of the May 2020 version is Windows-KB890830-V5.82-ENU.exe.

The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.

Malicious software family

Tool version date and number

Solorigate

February 2021 (V 5.86)

AnchorBot

January 2021 (V 5.85)

AnchorDNS

January 2021 (V 5.85)

AnchorLoader

January 2021 (V 5.85)

BazaarLoader

January 2021 (V 5.85)

BazaLoder

January 2021 (V 5.85)

Bazar

January 2021 (V 5.85)

BazarBackdoor

January 2021 (V 5.85)

Bazarcrypt

January 2021 (V 5.85)

BazarLdr

January 2021 (V 5.85)

BazarldrCrypt

January 2021 (V 5.85)

Bazzarldr

January 2021 (V 5.85)

Rotaderp

January 2021 (V 5.85)

Rotocrypt

January 2021 (V 5.85)

TrickBotCrypt

January 2021 (V 5.85)

Vatet

January 2021 (V 5.85)

Zload

January 2021 (V 5.85)

ZLoader

January 2021 (V 5.85)

ZloaderCrypt

January 2021 (V 5.85)

ZloaderTeams

January 2021 (V 5.85)

ZloaderVbs

January 2021 (V 5.85)

Trojan.Win32/Ammyrat

September 2020 (V 5.83)

Cipduk

September 2020 (V 5.83)

Badaxis

September 2020 (V 5.83)

Basicape

September 2020 (V 5.83)

Mackler

September 2020 (V 5.83)

Strilix

September 2020 (V 5.83)

FlawedAmmyy

March 2020 (5.81)

Littlemetp

March 2020 (5.81)

Vatet

January 2020 (5.79)

Trilark

January 2020 (5.79)

Dopplepaymer

January 2020 (5.79)

Trickbot

October 2019 (5.76)

ShadowHammer

May 2019 (5.72)

Kryptomix

April 2019 (5.71)

Win32/GraceWire

March 2019 (5.70)

Win32/ChChes

December 2018 (5.67)

Win32/RedLeaves

December 2018 (5.67)

Win32/RedPlug

December 2018 (5.67)

Win32/RazerPitch

December 2018 (5.67)

Win32/UpperCider

December 2018 (5.67)

PowerShell/Wemaeye

October 2018 (5.65)

PowerShell/Wanascan.A

October 2018 (5.65)

PowerShell/Wannamine

October 2018 (5.65)

PowerShell/Lonit

October 2018 (5.65)

Win32/Plutruption!ARXep

June 2018 (5.61)

Win32/Plutruption!ARXbxep

June 2018 (5.61)

Win32/Adposhel

May 2018 (5.60)

Win32/CoinMiner

May 2018 (5.60)

PowerShell/Xurito

May 2018 (5.60)

Win32/Modimer

April 2018 (5.59)

Win64/Detrahere

March 2018 (5.58)

Win32/Detrahere

March 2018 (5.58)

Win32/Floxif

December 2017 (5.55)

Win32/SilverMob

December 2017 (5.55)

Win32/PhantomStar

December 2017 (5.55)

Win32/Autophyte

December 2017 (5.55)

Win32/FoggyBrass

December 2017 (5.55)

MSIL/DarkNeuron

December 2017 (5.55)

Win32/TangentCobra

December 2017 (5.55)

Win32/Wingbird

November 2017 (5.54)

Win32/ShadowPad

October 2017 (5.53)

Win32/Xeelyak

October 2017 (5.53)

Win32/Xiazai

June 2017 (5.49)

Win32/WannaCrypt

May 2017 (5.48)

Win32/Chuckenit

February 2017 (5.45)

Win32/Clodaconas

December 2016 (5.43)

Win32/Soctuseer

November 2016 (5.42)

Win32/Barlaiy

November 2016 (5.42)

Win32/Sasquor

October 2016 (5.41)

Win32/SupTab

October 2016 (5.41)

Win32/Ghokswa

October 2016 (5.41)

Win32/Xadupi

September 2016 (5.40)

Win32/Suweezy

September 2016 (5.40)

Win32/Prifou

September 2016 (5.40)

Win32/NightClick

September 2016 (5.40)

Win32/Rovnix

August 2016 (5.39)

Win32/Neobar

August 2016 (5.39)

Win32/Cerber

July 2016 (5.38)

Win32/Ursnif

June 2016 (5.37)

Win32/Locky

May 2016 (5.36)

Win32/Kovter

May 2016 (5.36)

Win32/Samas

April 2016 (5.35)

Win32/Bedep

April 2016 (5.35)

Win32/Upatre

April 2016 (5.35)

Win32/Vonteera

March 2016 (5.34)

Win32/Fynloski

March 2016 (5.34)

Win32/Winsec

December 2015 (5.31)

Win32/Drixed

October 2015 (5.29)

Win32/Brambul

October 2015 (5.29)

Win32/Escad

October 2015 (5.29)

Win32/Joanap

October 2015 (5.29)

Win32/Diplugem

October 2015 (5.29)

Win32/Blakamba

October 2015 (5.29)

Win32/Tescrypt

October 2015 (5.29)

Win32/Teerac

September 2015 (5.28)

Win32/Kasidet

August 2015 (5.27)

Win32/Critroni

August 2015 (5.27)

Win32/Vawtrak

August 2015 (5.27)

Win32/Crowti

July 2015 (5.26)

Win32/Reveton

July 2015 (5.26)

Win32/Enterak

July 2015 (5.26)

Win32/Bagopos

June 2015 (5.25)

Win32/BrobanDel

June 2015 (5.25)

Win32/OnlineGames

June 2015 (5.25)

Win32/Gatak

June 2015 (5.25)

Win32/IeEnablerCby

April 2015 (5.23)

Win32/Dexter

April 2015 (5.23)

Win32/Unskal

April 2015 (5.23)

Win32/Saluchtra

April 2015 (5.23)

Win32/CompromisedCert

March 2015 (5.22)

Win32/Alinaos

March 2015 (5.22)

Win32/NukeSped

February 2015 (5.21)

Win32/Jinupd

February 2015 (5.21)

Win32/Escad

February 2015 (5.21)

Win32/Dyzap

January 2015 (5.20)

Win32/Emotet

January 2015 (5.20)

Win32/Zoxpng

November 2014 (5.18)

Win32/Winnti

November 2014 (5.18)

Win32/Tofsee

November 2014 (5.18)

Win32/Derusbi

October 2014 (5.17)

Win32/Sensode

October 2014 (5.17)

Win32/Plugx

October 2014 (5.17)

Win32/Moudoor

October 2014 (5.17)

Win32/Mdmbot

October 2014 (5.17)

Win32/Hikiti

October 2014 (5.17)

Win32/Zemot

September 2014 (5.16)

Win32/Lecpetex

August 2014 (5.15)

Win32/Bepush

July 2014 (5.14)

Win32/Caphaw

July 2014 (5.14)

Win32/Necurs

June 2014 (5.13)

Win32/Filcout

May 2014 (5.12)

Win32/Miuref

May 2014 (5.12)

Win32/Kilim

April 2014 (5.11)

Win32/Ramdo

April 2014 (5.11)

MSIL/Spacekito

March 2014 (5.10)

Win32/Wysotot

March 2014 (5.10)

VBS/Jenxcus

February 2014 (5.9)

MSIL/Bladabindi

January 2014 (5.8)

Win32/Rotbrow

December 2013 (5.7)

Win32/Napolar

November 2013 (5.6)

Win32/Deminnix

November 2013 (5.6)

Win32/Foidan

October 2013 (5.5)

Win32/Shiotob

October 2013 (5.5)

Win32/Simda

September 2013 (5.4)

Win32/Tupym

June 2013 (4.21)

Win32/Kexqoud

May 2013 (4.20)

Win32/Vicenor

May 2013 (4.20)

Win32/fakedef

May 2013 (4.20)

Win32/Vesenlosow

April 2013 (4.19)

Win32/Redyms

April 2013 (4.19)

Win32/Babonock

April 2013 (4.19)

Win32/Wecykler

March 2013 (4.18)

Win32/Sirefef

February 2013 (4.17)

Win32/Lefgroo

January 2013 (4.16)

Win32/Ganelp

January 2013 (4.16)

Win32/Phdet

December 2012 (4.15)

Win32/Phorpiex

November 2012 (4.14)

Win32/Weelsof

November 2012 (4.14)

Win32/Folstart

November 2012 (4.14)

Win32/OneScan

October 2012 (4.13)

Win32/Nitol

October 2012 (4.13)

Win32/Medfos

September 2012 (4.12)

Win32/Matsnu

August 2012 (4.11)

Win32/Bafruz

August 2012 (4.11)

Win32/Kuluoz

June 2012 (4.9)

Win32/Cleaman

June 2012 (4.9)

Win32/Dishigy

May 2012 (4.8)

Win32/Unruy

May 2012 (4.8)

Win32/Gamarue

April 2012 (4.7)

Win32/Bocinex

April 2012 (4.7)

Win32/Claretore

April 2012 (4.7)

Win32/Pluzoks.A

March 2012 (4.6)

Win32/Yeltminky

March 2012 (4.6)

Win32/Hioles

March 2012 (4.6)

Win32/Dorkbot

March 2012 (4.6)

Win32/Fareit

February 2012 (4.5)

Win32/Pramro

February 2012 (4.5)

Win32/Sefnit

January 2012 (4.4)

Win32/Helompy

December 2011 (4.3)

Win32/Cridex

November 2011 (4.2)

Win32/Carberp

November 2011 (4.2)

Win32/Dofoil

November 2011 (4.2)

Win32/Poison

October 2011 (4.1)

Win32/EyeStye

October 2011 (4.1)

Win32/Kelihos

September 2011 (4.0)

Win32/Bamital

September 2011 (4.0)

Win32/Hiloti

August 2011 (3.22)

Win32/FakeSysdef

August 2011 (3.22)

Win32/Dursg

July 2011 (3.21)

Win32/Tracur

July 2011 (3.21)

Win32/Nuqel

June 2011 (3.20)

Win32/Yimfoca

June 2011 (3.20)

Win32/Rorpian

June 2011 (3.20)

Win32/Ramnit

May 2011 (3.19)

Win32/Afcore

April 2011 (3.18)

Win32/Renocide

March 2011 (3.17)

Win32/Cycbot

February 2011 (3.16)

Win32/Lethic

January 2011 (3.15)

Win32/Qakbot

December 2010 (3.14)

Virus:Win32/Sality.AT

November 2010 (3.13)

Worm:Win32/Sality.AT

November 2010 (3.13)

Win32/FakePAV

November 2010 (3.13)

Win32/Zbot

October 2010 (3.12)

Win32/Vobfus

September 2010 (3.11)

Win32/FakeCog

September 2010 (3.11)

Trojan:WinNT/Sality

August 2010 (3.10)

Virus:Win32/Sality.AU

August 2010 (3.10)

Worm:Win32/Sality.AU

August 2010 (3.10)

Worm:Win32/Vobfus!dll

August 2010 (3.10)

Worm:Win32/Vobfus.gen!C

August 2010 (3.10)

Worm:Win32/Vobfus.gen!B

August 2010 (3.10)

Worm:Win32/Vobfus.gen!A

August 2010 (3.10)

Win32/CplLnk

August 2010 (3.10)

Win32/Stuxnet

August 2010 (3.10)

Win32/Bubnix

July 2010 (3.9)

Win32/FakeInit

June 2010 (3.8)

Win32/Oficla

May 2010 (3.7)

Win32/Magania

April 2010 (3.6)

Win32/Helpud

March 2010 (3.5)

Win32/Pushbot

February 2010 (3.4)

Win32/Rimecud

January 2010 (3.3)

Win32/Hamweq

December 2009 (3.2)

Win32/PrivacyCenter

November 2009 (3.1)

Win32/FakeVimes

November 2009 (3.1)

Win32/FakeScanti

October 2009 (3.0)

Win32/Daurso

September 2009 (2.14)

Win32/Bredolab

September 2009 (2.14)

Win32/FakeRean

August 2009 (2.13)

Win32/FakeSpypro

July 2009 (2.12)

Win32/InternetAntivirus

June 2009 (2.11)

Win32/Winwebsec

May 2009 (2.10)

Win32/Waledac

April 2009 (2.9)

Win32/Koobface

March 2009 (2.8)

Win32/Srizbi

February 2009 (2.7 )

Win32/Conficker

January 2009 (2.6)

Win32/Banload

January 2009 (2.6)

Win32/Yektel

December 2008 (2.5)

Win32/FakeXPA

December 2008 (2.5)

Win32/Gimmiv

November 2008 (2.4)

Win32/FakeSecSen

November 2008 (2.4 )

Win32/Rustock

October 2008 (2.3)

Win32/Slenfbot

September 2008 (2.2)

Win32/Matcash

August 2008 (2.1)

Win32/Horst

July 2008 (2.0)

Win32/Lolyda

June 2008 (1.42)

Win32/Ceekat

June 2008 (1.42)

Win32/Zuten

June 2008 (1.42)

Win32/Tilcun

June 2008 (1.42)

Win32/Storark

June 2008 (1.42)

Win32/Taterf

June 2008 (1.42)

Win32/Frethog

June 2008 (1.42)

Win32/Corripio

June 2008 (1.42)

Win32/Captiya

May 2008 (1.41)

Win32/Oderoor

May 2008 (1.41)

Win32/Newacc

March 2008 (1.39)

Win32/Vundo

March 2008 (1.39)

Win32/Virtumonde

March 2008 (1.39)

Win32/Ldpinch

February 2008 (1.38)

Win32/Cutwail

January 2008 (1.37)

Win32/Fotomoto

December 2007 (1.36)

Win32/ConHook

November 2007 (1.35)

Win32/RJump

October 2007 (1.34)

Win32/Nuwar

September 2007 (1.33)

Win32/Zonebac

August 2007 (1.32)

Win32/Virut.B

August 2007 (1.32)

Win32/Virut.A

August 2007 (1.32)

Win32/Busky

July 2007 (1.31)

Win32/Allaple

June 2007 (1.30)

Win32/Renos

May 2007 (1.29)

Win32/Funner

April 2007 (1.28)

Win32/Alureon

March 2007 (1.27)

Win32/Mitglieder

February 2007 (1.25)

Win32/Stration

February 2007 (1.25)

WinNT/Haxdoor

January 2007 (1.24)

Win32/Haxdoor

January 2007 (1.24)

Win32/Beenut

December 2006 (1.23)

Win32/Brontok

November 2006 (1.22)

Win32/Tibs

October 2006 (1.21)

Win32/Passalert

October 2006 (1.21)

Win32/Harnig

October 2006 (1.21)

Win32/Sinowal

September 2006 (1.20)

Win32/Bancos

September 2006 (1.20)

Win32/Jeefo

August 2006 (1.19)

Win32/Banker

August 2006 (1.19)

Win32/Nsag

July 2006 (1.18)

Win32/Hupigon

July 2006 (1.18)

Win32/Chir

July 2006 (1.18)

Win32/Alemod

July 2006 (1.18)

Win32/Fizzer

June 2006 (1.17)

Win32/Cissi

June 2006 (1.17)

Win32/Plexus

May 2006 (1.16)

Win32/Ganda

May 2006 (1.16)

Win32/Evaman

May 2006 (1.16)

Win32/Valla

April 2006 (1.15)

Win32/Reatle

April 2006 (1.15)

Win32/Locksky

April 2006 (1.15)

Win32/Zlob

March 2006 (1.14)

Win32/Torvil

March 2006 (1.14)

Win32/Atak

March 2006 (1.14)

Win32/Magistr

February 2006 (1.13)

Win32/Eyeveg

February 2006 (1.13)

Win32/Badtrans

February 2006 (1.13)

Win32/Alcan

February 2006 (1.13)

Win32/Parite

January 2006 (1.12)

Win32/Maslan

January 2006 (1.12)

Win32/Bofra

January 2006 (1.12)

WinNT/F4IRootkit

December 2005 (1.11)

Win32/Ryknos

December 2005 (1.11)

Win32/IRCBot

December 2005 (1.11)

Win32/Swen

November 2005 (1.10)

Win32/Opaserv

November 2005 (1.10)

Win32/Mabutu

November 2005 (1.10)

Win32/Codbot

November 2005 (1.10)

Win32/Bugbear

November 2005 (1.10)

Win32/Wukill

October 2005 (1.9)

Win32/Mywife

October 2005 (1.9)

Win32/Gibe

October 2005 (1.9)

Win32/Antinny

October 2005 (1.9)

Win32/Zotob

September 2005 (1.8)

Win32/Yaha

September 2005 (1.8)

Win32/Gael

September 2005 (1.8)

Win32/Esbot

September 2005 (1.8)

Win32/Bobax

September 2005 (1.8)

Win32/Rbot.MC

August 2005 A (1.7.1)

Win32/Rbot.MB

August 2005 A (1.7.1)

Win32/Rbot.MA

August 2005 A (1.7.1)

Win32/Esbot.A

August 2005 A (1.7.1)

Win32/Bobax.O

August 2005 A (1.7.1)

Win32/Zotob.E

August 2005 A (1.7.1)

Win32/Zotob.D

August 2005 A (1.7.1)

Win32/Zotob.C

August 2005 A (1.7.1)

Win32/Zotob.B

August 2005 A (1.7.1)

Win32/Zotob.A

August 2005 A (1.7.1)

Win32/Spyboter

August 2005 (1.7)

Win32/Dumaru

August 2005 (1.7)

Win32/Bagz

August 2005 (1.7)

Win32/Wootbot

July 2005 (1.6)

Win32/Purstiu

July 2005 (1.6)

Win32/Optixpro

July 2005 (1.6)

Win32/Optix

July 2005 (1.6)

Win32/Hacty

July 2005 (1.6)

Win32/Spybot

June 2005 (1.5)

Win32/Mytob

June 2005 (1.5)

Win32/Lovgate

June 2005 (1.5)

Win32/Kelvir

June 2005 (1.5)

WinNT/FURootkit

May 2005 (1.4)

WinNT/Ispro

May 2005 (1.4)

Win32/Sdbot

May 2005 (1.4)

Win32/Rbot

April 2005 (1.3)

Win32/Mimail

April 2005 (1.3)

Win32/Hackdef**

April 2005 (1.3)

Win32/Sobig

March 2005 (1.2)

Win32/Sober

March 2005 (1.2)

Win32/Goweh

March 2005 (1.2)

Win32/Bropia

March 2005 (1.2)

Win32/Bagle

March 2005 (1.2)

Win32/Zafi

February 2005 (1.1)

Win32/Randex

February 2005 (1.1)

Win32/Netsky

February 2005 (1.1)

Win32/Korgo

February 2005 (1.1)

Win32/Zindos

January 2005 (1.0)

Win32/Sasser

January 2005 (1.0)

Win32/Nachi

January 2005 (1.0)

Win32/Mydoom

January 2005 (1.0)

Win32/MSBlast

January 2005 (1.0)

Win32/Gaobot

January 2005 (1.0)

Win32/Doomjuice

January 2005 (1.0)

Win32/Berbew

January 2005 (1.0)

We maximize customer protection by regularly reviewing and prioritizing our signatures. We add or remove detections as the threat landscape evolves.

Note: It is recommended to have an up to date next-gen antimalware product installed for continuous protection.

Reporting component

The MSRT sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:

  • The name of the malicious software that is detected

  • The result of malicious software removal

  • The operating system version

  • The operating system locale

  • The processor architecture

  • The version number of the tool

  • An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the website

  • An anonymous GUID

  • A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:

  • The files that are suspected to be malicious software. The tool will identify the files for you.

  • A cryptographic one-way hash (MD5) of any suspicious files that are detected.

You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

Possible scanning results

After the tool runs, there are four main results that the removal tool can report to the user:

  • No infection was found.

  • At least one infection was found and was removed.

  • An infection was found but was not removed.

    Note This result is displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.

  • An infection was found and was partially removed.

    Note To complete this removal, you should use an up-to-date antivirus product.

Frequently asked questions about the MSRT

A1: Yes.

A3: Yes. Per the terms of this tool's license terms, the tool can be redistributed. However, make sure that you are redistributing the latest version of the tool.

A4: If you are a Windows 7 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality to test whether you are using the latest version of the tool. If you have chosen not to use Microsoft Update, and you are a Windows 7 user, use Windows Update. Or, use the Windows Update Automatic Updates functionality to test whether you are using the latest version of the tool. Additionally, you can visit the Microsoft Download Center. Also, if the tool is more than 60 days out of date, the tool reminds you to look for a new version of the tool.

A5: No. The Microsoft Knowledge Base article number for the tool will remain as 890830 for future versions of the tool. The file name of the tool when it is downloaded from the Microsoft Download Center will change with each release to reflect the month and the year when that version of the tool was released.

A6: Currently, no. Malicious software that is targeted in the tool is based on metrics that track the prevalence and damage of malicious software.

A7: Yes. By checking a registry key, you can determine whether the tool has been run on a computer and which version was the latest version that was used. For more information, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

A8: Several scenarios may prevent you from seeing the tool on Microsoft Update, Windows Update, or Automatic Updates:

  • If you have already run the current version of the tool from Windows Update, Microsoft Update, Automatic Updates, or from either of the other two release mechanisms, it will not be reoffered on Windows Update or Automatic Updates.

  • For Automatic Updates, the first time that you run the tool, you must be logged on as a member of the Administrators group to accept the license terms.

A9: The tool is offered to all supported Windows and Windows Server versions that are listed in the "Summary" section if the following conditions are true:

  • The users are running the latest version of Windows Update or Windows Update Automatic Updates.

  • The users have not already run the current version of the tool.

A11: Yes. Even if there are no new security bulletins for a particular month, the Malicious Software Removal Tool will be rereleased with detection and removal support for the latest prevalent malicious software.

A12: When you are first offered the Malicious Software Removal Tool from Microsoft Update, Windows Update, or Automatic Updates, you can decline downloading and running the tool by declining the license terms. This action can apply to only the current version of the tool or to both the current version of the tool and any future versions, depending on the options that you choose. If you have already accepted the license terms and prefer not to install the tool through Windows Update, clear the checkbox that corresponds to the tool in the Windows Update UI.

A14: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.

A15: No. Unlike most previous cleaner tools that were produced by Microsoft, the MSRT has no security update prerequisites. However, we strongly recommend that you install all critical updates before you use the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.

A16: For information about how to deploy this tool, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

A17: No.

A18: Yes. You can use the microsoft.public.security.virus newsgroup.

A19: In some cases, when specific viruses are found on a system, the cleaner tool tries to repair infected Windows system files. Although this action removes the malicious software from these files, it may also trigger the Windows File Protection feature. If you see the Windows File Protection window, we strongly recommend that you follow the directions and insert your Microsoft Windows CD. This will restore the cleaned files to their original, pre-infection state.

A20: Yes, the tool is available in 24 languages.

A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.

A22: Yes. If you have run the MSRT before you start the computer to Safe mode, you can access MSRT at %windir%\system32\mrt.exe. Double-click the Mrt.exe file to run the MSRT, and then follow the on-screen instructions.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×