Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)

Summary

The Windows Malicious Software Removal Tool (MSRT) helps remove malicious software from computers that are running any of the following operating systems:

• Windows 10
• Windows Server 2019
• Windows Server 2016
• Windows 8.1
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Windows 7
• Windows Server 2008
  Microsoft generally releases the MSRT on a monthly cadence as part of Windows Update or as a standalone tool. (For exceptions, see Skipped releases.) Use this tool to find and remove specific prevalent threats and reverse the changes that they made (see Covered malware families). For comprehensive malware detection and removal, consider using Windows Defender Offline or Microsoft Safety Scanner.

This article contains information about how the tool differs from an antivirus or antimalware product, how you can download and run the tool, what occurs when the tool finds malware, and tool release information. It also includes information for administrators and advanced users, including information about supported command-line switches.

Notes:

• In compliance with the Microsoft Support Lifecycle policy, the MSRT is no longer supported on Windows Vista or earlier platforms. For more information, go to Microsoft Support Lifecycle.
• If you are having problems in regards to an MSRT update within Windows Update, see Troubleshooting problems updating Windows 10.

More information

__

How the MSRT differs from an antivirus product

The MSRT does not replace an antivirus product. It is strictly a post-infection removal tool. Therefore, we strongly recommend that you install and use an up-to-date antivirus product.

The MSRT differs from an antivirus product in three important ways:

• The tool removes malicious software from an already-infected computer. Antivirus products block malicious software from running on a computer. It is significantly more desirable to block malicious software from running on a computer than to remove it after infection.
• The tool removes only specific prevalent malicious software. Specific prevalent malicious software is a small subset of all the malicious software that exists today.
• The tool focuses on the detection and removal of active malicious software. Active malicious software is malicious software that is currently running on the computer. The tool cannot remove malicious software that is not running. However, an antivirus product can perform this task.
  For more information about how to protect your computer, go to the Microsoft Safety & Security Center website.

Note The MSRT focuses on the detection and removal of malicious software such as viruses, worms, and Trojan horses only. It does not remove spyware.You do not have to disable or remove your antivirus program when you install the MSRT. However, if prevalent, malicious software has infected your computer, the antivirus program may detect this malicious software and may prevent the removal tool from removing it when the removal tool runs. In this case, you can use your antivirus program to remove the malicious software.

Because the MSRT does not contain a virus or a worm, the removal tool alone should not trigger your antivirus program. However, if malicious software infected the computer before you installed an up-to-date antivirus program, your antivirus program may not detect this malicious software until the tool tries to remove it.

__

How to download and run the MSRT

**Note:**Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

The easiest way to download and run the MSRT is to turn on Automatic Updates. Turning on Automatic Updates guarantees that you receive the tool automatically. If you have Automatic Updates turned on, you have already been receiving new versions of this tool. The tool runs in Quiet mode unless it finds an infection. If you have not been notified of an infection, no malicious software has been found that requires your attention.

Enabling automatic updates

To turn on Automatic Updates yourself, follow the steps in the following table for the operating system that your computer is running.If your computer is running:	Follow these steps:
Windows 10

1. Select the Start button, then select Settings >Update & security > Windows Update. If you want to check for updates manually, select Check for updates. 2. SelectAdvanced options, and then underChoose how updates are installed, selectAutomatic (recommended).Note Windows 10 is a service. This means that automatic updates are turned on by default and your PC always has the latest and best features.
   Windows 8.1|

2. Open Windows Update by swiping in from the right edge of the screen (or, if you’re using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), select Settings >Change PC settings>Update and recovery>Windows Update. If you want to check for updates manually, selectCheck now.

3. Select Choose how updates get installed, and then underImportant updates, selectInstall updates automatically (recommended).

4. Under Recommended updates, select theGive me recommended updates the same way I receive important updates check box.

5. Under Microsoft Update, select theGive me updates for other Microsoft products when I update Windowscheck box, and then selectApply.
   Windows 7|

6. Click Start , point toAll Programs, and then clickWindows Update.

7. In the left pane, click Change settings.

8. Click to select Install updates automatically (recommended).

9. Under Recommended updates, click to select theGive me recommended updates the same way I receive important updatescheck box, and then clickOK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.
   Download the MSRT. You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.Note After you accept the one-time license terms, you can receive future versions of the MSRT without being logged on to the computer as an administrator.

__

When the MSRT detects malicious software

The MSRT runs in Quiet mode. If it detects malicious software on your computer, the next time that you log on to your computer as a computer administrator, a balloon appears in the notification area to make you aware of the detection.

Performing a full scan

If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.

Removing malicious files

If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.

You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.

The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software. To complete the removal, you should use an up-to-date antivirus product.Reporting infection information to Microsoft The MSRT sends basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.

__

How to remove the MSRT

The MSRT does not use an installer. Typically, when you run the MSRT, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.

How to receive support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security CenterHelp installing updates: Support for Microsoft UpdateLocal support according to your country: International Support.

Microsoft Download Center

**Note:**Starting November 2019, MSRT has been SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

You can manually download the MSRT from the Microsoft Download Center. The following files are available for download:

For 32-bit x86-based systems:Download the x86 MSRT package now.For 64-bit x64-based systems:Download the x64 MSRT package now.Release Date: April 9, 2024.For more information about how to download Microsoft support files, see How to obtain Microsoft support files from online services.Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Deploying the MSRT in an enterprise environment

If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (MSUS), and Microsoft Baseline Security Analyzer (MBSA).Except where noted, the information in this section applies to all the ways that you can download and run the MSRT:

• Microsoft Update
• Windows Update
• Automatic Updates
• The Microsoft Download Center
• The MSRT website on Microsoft.com
  To run the MSRT, the following conditions are required:
• The computer must be running a supported version of Windows.
• You must log on to the computer by using an account that is a member of the Administrators group. If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.
• If the tool is more than 215 days (7 months) out of date, the tool displays a dialog box that recommends that you download the latest version of the tool.

Support for command-line switches

The MSRT supports the following command line switches.Switch	Purpose
/Q or /quiet	Uses quiet mode. This option suppresses the user interface of the tool.
/?	Displays a dialog box that lists the command-line switches.
/N	Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed.
/F	Forces an extended scan of the computer.
/F:Y	Forces an extended scan of the computer and automatically cleans any infections that are found.

Usage and release information

When you download the tool from Microsoft Update or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode next time. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. For more information about the detection, click the balloon.

When you download the tool from the Microsoft Download Center, the tool displays a user interface when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.

Release information

The MSRT is generally released on the second Tuesday of each month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.

This Microsoft Knowledge Base article will be updated with information for each release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the February 2020 version is Windows-KB890830-V5.80.exe, and the file name of the May 2020 version is Windows-KB890830-V5.82-ENU.exe.

The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.

__

Covered malware families

Malicious software family	Tool version date and number
Trojan:Win64/ZLoaderE.A	April 2024 (v 5.123)
Plephij	April 2024 (v 5.123)
Pikabot	March 2024 (v 5.122)
Wireload	March 2024 (v 5.122)
FineCrash	March 2024 (v 5.122)
AgeDown	February 2024 (v 5.121)
PowStart	February 2024 (v 5.121)
Wabot	February 2024 (v 5.121)
ClipBanker	February 2024 (v 5.121)
ZorRoar	January 2024 (v 5.120)
ZorSaw	January 2024 (v 5.120)
ZorKey	January 2024 (v 5.120)
ZorHeard	January 2024 (v 5.120)
ZorCook	January 2024 (v 5.120)
DarkGate	January 2024 (v 5.120)
DarkGateLoader	January 2024 (v 5.120)
Trojan:Win32/ForestTiger.A!dha	January 2024 (v 5.120)
Trojan:Win32/ForestTiger.B!dha	January 2024 (v 5.120)
DeliveryCheck	November 2023 (v 5.119)
Telebot	October 2023 (v 5.118)
ShinnyShield	September 2023 (v 5.117)
TrojanDownloader:Win32/BulbSoup.A!dha	May 2023 (v 5.113)
Snake	May 2023 (v 5.113)
SamScissors	May 2023 (v 5.113)
Trojan:Win32/SystemBC.D!MTB	April 2023 (v 5.112)
Trojan:Win32/Bumblebee	April 2023 (v 5.112)
Trojan:Win64/Blister.A	March 2023 (v 5.111)
Trojan:Win32/IcedId!MSR	March 2023 (v 5.111)
Backdoor:Win64/Vankul.ZA	March 2023 (v 5.111)
Backdoor:MSIL/DCRat!MTB	March 2023 (v 5.111)
Backdoor:Win32/RewriteHttp.A	November 2022 (v 5.107)
Backdoor:APS/Webshell.Y	November 2022 (v 5.107)
Backdoor:JS/SimChocexShell.A!dha	November 2022 (v 5.107)
Trojan:Win32/Dopdekaf.A	September 2022 (v 5.105)
SiennaPurple	September 2022 (v 5.105)
SiennaBlue	September 2022 (v 5.105)
Cryptpu	July 2022 (v 5.103)
CreepyBox	July 2022 (v 5.103)
CreepyRing	July 2022 (v 5.103)
BassBreaker	July 2022 (v 5.103)
Pterodo	May 2022 (v 5.101)
Decimec	April 2022 (v 5.100)
SonicVote	April 2022 (v 5.100)
FoxBlade	April 2022 (v 5.100)
DesertBlade	April 2022 (v 5.100)
WhisperGate	April 2022 (v 5.100)
LasainWpr	April 2022 (v 5.100)
DynamicOverload	April 2022 (v 5.100)
Misplice	April 2022 (v 5.100)
Dizzyvoid	April 2022 (v 5.100)
Win32/DinoTrain	March 2022 (V5.99)
Trojan:MSIL/QuietSieve	March 2022 (V5.99)
Win32/DilongTrash	March 2022 (V5.99)
Win32/PterodoGen	March 2022 (V5.99)
VBS/ObfuMerry	March 2022 (V5.99)
TrojanDropper:Win32/SiBrov.A.	February 2022 (V 5.98)
Caspetlod	July 2021 (V 5.91)
CobaltStrike	July 2021 (V 5.91)
CobaltStrikeLoader	July 2021 (V 5.91)
TurtleLoader	July 2021 (V 5.91)
TurtleSimple	July 2021 (V 5.91)
Kwampirs	April 2021 (V 5.88)
SiBot	April 2021 (V 5.88)
GoldMax	April 2021 (V 5.88)
GoldFinder	April 2021 (V 5.88)
Exmann	April 2021 (V 5.88)
Chopper	April 2021 (V 5.88)
DoejoCrypt	April 2021 (V 5.88)
SecChecker	April 2021 (V 5.88)
Trojan:Win32/CalypsoDropper.A!ibt	April 2021 (V 5.88)
Trojan:Win32/ShadowPad.A!ibt	April 2021 (V 5.88)
Webshell	April 2021 (V 5.88)
TwoFaceVar	April 2021 (V 5.88)
Exploit:Script/SSNewman.A!dha	April 2021 (V 5.88)
Exploit:Script/SSNewman.C!dha	April 2021 (V 5.88)
CVE-2021-27065	April 2021 (V 5.88)
CVE-2021-26855	April 2021 (V 5.88)
CVE-2021-16855	April 2021 (V 5.88)
Trojan:Win32/IISExchgSpawnCMD.A	April 2021 (V 5.88)
Trojan:Win32/CobaltLoader.A	April 2021 (V 5.88)
Trojan:BAT/CobaltLauncher.A	April 2021 (V 5.88)
CoinMiner	April 2021 (V 5.88)
Trojan:PowerShell/PoshExecEnc.A	April 2021 (V 5.88)
MinerDom	April 2021 (V 5.88)
Dumroc	April 2021 (V 5.88)
Chopdrop	April 2021 (V 5.88)
Jscript.EvalASPNET	April 2021 (V 5.88)
Backdoor:Win32/Toksor.A	April 2021 (V 5.88)
Timestomp	April 2021 (V 5.88)
Ggey	April 2021 (V 5.88)
Trojan:Win64/Shamian.A!dha	April 2021 (V 5.88)
Trojan:Win32/Shellcloader.A	April 2021 (V 5.88)
VirTool:Win32/Positu.A	April 2021 (V 5.88)
HackTool:PowerShell/LoadHandler.A	April 2021 (V 5.88)
Solorigate	February 2021 (V 5.86)
AnchorBot	January 2021 (V 5.85)
AnchorDNS	January 2021 (V 5.85)
AnchorLoader	January 2021 (V 5.85)
BazaarLoader	January 2021 (V 5.85)
BazaLoder	January 2021 (V 5.85)
Bazar	January 2021 (V 5.85)
BazarBackdoor	January 2021 (V 5.85)
Bazarcrypt	January 2021 (V 5.85)
BazarLdr	January 2021 (V 5.85)
BazarldrCrypt	January 2021 (V 5.85)
Bazzarldr	January 2021 (V 5.85)
Rotaderp	January 2021 (V 5.85)
Rotocrypt	January 2021 (V 5.85)
TrickBotCrypt	January 2021 (V 5.85)
Vatet	January 2021 (V 5.85)
Zload	January 2021 (V 5.85)
ZLoader	January 2021 (V 5.85)
ZloaderCrypt	January 2021 (V 5.85)
ZloaderTeams	January 2021 (V 5.85)
ZloaderVbs	January 2021 (V 5.85)
Trojan.Win32/Ammyrat	September 2020 (V 5.83)
Cipduk	September 2020 (V 5.83)
Badaxis	September 2020 (V 5.83)
Basicape	September 2020 (V 5.83)
Mackler	September 2020 (V 5.83)
Strilix	September 2020 (V 5.83)
FlawedAmmyy	March 2020 (5.81)
Littlemetp	March 2020 (5.81)
Vatet	January 2020 (5.79)
Trilark	January 2020 (5.79)
Dopplepaymer	January 2020 (5.79)
Trickbot	October 2019 (5.76)
ShadowHammer	May 2019 (5.72)
Kryptomix	April 2019 (5.71)
Win32/GraceWire	March 2019 (5.70)
Win32/ChChes	December 2018 (5.67)
Win32/RedLeaves	December 2018 (5.67)
Win32/RedPlug	December 2018 (5.67)
Win32/RazerPitch	December 2018 (5.67)
Win32/UpperCider	December 2018 (5.67)
PowerShell/Wemaeye	October 2018 (5.65)
PowerShell/Wanascan.A	October 2018 (5.65)
PowerShell/Wannamine	October 2018 (5.65)
PowerShell/Lonit	October 2018 (5.65)
Win32/Plutruption!ARXep	June 2018 (5.61)
Win32/Plutruption!ARXbxep	June 2018 (5.61)
Win32/Adposhel	May 2018 (5.60)
Win32/CoinMiner	May 2018 (5.60)
PowerShell/Xurito	May 2018 (5.60)
Win32/Modimer	April 2018 (5.59)
Win64/Detrahere	March 2018 (5.58)
Win32/Detrahere	March 2018 (5.58)
Win32/Floxif	December 2017 (5.55)
Win32/SilverMob	December 2017 (5.55)
Win32/PhantomStar	December 2017 (5.55)
Win32/Autophyte	December 2017 (5.55)
Win32/FoggyBrass	December 2017 (5.55)
MSIL/DarkNeuron	December 2017 (5.55)
Win32/TangentCobra	December 2017 (5.55)
Win32/Wingbird	November 2017 (5.54)
Win32/ShadowPad	October 2017 (5.53)
Win32/Xeelyak	October 2017 (5.53)
Win32/Xiazai	June 2017 (5.49)
Win32/WannaCrypt	May 2017 (5.48)
Win32/Chuckenit	February 2017 (5.45)
Win32/Clodaconas	December 2016 (5.43)
Win32/Soctuseer	November 2016 (5.42)
Win32/Barlaiy	November 2016 (5.42)
Win32/Sasquor	October 2016 (5.41)
Win32/SupTab	October 2016 (5.41)
Win32/Ghokswa	October 2016 (5.41)
Win32/Xadupi	September 2016 (5.40)
Win32/Suweezy	September 2016 (5.40)
Win32/Prifou	September 2016 (5.40)
Win32/NightClick	September 2016 (5.40)
Win32/Rovnix	August 2016 (5.39)
Win32/Neobar	August 2016 (5.39)
Win32/Cerber	July 2016 (5.38)
Win32/Ursnif	June 2016 (5.37)
Win32/Locky	May 2016 (5.36)
Win32/Kovter	May 2016 (5.36)
Win32/Samas	April 2016 (5.35)
Win32/Bedep	April 2016 (5.35)
Win32/Upatre	April 2016 (5.35)
Win32/Vonteera	March 2016 (5.34)
Win32/Fynloski	March 2016 (5.34)
Win32/Winsec	December 2015 (5.31)
Win32/Drixed	October 2015 (5.29)
Win32/Brambul	October 2015 (5.29)
Win32/Escad	October 2015 (5.29)
Win32/Joanap	October 2015 (5.29)
Win32/Diplugem	October 2015 (5.29)
Win32/Blakamba	October 2015 (5.29)
Win32/Tescrypt	October 2015 (5.29)
Win32/Teerac	September 2015 (5.28)
Win32/Kasidet	August 2015 (5.27)
Win32/Critroni	August 2015 (5.27)
Win32/Vawtrak	August 2015 (5.27)
Win32/Crowti	July 2015 (5.26)
Win32/Reveton	July 2015 (5.26)
Win32/Enterak	July 2015 (5.26)
Win32/Bagopos	June 2015 (5.25)
Win32/BrobanDel	June 2015 (5.25)
Win32/OnlineGames	June 2015 (5.25)
Win32/Gatak	June 2015 (5.25)
Win32/IeEnablerCby	April 2015 (5.23)
Win32/Dexter	April 2015 (5.23)
Win32/Unskal	April 2015 (5.23)
Win32/Saluchtra	April 2015 (5.23)
Win32/CompromisedCert	March 2015 (5.22)
Win32/Alinaos	March 2015 (5.22)
Win32/NukeSped	February 2015 (5.21)
Win32/Jinupd	February 2015 (5.21)
Win32/Escad	February 2015 (5.21)
Win32/Dyzap	January 2015 (5.20)
Win32/Emotet	January 2015 (5.20)
Win32/Zoxpng	November 2014 (5.18)
Win32/Winnti	November 2014 (5.18)
Win32/Tofsee	November 2014 (5.18)
Win32/Derusbi	October 2014 (5.17)
Win32/Sensode	October 2014 (5.17)
Win32/Plugx	October 2014 (5.17)
Win32/Moudoor	October 2014 (5.17)
Win32/Mdmbot	October 2014 (5.17)
Win32/Hikiti	October 2014 (5.17)
Win32/Zemot	September 2014 (5.16)
Win32/Lecpetex	August 2014 (5.15)
Win32/Bepush	July 2014 (5.14)
Win32/Caphaw	July 2014 (5.14)
Win32/Necurs	June 2014 (5.13)
Win32/Filcout	May 2014 (5.12)
Win32/Miuref	May 2014 (5.12)
Win32/Kilim	April 2014 (5.11)
Win32/Ramdo	April 2014 (5.11)
MSIL/Spacekito	March 2014 (5.10)
Win32/Wysotot	March 2014 (5.10)
VBS/Jenxcus	February 2014 (5.9)
MSIL/Bladabindi	January 2014 (5.8)
Win32/Rotbrow	December 2013 (5.7)
Win32/Napolar	November 2013 (5.6)
Win32/Deminnix	November 2013 (5.6)
Win32/Foidan	October 2013 (5.5)
Win32/Shiotob	October 2013 (5.5)
Win32/Simda	September 2013 (5.4)
Win32/Tupym	June 2013 (4.21)
Win32/Kexqoud	May 2013 (4.20)
Win32/Vicenor	May 2013 (4.20)
Win32/fakedef	May 2013 (4.20)
Win32/Vesenlosow	April 2013 (4.19)
Win32/Redyms	April 2013 (4.19)
Win32/Babonock	April 2013 (4.19)
Win32/Wecykler	March 2013 (4.18)
Win32/Sirefef	February 2013 (4.17)
Win32/Lefgroo	January 2013 (4.16)
Win32/Ganelp	January 2013 (4.16)
Win32/Phdet	December 2012 (4.15)
Win32/Phorpiex	November 2012 (4.14)
Win32/Weelsof	November 2012 (4.14)
Win32/Folstart	November 2012 (4.14)
Win32/OneScan	October 2012 (4.13)
Win32/Nitol	October 2012 (4.13)
Win32/Medfos	September 2012 (4.12)
Win32/Matsnu	August 2012 (4.11)
Win32/Bafruz	August 2012 (4.11)
Win32/Kuluoz	June 2012 (4.9)
Win32/Cleaman	June 2012 (4.9)
Win32/Dishigy	May 2012 (4.8)
Win32/Unruy	May 2012 (4.8)
Win32/Gamarue	April 2012 (4.7)
Win32/Bocinex	April 2012 (4.7)
Win32/Claretore	April 2012 (4.7)
Win32/Pluzoks.A	March 2012 (4.6)
Win32/Yeltminky	March 2012 (4.6)
Win32/Hioles	March 2012 (4.6)
Win32/Dorkbot	March 2012 (4.6)
Win32/Fareit	February 2012 (4.5)
Win32/Pramro	February 2012 (4.5)
Win32/Sefnit	January 2012 (4.4)
Win32/Helompy	December 2011 (4.3)
Win32/Cridex	November 2011 (4.2)
Win32/Carberp	November 2011 (4.2)
Win32/Dofoil	November 2011 (4.2)
Win32/Poison	October 2011 (4.1)
Win32/EyeStye	October 2011 (4.1)
Win32/Kelihos	September 2011 (4.0)
Win32/Bamital	September 2011 (4.0)
Win32/Hiloti	August 2011 (3.22)
Win32/FakeSysdef	August 2011 (3.22)
Win32/Dursg	July 2011 (3.21)
Win32/Tracur	July 2011 (3.21)
Win32/Nuqel	June 2011 (3.20)
Win32/Yimfoca	June 2011 (3.20)
Win32/Rorpian	June 2011 (3.20)
Win32/Ramnit	May 2011 (3.19)
Win32/Afcore	April 2011 (3.18)
Win32/Renocide	March 2011 (3.17)
Win32/Cycbot	February 2011 (3.16)
Win32/Lethic	January 2011 (3.15)
Win32/Qakbot	December 2010 (3.14)
Virus:Win32/Sality.AT	November 2010 (3.13)
Worm:Win32/Sality.AT	November 2010 (3.13)
Win32/FakePAV	November 2010 (3.13)
Win32/Zbot	October 2010 (3.12)
Win32/Vobfus	September 2010 (3.11)
Win32/FakeCog	September 2010 (3.11)
Trojan:WinNT/Sality	August 2010 (3.10)
Virus:Win32/Sality.AU	August 2010 (3.10)
Worm:Win32/Sality.AU	August 2010 (3.10)
Worm:Win32/Vobfus!dll	August 2010 (3.10)
Worm:Win32/Vobfus.gen!C	August 2010 (3.10)
Worm:Win32/Vobfus.gen!B	August 2010 (3.10)
Worm:Win32/Vobfus.gen!A	August 2010 (3.10)
Win32/CplLnk	August 2010 (3.10)
Win32/Stuxnet	August 2010 (3.10)
Win32/Bubnix	July 2010 (3.9)
Win32/FakeInit	June 2010 (3.8)
Win32/Oficla	May 2010 (3.7)
Win32/Magania	April 2010 (3.6)
Win32/Helpud	March 2010 (3.5)
Win32/Pushbot	February 2010 (3.4)
Win32/Rimecud	January 2010 (3.3)
Win32/Hamweq	December 2009 (3.2)
Win32/PrivacyCenter	November 2009 (3.1)
Win32/FakeVimes	November 2009 (3.1)
Win32/FakeScanti	October 2009 (3.0)
Win32/Daurso	September 2009 (2.14)
Win32/Bredolab	September 2009 (2.14)
Win32/FakeRean	August 2009 (2.13)
Win32/FakeSpypro	July 2009 (2.12)
Win32/InternetAntivirus	June 2009 (2.11)
Win32/Winwebsec	May 2009 (2.10)
Win32/Waledac	April 2009 (2.9)
Win32/Koobface	March 2009 (2.8)
Win32/Srizbi	February 2009 (2.7 )
Win32/Conficker	January 2009 (2.6)
Win32/Banload	January 2009 (2.6)
Win32/Yektel	December 2008 (2.5)
Win32/FakeXPA	December 2008 (2.5)
Win32/Gimmiv	November 2008 (2.4)
Win32/FakeSecSen	November 2008 (2.4 )
Win32/Rustock	October 2008 (2.3)
Win32/Slenfbot	September 2008 (2.2)
Win32/Matcash	August 2008 (2.1)
Win32/Horst	July 2008 (2.0)
Win32/Lolyda	June 2008 (1.42)
Win32/Ceekat	June 2008 (1.42)
Win32/Zuten	June 2008 (1.42)
Win32/Tilcun	June 2008 (1.42)
Win32/Storark	June 2008 (1.42)
Win32/Taterf	June 2008 (1.42)
Win32/Frethog	June 2008 (1.42)
Win32/Corripio	June 2008 (1.42)
Win32/Captiya	May 2008 (1.41)
Win32/Oderoor	May 2008 (1.41)
Win32/Newacc	March 2008 (1.39)
Win32/Vundo	March 2008 (1.39)
Win32/Virtumonde	March 2008 (1.39)
Win32/Ldpinch	February 2008 (1.38)
Win32/Cutwail	January 2008 (1.37)
Win32/Fotomoto	December 2007 (1.36)
Win32/ConHook	November 2007 (1.35)
Win32/RJump	October 2007 (1.34)
Win32/Nuwar	September 2007 (1.33)
Win32/Zonebac	August 2007 (1.32)
Win32/Virut.B	August 2007 (1.32)
Win32/Virut.A	August 2007 (1.32)
Win32/Busky	July 2007 (1.31)
Win32/Allaple	June 2007 (1.30)
Win32/Renos	May 2007 (1.29)
Win32/Funner	April 2007 (1.28)
Win32/Alureon	March 2007 (1.27)
Win32/Mitglieder	February 2007 (1.25)
Win32/Stration	February 2007 (1.25)
WinNT/Haxdoor	January 2007 (1.24)
Win32/Haxdoor	January 2007 (1.24)
Win32/Beenut	December 2006 (1.23)
Win32/Brontok	November 2006 (1.22)
Win32/Tibs	October 2006 (1.21)
Win32/Passalert	October 2006 (1.21)
Win32/Harnig	October 2006 (1.21)
Win32/Sinowal	September 2006 (1.20)
Win32/Bancos	September 2006 (1.20)
Win32/Jeefo	August 2006 (1.19)
Win32/Banker	August 2006 (1.19)
Win32/Nsag	July 2006 (1.18)
Win32/Hupigon	July 2006 (1.18)
Win32/Chir	July 2006 (1.18)
Win32/Alemod	July 2006 (1.18)
Win32/Fizzer	June 2006 (1.17)
Win32/Cissi	June 2006 (1.17)
Win32/Plexus	May 2006 (1.16)
Win32/Ganda	May 2006 (1.16)
Win32/Evaman	May 2006 (1.16)
Win32/Valla	April 2006 (1.15)
Win32/Reatle	April 2006 (1.15)
Win32/Locksky	April 2006 (1.15)
Win32/Zlob	March 2006 (1.14)
Win32/Torvil	March 2006 (1.14)
Win32/Atak	March 2006 (1.14)
Win32/Magistr	February 2006 (1.13)
Win32/Eyeveg	February 2006 (1.13)
Win32/Badtrans	February 2006 (1.13)
Win32/Alcan	February 2006 (1.13)
Win32/Parite	January 2006 (1.12)
Win32/Maslan	January 2006 (1.12)
Win32/Bofra	January 2006 (1.12)
WinNT/F4IRootkit	December 2005 (1.11)
Win32/Ryknos	December 2005 (1.11)
Win32/IRCBot	December 2005 (1.11)
Win32/Swen	November 2005 (1.10)
Win32/Opaserv	November 2005 (1.10)
Win32/Mabutu	November 2005 (1.10)
Win32/Codbot	November 2005 (1.10)
Win32/Bugbear	November 2005 (1.10)
Win32/Wukill	October 2005 (1.9)
Win32/Mywife	October 2005 (1.9)
Win32/Gibe	October 2005 (1.9)
Win32/Antinny	October 2005 (1.9)
Win32/Zotob	September 2005 (1.8)
Win32/Yaha	September 2005 (1.8)
Win32/Gael	September 2005 (1.8)
Win32/Esbot	September 2005 (1.8)
Win32/Bobax	September 2005 (1.8)
Win32/Rbot.MC	August 2005 A (1.7.1)
Win32/Rbot.MB	August 2005 A (1.7.1)
Win32/Rbot.MA	August 2005 A (1.7.1)
Win32/Esbot.A	August 2005 A (1.7.1)
Win32/Bobax.O	August 2005 A (1.7.1)
Win32/Zotob.E	August 2005 A (1.7.1)
Win32/Zotob.D	August 2005 A (1.7.1)
Win32/Zotob.C	August 2005 A (1.7.1)
Win32/Zotob.B	August 2005 A (1.7.1)
Win32/Zotob.A	August 2005 A (1.7.1)
Win32/Spyboter	August 2005 (1.7)
Win32/Dumaru	August 2005 (1.7)
Win32/Bagz	August 2005 (1.7)
Win32/Wootbot	July 2005 (1.6)
Win32/Purstiu	July 2005 (1.6)
Win32/Optixpro	July 2005 (1.6)
Win32/Optix	July 2005 (1.6)
Win32/Hacty	July 2005 (1.6)
Win32/Spybot	June 2005 (1.5)
Win32/Mytob	June 2005 (1.5)
Win32/Lovgate	June 2005 (1.5)
Win32/Kelvir	June 2005 (1.5)
WinNT/FURootkit	May 2005 (1.4)
WinNT/Ispro	May 2005 (1.4)
Win32/Sdbot	May 2005 (1.4)
Win32/Rbot	April 2005 (1.3)
Win32/Mimail	April 2005 (1.3)
Win32/Hackdef**	April 2005 (1.3)
Win32/Sobig	March 2005 (1.2)
Win32/Sober	March 2005 (1.2)
Win32/Goweh	March 2005 (1.2)
Win32/Bropia	March 2005 (1.2)
Win32/Bagle	March 2005 (1.2)
Win32/Zafi	February 2005 (1.1)
Win32/Randex	February 2005 (1.1)
Win32/Netsky	February 2005 (1.1)
Win32/Korgo	February 2005 (1.1)
Win32/Zindos	January 2005 (1.0)
Win32/Sasser	January 2005 (1.0)
Win32/Nachi	January 2005 (1.0)
Win32/Mydoom	January 2005 (1.0)
Win32/MSBlast	January 2005 (1.0)
Win32/Gaobot	January 2005 (1.0)
Win32/Doomjuice	January 2005 (1.0)
Win32/Berbew	January 2005 (1.0)
We maximize customer protection by regularly reviewing and prioritizing our signatures. We add or remove detections as the threat landscape evolves.

**Note:**It is recommended to have an up to date next-gen antimalware product installed for continuous protection.

Reporting component

The MSRT sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the website
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer
  If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.
  You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

Possible scanning results

After the tool runs, there are four main results that the removal tool can report to the user:

• No infection was found.
• At least one infection was found and was removed.
• An infection was found but was not removed.

Note This result is displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.

• An infection was found and was partially removed.

Note To complete this removal, you should use an up-to-date antivirus product.

Frequently asked questions about the MSRT

__

Q1: Is this tool digitally signed by Microsoft?

A1: Yes.

__

Q2: What kind of information does the log file contain?

A2: For information about the log file, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

__

Q3: Can this tool be redistributed?

A3: Yes. Per the terms of this tool’s license terms, the tool can be redistributed. However, make sure that you are redistributing the latest version of the tool.

__

Q4: How do I know that I’m using the latest version of the tool?

A4: If you are a Windows 7 user, use Microsoft Update or the Microsoft Update Automatic Updates functionality to test whether you are using the latest version of the tool. If you have chosen not to use Microsoft Update, and you are a Windows 7 user, use Windows Update. Or, use the Windows Update Automatic Updates functionality to test whether you are using the latest version of the tool. Additionally, you can visit the Microsoft Download Center. Also, if the tool is more than 60 days out of date, the tool reminds you to look for a new version of the tool.

__

Q5: Will the Microsoft Knowledge Base article number of the tool change with each new version?

A5: No. The Microsoft Knowledge Base article number for the tool will remain as 890830 for future versions of the tool. The file name of the tool when it is downloaded from the Microsoft Download Center will change with each release to reflect the month and the year when that version of the tool was released.

__

Q6: Is there any way I can request that new malicious software be targeted in the tool?

A6: Currently, no. Malicious software that is targeted in the tool is based on metrics that track the prevalence and damage of malicious software.

__

Q7: Can I determine whether the tool has been run on a computer?

A7: Yes. By checking a registry key, you can determine whether the tool has been run on a computer and which version was the latest version that was used. For more information, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

__

Q8: Why do not I see the tool on Microsoft Update, Windows Update, or Automatic Updates?

A8: Several scenarios may prevent you from seeing the tool on Microsoft Update, Windows Update, or Automatic Updates:

• If you have already run the current version of the tool from Windows Update, Microsoft Update, Automatic Updates, or from either of the other two release mechanisms, it will not be reoffered on Windows Update or Automatic Updates.
• For Automatic Updates, the first time that you run the tool, you must be logged on as a member of the Administrators group to accept the license terms.

__

Q9: How do Microsoft Update, Windows Update, and Automatic Updates determine who the tool is offered to?

A9: The tool is offered to all supported Windows and Windows Server versions that are listed in the “Summary” section if the following conditions are true:

• The users are running the latest version of Windows Update or Windows Update Automatic Updates.
• The users have not already run the current version of the tool.

__

Q10: When I look in the log file, it tells me that errors were found during the scan. How do I resolve the errors?

A10: For information about the errors, see How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool.

__

Q11: Will you rerelease the tool even if there are no new security bulletins for a particular month?

A11: Yes. Even if there are no new security bulletins for a particular month, the Malicious Software Removal Tool will be rereleased with detection and removal support for the latest prevalent malicious software.

__

Q12: How do I prevent this tool from being offered to me by using Microsoft Update, Windows Update, or Automatic Updates?

A12: When you are first offered the Malicious Software Removal Tool from Microsoft Update, Windows Update, or Automatic Updates, you can decline downloading and running the tool by declining the license terms. This action can apply to only the current version of the tool or to both the current version of the tool and any future versions, depending on the options that you choose. If you have already accepted the license terms and prefer not to install the tool through Windows Update, clear the checkbox that corresponds to the tool in the Windows Update UI.

__

Q13: After I run the tool from Microsoft Update, Windows Update, or Automatic Updates, where are the tool files stored? Can I rerun the tool?

A13: If it is downloaded from Microsoft Update or from Windows Update, the tool runs only one time each month. To manually run the tool multiple times a month, download the tool from the Download Center or by visiting the Microsoft Safety & Security Center website.

For an online scan of your system by using the Windows Live OneCare safety scanner, go to the Microsoft Safety Scanner website.

__

Q14: Can I run this tool on a Windows Embedded computer?

A14: Currently, the Malicious Software Removal Tool is not supported on a Windows Embedded computer.

__

Q15: Does running this tool require any security updates to be installed on the computer?

A15: No. Unlike most previous cleaner tools that were produced by Microsoft, the MSRT has no security update prerequisites. However, we strongly recommend that you install all critical updates before you use the tool, to help prevent reinfection by malicious software that takes advantage of security vulnerabilities.

__

Q16: Can I deploy this tool by using WSUS or SCCM? Is it compatible with MBSA?

A16: For information about how to deploy this tool, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.

__

Q17: Do I have to have the previous cleaner tools installed to run the Malicious Software Removal Tool?

A17: No.

__

Q18: Is there a newsgroup available to discuss this tool?

A18: Yes. You can use the microsoft.public.security.virus newsgroup.

__

Q19: Why does the “Windows File Protection” window appear when I run the tool?

A19: In some cases, when specific viruses are found on a system, the cleaner tool tries to repair infected Windows system files. Although this action removes the malicious software from these files, it may also trigger the Windows File Protection feature. If you see the Windows File Protection window, we strongly recommend that you follow the directions and insert your Microsoft Windows CD. This will restore the cleaned files to their original, pre-infection state.

__

Q20: Are localized versions of this tool available?

A20: Yes, the tool is available in 24 languages.

__

Q21: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?

A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.

__

Q22: Can the MSRT run in Safe mode?

A22: Yes. If you have run the MSRT before you start the computer to Safe mode, you can access MSRT at %windir%\system32\mrt.exe. Double-click the Mrt.exe file to run the MSRT, and then follow the on-screen instructions.

Skipped releases

No MSRT update was released in the following months:

• December 2023