Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)
Windows
Summary
The Windows Malicious Software Removal Tool (MSRT) helps remove malicious software from computers that are running any of the following operating systems:
- Windows 10
- Windows Server 2019
- Windows Server 2016
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows 7
- Windows Server 2008
Microsoft releases the MSRT on a monthly cadence as part of Windows Update or as a standalone tool. Use this tool to find and remove specific prevalent threats and reverse the changes they have made (see
covered malware families). For comprehensive malware detection and removal, consider using
Windows Defender Offline or
Microsoft Safety Scanner.
This article contains information about how the tool differs from an antivirus or antimalware product, how you can download and run the tool, what happens when the tool finds malware, and tool release information. It also includes information for the administrators and advanced users, including information about supported command-line switches.
Notes:
More information
Enabling automatic updates
To turn on Automatic Updates yourself, follow the steps in the following table for the operating system that your computer is running.
If your computer is running:
Follow these steps:
Windows 10
- Select the Start button, then select Settings > Update & security > Windows Update . If you want to check for updates manually, select Check for updates.
- Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).
Note Windows 10 is a service. This means that automatic updates are turned on by default and your PC always has the latest and best features.
Windows 8.1
- Open Windows Update by swiping in from the right edge of the screen (or, if you're using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), select Settings > Change PC settings > Update and recovery > Windows Update. If you want to check for updates manually, select Check now.
- Select Choose how updates get installed, and then under Important updates, select Install updates automatically (recommended).
- Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box.
- Under Microsoft Update, select the Give me updates for other Microsoft products when I update Windows check box, and then select Apply.
Windows 7
- Click Start
, point to All Programs, and then click Windows Update.
- In the left pane, click Change settings.
- Click to select Install updates automatically (recommended).
- Under Recommended updates, click to select the Give me recommended updates the same way I receive important updates check box, and then click OK. If you are prompted for an administrative password or for confirmation, type the password or provide confirmation. Go to step 3.
Download the MSRT. You must accept the Microsoft Software License Terms. The license terms are only displayed for the first time that you access Automatic Updates.
Note After you accept the one-time license terms, you can receive future versions of the MSRT without being logged on to the computer as an administrator.
[paste:font size="3"]Performing a full scan
If the tool finds malicious software, you may be prompted to perform a full scan. We recommend that you perform this scan. A full scan performs a quick scan and then a full scan of the computer, regardless of whether malicious software is found during the quick scan. This scan can take several hours to complete because it will scan all fixed and removable drives. However, mapped network drives are not scanned.
Removing malicious files
If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software from those files. If the malicious software modified your browser settings, your homepage may be changed automatically to a page that gives you directions on how to restore these settings.
You can clean specific files or all the infected files that the tool finds. Be aware that some data loss is possible during this process. Also, be aware that the tool may be unable to restore some files to the original, pre-infection state.
The removal tool may request that you restart your computer to complete the removal of some malicious software, or it may prompt you to perform manual steps to complete the removal of the malicious software. To complete the removal, you should use an up-to-date antivirus product.
Reporting infection information to Microsoft The MSRT sends basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.
[/paste:font]
How to receive support
Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center
Help installing updates:
Support for Microsoft Update
Local support according to your country:
International Support.
Microsoft Download Center
Note: Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see
2019 SHA-2 Code Signing Support requirement for Windows and WSUS.
You can manually download the MSRT from the Microsoft Download Center. The following files are available for download from the Microsoft Download Center:
For 32-bit x86-based systems:
Download the x86 MSRT package now.
For 64-bit x64-based systems:
Download the x64 MSRT package now.
Release Date: August 9, 2022.
For more information about how to download Microsoft support files, see
How to obtain Microsoft support files from online services.
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Deploying the MSRT in an enterprise environment
If you are an IT administrator who wants more information about how to deploy the tool in an enterprise environment, see
Deploy Windows Malicious Software Removal Tool in an enterprise environment.
This article includes information about Microsoft Systems Management Server (SMS), Microsoft Software Update Services (MSUS), and Microsoft Baseline Security Analyzer (MBSA).
Except where noted, the information in this section applies to all the ways that you can download and run the MSRT:
- Microsoft Update
- Windows Update
- Automatic Updates
- The Microsoft Download Center
- The MSRT website on Microsoft.com
To run the MSRT, the following conditions are required:
- The computer must be running a supported version of Windows.
- You must log on to the computer by using an account that is a member of the Administrators group. If your logon account does not have the required permissions, the tool exits. If the tool is not being run in quiet mode, it displays a dialog box that describes the failure.
- If the tool is more than 215 days (7 months) out of date, the tool displays a dialog box that recommends that you download the latest version of the tool.
Support for command-line switches
The MSRT supports the following command line switches.
Switch
Purpose
/Q or /quiet
Uses quiet mode. This option suppresses the user interface of the tool.
/?
Displays a dialog box that lists the command-line switches.
/N
Runs in detect-only mode. In this mode, malicious software will be reported to the user, but it will not be removed.
/F
Forces an extended scan of the computer.
/F:Y
Forces an extended scan of the computer and automatically cleans any infections that are found.
Usage and release information
When you download the tool from Microsoft Update or from Automatic Updates, and no malicious software is detected on the computer, the tool will run in quiet mode next time. If malicious software is detected on the computer, the next time that an administrator logs on to the computer, a balloon will appear in the notification area to notify you of the detection. For more information about the detection, click the balloon.
When you download the tool from the Microsoft Download Center, the tool displays a user interface when it runs. However, if you supply the /Q command-line switch, it runs in quiet mode.
Release information
The MSRT is released on the second Tuesday of each month. Each release of the tool helps detect and remove current, prevalent malicious software. This malicious software includes viruses, worms, and Trojan horses. Microsoft uses several metrics to determine the prevalence of a malicious software family and the damage that can be associated with it.
This Microsoft Knowledge Base article will be updated with information for each release so that the number of the relevant article remains the same. The name of the file will be changed to reflect the tool version. For example, the file name of the February 2020 version is Windows-KB890830-V5.80.exe, and the file name of the May 2020 version is Windows-KB890830-V5.82-ENU.exe.
The following table lists the malicious software that the tool can remove. The tool can also remove any known variants at the time of release. The table also lists the version of the tool that first included detection and removal for the malicious software family.
[paste:font size="4"]Reporting component
The MSRT sends information to Microsoft if it detects malicious software or finds an error. The specific information that is sent to Microsoft consists of the following items:
- The name of the malicious software that is detected
- The result of malicious software removal
- The operating system version
- The operating system locale
- The processor architecture
- The version number of the tool
- An indicator that notes whether the tool is being run by Microsoft Update, Windows Update, Automatic Updates, the Download Center, or from the website
- An anonymous GUID
- A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer
If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed here. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:
- The files that are suspected to be malicious software. The tool will identify the files for you.
- A cryptographic one-way hash (MD5) of any suspicious files that are detected.
You can disable the reporting feature. For information about how to disable the reporting component and how to prevent this tool from sending information to Microsoft, see Deploy Windows Malicious Software Removal Tool in an enterprise environment.
Possible scanning results
After the tool runs, there are four main results that the removal tool can report to the user:
- No infection was found.
- At least one infection was found and was removed.
- An infection was found but was not removed.
Note This result is displayed if suspicious files were found on the computer. To help remove these files, you should use an up-to-date antivirus product.
- An infection was found and was partially removed.
Note To complete this removal, you should use an up-to-date antivirus product.
Frequently asked questions about the MSRT[/paste:font]
