none
mrtstub.exe malware or not?

    Question

  •  

    So, I've been having a malware problem, and I found the file mrtstub.exe, and of course I search for it on the internet and a site says that it is malware and to remove it.  So, I did.  When I first tried to run the MS Removal Tool, it said that it could not run and something about mrtstub.exe.  A few minutes later, I tried to run it again, and it ran.  Matter of fact, it is still scanning.  Now, I've got this file on my system again (I don't know how).  What gives?  Is it legit and a valid MS file, or not?

     

    Thanks in advance for your help!

     

    --JSS

    Thursday, December 20, 2007 12:16 AM

Answers

  •  

    If it does not have a Digital Signature tab then it is likely malware that is maskerading as the Malicious Software Removal Tool. Have you run a malware scan on that computer? Why don't you submit that file to VirusTotal and see what they say? It is at http://www.virustotal.com. If it is malware that would be very interesting.
    Thursday, December 20, 2007 3:58 PM

All replies

  •  

    No, that is probably not malware. It could be if it is in an unusual location, but mrtstub.exe is a component of the Microsoft Malicious Software Removal Tool. Right-click the executable, select properties, and check the Digital Signature tab. If it says it is signed by Microsoft Corporation, it is safe.
    Thursday, December 20, 2007 1:14 AM
  • I clicked on "Properties" on the ones that I have.  They say "Unknown Application"  and no other info as to being signed by anyone or anything.  There is no info as to being unsigned by anyone, either.

     

    Thanks again!

     

    -jss

    Thursday, December 20, 2007 3:08 PM
  •  

    If it does not have a Digital Signature tab then it is likely malware that is maskerading as the Malicious Software Removal Tool. Have you run a malware scan on that computer? Why don't you submit that file to VirusTotal and see what they say? It is at http://www.virustotal.com. If it is malware that would be very interesting.
    Thursday, December 20, 2007 3:58 PM
  •  

    Everything came back fine!  Thanks Jesper!
    Thursday, December 20, 2007 6:58 PM
  • deleted.

    Sunday, May 18, 2008 10:56 PM
  • Hey I was curious too so I was looking at properties and such and it disappeared while I was looking at it.  I figured it out:  I had been installing a Vista update through Windows Update.  I think it is nothing to worry about.
    Tuesday, January 13, 2009 9:44 PM
  • Hi.  I just started a virus scan of my c:/ drive.  Within 30 minutes it found 2 Trojan Horse in separate folders.  I check each folder and they each had mrstub.exe files.  I'm using Avast anti-virus.  It recommended to put the files in the chest.  Should I remove both folders with the mrstub.exe?  Any feedback is appreciated.  Thanks.

    Friday, July 09, 2010 11:10 PM
  • This is from Computer Active Magazine

    "Make a not where the 'mrtstub.exe' is located and then swith off your computer.

    Restart your computer and press F8 before the windows logo appears. This should bring you to your Safe Mode Window.

    Press 'Safe Mode' and when you return to your desktop, seek out the location of the 'mrtstub.exe' and press delete.

    Send it to the recycle bin and restart your computer.

    Empty your recycle bin

     

    Regards

    Jim

    Monday, September 20, 2010 9:19 PM
  • MRT and MRTSTUB are associated with the Microsoft Malicious Software Removal Tool.  They will install during the Vista, Win7 and other microsoft updates.

     

     

    "MRT" as in Microsoft Removal Tool
    Tuesday, September 28, 2010 12:59 PM
  •                                                                                            http://support.microsoft.com/kb/890830


    Article ID: 890830 - Last Review: October 13, 2010 - Revision: 80.0

    The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP

    Q21: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?
    A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.

    Monday, October 18, 2010 8:46 AM
  • I have the same thing too, i think it's bad if it's in a place like this:(Dir Tree)

    C:\01ec76e9b04b69281698\

    |

    |---mrtstub.exe (72KB)

    |---mrt.exe(4965KB)

    Tuesday, April 19, 2011 7:46 AM
  • Mine is the same; looks suspicious, in a strange location (C:\bunchonumbers), no signature etc. But I sent it to

     http://www.virustotal.com - thank you, Jesper! - and it came back clean within 5 minutes!  This site and their site

    are my new favorites; thanks everybody : )

    • Proposed as answer by Jemimakitten Wednesday, May 18, 2011 6:25 PM
    • Unproposed as answer by Jemimakitten Wednesday, May 18, 2011 6:25 PM
    Saturday, April 30, 2011 4:33 AM
  • That is not what MRT stands for actually. Anything that is microsoft starts  with MS like MS word, MS Windows and so on. The Microsoft Windows Malicious Software Removal Tool starts with these letters (MSRT).  
    So There for since this strange file everyone is asking about is MRT or MRTSTUB I do NOT believe it to be associated with microsoft due to my statment above.
    As for whether it is dangerous i am still looking that up.
    Well so far I have found conflicting answers to this question. But my biggest thing is if it is related to Microsoft then why is it not MSRT? that is what I would like to know first.

    Wednesday, May 18, 2011 6:30 PM
  • One has to take ownership of the file to see all it's attributes. 

    If you do not, you do not see much of anything about it under Windows7 Professional, most likely due to security safeguards.

     If you do, you should find that it is a digitally RSA signed program from Microsoft with a description of "Malicious Software Removal Tool Update Stub", hence the Stub in the name.

    It also has details showing a Microsoft Corporation Copyright with the same Product name as the afore mentioned File description.  I also see a version of 3.22.5202.0, which is fitting with MS versioning and not something one usually sees hackers taking the time to fillout with their malware or viruses.

    If you enable to see known suffixes, the two files one observes are "mrt.exe._p" and "mrtstub.exe".

    So it would appear for the record that JemimalKitten is wrong and Galterio is correct.

    Also, if you've done any work in the kernel space of Windows, you would see that MS does NOT preceed all files produced by Microsoft.

    Take ntldr for instance which is the Windows loader that has been around since the early days of NT, hmmm no "MSntldr" there.  Same holds for "hal.dll", although the hardware abstraction layer has been fragmented more since Windows 2000 to various subsystems like pnp that has several files which begin with pnp prefix. 

    Go ahead and peruse our Windows %systemroot%\system32 to see numerous other such files which are all legit MS Windows files which do not have Ms prefix as claimed in earlier posts.

    Tuesday, November 01, 2011 3:48 AM
  • Hi,

    I have the same problem, but a strange thing happened:

    I connected my external disk (long time not connected), and I noticed on the root folder this folder with a lot of numbers HD:/d3e63189b9598d4d5ea645f2/  with the MRT.exe and mrtstub.exe inside.

    While I was checking about these strange files the whole folder dissappeared, and later re-appeared in my C:/ folder, under different series of numbers! I thought I was mistaken, but then I checked with glary undelete and found out that indeed this folder was deleted from my hard disk.

    It does have some kind of certification tab of microsoft, however some of the dates are of today. strange.

    Wouldn't that be the behaviour of a virus ?

    Friday, May 30, 2014 9:56 AM