So, I've been having a malware problem, and I found the file mrtstub.exe, and of course I searched for it on the internet and a site says that it is malware and to remove it. So, I did. When I first tried to run the MS Removal Tool, it said that it could not run and something about mrtstub.exe. A few minutes later, I tried to run it again, and it ran. Matter of fact, it is still scanning. Now, I've got this file on my system again (I don't know how). What gives? Is it legit and a valid MS file, or not?
Thanks in advance for your help!
Hi. I just started a virus scan of my c:/ drive. Within 30 minutes it found 2 Trojan Horses in separate folders. I checked each folder and they each had mrstub.exe files. I'm using Avast anti-virus. It recommended putting the files in the chest. Should I remove both folders with the mrstub.exe? Any feedback is appreciated. Thanks.
This is from Computer Active Magazine
"Make a note of where the 'mrtstub.exe' is located and then switch off your computer.
Restart your computer and press F8 before the windows logo appears. This should bring you to your Safe Mode Window.
Press 'Safe Mode' and when you return to your desktop, seek out the location of the 'mrtstub.exe' and press delete.
Send it to the recycle bin and restart your computer.
Empty your recycle bin
Article ID: 890830 - Last Review: October 13, 2010 - Revision: 80.0
The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows 7, Windows Vista, Windows Server 2003, Windows Server 2008, or Windows XP
Q21: I found the Mrtstub.exe file in a randomly named directory on my computer. Is the Mrtstub.exe file a legitimate component of the tool?
A21: The tool does use a file that is named Mrtstub.exe for certain operations. If you verify that the file is signed by Microsoft, the file is a legitimate component of the tool.
- Proposed as answer by VB Developer since 1995 Monday, October 18, 2010 8:47 AM
Mine is the same; looks suspicious, in a strange location (C:\bunchonumbers), no signature etc. But I sent it to http://www.virustotal.com - thank you, Jesper! - and it came back clean within 5 minutes! This site and their site are my new favorites; thanks everybody : )
That is not what MRT stands for actually. Anything that is Microsoft starts with MS, like MS Word, MS Windows and so on. The Microsoft Windows Malicious Software Removal Tool starts with these letters (MSRT). So therefore, since this strange file everyone is asking about is MRT or MRTSTUB, I do NOT believe it to be associated with Microsoft due to my statement above. As for whether it is dangerous, I am still looking that up. Well, so far I have found conflicting answers to this question. But my biggest thing is if it is related to Microsoft then why is it not MSRT? That is what I would like to know first.
One has to take ownership of the file to see all its attributes.
If you do not, you do not see much of anything about it under Windows7 Professional, most likely due to security safeguards.
If you do, you should find that it is a digitally RSA signed program from Microsoft with a description of "Malicious Software Removal Tool Update Stub", hence the Stub in the name.
It also has details showing a Microsoft Corporation Copyright with the same Product name as the aforementioned File description. I also see a version of 3.22.5202.0, which is fitting with MS versioning and not something one usually sees hackers taking the time to fill out with their malware or viruses.
If you enable to see known suffixes, the two files one observes are "mrt.exe._p" and "mrtstub.exe".
So it would appear for the record that JemimalKitten is wrong and Galterio is correct.
Also, if you've done any work in the kernel space of Windows, you would see that MS does NOT precede all files produced by Microsoft.
Take ntldr for instance which is the Windows loader that has been around since the early days of NT, hmmm no "MSntldr" there. Same holds for "hal.dll", although the hardware abstraction layer has been fragmented more since Windows 2000 to various subsystems like pnp that has several files which begin with pnp prefix.
Go ahead and peruse our Windows %systemroot%\system32 to see numerous other such files which are all legit MS Windows files which do not have Ms prefix as claimed in earlier posts.
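The signature check that A21 of the KB article and the post above describe can be scripted. This is an added example, not part of the original thread or any Microsoft tool; `Test-MicrosoftSigned` is a hypothetical helper name, the path is a placeholder, and matching `O=Microsoft Corporation` in the certificate subject is an assumption about how Microsoft's signing certificates are named.

```powershell
# Added example: Test-MicrosoftSigned is a hypothetical helper, not a built-in cmdlet.
function Test-MicrosoftSigned {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # -Force so hidden or system files in the randomly named folder are still found.
    $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate

    # 'Valid' means the file hash matches the signed content and the
    # certificate chain ends in a root this machine trusts.
    $valid = $sig.Status -eq 'Valid'

    # Assumption: Microsoft's code-signing certificates carry this organization name.
    $isMicrosoft = ($null -ne $cert) -and ($cert.Subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path            = $file.FullName
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = if ($cert) { $cert.Subject } else { '(unsigned)' }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        # Version resource fields are free text that anyone can set, so they are
        # reported for context only and do not count toward the verdict.
        FileDescription = $file.VersionInfo.FileDescription
        FileVersion     = $file.VersionInfo.FileVersion
        # Hash of the file, usable for a lookup on a multi-engine scanning service.
        SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Trusted         = $valid -and $isMicrosoft
    }
}

# Placeholder path: replace with the folder where the file was actually found.
$candidate = 'C:\PLACEHOLDER_FOLDER\mrtstub.exe'
if (Test-Path -LiteralPath $candidate) {
    Test-MicrosoftSigned -Path $candidate | Format-List
}
```

`Trusted` is `True` only when the Authenticode signature validates and the signer is Microsoft; a status such as `NotSigned` or `HashMismatch` means the file fails the check the KB article asks for, whatever its description or version fields say.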
I have the same problem, but a strange thing happened:
I connected my external disk (long time not connected), and I noticed on the root folder this folder with a lot of numbers HD:/d3e63189b9598d4d5ea645f2/ with the MRT.exe and mrtstub.exe inside.
While I was checking about these strange files the whole folder disappeared, and later re-appeared in my C:/ folder, under a different series of numbers! I thought I was mistaken, but then I checked with glary undelete and found out that indeed this folder was deleted from my hard disk.
It does have some kind of certification tab of Microsoft, however some of the dates are of today. Strange.
Wouldn't that be the behaviour of a virus?