MRT.EXE and MRTSTUB.EXE - real or malware?

buckscaper

Hi there,

I just installed a new HDD to an HP Pavilion (removed old HDD w/Vista) and installed Win7 Home Premium SP1.

I also installed Avast and Threatfire prior to connecting the machine to the internet. All was fine.

I connected to the internet and clicked windows update and there were 29 important updates that downloaded but had not yet installed. I wanted to make sure the system was up to date before I started loading software so I clicked to install the updates. Nothing seemed to happen so I opened windows update again and told it to install but it said it couldn't do anything because it was in the process of installing updates. That seemed weird (since there was no indication at all that anything was happening).

So I left it alone and came back later and saw an alert from Threatfire about a file named MRTSTUB.EXE trying to create a file called MRT.EXE.

See attachment for screen cap showing alert (center window), "details" (left window) and Windows Explorer showing that the file isn't where it says it is.

I researched the alert and came up with 50/50 "it's malware" vs "it's part of windows" (the Windows Software Removal Tool to be exact). Not helpful at all.

The last few posts in the forum thread at the following link sum up the situation.

mrtstub.exe????? - Wilders Security Forums

The advice to check the properties of the file seemed great, except as you can see in the screen cap, the MRTSTUB.EXE file isn't where it says it is and I can't find a folder with the name (long string) shown in the details pane in the left window of the screen cap. So I can't check the properties of the file.

So THAT leads me to believe that it really is something nasty. But I can't figure out how it could be there if it didn't come in directly through windows update. I have a secure, wired router/network, it's a brand new OS that's never been used (Windows Update is the first thing I did after installing the OS). And I didn't do any web surfing or install anything else. Everything done with this new pristine system is listed above.

So I'm clueless.

I let Threatfire kill the process and quarantine the file.

Not sure what to do next. I would like to still use the Windows Software Removal Tool but I'm a bit gun shy now and to top it off, I'm not sure if I may have damaged anything or put myself at risk by killing and quarantining a process or file that SHOULD be running. I'm also not sure if the WSRT is on the machine or not at this point.

Any ideas?

Thanks
 

Attachments: IMG_20110725_025121.jpg (270.6 KB)
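
Added example, not part of the original thread: the file-property check mentioned in the post above, done from PowerShell so that the signature status and signer are shown explicitly. The locations `%windir%\System32\MRT.exe` and `%windir%\debug\mrt.log` are assumptions about where the Malicious Software Removal Tool is installed and where it logs, and `Get-FileTrustInfo` is a hypothetical helper name.

```powershell
# Added example (not from the thread). Get-FileTrustInfo is a hypothetical helper.
function Get-FileTrustInfo {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A quarantined or already cleaned-up file simply is not there any more.
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $info   = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    New-Object PSObject -Property @{
        Path            = $Path
        Exists          = $true
        # 'Valid' = the file hash matches the signature and the chain is trusted.
        # 'NotSigned' alone is not proof of malware: some Windows files are
        # catalog-signed and older PowerShell versions do not check catalogs.
        SignatureStatus = $sig.Status
        Signer          = $signer
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                           $signer -match 'O=Microsoft Corporation')
        Product         = $info.ProductName
        FileVersion     = $info.FileVersion
    }
}

# Assumed install location of the tool.
Get-FileTrustInfo (Join-Path $env:windir 'System32\MRT.exe') | Format-List

# Assumed log location; shows the most recent runs and their results, if any.
$log = Join-Path $env:windir 'debug\mrt.log'
if (Test-Path -LiteralPath $log) {
    Get-Content -LiteralPath $log | Select-Object -Last 20
}
```

The same function can be pointed at a file restored from quarantine to inspect it before deciding whether to keep it.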

I wouldn't worry too much. MRT is not a substitute for a resident AV for various reasons: 1) MRT only removes malware AFTER infection, it doesn't BLOCK malware like an AV. 2) MRT is designed to target a small set of malware only while an AV takes care of most malware out there in the world today. 3) MRT can only detect actively running malware, an AV can also detect dormant malware.

So stick to what Threatfire says and you'll be fine.
 

buckscraper,

Download and install Malwarebytes (link in my sig).

Turn off all of your other anti-whatever software.

Run Malwarebytes.

Let us know the results.

Oh yes, after running Malwarebytes you can turn your anti-everything software back on.

Did you know that you can simply delete your present anti-stuff and install the best free non-interfering small-footprint anti-virus software, namely, Microsoft Security Essentials (MSE)? Link in my sig.

When you install MSE, it will set your system up so that MSRT is run every month. MSRT is updated by Microsoft monthly. MSRT (Malicious Software Removal Tool) removes root-kits and the like. MSE is updated, sometimes several times a day (if you've enabled MSE checking for updates on that frequency). Coupled with the Windows Firewall you are in good shape.
 

Hi,

Thanks for the replies. I've been working and using another machine so I haven't been able to run malwarebytes yet but that will be my next step. I just didn't want to leave this thread hanging. I'll post again after I run it.

Thanks.
 
