Wilders Security Forums  

  #1  
August 21st, 2006, 09:45 AM
CJsDad
Frequent Poster
 
Join Date: Jan 2006
Posts: 614
mrtstub.exe?????

I've tried looking it up (google.com) and now I'm even more confused.

Is this malware or not??

From what I've read it's 50/50, half the websites I have read say to remove it because it is malware but then the other half say it's part of Microsoft Windows Malicious Software Removal Tool.

So which is it?

I've run all of my security scans (AV, AS, AT) and nothing shows up on any of them so I really don't know what to do.
  #2  
August 21st, 2006, 10:15 AM
Bob D
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Re: mrtstub.exe?????

mrtstub.exe DOES seem to have something to do with M$'s Malicious Software Removal Tool.
From Microsoft Security Discussion:
http://www.microsoft.com/communities...a6c4eee208&p=1
  #3  
August 21st, 2006, 06:02 PM
CJsDad
Frequent Poster
 
Join Date: Jan 2006
Posts: 614
Re: mrtstub.exe?????

I saw that website, that was one of them that came up in the google search.
Kind of confusing though and I still don't know if I should leave the file or remove it.
  #4  
August 21st, 2006, 06:32 PM
Bob D
Frequent Poster
 
Join Date: Apr 2005
Location: Mass., USA
Posts: 966
Re: mrtstub.exe?????

If you're using M$'s Malicious Software Removal Tool, you'll probably need to keep it.
Per Microsoft:
"mrtstub is part of the Malicious Software Removal Tool. It is responsible
for copying mrt.exe to the correct location and launching it."

Those sites you visited that caused alarm with results like:
Quote:
Description:
mrtstub.exe is a process belonging to an unclassified malware which can download other malicious processes and cause unwanted behavior on your computer. Should be terminated immediately
Oh my gosh!
Now that they've your attention, their advice is:
Quote:
Recommendation for mrtstub.exe:
DISABLE AND REMOVE IMMEDIATELY. This process is most likely an adware or spyware.
To get control over your running programs we suggest.....
suggest "their" spyware removal software (for a fee, of course).
To alleviate any trepidation, I'd do a search at Symantec, Kaspersky and see if anything related to mrtstub comes up.
  #5  
August 21st, 2006, 06:49 PM
Bubba
Global Moderator
 
Join Date: Apr 2002
Posts: 11,279
Re: mrtstub.exe?????

Quote:
Originally Posted by CJsDad
I still don't know if I should leave the file or remove it.
What location is the file found in?

If you right click the file and check its properties it should give info that should help you decide whether it's a legit MS file or not.
  #6  
August 22nd, 2006, 03:23 PM
CJsDad
Frequent Poster
 
Join Date: Jan 2006
Posts: 614
Re: mrtstub.exe?????

Glad this has been cleared up, it is for MS Malicious Software Removal Tool.
Thanks to Bob D and Bubba for the help.
  #7  
September 7th, 2006, 01:57 PM
merkwurdigliebe
Infrequent Poster
 
Join Date: Sep 2006
Posts: 1
Re: mrtstub.exe?????

This program is supposed to be a binary patcher for MRT.EXE, the Malicious Software Removal Tool. It is apparently a genuine MS binary, but it is apparently being used by a rootkit to do evil things.

I found a copy of it loaded in memory from a file in a temp directory. The file was a duplicate of mrtstub.exe but it was named ~WRS001.TMP and it was well hidden from the usual process and file tools from Sysinternals. It was launched by an unknown process and logged itself as a Windows Update task - patching MRT.exe. Unfortunately, I had never installed that software on this machine as I found it to cause more problems than it solved on others.

Several hours after the fake WU job completed, I found the same PID still up and running as a service, attached to the NTP port, and opening tens of thousands of files on my system disk.

MRTSTUB.EXE is not supposed to do anything but patch MRT.EXE. However, by hooking the function calls in its process space to tell the utility that the file it has open is MRT.EXE and that the file it is downloading for the patch is coming from MS, it is possible for someone to patch any file that process has access to, and since the utility is digitally signed by MS, the system trusts it and lets it proceed.

So, MRTSTUB.EXE is a genuine MS file, but it has enormous potential as a blackhat's dream tool - a general purpose binary patch tool signed by MS and trusted by the system.

I have confirmed that this is loose in the wild, and no one is apparently doing a thing about it. I informed MS of this several weeks ago.
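
Added example, not part of any post in this thread: a read-only PowerShell triage that performs the properties check suggested in post #5 (location, version info, digital signature) and then looks in temp directories for the pattern described in post #7, a binary sitting under a name other than the one in its version resource. The `$suspect` path is a placeholder and the function name `Get-FileTriage` is made up for this example.

```powershell
# Added example (not from the thread). Nothing here modifies or deletes files.
function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    $ver  = $item.VersionInfo
    $sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName
    $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path             = $item.FullName          # where the file actually lives
        OriginalFilename = $ver.OriginalFilename   # name recorded in the version resource
        CompanyName      = $ver.CompanyName
        FileVersion      = $ver.FileVersion
        SignatureStatus  = $sig.Status             # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject
        # True when the version resource names a different file than the one on disk.
        Renamed          = [bool]($ver.OriginalFilename -and
                                  ($ver.OriginalFilename -ne $item.Name))
        SHA256           = $hash.Hash
    }
}

# 1. The file in question. Placeholder path: replace with where the file was found.
$suspect = 'C:\path\to\mrtstub.exe'
if (Test-Path -LiteralPath $suspect) {
    Get-FileTriage -Path $suspect | Format-List
}

# 2. Temp directories: list files whose embedded original name differs from
#    their on-disk name. A mismatch is a lead to investigate, not a verdict;
#    installers and localized resource files can legitimately differ.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

Get-ChildItem -Path $tempDirs -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-FileTriage -Path $_.FullName } |
    Where-Object { $_.Renamed } |
    Sort-Object Path |
    Format-List Path, OriginalFilename, SignatureStatus, Signer, SHA256
```

A `Valid` status with a Microsoft signer only establishes that the file is the genuine binary; it says nothing about which process placed or launched it, so the location and name columns matter as much as the signature.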
 

All times are GMT -4.