MRTStub: False trigger from WinTasks Pro?

Discussion in 'other security issues & news' started by TalWolfe, Nov 14, 2005.

Thread Status:
Not open for further replies.
  1. TalWolfe

    TalWolfe Registered Member

    Joined: Jul 11, 2005
    Posts: 14

    On the D: drive of a system, I found a folder named:
    5ec701f66482def943876fa2b83616
    It contains files:
    -- $shtdwn$.req
    -- mrt.exe._p
    -- mrtstub.exe

    Google search for MRTStub turns up mention of WinTasks Pro,
    and their site claims that it is malware. I'm not so sure...

    I loaded the files above in a hex editor. Turned up the text:
    -- "Microsoft Malicios Software Removal Tool Update Stub
    -- Internal Name MRTStub"

    I searched the registry for the folder name above. No hits.
    I did find mention of the file MRTStub in the registry:

    - HKLM->Software->Microsoft->Windows NT->CurrentVersion->
    ------ Tracing->Microsoft->MRTStub->MRTTrace
    ------ BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC TL_LOCKS
    ----------- TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
    ------ Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313
    - HKLM->Software->Microsoft->Windows NT->CurrentVersion->
    ------ Tracing->Microsoft->MRT->
    --------- AVTitanTrace:
    ----------- BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC
    --------------- TL_LOCKS TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
    ----------- Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313
    --------- MRTTrace:
    --------------- BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC TL_LOCKS
    ------------------- TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
    --------------- Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313

    ---------

    I don't see any running processes that seem to relate.

    Can anyone confirm what this is? I'm not sure if Microsoft's "Malicious
    Software Removal tool" has been run on this particular machine, but this
    looks like orphaned files from that.

    By the way, WinTasks Pro seems crash-prone. (Yes, AV software was
    unloaded)

    (Sorry for all the dashes above. I couldn't get preview to keep indents)
     
  2. TalWolfe

    TalWolfe Registered Member

    Joined: Jul 11, 2005
    Posts: 14

    Oops...The file text does not misspell "Malicious."
     
  3. FanJ

    FanJ Guest

  4. StevieO

    StevieO Guest

  5. Bubba

    Bubba Updates Team

    Joined: Apr 15, 2002
    Posts: 11,271

    IMHO that's exactly what you have. There were none of those files on my system a little bit ago when I first started looking @ this thread. During my searches I finally ended up at Microsoft® Windows® Malicious Software Removal Tool (KB890830) and said what the heck....I ain't done that tool this month so I ran the tool. Before selecting Finish I found I now have the created folder below and those three files. When I do select Finish it removes that folder and files.

    IMHO you simply have leftover orphaned folder\files from Microsoft's "Malicious Software Removal tool" that did not get removed on completion.
     

    Attached Files:

    • MSRT.gif
  6. bansheeeee

    bansheeeee Guest

    Well, looks like there's been a blunder...

    Searching mrt.exe and mrtstub.exe on Google will get you results of "Malware" and "Disable immediately" because apparently, these are the executables of some sort of malware.

    But, hello, Malicious Software Removal tool creates 2 temp files under C:\[temp-gibberish]\ along with some system file. I'm assuming the only way to find if you have genuine malware is if mrt.exe and mrtstub.exe exist when you're not running Malicious Software Removal Tool.

    Heh, a bit ironic, don't you think?
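
Added example, not part of the original thread: the identity strings found with the hex editor come from the file's version resource, which anyone can write into a binary, so checking the Authenticode signature in PowerShell is the stronger test of whether the files are Microsoft's. `$Folder` is a placeholder for the randomly named folder, and the signer match on `O=Microsoft Corporation` is an assumption about how the certificate subject is written.

```powershell
# Added example: report version strings, signature status and hash for every
# file in a suspicious folder. $Folder is a placeholder, not a real path.
param(
    [string]$Folder = 'D:\<folder-name>'
)

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    throw "Folder not found: $Folder"
}

Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
    $ver = $_.VersionInfo            # same strings a hex editor shows; forgeable

    # Subject of the signing certificate, if the file carries a signature
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Trust the file only when the signature validates AND the signer is the
    # expected publisher. The subject pattern below is an assumption.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    [pscustomobject]@{
        File         = $_.Name
        InternalName = $ver.InternalName
        Description  = $ver.FileDescription
        SigStatus    = $sig.Status       # Valid, NotSigned, HashMismatch, ...
        Signer       = $signer
        Trusted      = $trusted
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-List
```

A file whose `InternalName` reads `MRTStub` but whose `SigStatus` is not `Valid` deserves a closer look; files that are not signed executables will simply not report `Valid`.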
     