MRTStub: False trigger from WinTasks Pro?

On the D: drive of a system, I found a folder named:
5ec701f66482def943876fa2b83616
It contains files:
-- $shtdwn$.req
-- mrt.exe._p
-- mrtstub.exe

Google search for MRTStub turns up mention of WinTasks Pro,
and their site claims that it is malware. I'm not so sure...

I loaded the files above in a hex editor. Turned up the text:
-- "Microsoft Malicios Software Removal Tool Update Stub
-- Internal Name MRTStub"

I searched the registry for the folder name above. No hits.
I did find mention of the file MRTStub in the registry:

- HKLM->Software->Microsoft->Windows NT->CurrentVersion->
------ Tracing->Microsoft->MRTStub->MRTTrace
------ BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC TL_LOCKS
----------- TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
------ Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313
- HKLM->Software->Microsoft->Windows NT->CurrentVersion->
------ Tracing->Microsoft->MRT->
--------- AVTitanTrace:
----------- BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC
--------------- TL_LOCKS TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
----------- Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313
--------- MRTTrace:
--------------- BitNames: TL_ERROR TL_WARN TL_INFO TL_FUNC TL_LOCKS
------------------- TL_MEMORY TL_REFS TL_RULES TL_DO_ASSERT
--------------- Guid: 1f93370d-29ef-4f94-9a67-ea12a1b80313

---------

I don't see any running processes that seem to relate.

Can anyone confirm what this is? I'm not sure if Microsoft's "Malicious
Software Removal tool" has been run on this particular machine, but this
looks like orphaned files from that.

By the way, WinTasks Pro seems crash-prone. (Yes, AV software was
unloaded)

(Sorry for all the dashes above. I couldn't get preview to keep indents)

 

Oops...The file text does not misspell "Malicious."

 

Hi TalWolfe,

Have you scanned those files on some online scanners?
For example at Jotti and VirusTotal.
http://virusscan.jotti.org/
http://www.virustotal.com/xhtml/index_en.html

 

Hi TW,

That $shtdwn$.req looks very suspicious to me, too much like the dreaded SONY $sys$

Take a look at this thread and see what i mean.

https://www.wilderssecurity.com/showthread.php?t=107012


StevieO

 

IMHO that's exactly what you have. There were none of those files on my system a little bit ago when I first started looking @ this thread. During my searches I finally ended up at Microsoft® Windows® Malicious Software Removal Tool (KB890830) and said what the heck....I ain't done that tool this month so I ran the tool. Before selecting Finish I found I now have the created folder below and those three files. When I do select Finish it removes that folder and files.

IMHO you simply have left over orphaned folder\files from Microsoft's "Malicious Software Removal tool" that did not get removed on completion.

 

Well, looks like there's been a blunder...

Searching mrt.exe and mrtstub.exe on Google will get you results of "Malware" and "Disable immediately" because apparently, these are the executables of some sort of malware.

But, hello, Malicious Software Removal tool creates 2 temp files under C:\[temp-gibberish]\ along with some system file. I'm assuming the only way to find if you have genuine malware is if mrt.exe and mrtstub.exe exist when you're not running Malicious Software Removal Tool.

Heh, a bit ironic, don't you think?