Windows Malicious Software Removal Tool Annoyance

Discussion in 'other anti-malware software' started by xxJackxx, May 1, 2014.

Thread Status:
Not open for further replies.
  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I thought this thing only ran once a month as part of Windows update. After several months of irritation, I have discovered this to be the thing that runs in the background and throttles up my CPU fan on my laptop several times a day, using 100% of CPU in the process. It has run 4 times in the last hour according to its own log. I am searching google as we speak looking for a way to get rid of it or disable it. So far the recommendation is to delete the MRT.exe file, but it doesn't seem an elegant solution. Does anyone here know of a better way?
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,309
    Location:
    England
    Is it listed to start with Windows?

    Is it in system32?

    Where are you seeing the log?

    What operating system?
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Whoops, that info would have been useful...
    No, it is not in the startup list. I think it may be a scheduled task but I haven't found it yet.
    It is in System32
    The log is in Windows\debug
    This is Windows 8.1 x64 update 1. This has been ongoing since I upgraded to 8.1. I do not believe it happened in 8 or 7.
    It has run 2 more times since I posted. The log says it finished in each entry, so it is not resuming, it is just running repeatedly.
    I am not concerned that this is any kind of malware. Just bad programming. The exe file is digitally signed by Microsoft.
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,309
    Location:
    England
    Not sure if you use CCleaner, but if you do go to Tools-Startup and you will see a scheduled tasks tab at the top.
     
  5. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Not seeing it. There aren't many listed. Autoruns shows more, but still not what I am looking for.
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I did see the MRT.exe run in the task manager doing a scan every month this tool got an update that did install when I updated XP through WU. So if it runs as often as you say then I can understand that it's very annoying!
     
    Last edited: May 1, 2014
  7. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Try to see and delete it using PowerTool antirootkit
     
  8. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,309
    Location:
    England
    Perhaps it is caused by this folder not getting automatically deleted?

     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    I've checked my log files and can confirm that mrt was started twice today. It only runs for a second, so I could never notice it. I use Windows 8.1.1 x64 also. Will try to find out what triggers this.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    For now I have deleted the exe file just to rid myself of the problem. I couldn't find any references to it anywhere and nothing is complaining. I checked the log. The thing ran 363 times since April 7, 2014.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I saw that in my googling but there were no such files or folders on my machine.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    It is located in task scheduler under Windows\Removal Tools. Status is ready but it says it was never run :doubt:

    EDIT: it is run with switches /EHB /Q. I can't find any useful reference to what switch EHB stands for.
     
    Last edited: May 1, 2014
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    Ah, you are correct, thanks for finding that. Like you, I have found mention of the EHB switch but no explanation of what it means. Mine also claims to have never run from Task Scheduler but the log says something much different. I only found this was running because I set the ESET Firewall to interactive mode and it popped up asking for permissions to connect. According to the scheduled tasks it only runs if there is a network connection. I deleted the task, since I deleted the executable yesterday. I checked my desktop machine last night. It had run 163 times this month on there. Considering it is on about half as many hours a month as the laptop, it runs about the same number of times per hours of PC use. Good riddance. I doubt there is any situation where something gets past all of the rest of my setup and then this thing saves me.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    Where did you find the total number of runs? In mrt.log file? I checked it today and only found 4 runs that happened today. There were no logs from previous days. Every run was only for 1 second, so I don't know if anything was scanned at all. I will disable scheduled task and will see if that stops it from running.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,088
    When I disabled the task, the mrt.log file got deleted. Then I re-enabled the task and manually ran it. The task ran only for a second. It recreated the log file. Last run time stayed the same - Never. There is no trigger action defined so I don't know when the system decides to run it. For now, I just disabled it...
     
    Last edited: May 2, 2014
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,052
    Location:
    USA
    I got the total by opening the log with PSPad, searching for "Return code: 0 (0x0)" and doing a count from the search menu. That entry was present as many times as I listed. There may have been other codes but looking through it I did not see any so it seemed a reasonably valid thing to search for. My log has not been deleted. I also saw there was no trigger in the scheduled task, but it sure was doing something. If I would turn away from my laptop for a couple of minutes the fan would throttle up to full speed for several minutes. Since I have removed this it has stopped.
     
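Added example, not written by any poster in this thread: a PowerShell version of the two checks described above, tallying every return code in the MRT log (not only `0 (0x0)`) and listing any scheduled task whose action launches MRT.exe together with its switches and last-run data. The function name `Get-MrtReturnCodeTally` is hypothetical, the sample lines and the non-zero code in them are constructed, and the `ScheduledTasks` cmdlets are assumed to be available (Windows 8 and later).

```powershell
# Added example; not code from the thread.
# Tally all "Return code: N (0xN)" lines so non-zero results are not missed.
function Get-MrtReturnCodeTally {
    param([string[]]$Line)
    $Line |
        Select-String -Pattern 'Return code:\s*(-?\d+)\s*\((0x[0-9A-Fa-f]+)\)' |
        Group-Object { $_.Matches[0].Groups[2].Value.ToLower() } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'ReturnCode'; e = { $_.Name } }, Count
}

# Constructed sample lines standing in for the real log. Only the
# "Return code: 0 (0x0)" format comes from the thread; 0x6 is a made-up value.
$sample = @(
    'Return code: 0 (0x0)'
    'Return code: 0 (0x0)'
    'Return code: 6 (0x6)'
)
Get-MrtReturnCodeTally -Line $sample

# Against the log location given in the thread (Windows\debug):
# Get-MrtReturnCodeTally -Line (Get-Content "$env:windir\debug\mrt.log")

# Find scheduled tasks by what they execute rather than by name, so the
# task is found wherever it sits in the Task Scheduler tree.
$mrtTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match '(?i)mrt\.exe' }
}

$mrtTasks | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task         = $_.TaskPath + $_.TaskName
        State        = $_.State
        Arguments    = ($_.Actions.Arguments -join ' ')   # e.g. /EHB /Q
        TriggerCount = @($_.Triggers).Count               # 0 = no trigger defined
        LastRunTime  = $info.LastRunTime
    }
}

# Disabling the task is reversible (Enable-ScheduledTask) and leaves the
# signed binary in place. Requires an elevated prompt.
# $mrtTasks | Disable-ScheduledTask
```

Comparing `LastRunTime` with the timestamps in the log shows whether the runs were started through Task Scheduler or by some other launcher.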