How to prevent MRT.exe and mrtstub.exe from re-installing?

Guest

I am having difficulties with a virus (malware?) called mrt.exe or mrtstub.exe.
The process is defined at:
http://www.processlibrary.com/directory/files/mrtstub/. The symptom is that
it utilizes almost all the processing cycles. It installs the files
"mrt.exe", "mrtstub.exe" and "$shtdwn$.req" in a random-number directory that
it creates, such as "94edcd2b9002bfe3988e14886a". It also installs the file
"mrt.exe" in the C:/{windows}/system32 directory.

Neither the current version of McAfee nor Microsoft AntiSpyware will catch
this virus. On either log-off/log-on or shutdown/log-on, the virus will
turn off McAfee on restart. (I don't remember if it turned off AntiSpyware.)
Since it is turning off McAfee, I would consider it a virus and not just
Adware/Spyware/Malware.

I suspect that the virus is trying to create popups and I have a popup
blocker... so when it can't create the damn popup, I suspect that it goes
into an endless loop that uses almost all my processing cycles.

To temporarily remove this virus, you must shut down and enter "Safe" mode.
You must delete the random directory (described above) plus the mrt.exe file
in system32. If you only rename the files and do not delete the directory, it
will immediately reinstall. The virus will also recreate itself after a few hours.
The file "$shtdwn$.req" was last created on my computer at 3:01 AM, so this
would tell me that the process can start when I am not at the computer.

Previously, I found an entry in the registry for "mrtstub.exe" and deleted
the key. I DO NOT recommend this since it totally screwed up the user profile.

A confusion of the file name "mrt.exe" exists with a file that Microsoft
provides. In the case of Microsoft, the "mrt" stands for "malicious removal
tool".

So, my question is:
1) How to get this virus on the radar screen of both McAfee and AntiSpyware?
2) How to prevent it from reinstalling itself until they do?
 
I think this is probably already on their screens, judging from the 4 hits I
get on MRT.EXE in Symantec's site.

I think you've got a virus.

Other than trying the latest and greatest scanning engines and definitions
from major vendors--here's a new kid on the block, for example:

http://safety.live.com/site/en-US/default.htm


you might go with HijackThis analysis at one of these forums: download the
app, read some background material, create a log file, register and post the
log at the forum of your choice. This can be very effective with either
unknown or too-new-to-be-included-in-definitions type stuff. Basically,
they'll weed out the good stuff from your startup entries, and remove what's
left. Chances are that an experienced person in such a forum might also
recognize your bug and have a script for handling it, as well.

Appendix 2. Forums where you can get expert advice for Hijack This! logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order


http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Her...
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5
 
Check if they're not MS, as MRT.exe & MRTSTUB.exe are the exes used in the MS
virus check updates we receive.

Don Grover
 
Thanks for the reply. Yes, it is a virus that is started by MS AntiSpyware.
Somehow the real programs "MRT.EXE" and "MRTSTUB.EXE", which are "Malicious
Removal Tools", have been hijacked by a virus. MS AntiSpyware automatically
started it again this morning at 3AM, my scheduled time to run AntiSpyware.

Here are the reasons that I believe it to be a virus rather than software
"run amok" distributed by MS:
1) It is loading in a non-standard location that is not for system files.
(i.e. F:\94ea41ddd2d9d53374745d48df)
2) It is taking close to 100% of the processing cycles. It appears to be
significantly worse when Internet Explorer is running.
3) In MS AntiSpyware/Advanced Tools/System Explorers/Running Processes, the
processes are shown as MS-published software. When I try to stop the
processes, it appears they are stopped but then immediately recreated.

I do not know what the virus is doing with all the processing cycles that it
is consuming. The only malicious action that I have observed is that it will
halt McAfee on reboot.

My guess is that the only computers that can get this virus are the ones
that are running MS AntiSpyware... ironic.

My recommendation to MS for a temporary fix while awaiting a full analysis
and fix:
1) Put out a modification that would prevent your scheduler from
automatically starting MRT.exe and MRTSTUB.exe. If someone has a legit reason
to start these programs, then let them execute them manually.
2) Put out instructions to manually remove the virus. (To temporarily remove
this virus, you must shut down and enter "Safe" mode. You must delete the
random directory (described above) plus the mrt.exe file in system32. If you
only rename the files and do not delete the directory, it will immediately
reinstall.)

I suspect that the virus could also be stopped by removing MS AntiVirus, but
I really would like to work with them to stop this menace... so I will give
them a few days.
 
Ron - I don't believe there's any direct connection between the virus you
are seeing and Microsoft Antispyware as a general rule.

Here's another route to getting this fixed.

If you are in the U.S. or Canada, call 1-866-pcsafety.

This is a free service from Microsoft Product Support Services for issues
with viruses, or problems relating to security patches.

They cannot provide support for Microsoft Antispyware--but your issue is
with virus removal, and they can help with that.

If you are elsewhere in the world, call your local Microsoft subsidiary, or
the number for paid support in your locale. Equivalent help is available
worldwide, although the phone call may not be free.

--
 
This is intentional on the part of the virus writer. There's still a small
chance, perhaps, that what Ron is seeing is the genuine Microsoft code doing
some cleaning operation, I suppose, but I think that chance is very
small....

--
 
Ron - I've just learned that Microsoft has identified an issue with the real
MRT.EXE which can result in excessive CPU usage.

The revised version has been posted:

http://www.microsoft.com/downloads/...e0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

and a discussion of the issue is available here:

http://groups.google.com/group/micr...t&q=mrt.exe+cpu&rnum=1&hl=en#e87b349e4c8d4bf2

So: One possible explanation for the issue you are seeing is a problem with
the genuine Microsoft MRT.EXE tool.

The fix for this is to run the revised downloadable version at the first URL
I've posted, above.


--
 
Hmm - looks like there may, in fact, have been a bug in the genuine
MRT.EXE--see my response to Ron.

--
 
I have this weird thing also; I suddenly saw that dir (the numbered one) on my external hard drive where I only keep audio. But the files seemed to be Microsoft.
The mrt.exe is also the Microsoft Windows Malicious Software Removal Tool, and on 15/04 I installed the Windows program for removing malicious software (KB890830) via Windows Update.

In C:\Windows\Debug I have the file mrt.txt which says:


Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Wed Apr 15 02:23:36 2009
Security policy adjusted. Engine requests reboot and try again, ignoring.->Scan ERROR: resource process://pid:1332 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 02:24:45 2009

The time is the same as when that numbered directory was created on my external hard drive, where I would never place anything other than audio myself.
Now I have no idea what it is, and I deleted that one map; I hope that was not wrong to do :p. I don't know much about viruses; normally if I have one I reinstall the laptop completely.
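Both the advice to "check if they're not MS" and the mrt.txt log above come down to the same defender's check: is the mrt.exe on disk actually Microsoft-signed, and does the random hex-named directory's creation time line up with the tool's own log? The following PowerShell is an added example, not code from the thread or from Microsoft; the drive roots and the log path (the poster saw mrt.txt, newer systems write mrt.log) are assumptions passed as parameters.

```powershell
# Added example: verify Authenticode signatures of mrt.exe / mrtstub.exe copies
# and locate the random hex-named extraction directories described in the thread.
# Assumptions: $Roots lists the drives to inspect; $MrtLog is the tool's log path.
param(
    [string[]]$Roots = @('C:\', 'D:\', 'F:\'),
    [string]$MrtLog = 'C:\Windows\Debug\mrt.log'   # thread's poster found mrt.txt here
)

# File names the thread reports inside the random directory.
$targets = @('mrt.exe', 'mrtstub.exe', '$shtdwn$.req')

function Test-MrtSignature {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status                 # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
        IsMicrosoft = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*Microsoft*')
    }
}

# 1. The copy the Malicious Software Removal Tool leaves in System32.
$sys32 = Join-Path $env:SystemRoot 'System32\MRT.exe'
if (Test-Path $sys32) { Test-MrtSignature $sys32 | Format-List }

# 2. Hex-named directories (e.g. 94edcd2b9002bfe3988e14886a) at each drive root.
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-f]{20,}$' } |
        ForEach-Object {
            $dir = $_.FullName; $created = $_.CreationTime
            $found = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
                Where-Object { $targets -contains $_.Name.ToLower() }
            if ($found) {
                "Extraction directory: $dir (created $created)"
                $found | Where-Object { $_.Extension -eq '.exe' } |
                    ForEach-Object { Test-MrtSignature $_.FullName } | Format-Table -AutoSize
            }
        }
}

# 3. Correlate with the tool's log: "Started On" should match the directory's creation time.
if (Test-Path $MrtLog) {
    Select-String -Path $MrtLog -Pattern 'Started On|Finished On|ERROR' | Select-Object -Last 6
}
```

A hex-named directory whose executables report `Status = NotSigned` or `HashMismatch`, or whose creation time has no matching "Started On" entry in the log, is the case worth escalating; a `Valid` Microsoft signature plus a matching log entry is the genuine tool the later replies describe.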
 
Mine was a virus. I was trying to root the files out and I saw a config file in my system32. I clicked on it and it had my Mass Effect 2 logo on it; I was curious, so I clicked on it, and when I did my computer literally screamed at me and then said my IP was sent to a different user. And it started popping up all this virus info, so I just hard shut it down.
 
I had this exact same file/s on my hard drive and tried various methods to remove/delete it. I managed to rename the file as 'stupid file', removed the hard drive and rebooted my PC with a 'Ubuntu' bootable USB drive. With this I found the 'stupid file' and it deleted it. Put the hard drive back in and deleted the .999trash file left over from 'Ubuntu'.
Problem solved! :thumb:
 