Help! Some of my MRT files are not digitally signed
Okay, let me give you the rundown. Last night I was on the computer at 3AM.
No, I was not looking at ****! I was on some very legitimate sites.
Anyway, all of a sudden I notice that the hard drive light is steadily on and
my computer has really slowed down. I look at Task Manager and see that
there are two processes taking up a lot of the CPU, "MRT.exe" and
"mrtstub.exe." "Uh oh, never seen these two before," I think to myself. I
do a quick Google search for MRT, discover that it's short for Malicious
Software Removal Tool and find that it can be legitimate so I don't shut down
the process. Only after it's finished do I Google mrtstub. "Uh oh, I don't
like what I'm reading on Google," I say. But then I come to the Microsoft
site and find that mrtstub can in fact be a legitimate file. So I stop
worrying. But then I do some more researching today and find on the
Microsoft site that if mrtstub isn't signed by Microsoft it's not legitimate.
You can read that here: http://support.microsoft.com/kb/890830
It's the last question under FAQ, "Q21: I found the Mrtstub.exe file in a
randomly named directory on my computer. Is the Mrtstub.exe file a legitimate
component of the tool?
A21: The tool does use a file that is named Mrtstub.exe for certain
operations. If you verify that the file is signed by Microsoft, the file is a
legitimate component of the tool."
So I find mrtstub.exe on my computer. It's called MRTSTUB.EXE-2B0B9591.
It's located under C:\WINDOWS\Prefetch and it's a PF file. I right-clicked
on it and went to Properties and it's NOT signed by Microsoft. I also find
MRT.EXE-1B4A8D49. It too is located under C:\WINDOWS\Prefetch and is a PF
file. It is NOT signed by Microsoft either. I did however find another MRT
on my computer. It's approximately 16MB. It's located at
C:\WINDOWS\SYSTEM32 and is listed as an Application. I right-clicked it and
it IS signed by Microsoft so no worries there. I think I can safely assume
it's the legitimate MRT application.
But I am obviously worried about the two PF files listed above. I suspect
they are malware, virus, etc. What do you think and what do you suggest I do?
Re: Help! Some of my MRT files are not digitally signed
What happened after the MRT finished running? Any prompts or error
messages?
Re: Help! Some of my MRT files are not digitally signed
Go to Control Panel and double click the Automatic Updates icon.
Based on the time that the Malicious Software Removal Tool ran, I'm guessing you
have the Automatic option selected where files are downloaded automatically and
will be installed every day @ 3 AM. That is why mrt.exe ran at that time.
As for the two files in the Prefetch folder, they were created when the
Malicious Software Removal Tool ran. The Prefetch folder is like an index
created by Windows so that it can launch programs faster the next time they run.
This folder is constantly changing. Odds are those two files would have been
deleted by Windows some time soon.
Bottom line is that you can sleep tonight. None of the files you found are
malware.
Re: Help! Some of my MRT files are not digitally signed
Okay Nepatsfan, I checked Automatic Updates and indeed 3AM is selected as the
time to download them. I'm still wondering why the PF files aren't signed by
Microsoft when Microsoft expressly says on their website that the file will
be signed if it's legitimate.
Re: Help! Some of my MRT files are not digitally signed
Sheila wrote:
> "PA Bear [MS MVP]" wrote:
>> What happened after the MRT finished running? Any prompts or error
>> messages?
>
> I got no prompts or error messages when it stopped running.
Then everything's fine so don't worry about anything else.
Re: Help! Some of my MRT files are not digitally signed
The Microsoft article warns about finding a copy of mrtstub.exe in a randomly
named folder. First off, the file you found is a .pf file, not an executable.
Second, it's not in a randomly named folder. It's in the Prefetch folder, which
is a legitimate Windows folder. While this is no iron-clad guarantee, it's
pretty good evidence that the files you're concerned about aren't malware.
I don't know what else to tell you other than to delete the two .pf files you're
concerned about and wait until next month. On the second Tuesday of June, a new
version of the Malicious Software Removal Tool will be offered through Windows
Update. Be at your computer before 3AM the next few mornings. On one of those
days, the tool will run. After it's completed check your Prefetch folder. Odds
are you'll find a file named MRTSTUB.EXE-XXXXXXXX.pf in the folder. The portion
of the file name represented by the Xs should be different than the one you
found in May. Check the Modified time and date of the file. It should be around
the time the tool ran.
Nepatsfan
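Added example, not part of the thread: a small triage routine showing why the signature test from the KB article applies to MRT.exe but not to the Prefetch entries. It classifies a file by its leading bytes and, for an uncompressed .pf file, checks that the name on disk agrees with the executable name and path hash stored in its header. The header offsets follow public Prefetch format documentation; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Uncompressed .pf header: 0x00 version, 0x04 "SCCA", 0x0C file size,
# 0x10 executable name (UTF-16LE, 60 bytes), 0x4C path hash.
PF_HEADER = struct.Struct("<I4sII60sI")
PF_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
               26: "Windows 8.x", 30: "Windows 10+"}

def build_sample_pf(exe_name, path_hash, version=17):
    """Constructed sample: only the 80 header bytes parsed below, no trace data."""
    return PF_HEADER.pack(version, b"SCCA", 0, PF_HEADER.size,
                          exe_name.encode("utf-16-le"), path_hash)

def triage(data, filename):
    """Classify a file by content and say whether a signature check applies."""
    if data[:2] == b"MZ":
        # Executable image: the KB article's "signed by Microsoft" test is for these.
        return {"kind": "pe", "signable": True}
    if data[:3] == b"MAM":
        # Windows 10+ stores Prefetch files compressed; still data, not a program.
        return {"kind": "prefetch-compressed", "signable": False}
    if len(data) >= PF_HEADER.size and data[4:8] == b"SCCA":
        version, _, _, _, raw_name, path_hash = PF_HEADER.unpack_from(data)
        exe = raw_name.decode("utf-16-le", "replace").split("\x00")[0]
        # On disk the entry is named <EXE>-<8 hex digits of the path hash>.pf
        stem = filename[:-3] if filename.lower().endswith(".pf") else filename
        name_exe, _, name_hash = stem.rpartition("-")
        try:
            same_hash = int(name_hash, 16) == path_hash
        except ValueError:
            same_hash = False
        return {"kind": "prefetch", "signable": False, "exe": exe,
                "format": PF_VERSIONS.get(version, "unknown"),
                "name_matches": name_exe.upper() == exe.upper() and same_hash}
    return {"kind": "unknown", "signable": None}

if __name__ == "__main__":
    pf = build_sample_pf("MRTSTUB.EXE", 0x2B0B9591)  # constructed header bytes
    print(triage(pf, "MRTSTUB.EXE-2B0B9591.pf"))
    print(triage(b"MZ" + bytes(78), "MRT.exe"))       # constructed PE stub
```

A Prefetch entry whose header and file name disagree, or a file in the Prefetch folder that starts with `MZ`, is the case worth a closer look; a well-formed .pf file has no signature to check.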