PC Review



How to prevent MRT.exe and mrtstub.exe from re-installing?

 
 
Ron Mauldin
13th Nov 2005
I am having difficulties with a virus (malware?) called mrt.exe or mrtstub.exe.
The process is defined at:
http://www.processlibrary.com/directory/files/mrtstub/. The symptom is that
it utilizes almost all the processing cycles. It installs the files
"mrt.exe", "mrtstub.exe" and "$shtdwn$.req" in a random number directory that
it creates such as "94edcd2b9002bfe3988e14886a". It also installs the file
"mrt.exe" in the C:/{windows}/system32 directory.

Neither the current version of McAfee nor Microsoft AntiSpyware will catch
this virus. When either log-off/log-on or shutdown/log-on, the virus will
turn off McAfee on restart. (I don't remember if it turned off AntiSpyware.)
Since it is turning off McAfee, I would consider it a virus and not just
Adware/Spyware/Malware.

I suspect that the virus is trying to create popups and I have a popup
blocker... so when it can't create the damn popup, I suspect that it goes
into an endless loop that uses almost all my processing cycles.

To temporarily remove this virus, you must shut down and enter "Safe" mode.
You must delete the random directory (described above) plus the mrt.exe file
in system32. If you only rename the files and do not delete the directory, it
will immediately reinstall. The virus will also recreate after a few hours.
The file "$shtdwn$.req" was last created on my computer at 3:01 AM, so this
would tell me that the process can start when I am not at the computer.

Previously, I found an entry in the registry for "mrtstub.exe" and deleted
the key. I DO NOT recommend this since it totally screwed up the user profile.

A confusion of the file name "mrt.exe" exists with a file that Microsoft
provides. In the case of Microsoft, the "mrt" stands for "malicious removal
tool".

So, my question is:
1) How to get this virus on the radar screen of both McAfee and AntiSpyware?
2) How to prevent it from reinstalling itself until they do?
 
 
 
 
 
Engel
13th Nov 2005
Hello Ron:

Try these URLs provided by Dave M.

http://wiki.castlecops.com/Malware_R...:_Introduction

http://wiki.castlecops.com/Malware_R...tion:_Overview
--
Good luck

Engel
 
 
 
 
 
Bill Sanderson
13th Nov 2005
I think this is probably already on their screens, judging from the 4 hits I
get on MRT.EXE in Symantec's site.

I think you've got a virus.

Other than trying the latest and greatest scanning engines and definitions
from major vendors--here's a new kid on the block, for example:

http://safety.live.com/site/en-US/default.htm


you might go with HijackThis analysis at one of these forums---download the
app, read some background material, create a log file, register and post the
log at the forum of your choice. This can be very effective with either
unknown or too new to be included in definitions, type stuff. Basically,
they'll weed out the good stuff from your startup entries, and remove what's
left. Chances are that an experienced person in such a forum might also
recognize your bug and have a script for handling it, as well.

Appendix 2. Forums where you can get expert advice for Hijack This! logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order


http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/...splay.php?f=25
http://www.geekstogo.com/forum/Malwa...is_Logs_Go_Her...
http://gladiator-antivirus.com/forum...?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/i...hp?showforum=5


 
Don Grover
14th Nov 2005
Check if they're not MS, as MRT.exe & MRTSTUB.exe are the exes used in the MS
virus check updates we receive.

Don Grover

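One way to make the check raised in this thread, whether the mrt.exe and mrtstub.exe copies on disk are genuine Microsoft binaries, is to read their Authenticode signatures. The PowerShell below is an added example, not part of any post; the hex-folder pattern and the function names Get-MrtCandidate and Test-MrtFile are assumptions made for illustration, and the script only reads files.

```powershell
# Added example: read-only triage of the mrt.exe / mrtstub.exe copies described
# in this thread. Requires Windows PowerShell 4.0 or later (Get-FileHash).

# Assumption: the "random number directory" is a hex-named folder at the root of
# a fixed drive, like the two 26-character names quoted in the thread.
$HexDirPattern = '^[0-9a-f]{20,32}$'
$TargetNames   = 'mrt.exe', 'mrtstub.exe'

function Get-MrtCandidate {
    # The copy the thread reports in the Windows system directory.
    $sys = Join-Path $env:SystemRoot 'System32\mrt.exe'
    if (Test-Path -LiteralPath $sys) { Get-Item -LiteralPath $sys -Force }

    # Matching files inside hex-named folders at the root of every fixed drive.
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.RootDirectory.FullName -Directory -Force `
                -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Name -match $HexDirPattern } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -File -Force `
                -ErrorAction SilentlyContinue
        } |
        Where-Object { $TargetNames -contains $_.Name }
}

function Test-MrtFile {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig     = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 'Valid' means the file hash matches the signature and the certificate
    # chain is trusted. The subject match is a heuristic on the signer's
    # organisation field, not a pinned certificate check.
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path              = $File.FullName
        SignatureStatus   = $sig.Status
        Signer            = $subject
        SignedByMicrosoft = $signedByMicrosoft
        OriginalFilename  = $File.VersionInfo.OriginalFilename
        FileVersion       = $File.VersionInfo.FileVersion
        Created           = $File.CreationTime
        SHA256            = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    }
}

# One record per copy found; nothing is deleted, renamed or stopped.
Get-MrtCandidate | ForEach-Object { Test-MrtFile -File $_ } | Format-List
```

A copy that reports SignedByMicrosoft as False, or a SignatureStatus of NotSigned or HashMismatch, is the one worth submitting to an antivirus vendor together with its SHA256.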
 
Ron Mauldin
14th Nov 2005
Thanks for the reply. Yes, it is a virus that is started by MS AntiSpyware.
Somehow the real programs "MRT.EXE" and "MRTSTUB.EXE", which are "Malicious
Removal Tools", have been hijacked by a virus. MS AntiSpyware automatically
started it again this morning at 3AM, my scheduled time to run AntiSpyware.

Here are the reasons that I believe it to be a Virus rather than software
"run amok" distributed by MS:
1) It is loading in a non-standard location that is not for system files.
(i.e. F:\94ea41ddd2d9d53374745d48df)
2) It is taking close to 100% of the processing cycles. It appears to be
significantly worse when Internet Explorer is running.
3) In MS AntiSpyware/Advanced Tools/System Explorers/Running Processes, the
processes are shown as MS Published software. When I try to stop the
processes, it appears they are stopped but then immediately recreated.

I do not know what the virus is doing with all the processing cycles that it
is consuming. The only malicious action that I have observed is that it will
halt McAfee on reboot.

My guess is that the only computers that can get this virus are the ones
that are running MS AntiSpyware... ironic.

My recommendation to MS for a temporary fix while awaiting a full analysis
and fix:
1) Put out a modification that would prevent your scheduler from
automatically starting MRT.exe and MRTSTUB.exe. If someone has a legit reason
to start these programs, then let them execute them manually.
2) Put out instructions to manually remove the virus. (To temporarily remove
this virus, you must shut down and enter "Safe" mode. You must delete the
random directory (described above) plus the mrt.exe file in system32. If you
only rename the files and do not delete the directory, it will immediately
reinstall.)

I suspect that the virus could also be stopped by removing MS AntiVirus, but
I really would like to work with them to stop this menace... so I will give
them a few days.

 
Bill Sanderson
14th Nov 2005
Ron - I don't believe there's any direct connection between the virus you
are seeing and Microsoft Antispyware as a general rule.

Here's another route to getting this fixed.

If you are in the U.S. or Canada, call 1-866-pcsafety.

This is a free service from Microsoft Product Support Services for issues
with viruses, or problems relating to security patches.

They cannot provide support for Microsoft Antispyware--but your issue is
with virus removal, and they can help with that.

If you are elsewhere in the world, call your local Microsoft subsidiary, or
the number for paid support in your locale. Equivalent help is available
worldwide, although the phone call may not be free.

 
Bill Sanderson
14th Nov 2005
This is intentional on the part of the virus writer. There's still a small
chance, perhaps, that what Ron is seeing is the genuine Microsoft code doing
some cleaning operation, I suppose, but I think that chance is very
small....

--

"Don Grover" wrote in message:
> Check if they're not MS, as MRT.exe & MRTSTUB.exe are the exes used in the
> MS virus check updates we receive.
>
> Don Grover
 
Bill Sanderson
15th Nov 2005
Ron - I've just learned that Microsoft has identified an issue with the real
MRT.EXE which can result in excessive CPU usage.

The revised version has been posted:

http://www.microsoft.com/downloads/d...displaylang=en

and a discussion of the issue is available here:

http://groups.google.com/group/micro...7b349e4c8d4bf2

So: One possible explanation for the issue you are seeing is a problem with
the genuine Microsoft MRT.EXE tool.

The fix for this is to run the revised downloadable version at the first URL
I've posted, above.


 
Bill Sanderson
15th Nov 2005
Hmm - looks like there may, in fact, have been a bug in the genuine
MRT.EXE--see my response to Ron.

--

"Don Grover" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Check if they're not MS as MRT.exe & MRTSTUB.exe are the exe's used in the
> MS virus check updates we receive.
>
> Don Grover
>
> "Ron Mauldin" <(E-Mail Removed)> wrote in message
> news:E3C6E80D-FEAC-467D-96B9-(E-Mail Removed)...
>> I am having difficulties with virus (malware?) called mrt.exe or mrtstub.exe.
>> The process is defined at:
>> http://www.processlibrary.com/directory/files/mrtstub/. The symptom is that
>> it utilizes almost all the processing cycles. It installs the files
>> "mrt.exe", "mrtstub.exe" and "$shtdwn$.req" in a random number directory that
>> it creates such as "94edcd2b9002bfe3988e14886a". It also installs the file
>> "mrt.exe" in the C:/{windows}/system32 directory.
>>
>> Neither the current version of McAfee or Microsoft AntiSpyware will catch
>> this virus. When either log-off/log-on or shutdown/log-on, the virus will
>> turn off McAfee on restart. (I don't remember if it turned off AntiSpyware.)
>> Since it is turning off McAfee, I would consider it a virus and not just
>> Adware/Spyware/Malware.
>>
>> I suspect that the virus is trying to create popups and I have a popup
>> blocker... so when it can't create the damn popup, I suspect that it goes
>> into an endless loop that uses almost all my processing cycles.
>>
>> To temporarily remove this virus, you must shut down and enter "Safe" mode.
>> You must delete the random directory (described above) plus the mrt.exe file
>> in system32. If you only rename the files and do not delete the directory, it
>> will immediately reinstall. The virus will also recreate after a few hours.
>> The file "$shtdwn$.req" was last created on my computer at 3:01 AM, so this
>> would tell me that the process can start when I am not at the computer.
>>
>> Previously, I found an entry in the registry for "mrtstub.exe" and deleted
>> the key. I DO NOT recommend this since it totally screwed up the user profile.
>>
>> A confusion of the file name "mrt.exe" exists with a file that Microsoft
>> provides. In the case of Microsoft, the "mrt" stands for "malicious removal
>> tool".
>>
>> So, my question is:
>> 1) How to get this virus on the radar screen of both McAfee and AntiSpyware?
>> 2) How to prevent it from reinstalling itself until they do?

 
New Member
Join Date: Apr 2009
Posts: 1
 
      24th Apr 2009
I have this weird thing too: I suddenly saw that dir (the numbered one) on my external hard drive, which I only keep audio on. But the files seemed to be from Microsoft.
The mrt.exe is also the Microsoft Windows Malicious Software Removal Tool, and on 15/04 I installed the Windows program for removing malicious software (KB890830) via Windows Update.

In C:\Windows\Debug I have a file mrt.txt which says:


Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Wed Apr 15 02:23:36 2009
Security policy adjusted. Engine requests reboot and try again, ignoring.->Scan ERROR: resource process://pid:1332 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 02:24:45 2009

The time is the same as when that numbered directory was created on my external hard drive, where I would never place anything other than audio myself.
Now I have no idea what it is, and I deleted that one folder. I hope that was not wrong to do. I don't know much about viruses; normally if I have one I reinstall the laptop completely.
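
The check made in the post above, matching the numbered directory's creation time against a Malicious Software Removal Tool run recorded in the log, written out as an added example that is not part of the original thread. The function names `parse_runs` and `run_covering` are hypothetical, and the log layout is assumed from the single log quoted in the post.

```python
import re
from datetime import datetime, timedelta

# Log text as quoted in the post above.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Wed Apr 15 02:23:36 2009
Security policy adjusted. Engine requests reboot and try again, ignoring.->Scan ERROR: resource process://pid:1332 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 02:24:45 2009
"""

TS = "%a %b %d %H:%M:%S %Y"  # e.g. "Wed Apr 15 02:23:36 2009"
HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v(\S+), ")
SCAN_ERR = re.compile(r"Scan ERROR: resource (\S+) \(code (0x[0-9A-Fa-f]+)")

def parse_runs(text):
    """Return one dict per tool run found in the log text."""
    runs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:  # the version banner opens a new run
            cur = {"version": m.group(1), "started": None, "finished": None,
                   "return_code": None, "clean": False, "errors": []}
            runs.append(cur)
        elif cur is None:
            continue  # ignore anything before the first banner
        elif line.startswith("Started On "):
            cur["started"] = datetime.strptime(line[len("Started On "):], TS)
        elif "Finished On " in line:
            cur["finished"] = datetime.strptime(line.split("Finished On ", 1)[1], TS)
        elif line.startswith("Return code: "):
            cur["return_code"] = int(line.split(": ", 1)[1])
        elif line == "No infection found.":
            cur["clean"] = True
        else:  # collect (resource, code) pairs from any scan errors
            cur["errors"] += SCAN_ERR.findall(line)
    return runs

def run_covering(runs, created, slack=timedelta(seconds=60)):
    """Return the run whose start..finish window (plus slack) contains `created`."""
    timed = (r for r in runs if r["started"] and r["finished"])
    return next((r for r in timed
                 if r["started"] - slack <= created <= r["finished"] + slack), None)
```

Pass the directory's creation time as a `datetime` to `run_covering`; a returned run means the directory appeared while the tool was scanning, and `None` means no logged run accounts for it.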
 