Help! Some of my MRT files are not digitally signed

Sheila - 16 May 2008 22:53 GMT
Okay, let me give you the rundown.  Last night I was on the computer at 3AM.
No, I was not looking at porn!  I was on some very legitimate sites.  
Anyway, all of a sudden I notice that the hard drive light is steadily on and
my computer has really slowed down.  I look at Task Manager and see that
there are two processes taking up a lot of the CPU, "MRT.exe" and
"mrtstub.exe."  "Uh oh, never seen these two before," I think to myself.  I
do a quick Google search for MRT, discover that it's short for Malicious
Software Removal Tool and find that it can be legitimate so I don't shut down
the process.  Only after it's finished do I Google mrtstub.  "Uh oh, I don't
like what I'm reading on Google," I say.  But then I come to the Microsoft
site and find that mrtstub can in fact be a legitimate file.  So I stop
worrying.  But then I do some more researching today and find on the
Microsoft site that if mrtstub isn't signed by Microsoft it's not legitimate.
You can read that here:  http://support.microsoft.com/kb/890830  

It's the last question under FAQ, "Q21: I found the Mrtstub.exe file in a
randomly named directory on my computer. Is the Mrtstub.exe file a legitimate
component of the tool?
A21: The tool does use a file that is named Mrtstub.exe for certain
operations. If you verify that the file is signed by Microsoft, the file is a
legitimate component of the tool."

So I find mrtstub.exe on my computer.  It's called MRTSTUB.EXE-2B0B9591.  
It's located under C:\WINDOWS\Prefetch and it's a PF file.  I right-clicked
on it and went to Properties and it's NOT signed by Microsoft.  I also find
MRT.EXE-1B4A8D49.  It too is located under C:\WINDOWS\Prefetch and is a PF
file.  It is NOT signed by Microsoft either.  I did however find another MRT
on my computer.  It's approximately 16MB.  It's located at
C:\WINDOWS\SYSTEM32 and is listed as an Application.  I right-clicked it and
it IS signed by Microsoft so no worries there.  I think I can safely assume
it's the legitimate MRT application.

But I am obviously worried about the two PF files listed above.  I suspect
they are malware, virus, etc.  What do you think and what do you suggest I do?
PA Bear [MS MVP] - 16 May 2008 23:05 GMT
What happened after the MRT finished running?  Any prompts or error
messages?

> Okay, let me give you the rundown.  Last night I was on the computer at
> 3AM. No, I was not looking at porn!  I was on some very legitimate sites.
[quoted text clipped - 42 lines]
> they are malware, virus, etc.  What do you think and what do you suggest I
> do?
Sheila - 17 May 2008 07:10 GMT
> What happened after the MRT finished running?  Any prompts or error
> messages?

I got no prompts or error messages when it stopped running.
PA Bear [MS MVP] - 17 May 2008 07:27 GMT
>> What happened after the MRT finished running?  Any prompts or error
>> messages?
>
> I got no prompts or error messages when it stopped running.

Then everything's fine so don't worry about anything else.
Nepatsfan - 16 May 2008 23:45 GMT
> Okay, let me give you the rundown.  Last night I was on the computer at 3AM.
> No, I was not looking at porn!  I was on some very legitimate sites.
[quoted text clipped - 30 lines]
> But I am obviously worried about the two PF files listed above.  I suspect
> they are malware, virus, etc.  What do you think and what do you suggest I do?

Go to Control Panel and double click the Automatic Updates icon.

Based on the time that the Malicious Software Removal Tool ran, I'm guessing you
have the Automatic option selected where files are downloaded automatically and
will be installed every day @ 3 AM. That is why mrt.exe ran at that time.

As for the two files in the Prefetch folder, they were created when the
Malicious Software Removal Tool ran. The Prefetch folder is like an index
created by Windows so that it can launch programs faster the next time they run.
This folder is constantly changing. Odds are those two files would have been
deleted by Windows some time soon.

Bottom line is that you can sleep tonight. None of the files you found are
malware.

Good luck

Nepatsfan
Sheila - 17 May 2008 07:16 GMT
Okay Nepatsfan, I checked Automatic Updates and indeed 3AM is selected as the
time to download them.  I'm still wondering why the PF files aren't signed by
Microsoft when Microsoft expressly says on their website that the file will
be signed if it's legitimate.

> Go to Control Panel and double click the Automatic Updates icon.
>
[quoted text clipped - 14 lines]
>
> Nepatsfan
Nepatsfan - 17 May 2008 14:40 GMT
The Microsoft article warns about finding a copy of mrtstub.exe in a randomly
named folder. First off, the file you found is a .pf file, not an executable.
Second, it's not in a randomly named folder. It's in the Prefetch folder, which
is a legitimate Windows folder. While this is no iron-clad guarantee, it's
pretty good evidence that the files you're concerned about aren't malware.

I don't know what else to tell you other than to delete the two .pf files you're
concerned about and wait until next month. On the second Tuesday of June, a new
version of the Malicious Software Removal Tool will be offered through Windows
Update. Be at your computer before 3AM the next few mornings. On one of those
days, the tool will run. After it's completed check your Prefetch folder. Odds
are you'll find a file named MRTSTUB.EXE-XXXXXXXX.pf in the folder. The portion
of the file name represented by the Xs should be different than the one you
found in May. Check the Modified time and date of the file. It should be around
the time the tool ran.

Nepatsfan

> Okay Nepatsfan, I checked Automatic Updates and indeed 3AM is selected as the
> time to download them.  I'm still wondering why the PF files aren't signed by
[quoted text clipped - 22 lines]
>>
>> Nepatsfan
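
Added example, not part of the thread: the distinction drawn in the last reply (a .pf file is a prefetch trace, not an executable, so there is nothing for Microsoft to sign) can be checked from the file's leading bytes. The header offsets used here (version at 0x00, "SCCA" at 0x04, executable name at 0x10, hash at 0x4C) are the commonly documented Windows XP prefetch layout and are an assumption not stated in the thread; `inspect` and `build_sample_pf` are hypothetical names, and the sample bytes are constructed.

```python
import re
import struct

# Names look like MRTSTUB.EXE-2B0B9591.pf (Explorer may hide the ".pf").
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})(\.pf)?$", re.I)


def inspect(file_name: str, data: bytes) -> dict:
    """Classify a file by its leading bytes rather than by its name."""
    if data[:2] == b"MZ":
        # PE image: the kind of file the KB article's signature check applies to.
        return {"kind": "pe", "can_be_signed": True}
    if len(data) >= 0x50 and data[4:8] == b"SCCA":
        # Prefetch trace: data written by Windows, with no signature in it.
        version, = struct.unpack_from("<I", data, 0)   # 17 on Windows XP
        raw = data[0x10:0x10 + 60].decode("utf-16-le", "replace")
        exe = raw.split("\x00", 1)[0]
        pf_hash, = struct.unpack_from("<I", data, 0x4C)
        m = PF_NAME.match(file_name)
        # The hash in the file name should repeat the one in the header.
        consistent = (bool(m) and m["exe"].upper() == exe.upper()
                      and int(m["hash"], 16) == pf_hash)
        return {"kind": "prefetch", "can_be_signed": False,
                "version": version, "exe": exe,
                "hash": f"{pf_hash:08X}", "name_matches_header": consistent}
    return {"kind": "unknown", "can_be_signed": None}


def build_sample_pf(exe: str, pf_hash: int) -> bytes:
    """Constructed XP-style (version 17) header for the demo, not a real file."""
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, 0, 17, b"SCCA")
    struct.pack_into("<I", hdr, 0x0C, len(hdr))        # total file size
    name = exe.encode("utf-16-le")
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x4C, pf_hash)
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample_pf("MRTSTUB.EXE", 0x2B0B9591)
    print(inspect("MRTSTUB.EXE-2B0B9591", sample))
    # A file in Prefetch that starts with "MZ" would be an executable and
    # would warrant the signature check the KB article describes.
    print(inspect("MRTSTUB.EXE-2B0B9591.pf", b"MZ" + bytes(62)))
```

To run it against a real file, read the bytes with `open(path, "rb").read()` and pass them with the file's name.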