What is: Mrtstub

If you are a Windows user, you might see mrt.exe_p and mrtstub.exe on one of your drives. These files will be in a folder with an alphanumeric name like 890fhg08erut (or a variation of it). You might notice that the files and the folder appear and disappear on their own, and that you cannot delete them. In some cases you can delete them, but they come back on their own. You might also find these files on an external hard drive. In that case, you might see that all of your original files have been placed into a new folder along with these two files, although this does not happen to everyone with an external hard drive.

The mrt.exe and mrtstub files are Windows' own files. They belong to the Malicious Software Removal Tool. Since they are part of Microsoft Windows, it is common to find them on the C drive (or whichever drive Windows is installed on). Their usual location is C:\Windows\System32. If you see these files on some other drive, it might be a red flag. The files appear and disappear because the Windows Malicious Software Removal Tool runs on every Windows update and automatically deletes the files it creates during its scan. So, if you see the files and then they disappear, that usually means the tool was running and removed them once it finished. This also explains why the files reappear after you delete them. However, a virus or malware can also imitate the original tool, and the methods below show how to check for that. Lastly, if you cannot delete the files, it might simply be because the tool is running at that moment.

In short, mrtstub is a Windows file, but a file with that name can also be a virus or malware, depending on its behavior and location. The methods given below will help you determine whether the file is legitimate or malicious.

Method 1: Check Digital Signature

The best way to check whether the file is legitimate or a virus is to look at its properties, where you can check the file's Digital Signature. If the Digital Signature belongs to Microsoft, there is no need to worry.

Here are the steps for checking the Digital Signature:

  1. Go to the location where you are seeing the files.
  2. Right-click mrtstub.exe and select Properties.
  3. Click the Digital Signatures tab.
  4. Check if the Name of Signer is Microsoft Windows. If it is, the file is fine. If it is anything else, you should download a good antivirus/malware tool and scan your PC immediately.
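The same check can be scripted, which helps when the folder disappears before you can open the Properties dialog. The following PowerShell is an added example, not part of the original article: `Get-MrtFileSignature` and the `$SignerPattern` default are hypothetical names and assumptions, and the script only looks in the top-level folders of each drive, where the temporary folder described above appears.

```powershell
# Added example: list the Authenticode signer of every mrt* file (mrt.exe,
# mrt.exe_p, mrtstub.exe) found in the top-level folders of each drive.
# $SignerPattern is an assumption; tighten it to the exact signer you expect.
function Get-MrtFileSignature {
    param(
        [string[]]$Root = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root),
        [string]$SignerPattern = '^CN=Microsoft '
    )
    foreach ($r in $Root) {
        # -Force includes hidden/system folders; unreadable ones are skipped.
        $dirs = Get-ChildItem -LiteralPath $r -Directory -Force -ErrorAction SilentlyContinue
        foreach ($d in $dirs) {
            $files = Get-ChildItem -LiteralPath $d.FullName -File -Force `
                         -Filter 'mrt*' -ErrorAction SilentlyContinue
            foreach ($f in $files) {
                $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                [pscustomobject]@{
                    Path    = $f.FullName
                    Created = $f.CreationTime
                    Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                    Signer  = $subject
                    # A name match alone is not enough: the signature must also
                    # verify (Status Valid), otherwise the file is treated as suspect.
                    Trusted = ($sig.Status -eq 'Valid') -and ($subject -match $SignerPattern)
                }
            }
        }
    }
}

# Untrusted entries sort first so they are easy to spot.
Get-MrtFileSignature | Sort-Object Trusted | Format-Table -AutoSize -Wrap
```

The `Created` column gives the time the file appeared, which is the value to compare against mrt.log in Method 2.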


Method 2: Check Mrt.log

Whenever the Windows Malicious Software Removal Tool runs, it reports its findings in the mrt.log file. If you see the files appearing and disappearing and you aren't sure whether they are legitimate, this method will work for you. Check the mrt.log file and see whether a report was written at the time the files appeared. The reasoning is simple: the files appear when the Windows Malicious Software Removal Tool is running, and every run of the tool creates a report in mrt.log. So, if there is no report in mrt.log for the time you saw the files, it is a red flag.

This method is also useful for people who can't check the signature of the files because they disappear too quickly. So, if you couldn't follow the instructions in Method 1, this should resolve that issue as well.

Here are the steps for locating and checking the mrt.log file:

  1. Hold the Windows key and press R.
  2. Type %systemroot%\debug and press Enter.
  3. Locate and double-click the file named mrt.log.

Check the timestamps in the report. If the time of the scan matches the time when you saw the files, there is no need to worry. Otherwise, scan your computer immediately.
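The timestamp comparison can also be done in PowerShell. This is an added example, not part of the original article: the "Started On" / "Finished On" line format is an assumption about how mrt.log records each run, the sample lines are constructed, and the function names and the five-minute slack are hypothetical.

```powershell
# Added example. The "Started On" / "Finished On" format is an assumption about
# mrt.log; the sample lines below are constructed, not taken from a real system.
function Get-MrtRunWindow {
    param([string[]]$LogLine)
    $fmt = 'ddd MMM d HH:mm:ss yyyy'
    $inv = [Globalization.CultureInfo]::InvariantCulture
    $start = $null
    foreach ($line in $LogLine) {
        if ($line -match '(Started|Finished) On\s+(\w{3}\s+\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\d{4})') {
            # Collapse padded days ("Jan  9") before parsing.
            $when = [datetime]::ParseExact(($Matches[2] -replace '\s+', ' '), $fmt, $inv)
            if ($Matches[1] -eq 'Started') { $start = $when }
            elseif ($start) {
                [pscustomobject]@{ Start = $start; Finish = $when }
                $start = $null
            }
        }
    }
}

function Test-SeenDuringMrtRun {
    param([datetime]$Seen, [object[]]$Window, [int]$SlackMinutes = 5)
    $slack = [timespan]::FromMinutes($SlackMinutes)
    foreach ($w in $Window) {
        if ($Seen -ge ($w.Start - $slack) -and $Seen -le ($w.Finish + $slack)) { return $true }
    }
    return $false
}

$sample = @(
    'Microsoft Windows Malicious Software Removal Tool v5.00 (constructed sample)',
    'Started On Tue Jan  9 03:10:22 2024',
    'Return code: 0 (0x0)',
    'Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan  9 03:14:51 2024'
)
$windows = Get-MrtRunWindow -LogLine $sample
Test-SeenDuringMrtRun -Seen '2024-01-09 03:12:00' -Window $windows   # time inside the logged run
Test-SeenDuringMrtRun -Seen '2024-01-09 18:40:00' -Window $windows   # no run logged at this time

# Against the real log:
# $windows = Get-MrtRunWindow -LogLine (Get-Content "$env:SystemRoot\debug\mrt.log")
```

A result of False for the time you saw the files corresponds to the red flag described above: the files were present but no scan was logged.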

Method 3: Scan your Computer

This should go without saying, but you should scan your computer in this situation. Even if you followed the instructions in the methods given above, it is advisable to perform a full system scan just to be on the safe side. The worst that can happen is that you'll waste a few hours of your day.

So, download the antivirus and malware detection tools of your choice and run a full system scan. If you aren't sure which to use, we recommend Malwarebytes.

  1. Download Malwarebytes for Windows.
  2. Once downloaded, run Malwarebytes and scan your system.

Once done, your system should be free of any malware.

Note: If you saw the files appearing on your external hard drive, there is no need to panic. Scan your external drive as well. You can also check the signatures of the files and compare the time against mrt.log. All of these methods work for an external drive too.

Kevin Arrows