You find a suspicious folder on your computer or removable hard drive whose name is a long string of numbers and letters. The folder contains the files mrtstub.exe and/or mrt.exe._p, along with some hidden files such as $shtdwn$.req.
These files are left over from a run of the Microsoft Malicious Software Removal Tool. Normally the folder is deleted automatically, but if the program was stopped in the middle of running, or some other unexpected system behavior occurred, the files may remain behind. You can delete this folder and its files.
For more information, see Microsoft’s article on the subject, in particular the section which states:
How to remove the Malicious Software Removal Tool
The Malicious Software Removal Tool does not use an installer. Typically, when you run the Malicious Software Removal Tool, it creates a randomly named temporary directory on the root drive of the computer. This directory contains several files, and it includes the Mrtstub.exe file. Most of the time, this folder is automatically deleted after the tool finishes running or after the next time that you start the computer. However, this folder may not always be automatically deleted. In these cases, you can manually delete this folder, and this has no adverse effect on the computer.
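Before deleting, a folder can be checked against the description above. The following PowerShell is an added example, not code from Microsoft's article or from this post. It assumes PowerShell 3.0 or later, that the folder name is a run of 16 or more hexadecimal characters (like the names readers report on this page), and that a genuine mrtstub.exe carries a valid Microsoft Authenticode signature; `Test-MsrtLeftover` is a hypothetical helper name.

```powershell
# Added example: list root-level folders that look like MSRT leftovers and
# report whether mrtstub.exe inside them has a valid Microsoft signature.
# Assumption: folder names are 16+ hex characters; adjust if yours differ.
$namePattern = '^[0-9a-f]{16,}$'

function Test-MsrtLeftover {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object {
            $stub   = Join-Path $_.FullName 'mrtstub.exe'
            $status = 'NoStubFound'
            $signer = ''
            try {
                if (Test-Path -LiteralPath $stub -ErrorAction Stop) {
                    $sig    = Get-AuthenticodeSignature -LiteralPath $stub -ErrorAction Stop
                    $status = [string]$sig.Status
                    if ($sig.SignerCertificate) {
                        $signer = $sig.SignerCertificate.Subject
                    }
                }
            } catch {
                # Locked folder or missing rights: report it instead of guessing.
                $status = 'Unreadable'
            }

            # 'Valid' means the file hash matches and the chain is trusted.
            $verdict = if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {
                'Consistent with MSRT leftovers'
            } elseif ($status -in 'NoStubFound', 'Unreadable') {
                'Cannot verify'
            } else {
                'Scan before trusting'
            }

            [pscustomobject]@{
                Folder  = $_.FullName
                Status  = $status
                Signer  = $signer
                Verdict = $verdict
            }
        }
}

# Check the root of every mounted file-system drive, external disks included.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -and (Test-Path -LiteralPath $_.Root) } |
    ForEach-Object { Test-MsrtLeftover -Root $_.Root } |
    Format-List
```

A result of `Cannot verify` on a locked folder usually means the check needs an elevated prompt or ownership of the folder first.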
I have two of these directories (empty) and a third with the exact files you described – they are only on my external hard drive. However, I have never run the Microsoft Malicious Software Removal Tool. It would help if you stated the exact file sizes for the legitimate files in your analysis. Thank you for your efforts and for making them public.
Hello RC and thank you for your comment.
I am afraid I don’t see how the file sizes have any bearing on the course of action you decide to take when you find a folder/file as described above.
If you’re not comfortable deleting the folder then simply leave it be, it won’t impact your system at all.
The MSRT does run once in the background upon first download, so it is possible you didn’t know it had run when it did.
I presume the files will be the same as anyone else, I have the following files
My operating system is Windows 7 64-bit.
The folder these files are in is named 0ce8f791df5208f193271e3f49 and it's locked.
$shtdwn$.req , REQ File ……1KB
it was easily deleted
I have 2 folders on D/ with the same files but different numbered folders, but they ain't doing no harm to the PC and one's been on there since 2009, so as long as it's doing no harm I can't see the point in deleting it just in case it does do some harm. Don't break something that ain't broke, especially when it's doing no harm or taking up space. To you lot it just looks annoying and you don't know what it is; ask MS and ask if you can delete it safely or not.
I like to keep my file system clean so I can know at a glance whether everything is ship shape. But that being said, if it doesn’t bother you to have the folder there then by all means, leave it alone…won’t hurt a thing 🙂
My operating system is 32-bit Windows XP Professional. The directory in which these files were located was named 97a318e4f5e1b16796a73a66224d9d06. It was in the root directory of a USB hard drive. I had no problem deleting the directory. These are the files and their sizes:
$shtdwn$.req — 1 KB
mrt.exe._p — 5956 KB
mrtstub.exe — 88 KB
Thanks for the info. I have been able to delete all of the folders save one, which I cannot gain access/permission to. Any suggestions?
Follow-up: I was forced to change ownership of all of the files (tedious) in the folder and was finally able to delete them; I see no evidence that this was virus related, they all appear to be interrupted MSR files. Is that possible/probable? Thanks, Ron
I have never seen any .MSR files in that directory on any of my machines so I am not sure what their content or function is. Maybe they are malicious code snippets found by the tool? Your trouble getting access to that folder is probably due to the version of Windows you’re using. Probably denied by UAC (User access control) which is why you had to take ownership first before you could manage those files. Either way sounds like you figured it out.
I came across these mrt.exe files as you described on an external HD used for back-up. I am unable to remove them, need administrator rights. Tried everything (changing rights etc) but cannot delete them. Scanned with F-secure, no malicious software detected.
How can I delete these files? I am running W8.1, updates are all on auto.
As far as I can see these files are not on my C or D drive in the PC.
Not being there myself to reproduce the problem, I’d say walking that external hd over to another computer may be the answer. Or just leave the files, your call.
My client has 3 of these folders on her hard drive. They are locked. How do I delete locked folders?
Depends on the OS. For XP I would boot into safe mode with command prompt so that whatever program has locked the folders isn’t loaded into memory locking the folders.