We won again!

Great victory for the People - Tax Cut!

How to Run Malicious Software Removal Tool?


Just 3 letters you need to know – MRT

That is right, just type MRT.exe in you Start – Run box.  Why they hide it so deep?  Why there is no easy answer anywhere on the Internet?

The program is located in %WinDir%\System32\MRT.exe

Once again, to run Malicious Software Removal Tool type MRT in your  Start – Run box.

In this article I am going to:

– Accumulate information about annoying files that push themselves in the registry;
– Show how to write a small CMD script that will continuously clean your registry Run locations;
– Describe how to secure your Internet Explorer to lower possibility of malware infection;
– Demonstrate how to rename your CMD.EXE to prevent brutal attacks.


I found this file link  in registry at [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run], but no actual file in %WinDir%\etMon.exe exists.

After extensive search, I found a reference to this file inside:

%WinDir%\System32\DriverStore\FileRepository\etvideo.inf_amd64_neutral_e44d40c741c6982c modified on 9/21/2010.


C:\0W7WIN\inf\oem7.inf also modified 9/21/2010

It appears to be a device driver for “eMPIA Technology”  (?)  This is a company in Taiwan that doesn’t have an English web site (www.empiatech.com).  Very suspicious.  There is one reference to this company on Microsoft social blog – eMPIA Technology Inc.

Took this one out of the registry.


I fount link to this file in Windows 7 registry at:


The is located in %WinDir%\System32\mctadmin.exe

There is no documentation on Microsoft site about this file.  Date stamp and Properties appears to be in line with other files in this directory.

User S-1-5-20 is a legitimate NetworkService user.  It might explain, why this RunOnce never get reset.  This user never logins in interactively.  Only as a service.  I am leaving this one along.

I just found an explanation about this utility at  http://technet.microsoft.com/en-us/library/dd799277(WS.10).aspx

This appears to be a legitimate Microsoft tool related to manipulation of Windows 7 installation packs (installation images).


This EXE runs as a service in Windows 7 64-bit.

File is located in %ProgramFiles(x86)%\Internet Explorer\ielowutil.exe

File is dated 7/13/2009 as many other files in that directory.

There is not such file on Windows XP with IE8.

Microsoft gives a very technical answer about this file (sharing cookies across integrity levels), but it is confirmed on a legitimate Microsoft site:


Summary: no action is needed.  Let it run as a service in Windows 7.

(Visited 9 times, 1 visits today)

Be the first to comment

Your question, correction or clarification Ваш вопрос, поправка или уточнение

Editor on duty will review your comment. Can't wait? Discuss your topic right now in forums, if you register and login.     Required fields are marked with * Ваше послание пойдет на просмотр в редакцию. Не можете ждать? Обсудите ваш вопрос прямо сейчас в форуме Русский Круг , ecли вы зарегистрируетесь и войдёте под своим именем.     Поля, обязательные для заполнения, помечены *
* *