I just found an explanation about this utility at (WS.10).aspx. It might explain why this RunOnce never gets reset. User S-1-5-20 is a legitimate NetworkService user. The date stamp and properties appear to be in line with other files in this directory. There is no documentation on the Microsoft site about this file. The file is located in %WinDir%\System32\mctadmin.exe.

I found a link to this file in the Windows 7 registry at:
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\RunOnce
There is one reference to this company on the Microsoft social blog – eMPIA Technology Inc. It appears to be a device driver for “eMPIA Technology” (?). This is a company in Taiwan that doesn’t have an English web site (Very suspicious.)

I found this file link in registry at, but no actual file in %WinDir%\etMon.exe exists. After extensive search, I found a reference to this file inside:
%WinDir%\System32\DriverStore\FileRepository\etvideo.inf_amd64_neutral_e44d40c741c6982c modified on.

– Demonstrate how to rename your CMD.EXE to prevent brutal attacks.
– Describe how to secure your Internet Explorer to lower the possibility of malware infection
– Show how to write a small CMD script that will continuously clean your registry Run locations
– Accumulate information about annoying files that push themselves in the registry

Once again, to run the Malicious Software Removal Tool, type MRT in your Start – Run box.
The program is located in %WinDir%\System32\MRT.exe. Why do they hide it so deep? Why is there no easy answer anywhere on the Internet? That is right, just type MRT.exe in your Start – Run box.