
I can't delete MPC Cleaner folder


9 replies to this topic

#1 Pat(rick)

Pat(rick)

  • Members
  • 477 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North America
  • Local time:03:06 AM

Posted 23 June 2016 - 09:27 PM

Apparently, I used a torrent and then my computer got infected :(

 

I used Malwarebytes and AdwCleaner to remove almost all of them except for MPC Cleaner.

 

In the path C:\Program Files (x86)\MPC Cleaner everything is empty, but I cannot delete the folder. So I tried AdwCleaner. Even with AdwCleaner, I am unable to get rid of the MPC Cleaner folder. I think I'm still infected.

 

I can't get rid of the following:

 

Path of folder:  C:\Program Files (x86)\MPC Cleaner
Services:  MPCKpt
Registry?:  HKLM\SOFTWARE\MPC

 

 

Second problem: I tried to solve my problems to fix my computer, but I came across a command: notepad %windir%/system32/Drivers/etc/hosts

 

In the hosts text file, I see:

      down.baidu2016.com
      123.sogou.com
       www.czzsyzgm.com
       www.czzsyzxl.com
       union.baidu2019.com
       down.baidu2016.com
       123.sogou.com
       www.czzsyzgm.com
       www.czzsyzxl.com
       union.baidu2019.com
       down.baidu2016.com
       123.sogou.com
       www.czzsyzgm.com
       www.czzsyzxl.com
       union.baidu2019.com

 

What is it???

 




 


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:06:06 PM

Posted 23 June 2016 - 10:04 PM

Hi Pat,

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Right click and "Run as Administrator".
  • The tool will open and start scanning your system.
  • On completion a log will open; note the saved JRT.txt on your desktop to copy into your reply.

Please download and run RogueKiller

  • Click Scan and then Scan again to start the application
  • Please be patient; the scan can take quite some time.
  • When it completes close the browser pop up.
  • Check all of the check boxes and Remove Items
  • When completed click Open Report then Open TXT
  • Copy and paste the output into your next reply

Now let's get rid of that file and service if it still exists.

 

Download FileAssassin and delete the unwanted folder with that.

 

Then from an elevated command prompt run these commands:

sc stop MPCKpt
sc delete MPCKpt
del C:\WINDOWS\system32\drivers\mpckpt.sys
reg delete HKLM\SOFTWARE\MPC /f

Alternatively, you can save them to a text file and rename the file as anything.bat, then right click and run as admin.

 

Next, let's do a bit of a cleanup and see if there are any leftovers.

 

ESET Online scanner

 

Follow this link or right click and "copy link location", then paste the link into the address bar on your newly opened browser instance

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • Firstly, Accept the Terms and click Start
  • Click Enable detection of potentially unwanted applications and click Start again.

 

ESET will then download updates, install and begin scanning your computer. Please be patient as this can take some time.

 

  • When the scan completes, click List of found threats. Note: If no malware was found you will not get a list.

 


  • Click Export to text file and save the log on your desktop. Then click the Back button.


  • Check Uninstall application on close and Delete quarantined files, then click the Finish button.

 


 

When you click finish the browser will not close but will offer you ESET products. Be aware the scan has actually finished and you need to close the browser window and reboot your computer to complete the process.

  • Please copy the log in your reply.

 

As far as the hosts go there should be 2 parts, the list of sites and what they are routed to. I highly suspect those hosts will route to 127.0.0.1. This is a common list installed by anti-virus software to stop you going to malicious sites.

 

Regards

 

TsVk!


Edited by TsVk!, 23 June 2016 - 10:24 PM.
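
An added example, not part of the thread: the two-part check described in the reply above, written as a PowerShell function that splits each hosts line into its address and its names and labels every name as blocked (loopback or null address) or redirected somewhere else. The sample text is constructed; its host names are the ones quoted in the first post and its addresses are invented for illustration.

```powershell
# Constructed sample, not the poster's actual file. Host names are the ones
# quoted in the thread; every address below is made up for the example.
$sample = @'
# sample hosts file
127.0.0.1    down.baidu2016.com
127.0.0.1    123.sogou.com www.czzsyzgm.com
0.0.0.0      www.czzsyzxl.com
203.0.113.10 union.baidu2019.com   # constructed redirect (documentation range)
down.baidu2016.com
'@

function Get-HostsEntry {
    param([string[]]$Line)
    # Addresses that keep the lookup on the local machine (blocking entries).
    $sinkhole = '127.0.0.1', '0.0.0.0', '::1', '::'
    foreach ($raw in $Line) {
        $text = ($raw -split '#', 2)[0].Trim()        # drop comments
        if (-not $text) { continue }                  # blank or comment-only line
        $fields = $text -split '\s+'
        $parsed = $null
        $isAddress = [System.Net.IPAddress]::TryParse($fields[0], [ref]$parsed)
        if (-not $isAddress -or $fields.Count -lt 2) {
            # A name with no address in front of it is not a usable entry.
            [pscustomobject]@{ Address = $null; Name = $text; Verdict = 'Malformed' }
            continue
        }
        $address = $parsed.ToString()
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $verdict = if ($sinkhole -contains $address) { 'Blocked' } else { 'Redirected' }
            [pscustomobject]@{ Address = $address; Name = $name; Verdict = $verdict }
        }
    }
}

# Run against the sample. On a live system pass the real file instead:
#   Get-HostsEntry (Get-Content "$env:windir\System32\drivers\etc\hosts")
Get-HostsEntry ($sample -split "`r?`n") |
    Sort-Object Verdict, Name |
    Format-Table -AutoSize
```

Entries marked Redirected are the ones worth a closer look, since they send the name to a machine other than the local one.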


#3 Pat(rick)

Pat(rick)
  • Topic Starter

  • Members
  • 477 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North America
  • Local time:03:06 AM

Posted 23 June 2016 - 11:54 PM

Hello, TsVk!

 

Here are the logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by Patrick (Administrator) on 2016-06-24 at  0:14:29.28
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Failed to delete: C:\Program Files (x86)\mpc cleaner (Folder)
Successfully deleted: C:\Users\Patrick\AppData\Local\{B5F70934-5E12-42d2-882D-62D42EA1FA67} (Empty Folder)



Registry: 1

Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\MPCKpt (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-06-24 at  0:17:42.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

 

 

 

 

 

 

RogueKiller V12.3.5.0 [Jun 22 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 10 (10.0.10586) 64 bits version
Started in : Normal mode
User : Patrick [Administrator]
Started from : C:\Users\Patrick\Desktop\RogueKiller.exe
Mode : Delete -- Date : 06/24/2016 00:42:30

¤¤¤ Processes : 1 ¤¤¤
[PUP] (SVC) MPCKpt -- system32\DRIVERS\MPCKpt.sys[7] -> ERROR [41c]

¤¤¤ Registry : 9 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\MPC -> ERROR [5]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MPCKpt (system32\DRIVERS\MPCKpt.sys) -> ERROR [5]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MPCKpt (system32\DRIVERS\MPCKpt.sys) -> ERROR [5]
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Deleted
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> ERROR [2]
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 24.201.245.77 24.200.241.37 ([-][X][X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.0.1 24.201.245.77 24.200.241.37 ([-][X][X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ee29445-6dac-4dd0-832b-7673e00fd87b} | DhcpNameServer : 192.168.0.1 24.201.245.77 24.200.241.37 ([-][X][X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ee29445-6dac-4dd0-832b-7673e00fd87b} | DhcpNameServer : 192.168.0.1 24.201.245.77 24.200.241.37 ([-][X][X])  -> Replaced ()

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10 EZEX-60ZF5A0 SATA Disk Device +++++
--- User ---
[MBR] 7d29ee6c05f486dea2224dcd683d7c13
[BSP] f0a992933421d7a14e3482193757d778 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 3096576 | Size: 935903 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1919825920 | Size: 450 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1920747520 | Size: 15999 MB
User = LL1 ... OK
User = LL2 ... OK
 

 

 

 

 

I'm still unable to delete the folder with FileASSASSIN. It says the file doesn't exist or is not visible to FileAssassin.

 

 

I tried the commands and I got this:

sc stop MPCKpt

[SC] ControlService FAILED 1052:

The requested control is not valid for this service.

sc delete MPCKpt

[SC] DeleteService SUCCESS

del C:\WINDOWS\system32\drivers\mpckpt.sys

Access is denied.

reg delete HKLM\SOFTWARE\MPC /f

ERROR: The system was unable to find the specified registry key or value.

 

 

(I didn't do the ESET scanning part yet. will do tomorrow)

 

 

 

I randomly checked the task manager and I saw 2 running .exe. Are these two suspicious?

C:\Windows\CpuEssentials\165271

process: CpuEssentials.exe

C:\Windows\SysWOW64\CpuHeatMapping\16641

process: CpuHeatMapping.exe

 

Sorry for editing my post too much :/


Edited by Pat(rick), 24 June 2016 - 12:47 AM.
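
An added example, not part of the thread: the failed removals from the RogueKiller report above, decoded with the operating system's own error text. It assumes the bracketed values are hexadecimal Win32 error codes, which fits this post: 41c is 1052, the code that sc stop MPCKpt returned.

```powershell
# Input: result lines copied from the RogueKiller report in the post above.
$report = @'
[PUP] (SVC) MPCKpt -- system32\DRIVERS\MPCKpt.sys[7] -> ERROR [41c]
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\MPC -> ERROR [5]
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MPCKpt (system32\DRIVERS\MPCKpt.sys) -> ERROR [5]
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> ERROR [2]
'@

function Get-FailedRemoval {
    param([string[]]$Line)
    # Layout of a failed line: "[category] (scope) item -> ERROR [code]"
    $pattern = '^\[(?<cat>[^\]]+)\]\s+\((?<scope>[^)]+)\)\s+(?<item>.+?)\s+->\s+ERROR \[(?<code>[0-9a-fA-F]+)\]'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            # Assumption: the bracketed value is a Win32 error code written in hex.
            $code = [Convert]::ToInt32($Matches['code'], 16)
            # The message text is looked up by Windows, so run this on Windows.
            $exception = New-Object System.ComponentModel.Win32Exception -ArgumentList $code
            [pscustomobject]@{
                Category = $Matches['cat']
                Scope    = $Matches['scope']
                Item     = $Matches['item']
                Code     = $code
                Meaning  = $exception.Message
            }
        }
    }
}

Get-FailedRemoval ($report -split "`r?`n") |
    Sort-Object Code |
    Format-List
```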


#4 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:06:06 PM

Posted 24 June 2016 - 01:25 AM

Hi Pat,

 

That's right, those processes are not legitimate.

 

As there are things that are not being detected by removal software, I would like you to please follow the instructions on this page, starting from step 6, to create a malware removal topic. I think it will be the best way for you to address these issues.

 

Please link this topic in your new topic.

 

Best wishes

 

TsVk!



#5 al1963

al1963

  • Members
  • 893 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 24 June 2016 - 03:01 AM

Hi,

 

Universal virus sniffer perfectly removes MPC cleaner

http://dsrt.dyndns.org/files/uvs_v387eng.zip

 

This program was developed by Dmitry Kuznetsov of Russia.

 

However, I should add that this program is for advanced users, but it can create an image of the system startup, and then you can be assisted in writing the script that removes MPC Cleaner and other debris from the system.


Edited by al1963, 24 June 2016 - 03:10 AM.


#6 joerobin47

joerobin47

  • Banned Spammer
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:06 AM

Posted 24 June 2016 - 03:03 AM

Step 1: Reboot in Safe Mode

Step 2: It’s extremely important you do this. MPC Cleaner may have hidden some of its files and you need to see them to delete them.
Hold the Start Key and R together. Write appwiz.cpl in the field, then click OK.
You are now in the Control Panel. Search around for MPC Cleaner and suspicious-looking programs. Uninstall it/them. Also, be extremely careful. Viruses often spend one last ditch effort to trick you into installing more of their kind. If you see a screen like this when you click to uninstall MPC Cleaner, choose "NO".

Hold the Start Key and R again – but this time copy + paste the following and click OK:

notepad %windir%/system32/Drivers/etc/hosts
A .txt file will open – don’t type or change it.

Step 3:
Open the Task Manager by right clicking on the Taskbar and choosing Start Task Manager.

Once it opens, choose the Processes Tab. Look at all of the processes in front of you and try to determine which ones are a virus.
Right click on each of the virus processes separately and select Open File Location. End the process after you open the folder. Just to make sure we don’t delete any programs you mistakenly took for a virus, copy the folders somewhere, then delete the directories you were sent to.

Step 4: Type msconfig in the search field and hit enter: you will be transported to a Pop Up window.
Go in the Startup tab and Uncheck entries that have “Unknown” as Manufacturer.
Type Regedit in the windows search field and press Enter.
Once inside, press CTRL and F together and type the virus’s Name. Right click and delete any entries you find with a similar name. If you can’t find them this way, look in these directories, and delete/uninstall the registries manually:

    HKEY_CURRENT_USER\Software\Random Directory. It could be any one of them – ask us if you can’t discern which ones are malicious, but bear in mind they are always different.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Random
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Random

Step 5: If these things fail to help you find MPC Cleaner you need to consult with a professional technical support team such as inextsquad.



#7 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:06:06 PM

Posted 24 June 2016 - 03:19 AM

> Hi,
>
> Universal virus sniffer perfectly removes MPC cleaner
>
> http://dsrt.dyndns.org/files/uvs_v387eng.zip
>
> This program was developed by Dmitry Kuznetsov of Russia.
>
> However, I should add that this program is for advanced users, but it can create an image of the system startup, and then you can be assisted in writing the script for the purification of MPC Cleaner and other debris.

There's more going on here than MPC Cleaner.

> Step 5: If these things fail to help you find MPC Cleaner you need to consult with a professional technical support team such as inextsquad.

This isn't a script kiddie forum.

The reason I advise Pat to go to the removal logs forum is so we can remove the infection manually; that's not what we do in this particular section.



#8 joerobin47

joerobin47

  • Banned Spammer
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:06 AM

Posted 24 June 2016 - 03:23 AM

For your kind information, there is nothing wrong in it, Mr. Malware study....



#9 al1963

al1963

  • Members
  • 893 posts
  • OFFLINE
  •  
  • Local time:02:06 PM

Posted 24 June 2016 - 03:39 AM

>>>There's more going on here than MPC Cleaner.

 

 

I understand that the main problem is the protected MPC Cleaner keys, which UVS can remove.

In addition, UVS can do much in removing malware from startup and processes.

We use it at the ESET Russia technical forum.

After UVS, you can still perform a check with Malwarebytes and AdwCleaner.

 

 

Here is an example of the script execution log for removing MPC Cleaner, though some messages here are in Russian:
 

 

--------------------------------------------------------
delref %SystemDrive%\PROGRAM FILES\MPC CLEANER\MPCPROTECTSERVICE.EXE
--------------------------------------------------------
Удаление ссылок на файл: C:\PROGRAM FILES\MPC CLEANER\MPCPROTECTSERVICE.EXE
Активирую ASA...
Второй этап провалился
(!) Не удалось удалить ключ [Отказано в доступе. ]
\REGISTRY\MACHINE\SYSTEM\ControlSet004\Services\MP CProtectService
--------------------------------------------------------
Activated extreme delmode:
\REGISTRY\MACHINE\SYSTEM\ControlSet004\Services\MP CProtectService
--------------------------------------------------------
Phase 1 completed.
Phase 2 completed.
Phase 3 completed, key deleted.
Изменено/удалено объектов автозапуска 1 из 1 | Удалено файлов: 0 из 0
--------------------------------------------------------
del %SystemDrive%\PROGRAM FILES\MPC CLEANER\MPCPROTECTSERVICE.EXE
--------------------------------------------------------
C:\PROGRAM FILES\MPC CLEANER\MPCPROTECTSERVICE.EXE будет удален после перезагрузки
--------------------------------------------------------


--------------------------------------------------------
delref %Sys32%\DRIVERS\MPCBASE.SYS
--------------------------------------------------------
Удаление ссылок на файл: C:\WINDOWS\SYSTEM32\DRIVERS\MPCBASE.SYS
Активирую ASA...
Второй этап провалился
(!) Не удалось удалить ключ [Отказано в доступе. ]
\REGISTRY\MACHINE\SYSTEM\ControlSet004\Services\MP CBase
--------------------------------------------------------
Activated extreme delmode:
\REGISTRY\MACHINE\SYSTEM\ControlSet004\Services\MP CBase
--------------------------------------------------------
Phase 1 completed.
Phase 2 completed.
Phase 3 completed, key deleted.
Изменено/удалено объектов автозапуска 1 из 1 | Удалено файлов: 0 из 0
--------------------------------------------------------
del %Sys32%\DRIVERS\MPCBASE.SYS
--------------------------------------------------------
Операция успешно завершена.

 


Edited by al1963, 24 June 2016 - 03:53 AM.


#10 Pat(rick)

Pat(rick)
  • Topic Starter

  • Members
  • 477 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North America
  • Local time:03:06 AM

Posted 24 June 2016 - 11:28 AM

Thank you guys, but I think I will follow what TsVk! told me to do first.

 

Thank you very much TsVK! for the support.

 

I just made a new thread in the other section.


Edited by Pat(rick), 24 June 2016 - 11:29 AM.




