27 February 2010

Fixing mpsvc.exe and mpclient.exe

Posted in computers, websites tagged , , , , , at 14:31 by Crisu

I found a solution at http://forums.techguy.org/malware-removal-hijackthis-logs/901616-cant-kill-infected-process-just.html and wanted to thank the original poster, but I’m having problems with my registration on that forum.

Well anyway, I wanted to put another post on the Internet about the issue. My dad’s laptop — an old one still running Windows XP Service Pack 3, came upon a situation where five instances of MPClient.exe were running and taking up 100% of the processor.

Deleting one would make it reappear again.

Deleting the parent process, MPSvc.exe would only cause it to restart and generate FIVE MORE MPClient.exe

The files are hidden, located in C:\Program Files\Windows Defender

but that didn’t make a lot of sense at all; it’s likely a fake, a spoof. I read elsewhere that Windows Defender is for Vista and above, not XP. So I think it’s just pretending to be something important to cause you problems.

So as per the TechGuy posting, I went to http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx and downloaded Process Explorer. This free, easy-to-use program provides a much better visualization of the processes on your computer than the standard Windows Task Manager (which I use Ctrl+Shift+Esc to pull up, not the common Ctrl+Alt+Del).

I discovered that the MPSvc.exe was a child process of Adobe Updater. That is even weirder to me; why would Adobe do that? ….Or perhaps that was just another part of the malware’s trickery, to hide within Adobe, which a majority of computer users have.

Well anyway, killing the Adobe Updater process tree stopped MPSvc from respawning. And that allowed me to force-delete “C:\Program Files\Windows Defender” and the hidden programs in it. I also went ahead into ‘regedit’ and deleted any mention of MPClient and MPSvc from my registry.

Restarted the computer, and I think everything is fine now. Another copy of MPSvc seems to still be lurking around, but it is not spawning processor-hogging MPClients, so I think it’s okay. Maybe there is a legitimate MPSvc, so I’ll leave it alone until it causes problems again.

But yes, I hope this can help a few more people who happen to be experiencing this.

Advertisement

4 Comments »

  1. anonymous said,

    27 February 2010 at 20:27

    Thanks, this helped a lot.

    Reply

  2. botelho said,

    1 March 2010 at 8:25

    Helped me a lot too.

    Thanks! :)

    Reply

  3. glitch177k said,

    3 March 2010 at 13:26

    Thank you! I knew what was casuing my problem but couldn’t find the parent process. Process explorer did the trick. Thanks!!!!

    Reply

  4. FRporscheman said,

    4 March 2010 at 1:15

    Thanks, I’ve been struggling with that BS for weeks, I knew it was fishy but I just could not get those processes to stay closed! This page helped me a lot, and my computer is back to normal.

    I also went through the registry and deleted all mention of adobe updater. Also deleted the entry for table text service, whatever that is, I never saw it before a few weeks ago so its gone now.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.