A malicious threat was detected in Media Player Classic exe file

2

When I run HitmanPro, it says that mpchc64.exe is a trojan. A virustotal analysis seems to show malicious flags triggered by several vendors.

[screenshot of the HitmanPro / VirusTotal result] What is going on? Why does a file by the Media Player Classic team contain a trojan?

Isopycnal Oscillation

Posted 2013-05-21T21:31:22.807

Reputation: 462

sorry was still editing – Isopycnal Oscillation – 2013-05-21T21:33:51.677

3

Virus creators are not constrained to only using their own files. They can and do name virus files anything that they can get away with. Windows system files were a favorite in the past. It didn't mean that Microsoft was distributing viruses. It just meant the virus creators were being creative. – EBGreen – 2013-05-21T21:36:41.677

Answers

3

That is not the version of Media Player Classic installed on your computer, and indeed is a virus. Why?

Look at the folder the executable with a virus was found in - a folder which appears to be for temporary or cached files used by Adobe Flash Player. In terms of the actual virus, it appears to be a variant of Win32/BitCoinMiner.G, which is indeed a real virus (using your computer power to mine bitcoins).

Lastly, you should be aware that the Product/Publisher/Descriptions contained in a .EXE file are set when the application is compiled. They are in no way "official" and can easily be spoofed.


If you're wondering how that file got on your computer, it could possibly have been a drive-by download. Make sure all of your antivirus software is up to date, and if you use any third-party addons in your web browser (especially Java or Flash), make sure they are always up to date (or preferably, disabled!).

Breakthrough

Posted 2013-05-21T21:31:22.807

Reputation: 32 927

2

Thank you for your answer, this actually explains exactly what is going on, unlike Karan's answer which just lists the obvious and does no favors to a novice user. – Isopycnal Oscillation – 2013-05-22T03:16:01.230

3

  1. The real MPC-HC doesn't get installed to Flash's cache folder, unless you somehow decided to place it there.

  2. The real file is called mpc-hc64.exe

  3. The real file is not a mere 129 KB in size (which obviously means it has a completely different SHA-256 hash).

  4. Finally, the real version obviously is not launched on startup by a hidden batch file, as you yourself seem to have discovered.

So what makes you assert that this really is "a file by Media Player Classic team"?

Karan

Posted 2013-05-21T21:31:22.807

Reputation: 51 857
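Karan's four indicators, plus Breakthrough's caveat that the version-info strings are not evidence, turned into a small triage script. This is an added example, not code from either answer; it builds a constructed 129 KB dummy file in a Flash-cache-like folder, and the size threshold and the known-good hash placeholder are assumptions.

```python
"""Triage an executable that claims to be MPC-HC by path, name, size and hash."""
import hashlib
import os
import tempfile

LEGIT_NAME = "mpc-hc64.exe"            # the real 64-bit MPC-HC binary name
MIN_PLAUSIBLE_SIZE = 1_000_000          # assumption: a real player build is far larger than 129 KB
CACHE_DIR_MARKERS = ("flash player", "macromedia")  # folders a real install never lives in
KNOWN_GOOD_SHA256 = None                # placeholder: hash of mpc-hc64.exe from the official download


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(path, known_good_sha256=None):
    """Return (indicator codes, sha256) explaining why `path` is not the real MPC-HC."""
    findings = []
    name = os.path.basename(path).lower()
    if name != LEGIT_NAME:
        findings.append(f"name-mismatch:{name}")
    if any(marker in path.lower() for marker in CACHE_DIR_MARKERS):
        findings.append("cache-directory")
    size = os.path.getsize(path)
    if size < MIN_PLAUSIBLE_SIZE:
        findings.append(f"implausible-size:{size}")
    digest = sha256_of(path)
    if known_good_sha256 and digest != known_good_sha256.lower():
        findings.append("hash-mismatch")
    # CompanyName/ProductName in the PE version resource are whatever the compiler was told,
    # so they are deliberately not consulted: only path, name, size and hash count here.
    return findings, digest


def build_sample():
    """Construct a 129 KB dummy 'mpchc64.exe' under a Flash-cache-like path (test data)."""
    cache_dir = os.path.join(tempfile.mkdtemp(), "Macromedia", "Flash Player", "cache")
    os.makedirs(cache_dir)
    sample = os.path.join(cache_dir, "mpchc64.exe")
    with open(sample, "wb") as f:
        f.write(b"MZ" + b"\0" * (129 * 1024 - 2))  # MZ header, then padding
    return sample


if __name__ == "__main__":
    hits, digest = triage(build_sample(), KNOWN_GOOD_SHA256)
    print(digest, hits)
```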

0

Friend, you may have installed a fake version. I would suggest re-downloading it from an official site, and removing the current files.

(Also, if your Anti-V has a boot scan option, run it. Those nasty bitcoins sometimes place themselves in a bunch of other locations.)

Exiled Wing

Posted 2013-05-21T21:31:22.807

Reputation: 1