Solved

MSPRC.exe: spyware?

Posted on 2005-02-24
Last Modified: 2010-04-11
I have an end user that is using a 4-year-old laptop. Recently on boot-up it freezes after the login screen, going to a permanent hourglass. OS is Windows 2000. Alt-Ctrl-Delete works, and one item I noticed as unfamiliar is "msprc.exe". I have run Ad-Aware, SpywareBlaster and Spybot to rid their system of spyware. Msprc still persists, and when I kill the process in the Task Manager the boot-up problem clears up. Any ideas what the app is, and how to get rid of it if it's a problem? I've done Google and Microsoft searches already. It's a very old system, so it's conceivable that the system is just dying.
Question by:ajness
15 Comments
 
LVL 10

Expert Comment

by:grakem
ID: 13396056
I don't recognise it personally, but spyware has a tendency to randomise the service names that it uses.

If you think that you probably have a spyware infection on your PC, do the steps exactly as listed on the page below:
http://insanity.bizhat.com/drill.html



 
LVL 10

Expert Comment

by:grakem
ID: 13396070
Are you getting pop-ups, slow internet, etc.?
 

Expert Comment

by:longlazarus
ID: 13396347
What brand / model is the laptop?

 
LVL 1

Author Comment

by:ajness
ID: 13397442
Toshiba Tecra 8200. I yanked msprc.exe out using HijackThis, and it's booting normally now. It was odd: I could terminate msprc.exe initially using the Task Manager, but the last two times I tried it gave me "access denied". I rebooted again and pulled msprc.exe out while in safe mode. I am wondering if it wasn't more sinister than just spyware, though, since it was locking up the boot cycle.
 
LVL 1

Author Comment

by:ajness
ID: 13397449
On the pop-ups/slow internet, I can't say that I noticed that. I did blue-screen on Outlook load-up once.
 
LVL 1

Author Comment

by:ajness
ID: 13397470
DOH! It's back now. I rebooted and, lo and behold, msprc is back and preventing boot-up.
 
LVL 5

Expert Comment

by:Hypoviax
ID: 13397641
Can you provide me with details: where it is located on the computer, and the values present in the registry entry (location, value, command)? Also see if it has version information. I will try some research if I can get some of those details.

Regards,

Hypoviax

 
LVL 1

Author Comment

by:ajness
ID: 13398079
It is located in the win32 directory, and from Search & Destroy I can tell that it has 158 threads. It also changes its PID every couple of seconds. There are 2 instances loaded.
I'm in safe mode at the moment running McAfee Stinger.
 
LVL 1

Author Comment

by:ajness
ID: 13398094
On values in the registry, I'm not sure. I blew it away again using HijackThis; I'm just not confident that it'll stay gone.
 
LVL 10

Expert Comment

by:grakem
ID: 13399071
Have you tried the Microsoft AntiSpyware solution? It will stop it from reinstalling on startup.

http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
LVL 5

Expert Comment

by:Hypoviax
ID: 13399220
Changing PID every second is perhaps one of the most odd things I have heard. I can only presume that this occurs because it closes and then opens (perhaps causing the boot problem), as I don't think it is possible to alter the PID of a process. 158 threads is also a lot. From this it is either an app gone crazy or most definitely a bad program. I will post a number of possible solutions soon.
 
LVL 5

Accepted Solution

by:
Hypoviax earned 1000 total points
ID: 13399398
Ok, try this:

In safe mode :

- Remove start value from registry using whatever tool you want (HijackThis)
- Run spybot and adaware (www.lavasoftusa.com) after updating both
- Run your antivirus software after updating
- Open the file in Notepad and delete the first two characters (MZ). This way it won't run, and if you need it you can just add MZ back on again.
- Rename the file to a standard non-exe extension, e.g. .txt, or a new extension, say .abc
- If the file happens to be recreated, examine what other processes are running on startup, as these may cause the creation of the file. If so, repeat the above steps for any other suspicious files.

Hope this helps,

Hypoviax

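The "kill the MZ signature, then rename" steps from the accepted solution, as an added example written for this page (it is not code from the thread). The one design change from the post: the two signature bytes are overwritten rather than deleted, so every other offset in the file stays where it was and the file can be restored byte-for-byte if it turns out to be needed. The sample "msprc.exe" is a constructed stand-in (a file that begins with a valid MZ signature and nothing else of interest), and run_demo() works in a temporary directory so it can be run anywhere; on the real machine you would call neuter_executable() on the path in system32, from safe mode, since Windows refuses to open a mapped executable for writing while it is running.

```python
import os
import tempfile

MZ = b"MZ"       # DOS header signature every PE file starts with
KILLED = b"XX"   # replacement that the Windows loader will reject


def make_fake_pe(path):
    """Constructed stand-in for the suspicious executable: a file that begins
    with a valid MZ signature but is otherwise inert. Not a real binary."""
    with open(path, "wb") as f:
        f.write(MZ + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64)


def is_pe(path):
    """True if the file still carries the MZ signature the loader checks first."""
    with open(path, "rb") as f:
        return f.read(2) == MZ


def neuter_executable(path, new_ext=".abc"):
    """Disable a PE file in place without deleting it.

    Overwrites the two signature bytes (rather than deleting them, so every
    other offset in the file is untouched) and renames the file to a
    non-executable extension. Returns the new path.
    On Windows this raises PermissionError if the file is still mapped by a
    running process, which is why the step is done from safe mode.
    """
    with open(path, "r+b") as f:
        magic = f.read(2)
        if magic != MZ:
            raise ValueError(f"{path}: not a PE file (magic {magic!r})")
        f.seek(0)
        f.write(KILLED)
    new_path = os.path.splitext(path)[0] + new_ext
    os.replace(path, new_path)
    return new_path


def restore_executable(path, orig_ext=".exe"):
    """Reverse neuter_executable() if the file turns out to be needed."""
    with open(path, "r+b") as f:
        if f.read(2) != KILLED:
            raise ValueError(f"{path}: was not neutered by this tool")
        f.seek(0)
        f.write(MZ)
    new_path = os.path.splitext(path)[0] + orig_ext
    os.replace(path, new_path)
    return new_path


def run_demo():
    """Round-trip the constructed sample in a temp directory and report the
    state after each step; the reader would point neuter_executable() at the
    real file instead."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "msprc.exe")
    make_fake_pe(exe)
    before = is_pe(exe)
    disabled = neuter_executable(exe)
    mid = (os.path.basename(disabled), os.path.exists(exe), is_pe(disabled))
    restored = restore_executable(disabled)
    after = (os.path.basename(restored), is_pe(restored))
    return {"before": before, "disabled": mid, "restored": after}


if __name__ == "__main__":
    print(run_demo())
```

Two things the post's Notepad version does not give you: the signature check refuses to touch a file that is not a PE in the first place (a typo in the path will not silently mangle something else), and restore_executable() only undoes a change made by this tool. Neither step removes whatever is recreating the file; that is the last bullet of the post and is handled separately.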
 
LVL 4

Expert Comment

by:FalconHawk
ID: 13401139
"it is located in the win32 directory"
That's the nasty catch. All files in the win32 directory are executed automatically at startup, without needing to be in the registry as a startup. I can also guess that if you remove it, it's just reappearing.

What to do against it? Well, just blowing away the app isn't going to be enough here. There also is a high chance the AV won't be able to remove it; it just removes the .exe but leaves the other files. I advise you to have a look in the win32 directory, and sort the files on last time changed. The legal Windows files should all be around 4 years old; the illegal ones, however, will all be recently dated. This makes it very easy to see them. You might ask, see what? Well, I'm pretty sure there are a few new .DLL files that are responsible for making a new exe file once it's deleted. Those DLL files won't, for some reason, show up in most of the AVs. Just delete the new ones (make sure they aren't Windows files). Second, do it in safe mode, to make sure the DLLs aren't loaded.

"158 threads is also a lot"
It's what's causing the slow behaviour. There are SO many times a thread asks for CPU time each cycle that other processes can't run. It's certainly programmed in the virus, since no computer would assign so many threads itself to 1 single program.
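The sort-by-date triage FalconHawk describes, as an added example written for this page (not code from the thread): given a directory, list the files modified within the last N days, newest first, and flag the ones Windows will load as code. It runs here against a constructed temporary directory standing in for a 4-year-old system32 (three files dated four years back, a dropped exe/dll pair from two days ago, and a text file from yesterday); on the real machine you would point triage() at %SystemRoot%\system32, from safe mode as he says. Two caveats a practitioner would want: modification times are ordinary writable metadata, so a dropper that copies an old file's timestamp will not show up, and legitimate files refreshed by a service pack or hotfix will. A hit is a lead to verify against a known-good copy or hash, not proof. Note also that a file in system32 is not executed merely by being there; something still running, or an autostart entry (Run keys, services, Winlogon), is what recreates msprc.exe, and the recently dated DLLs this turns up are candidates for that role.

```python
import os
import tempfile
import time

# Extensions the Windows loader will execute or map as code.
CODE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
DAY = 86400


def recent_files(directory, max_age_days=30, now=None):
    """List regular files in `directory` modified within `max_age_days`,
    newest first, as (mtime, name, is_code) tuples. Symlinks are not followed
    so a link to an old file cannot hide a new one."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            mtime = entry.stat(follow_symlinks=False).st_mtime
            if mtime >= cutoff:
                ext = os.path.splitext(entry.name)[1].lower()
                found.append((mtime, entry.name, ext in CODE_EXTS))
    found.sort(reverse=True)
    return found


def triage(directory, max_age_days=30, now=None):
    """Return [(name, is_code)] for recent files, newest first. The is_code
    entries are the ones to check against a known-good copy before removing."""
    return [(name, is_code)
            for _, name, is_code in recent_files(directory, max_age_days, now)]


def build_sample_system_dir():
    """Constructed stand-in for a 4-year-old system32 (sample data, not a real
    system): three old Windows files, a dropped exe/dll pair, and a recent
    text file. Only the mtimes matter; the contents are a placeholder."""
    workdir = tempfile.mkdtemp()
    now = time.time()
    ages = {
        "kernel32.dll": 4 * 365 * DAY,
        "user32.dll":   4 * 365 * DAY,
        "notepad.exe":  4 * 365 * DAY - 3600,
        "readme.txt":   1 * DAY,
        "msprc.exe":    2 * DAY,
        "mspr.dll":     2 * DAY + 60,
    }
    for name, age in ages.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(b"MZ")
        os.utime(path, (now - age, now - age))
    return workdir, now


def run_demo():
    """Build the sample directory and triage it with a 30-day window."""
    workdir, now = build_sample_system_dir()
    return triage(workdir, max_age_days=30, now=now)


if __name__ == "__main__":
    for name, is_code in run_demo():
        print(f"{'CODE' if is_code else 'data'}  {name}")
```

On the sample the 30-day window returns readme.txt, msprc.exe and mspr.dll in that order and leaves the four-year-old files out; the two flagged code files are exactly the exe/dll pair the post tells you to look for.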
 
LVL 1

Author Comment

by:ajness
ID: 13405660
Thank you all for your help! Community Response, please give Falconhawk assisted answer credit as well.  The end user had let his antivirus subscription lapse, and after running stinger I found 2 worms on the system. Removing the worms and running HijackThis again seems to have fixed the problem, I've rebooted a few times now with no recurrence.
 
LVL 5

Expert Comment

by:Hypoviax
ID: 13407224
Thanks,

If you wish to split points between myself and FalconHawk, you will need to place a comment in Community Support referencing this question. The other option is to place a "Points for FalconHawk" question, although this option is frowned upon by EE.

Regards,

Hypoviax

