• Status: Solved

MSPRC.exe: spyware?

I have an end user that is using a 4-year-old laptop. Recently on bootup it freezes after the login screen, going to a permanent hourglass. OS is Windows 2000. Alt-Ctrl-Delete works, and one item I noticed as unfamiliar is "msprc.exe". I have run Ad-Aware, SpywareBlaster and Spybot to rid their system of spyware. Msprc still persists, and when I kill the process in the Task Manager the boot-up problem clears up. Any ideas what the app is, and how to get rid of it if it's a problem? I've done Google and Microsoft searches already. It's a very old system so it's conceivable that the system is just dying.

Asked by: ajness
1 Solution
 
grakem Commented:
I don't recognise it personally, but spyware has a tendency to randomise the service names that it uses.

If you think that you probably have a spyware infection on your PC, do the steps exactly as listed on the page below:
http://insanity.bizhat.com/drill.html
 
grakem Commented:
Are you getting pop-ups, slow internet, etc.?
 
longlazarus Commented:
What brand / model is the laptop?
 
ajness (Author) Commented:
Toshiba Tecra 8200. I yanked msprc.exe out using HijackThis, and it's booting normally now. It was odd: I could terminate msprc.exe initially using the Task Manager, but the last two times I tried it gave me "access denied". I rebooted again and pulled msprc.exe out while in safe mode. I am wondering if it wasn't more sinister than just spyware though, since it was locking up the boot cycle.
 
ajness (Author) Commented:
On the pop-ups/slow internet, I can't say that I noticed that. I did bluescreen on Outlook load-up once.
 
ajness (Author) Commented:
DOH! It's back now. I rebooted and, lo and behold, msprc is back and preventing boot-up.
 
Hypoviax Commented:
Can you provide me with details: where it is located on the computer, and the values present in the registry entry (location, value, command). Also see if it has version information. I will try some research if I can get some of those details.

Regards,

Hypoviax
 
ajness (Author) Commented:
It is located in the win32 directory, and from Search & Destroy I can tell that it has 158 threads. It also changes its PID every couple of seconds. There are 2 instances loaded.
I'm in safe mode at the moment running McAfee Stinger.
 
ajness (Author) Commented:
On values in the registry, I'm not sure. I blew it away again using HijackThis; I'm just not confident that it'll stay gone.
 
grakem Commented:
Have you tried the Microsoft AntiSpyware solution? It will stop it from reinstalling on the startup.

http://www.microsoft.com/athome/security/spyware/software/default.mspx
 
Hypoviax Commented:
Changing PID every second is perhaps one of the most odd things I have heard. I can only presume that this occurs because it closes and then opens (perhaps causing the boot problem), as I don't think it is possible to alter the PID of a process. 158 threads is also a lot. From this it is either an app gone crazy or most definitely a bad program. I will post a number of possible solutions soon.
 
Hypoviax Commented:
Ok, try this:

In safe mode:

- Remove the start value from the registry using whatever tool you want (HijackThis).
- Run Spybot and Ad-Aware (www.lavasoftusa.com) after updating both.
- Run your antivirus software after updating.
- Open the file in Notepad and delete the first two characters (MZ). This way it won't run, and if you need it you can just add MZ back on again.
- Rename the file to a standard non-exe extension, e.g. .txt, or a new extension, say .abc.
- If the file happens to be recreated, examine what other processes are running on startup, as these may cause the creation of the file. If so, repeat the above steps for any other suspicious files.

Hope this helps,

Hypoviax
 
FalconHawk Commented:
"it is located in the win32 directory"
That's the nasty catch.... All files in the win32 directory are executed automatically at startup, without needing to be in the registry as a startup item. I can also guess that if you remove it, it's just reappearing.

What to do against it? Well, just blowing away the app isn't going to be enough here. There is also a high chance the AV won't be able to remove it. It just removes the .exe, but leaves the other files. I advise you to have a look in the win32 directory, and sort the files on last time changed. The legal Windows files should all be around 4 years old. The illegal ones, however, will all be recently dated. This makes it very easy to see them. You might ask, see what? Well, I'm pretty sure there are a few new .DLL files that are responsible for making a new .exe file once it's deleted. Those DLL files won't, for some reason, show up in most of the AVs. Just delete the new ones (make sure they aren't Windows files). Second, do it in safe mode, to make sure the DLLs aren't loaded.

"158 threads is also a lot"
It's what's causing the slow behavior. There are SO many times a thread asks for CPU time each cycle that other processes can't run. It's certainly programmed in the virus, since no computer would assign so many threads itself to 1 single program.
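A small script in the spirit of the two suggestions above (sort the system directory by date modified to spot recently dated executables, and blank the MZ header so a suspect file can no longer be loaded), added here as an example and not something either commenter posted. The directory path, the 30-day threshold and the `.quarantined` naming are assumptions to adjust for the machine being examined.

```python
import time
from pathlib import Path
from typing import List, Optional

MZ = b"MZ"  # DOS-header magic every Windows PE (.exe/.dll) file starts with


def is_pe(path: Path) -> bool:
    """True if the file begins with the 'MZ' magic, i.e. Windows could load it."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == MZ
    except OSError:
        return False


def recent_executables(directory: Path, max_age_days: float,
                       now: Optional[float] = None) -> List[Path]:
    """PE files in `directory` modified within `max_age_days`, newest first.

    Same idea as sorting the system directory by 'date modified': on a box
    whose OS files are years old, freshly dated .exe/.dll files stand out.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    hits = [p for p in directory.iterdir()
            if p.is_file() and p.stat().st_mtime >= cutoff and is_pe(p)]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def neutralize(path: Path) -> Path:
    """Quarantine a suspect PE without deleting it: zero the 'MZ' magic so the
    loader rejects the file, then give it a non-executable name. Reversible by
    restoring the two bytes and the original name. Returns the new path."""
    with open(path, "r+b") as fh:
        if fh.read(2) != MZ:
            raise ValueError(f"{path} does not start with MZ; not a PE file")
        fh.seek(0)
        fh.write(b"\x00\x00")
    quarantined = path.with_name(path.name + ".quarantined")  # assumed suffix
    path.rename(quarantined)
    return quarantined


if __name__ == "__main__":
    # Assumed location and age threshold; adjust for the machine being examined.
    for hit in recent_executables(Path(r"C:\WINNT\system32"), max_age_days=30):
        print(hit, time.ctime(hit.stat().st_mtime))
```

Run the listing first and compare against a known-good install before neutralizing anything; a recently dated file can also be a legitimate update.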
 
ajness (Author) Commented:
Thank you all for your help! Community Response, please give FalconHawk assisted answer credit as well. The end user had let his antivirus subscription lapse, and after running Stinger I found 2 worms on the system. Removing the worms and running HijackThis again seems to have fixed the problem; I've rebooted a few times now with no recurrence.
 
Hypoviax Commented:
Thanks,

If you wish to split points with myself and FalconHawk you will need to place a comment in Community Support referencing this question. The other option is to place a "Points for FalconHawk" question, although this option is frowned upon by EE.

Regards,

Hypoviax