[vorlx]

Ok as a last resort I am posting here. Here is what I have identified so far.

The other day, 2 days ago I think, I was browsing around and clicked yes to something I shouldn't have. From there on I started getting random popups, mostly casino popups, not every time I open a page but jsut enough to be annoying. As I figured I got hit with some spyware/malware. I ran adaware, it found a process and cleared it. No problems, nothing out of the ordinary. Accept when I restarted after the fact the popups still came back.

I did some investigation and here is what I have figured out:

vprpkr.exe is located in c:\windows\system32 and autocreates itself after stopping the running process and deleting it. This happens before reboot.

I found it in a !submit fold off of C:\ but it never came back after deletion. A version also appears in C:\windows\prefech off and on.

Originally it was only int he HKLM\software\microsoft\windows\current version\run which automatically returns off and on.

I also identified nkdk which was the same file size as the vprpkr.exe file being loaded in the ALL USER startup folder. This also recreates itself. The file size has also altered now.

The only reason I even noticed it was because when I was killing out processes I noticed it pop up. I have ran every scan, killed and deleted these processes as many ways as I can. It seems to morph in different locations in the registry as well.

Any help would be appreciated. Something is spawning and recreating these processes and I can't figure out what.


I have done complete searches through the registy

Logfile of HijackThis v1.99.1
Scan saved at 10:13:42 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exeLogfile of HijackThis v1.99.1
Scan saved at 10:13:42 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vprpkr.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.17:80
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 207.43.104.192 iomeganas
O1 - Hosts: 207.43.104.193 acgfs
O1 - Hosts: 207.43.104.3 acg5
O1 - Hosts: 207.43.104.7 acg2
O1 - Hosts: 207.43.104.190 acg4
O1 - Hosts: 207.43.104.195 acg6
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vprpkr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{611B5DDE-C3A0-4AA2-A13B-9E01D510A3DC}: NameServer = 207.43.104.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe


C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vprpkr.exe <---------- Here is the culprit
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\WINDOWS\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\imapi.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.17:80
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 207.43.104.192 iomeganas
O1 - Hosts: 207.43.104.193 acgfs
O1 - Hosts: 207.43.104.3 acg5
O1 - Hosts: 207.43.104.7 acg2
O1 - Hosts: 207.43.104.190 acg4
O1 - Hosts: 207.43.104.195 acg6
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vprpkr.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{611B5DDE-C3A0-4AA2-A13B-9E01D510A3DC}: NameServer = 207.43.104.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe

[Advertisements]

Any help?

[vorlx]

Any help?

[mrod]

I am having the exact same problem, exept my processes are named Xwoiu.exe and skduen.exe. As soon as I kill it morphs into different locations in the directory within 5 to 10 seconds after the kill. I initally thought it was tied into the MediaAccess app that was pushed onto my system. Is this loaded on your system.

I also need help

[vorlx]

I am having the exact same problem, exept my processes are named Xwoiu.exe and skduen.exe.  As soon as I kill it morphs into different locations in the directory within 5 to 10 seconds after the kill.  I initally thought it was tied into the MediaAccess app that was pushed onto my system.  Is this loaded on your system.

I also need help

I havn't seen anything regarding a mediaaccess app.. I was browsing the web searching for something and I said yes to some cert I didn't mean to say yes to. I wasn't paying attn at the time.

But yeah it morphs in about 10 sec, it was at least the same file size for awhile, then even that changed at some point.

I couldn't figure out anything, i went through all the registry, all startup locations. Sometimes if I rename the files, delete them, then put a dummy copy in there place before it can recreate I can restart and see it trying to open dos box windows, so something is spawing them I just can't figure out what. However this only seems to work once.

Edited by vorlx, 12 April 2005 - 09:17 AM.

[mrod]

OK Thanks

I also modified the entry within the registry to no avail. going to try and disable within msconfig see if that does anything

I am going to keep plugging, if i solve the issue you will know

[vorlx]

OK Thanks

I also modified the entry within the registry to no avail. going to try and disable within msconfig see if that does anything

I am going to keep plugging, if i solve the issue you will know

I tried killing it with killbox/hjt/modifying the startup entries in msconfig. I spent roughly 6-7 hours on it last night to no luck. I can't figure out what is restarting them. I can delete the one in the registry (but something is putting it back, sometimes.) The files in both locations auto recreate. It just makes me think that some process or service is running and keeping the files alive. I have no clue what though and I have done everything I can think of.

[vorlx]

ttt

[vorlx]

ttt

It figures i get something not only can i not fix but noone has a clue what it is. LOL.

[mrod]

I hear ya....I'm still searching

[vorlx]

I hear ya....I'm still searching 

Webroot Spysweeper identifies it as CLKOPTIMIZER, it removes them the same I do though. Its randomly morphing. I have got some of it to go away.