Irremovable process running on my laptop

Irremovable process running on my laptop
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Antivirus Discussions    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
Irremovable process running on my laptop Bijit 04-07-2006
Posted by =?Utf-8?B?QmlqaXQ=?= on April 7, 2006, 3:33 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi,
A couple of processes are running on my machine that I can't terminate.
These processes register themselves as startup processes in the windows
registry and I cannot disable them using the "System Configuration Utility".
I tried booting my system in safe mode and these processes are still running
and they reset the startup configuration as soon as I disable them and close
the "System Configuration Utility" window. The NAME, COMMAND and LOCATIONS
for these are the following.

1) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
LOCATION: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

2) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
LOCATION: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

3) NAME: "qkcsr"; COMMAND: "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\qkcsr.exe"; LOCATION: "Common Startup"

The processes don't show up on task manager and I used the freeware process
viewer utility from
http://www.beyondlogic.org/solutions/processutil/processutil.htm to see them.

There are always 3 copies of the process called "omhvk.exe" and one
"xcprls.exe" running which I cannot kill using the "process -k ..." command
since they start right back up !!

Any suggestions to remove these programs will be extremely welcome. Thanks.


Posted by =?Utf-8?B?UGFuZGFfbWFu?= on April 7, 2006, 3:53 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
My reply is at the bottom of your message :

"Bijit" wrote:

> Hi,
> A couple of processes are running on my machine that I can't terminate.
> These processes register themselves as startup processes in the windows
> registry and I cannot disable them using the "System Configuration Utility".
> I tried booting my system in safe mode and these processes are still running
> and they reset the startup configuration as soon as I disable them and close
> the "System Configuration Utility" window. The NAME, COMMAND and LOCATIONS
> for these are the following.
>
> 1) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
> LOCATION: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
> 2) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
> LOCATION: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
> 3) NAME: "qkcsr"; COMMAND: "C:\Documents and Settings\All Users\Start
> Menu\Programs\Startup\qkcsr.exe"; LOCATION: "Common Startup"
>
> The processes don't show up on task manager and I used the freeware process
> viewer utility from
> http://www.beyondlogic.org/solutions/processutil/processutil.htm to see them.
>
> There are always 3 copies of the process called "omhvk.exe" and one
> "xcprls.exe" running which I cannot kill using the "process -k ..." command
> since they start right back up !!
>
> Any suggestions to remove these programs will be extremely welcome. Thanks.
>



Hello ! I search for these files in Google and I found no information.
Please , submit these files and all suspicious for you files to VirusTotal
Do three things :

1)
http://www.virustotal.com/flash/index_en.html

Send a suspicious file for analyze to VirusTotal
They will scan it for malware with almost all antivirus softwares with the
latest definitionsand then will send you the report.The service is FREE .
If something is suspicious they will send the file to all antivirus
companies so that they will establish signatures for disinfecting the malware.
Please , if a malicious software is found , post back the name of the threat
and exactly which scanner(s) finds it.


2)
Submit these files for free analyze to Kaspersky Labs. Virus analysts
newvirus@kaspersky.com

They will be greatful to analyze them and they will answer to you.Don't
mention you do not use Kaspersky ;-)

3)
Scan your computer for all kind of threats using Panda's free ActiveScan
http://www.activescan.com

The scanner generates a report when the scan is finished.Save the report on
your hard-drive and then post it here so we'll know what exactly you have.The
file is basic TXT so there will be no problems,I think.


Panda_man
--
Prevention is always better than cure !
--
http://pandaman.my.contact.bg
http://www.activescan.com
Please , rate posts

Posted by David H. Lipman on April 7, 2006, 3:55 pm
If you were  Registered and logged in, you could reply and use other advanced thread options

| Hi,
| A couple of processes are running on my machine that I can't terminate.
| These processes register themselves as startup processes in the windows
| registry and I cannot disable them using the "System Configuration Utility".
| I tried booting my system in safe mode and these processes are still running
| and they reset the startup configuration as soon as I disable them and close
| the "System Configuration Utility" window. The NAME, COMMAND and LOCATIONS
| for these are the following.
|
| 1) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
| LOCATION: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
| 2) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
| LOCATION: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
|
| 3) NAME: "qkcsr"; COMMAND: "C:\Documents and Settings\All Users\Start
| Menu\Programs\Startup\qkcsr.exe"; LOCATION: "Common Startup"
|
| The processes don't show up on task manager and I used the freeware process
| viewer utility from
| http://www.beyondlogic.org/solutions/processutil/processutil.htm to see them.
|
| There are always 3 copies of the process called "omhvk.exe" and one
| "xcprls.exe" running which I cannot kill using the "process -k ..." command
| since they start right back up !!
|
| Any suggestions to remove these programs will be extremely welcome. Thanks.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the
PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Steve Winograd [MVP] on April 8, 2006, 3:20 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
>Hi,
> A couple of processes are running on my machine that I can't terminate.
>These processes register themselves as startup processes in the windows
>registry and I cannot disable them using the "System Configuration Utility".
>I tried booting my system in safe mode and these processes are still running
>and they reset the startup configuration as soon as I disable them and close
>the "System Configuration Utility" window. The NAME, COMMAND and LOCATIONS
>for these are the following.
>
>1) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
>LOCATION: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
>2) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
>LOCATION: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
>
>3) NAME: "qkcsr"; COMMAND: "C:\Documents and Settings\All Users\Start
>Menu\Programs\Startup\qkcsr.exe"; LOCATION: "Common Startup"
>
>The processes don't show up on task manager and I used the freeware process
>viewer utility from
>http://www.beyondlogic.org/solutions/processutil/processutil.htm to see them.
>
>There are always 3 copies of the process called "omhvk.exe" and one
>"xcprls.exe" running which I cannot kill using the "process -k ..." command
>since they start right back up !!
>
>Any suggestions to remove these programs will be extremely welcome. Thanks.

Some malware processes monitor each other, so that they can instantly
re-start a process that gets killed.

A possible solution is to use Process Explorer from
http://www.sysinternals.com/ProcessesAndThreadsUtilities.html

Instead of killing suspicious processes one-by-one, suspend all of
them first, which prevents them from doing anything. Then kill them.
--
Best Wishes,
Steve Winograd, MS-MVP (Windows Networking)

Please post any reply as a follow-up message in the news group
for everyone to see. I'm sorry, but I don't answer questions
addressed directly to me in E-mail or news groups.

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

Posted by =?Utf-8?B?QmlqaXQ=?= on April 8, 2006, 8:17 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks,
Finally it seems I have gotten rid of these programs. I downloaded the
"Security Task Manager v1.6f" from www.neuber.com and used it to detect the
processes and quarantine them. It detected the proceses right away as 100%
security risks. It also detected the registry entries where the program would
register itself as startup programs, though these were much lower in the
security risk
scale. But once the processes were killed, it was easy to remove these
registry entries as well.

"Steve Winograd [MVP]" wrote:

> >Hi,
> > A couple of processes are running on my machine that I can't terminate.
> >These processes register themselves as startup processes in the windows
> >registry and I cannot disable them using the "System Configuration Utility".
> >I tried booting my system in safe mode and these processes are still running
> >and they reset the startup configuration as soon as I disable them and close
> >the "System Configuration Utility" window. The NAME, COMMAND and LOCATIONS
> >for these are the following.
> >
> >1) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
> >LOCATION: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
> >
> >2) NAME: "xcprls"; COMMAND: "C:\Windows\system32\xcprls.exe reg_run";
> >LOCATION: "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
> >
> >3) NAME: "qkcsr"; COMMAND: "C:\Documents and Settings\All Users\Start
> >Menu\Programs\Startup\qkcsr.exe"; LOCATION: "Common Startup"
> >
> >The processes don't show up on task manager and I used the freeware process
> >viewer utility from
> >http://www.beyondlogic.org/solutions/processutil/processutil.htm to see them.
> >
> >There are always 3 copies of the process called "omhvk.exe" and one
> >"xcprls.exe" running which I cannot kill using the "process -k ..." command
> >since they start right back up !!
> >
> >Any suggestions to remove these programs will be extremely welcome. Thanks.
>
> Some malware processes monitor each other, so that they can instantly
> re-start a process that gets killed.
>
> A possible solution is to use Process Explorer from
> http://www.sysinternals.com/ProcessesAndThreadsUtilities.html
>
> Instead of killing suspicious processes one-by-one, suspend all of
> them first, which prevents them from doing anything. Then kill them.
> --
> Best Wishes,
> Steve Winograd, MS-MVP (Windows Networking)
>
> Please post any reply as a follow-up message in the news group
> for everyone to see. I'm sorry, but I don't answer questions
> addressed directly to me in E-mail or news groups.
>
> Microsoft Most Valuable Professional Program
> http://mvp.support.microsoft.com
>

Similar ThreadsPosted
Keyboard problem on laptop April 30, 2006, 8:23 pm
CSW Trojan Horse on Gateway Laptop September 16, 2006, 1:14 am
What are these mToolkit programs on my Dell laptop (Can I just remove them?)? October 7, 2006, 7:47 pm
Re: What are these mToolkit programs on my Dell laptop (Can I just remove them?)? October 7, 2006, 9:29 pm
A problem with a process CRCAB.exe July 5, 2005, 11:55 am
Generic Host Process for Win 32 August 6, 2005, 2:29 pm
Process remover/killer May 6, 2007, 9:37 pm
Annoying virus - can't tell what process it's associated with... July 16, 2008, 6:04 pm
Does anyone know how to see if NTLM is running on a web site? December 16, 2005, 10:04 am
Does anyone know how to see if NTLM is running on a web site? December 16, 2005, 10:04 am

The site map in XML format XML site map

Contact Us | Privacy Policy