pprekop.exe / killing Comodo / BSOD's ?

Help for v2
#1

Something has been causing more than its fair share of instabilities, BSODs and Comodo crashes on my machine. This time I think I caught it, something called ppkerop.exe. This file does not exist locally. There is no .dmp or Dr Watson. There is much chatter online about the same problem, but no answers or acknowledgment by Party Poker (who’s users I assume are the target) -

App log -

===
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 2/09/2007
Time: 11:22:02 AM
User: N/A
Computer: ■■■■■
Description:
The description for Event ID ( 1000 ) in Source ( Application Error ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: pprekop.exe, 4.2.0.172, ole32.dll, 5.1.2600.2182, 10017bed.
Data:
0000: 66 00 78 00 31 00 6e 00 f.x.1.n.
0008: 55 00 32 00 6b 00 33 00 U.2.k.3.
0010: 75 00 53 00 2b 00 65 00 u.S.+.e.
0018: 63 c

Firewall log (it killed the firewall) -

===
Date/Time :2007-09-02 11:22:01
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 125.196.223.238, Port = ms-rpc(135))
Protocol: TCP Incoming
Source: 125.196.223.238:2116
Destination: 125.253.33.10:ms-rpc(135)
TCP Flags: SYN
Reason: Network Control Rule ID = 7

Culprit doing it (in this case) -

===
Name: FLH1Afc238.chb.mesh.ad.jp
Address: 125.196.223.238

Whether its mere coincidence, or work of the devil, I have also started noticing a much higher frequency of SQL port probes at the same time.

Has anyone experienced this or heard anything about it ? My system hasn’t actually been penetrated that I know of, but it has been killed dead. Repeatedly. I’ve run multiple rootkit / malware scanners. Nothing. Log atached - pprekop.rar

[attachment deleted by admin]

#2
This time I think I caught it, something called ppkerop.exe. This file does not exist locally.

Sure looks like a rootkit nasty …

I think your best bet is to post this at http://www.castlecops.com/f233-Rootkit_Revelations.html

I've run multiple rootkit / malware scanners. Nothing.

Seems the consensus is that RootKitUnhooker, GMER, and RootKitRevealer are the top scanners. I’d suggest trying all 3. software AVG Antirootkit – Rootkit Trends & Prevention Blog

Edit: these tools are potentially dangerous. Do not use any of them unless you know what you’re doing.

#3

Thanks. I’m trying several angles of investigation as it has my curiosity piqued. The sysinternals scanner found nothing.

My primary concern is that the incoming rpc call brought Comodo down - thats why I posted here. And that’s in the rare instance that it intervenes before a BSOD.

#4

Heh, this is the 3rd robotic response I’ve received from Party Poker -

Dear ■■■■■,

Thank you for contacting us.

I can assure you that we have read the details and the advice we
provided you is the resolution for the problem.
If you do not follow the instructions below then the problem you are
experiencing will unfortunately continue.

As we have already suggested you shall need to uninstall the software,
create a new user profile on your system and then reinstall the
software.

They refuse to acknowledge any problem, however they have just released a patch without any release notes. Will keep monitoring.