Re: Pprekop.exe Mystery

If people want to know more about pprekop.exe I did some investigating
and have a rough idea of what is going on with it and the event log
error:

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 30/03/2008
Time: 17:26:29
User: N/A
Computer: HomeComputer
Description:
Faulting application pprekop.exe, version 4.2.0.172, faulting module
ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.

Using this 'strings' program (http://tinyurl.com/yjlnjl) to look in
PartyGaming.exe, it finds a pprekop.exe string. And just below it are
other suspicious strings "4.2.0.172", "ole32.dll", "5.1.2600.2182",
"10017bed", which are the other data found in the error log messages.

Next I loaded PartyPoker up in a debugger and stepped through until
around where those strings were referenced. What appears to happen is
that some variable takes those strings as values, then the library
Advapi32.dll is loaded and the function ReportEvent is used to create
an event with those strings in it.

So basically the error message is the same no matter what; there has
been no fault in the ole32 module at address 0x10017bed. Whether or not
the error message is triggered because of an actual error, I was not sure.

Using 'process monitor'
(http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) reveals
that just after the ReportEvent function is loaded the PartyPoker
software checks the value of
HKEY_LOCAL_MACHINE\SOFTWARE\Notepad\mode\UCID in the registry. Part of
this is what appears as the data in the event log that is created.
Deleting that registry value leads to the error message not being
reported, however the PartyPoker software takes you to a "first
connection" page.

Altogether, pprekop.exe seems to not actually be a real executable, and
the party poker software just creates a "fake" entry (containing the
UCID) in the application event log on startup as long as a UCID entry
already exists in the registry. There may be a reason why the error
message is created, but it seems suspicious that the info it gives does
not relate to a real error. It is possible that it was put in there by
the programmers for debugging-like purposes and was forgotten about when
it should have been removed. So all the claims on other forums of
rootkits and spyware causing the error message seem to be unfounded.


--
penguinUK
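The post's finding is that a "crash" entry whose application name, module, versions and fault address are hard-coded strings is not a crash at all. The script below is an added example (not from the post or from the PartyGaming software) that turns that observation into a check a defender can run over exported Application Error (Event ID 1000) lines: it parses the description format quoted above, flags entries that match the five fixed strings found in PartyGaming.exe, and, as a more general heuristic, flags any fault that repeats with byte-identical module, version and address, since genuine crashes usually vary. The log lines are constructed for the example; the one-line "date time description" export format, the `REPEAT_THRESHOLD` value and the `FaultEvent` helper are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Description format of an Application Error (Event ID 1000) entry as quoted in
# the post, prefixed here with "date time" (assumed one-line export format).
FAULT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Faulting application (?P<app>\S+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<module>\S+), version (?P<mod_ver>[\d.]+), "
    r"fault address 0x(?P<address>[0-9a-fA-F]+)\.$"
)

# The five fixed values the post found as strings inside PartyGaming.exe.
PPREKOP_SIGNATURE = ("pprekop.exe", "4.2.0.172", "ole32.dll", "5.1.2600.2182", "10017bed")

# Heuristic (assumption): a fault reported with identical module, version and
# address this many times is suspicious on its own; real faults tend to vary.
REPEAT_THRESHOLD = 3


@dataclass(frozen=True)
class FaultEvent:
    """One parsed Event ID 1000 entry (hypothetical helper type)."""
    timestamp: str
    app: str
    app_ver: str
    module: str
    mod_ver: str
    address: str

    def fault_key(self):
        # Everything except the timestamp: the fields a fake entry keeps constant.
        return (self.app, self.app_ver, self.module, self.mod_ver, self.address)


def parse_fault_events(lines):
    """Parse exported log lines; lines that are not fault descriptions are skipped."""
    events = []
    for line in lines:
        m = FAULT_RE.match(line.strip())
        if not m:
            continue
        events.append(FaultEvent(m["ts"], m["app"], m["app_ver"], m["module"],
                                 m["mod_ver"], m["address"].lower()))
    return events


def matches_known_signature(event):
    """True if the entry is exactly the hard-coded pprekop.exe tuple from the post."""
    return event.fault_key() == PPREKOP_SIGNATURE


def find_synthetic_events(events):
    """Return {event: [reasons]} for entries that look fabricated rather than real crashes."""
    counts = Counter(ev.fault_key() for ev in events)
    flagged = {}
    for ev in events:
        reasons = []
        if matches_known_signature(ev):
            reasons.append("matches hard-coded pprekop.exe strings from PartyGaming.exe")
        if counts[ev.fault_key()] >= REPEAT_THRESHOLD:
            reasons.append(f"identical fault details reported {counts[ev.fault_key()]} times")
        if reasons:
            flagged[ev] = reasons
    return flagged


# Constructed sample export: three fake pprekop.exe entries and one ordinary crash.
SAMPLE_LOG = """\
30/03/2008 17:26:29 Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
31/03/2008 09:02:11 Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
31/03/2008 12:45:03 Faulting application notepad.exe, version 5.1.2600.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
01/04/2008 08:15:40 Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.
"""

if __name__ == "__main__":
    for ev, reasons in find_synthetic_events(parse_fault_events(SAMPLE_LOG.splitlines())).items():
        print(f"{ev.timestamp} {ev.app}: {'; '.join(reasons)}")
```

On a real machine the same check can be fed from an export of the Application log; an entry that trips the signature test can then be correlated with the registry value the post names (HKEY_LOCAL_MACHINE\SOFTWARE\Notepad\mode\UCID) to confirm it is the PartyPoker startup artefact rather than a genuine ole32.dll fault.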