  Boston7
join:2002-04-22
| Anybody know what rrnruk.exe reg_run is?
| Hello, does anybody know what that file is? I am helping a friend clean off her computer; it was a mess. I almost have it all clean, but nothing will delete that file; it keeps coming back. When I run HijackThis, it lists it as [KavSvc] C:\WINDOWS\system32\rrnruk.exe reg_run in O4. When she boots into safe mode, goes to that directory and tries to delete it, it says it is write protected and won't delete. I fix it in HijackThis, but it just comes back.
Anybody know what this file is, or how to get rid of it for good? I know somebody will post the link to the FAQ, but I guess I am really just looking for info on this file, as I can't find anything on it, and wondering if somebody else might also have had it. I have run ewido security suite, Spybot and KillBox and have her almost all the way clean except for this dang file, which nothing seems to delete. Thanks for any info. |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| I'm sure you googled for it and found no reference to it. Usually that is not a good sign. If you used all the tools from the FAQ, then post an HJT log, as it might become clearer from other entries whether this particular one is bad (and I think it is).
Cudni -- Help yourself so God can help you |
|
  Boston7
join:2002-04-22
| Here is the log, and yes, nothing will get rid of it: no virus scanner, no spyware removal tool, not even HijackThis; it just keeps coming back. But here is the log if anybody has any clues. That is the only entry that I see as bad. Thanks...
Scan saved at 2:55:47 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\rrnruk.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\AOL\110781~1\EE\AOLHOS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\COMMON~1\AOL\110781~1\EE\AOLServiceHost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »hoylegames.sierra.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107814833\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Windows Services Host] svhostc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrnruk.exe reg_run
O4 - HKLM\..\RunServices: [Windows Services Host] svhostc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Services Host] svhostc.exe
O4 - HKCU\..\RunServices: [Windows Services Host] svhostc.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall-beta.trendmicro.com/ho···an60.cab
O16 - DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} (007installer Control) - »download.007guard.com/msnnames/msnnames.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - »www.pacimedia.com/install/pcs_0029.exe
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - »hoylegames.sierra.com/cab/WONWeb···trol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - »messenger.zone.msn.com/binary/So···1267.cab
O21 - SSODL: System - {3C7B6EAB-16D1-4BAF-8F50-E0504B179BC5} - mcsys.dll (file missing)
O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Office Source Engine - Unknown - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | reply to Boston7 Did you try single-file scanners on it? »Security »What are some web based virus scanners and encyclopedias?
Cudni -- Help yourself so God can help you |
|
  Boston7
join:2002-04-22
| Yes I did, sorry I didn't mention it. I ran HouseCall from Trend, and that didn't detect the file either. Not sure what else to do. I mean, she was getting pop-ups galore... but I got all that fixed; now the pop-ups are gone. But that file is staying, so I'm not sure what it's really doing or tied to... but because I can't delete it, and every time I try to fix it with HJT it comes back, that tells me it is bad somehow. |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| reply to Boston7 Would you consider submitting it for analysis as suspected malware on the link below? »Security »I think my computer is infected or hijacked. What should I do?
Cudni
Cudni -- Help yourself so God can help you |
|
  Boston7
join:2002-04-22 | Ok will do. |
|
  muf Captain of the axe Premium join:2003-01-04 uk | reply to Boston7 I'd like to see it scanned here: »virusscan.jotti.org/
Let's see if they recognise what it is.
muf -- We want... a shrubbery! |
|
  Boston7
join:2002-04-22
| said by muf: I'd like to see it scanned here: »virusscan.jotti.org/ Let's see if they recognise what it is.
muf, do I zip it, or just upload the exe? I will do it once she gets back home, so I can get the file. |
|
  muf Captain of the axe Premium join:2003-01-04 uk | reply to Boston7 Just upload the exe
muf -- We want... a shrubbery! |
|
  Kayrac Premium join:2001-09-29 Rochester, NH | reply to Boston7 Also give it a go at www.virustotal.com |
|
 garys_2k
join:2004-05-07 Farmington, MI | reply to Boston7 Rootkit? That's the alarm that went off with the "write protected" stuff. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to Boston7 O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrnruk.exe reg_run
(Description: Qoologic downloader trojan variant using random file names (examples: nzkklz.exe, rzazzi.exe, ivpaan.exe) - do not confuse with the Kaspersky antivirus startup item.) »startup.iamnotageek.com/search.p···h=kavsvc
There's other stuff in your log that needs attention. NOTE: The items below are not to be confused with svchost.exe.
O4 - HKLM\..\Run: [Windows Services Host] svhostc.exe
O4 - HKLM\..\RunServices: [Windows Services Host] svhostc.exe
O4 - HKCU\..\Run: [Windows Services Host] svhostc.exe
O4 - HKCU\..\RunServices: [Windows Services Host] svhostc.exe |
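Editor's added example (not from any poster in this thread): amysheehan's post applies three triage heuristics by eye, and they are worth writing down because they generalise beyond this one log: an autostart value with a random-looking name in system32, a filename that is a near-miss for a system process (svhostc.exe versus svchost.exe), and the same value planted in several Run/RunServices locations under both HKLM and HKCU. The Python below parses HijackThis-style O4 lines and flags entries on those rules plus one more, a bare filename with no path (which Windows resolves by search order). The sample log is constructed from the entries quoted in the thread, not the full posted log, and the flag names, the six-lowercase-letter "random name" rule and the edit-distance threshold are my own choices. Note that the no-path rule also fires on VTTimer.exe, which the thread treats as legitimate, so the output is a list to look at, not a verdict.

```python
"""Triage HijackThis O4 (autostart) entries with a few simple heuristics."""
import re
from collections import defaultdict

# Constructed sample in HijackThis O4 format, modelled on entries quoted in
# the thread above; it is not the full posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Windows Services Host] svhostc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\rrnruk.exe reg_run
O4 - HKLM\..\RunServices: [Windows Services Host] svhostc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Services Host] svhostc.exe
O4 - HKCU\..\RunServices: [Windows Services Host] svhostc.exe
"""

# Registry-based O4 lines: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Core system processes that normally live in system32 (stems, no extension).
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "smss"}


def executable_of(cmd):
    """Return the executable path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def levenshtein(a, b):
    """Plain edit distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(log_text):
    """Return a list of dicts (hive, key, name, cmd) for registry O4 lines."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(log_text):
    """Map each flagged executable (lower-cased basename) to its sorted reasons."""
    entries = parse_o4(log_text)
    locations = defaultdict(set)   # basename -> {(hive, key), ...}
    reasons = defaultdict(set)     # basename -> {flag, ...}
    for e in entries:
        exe = executable_of(e["cmd"])
        directory, _, base = exe.rpartition("\\")
        base = base.lower()
        stem = base[:-4] if base.endswith(".exe") else base
        in_system32 = directory.lower().endswith("\\system32")
        locations[base].add((e["hive"], e["key"]))
        if not directory:
            # No path: Windows finds it via search order, a classic hiding spot.
            reasons[base].add("no_path")
        if in_system32 and re.fullmatch(r"[a-z]{6}", stem):
            # Heuristic (my choice): six random lowercase letters in system32.
            reasons[base].add("random_name")
        if stem not in SYSTEM_NAMES:
            for sys_name in SYSTEM_NAMES:
                if levenshtein(stem, sys_name) <= 2:
                    reasons[base].add("lookalike:" + sys_name + ".exe")
        elif not in_system32:
            reasons[base].add("system_name_outside_system32")
    for base, locs in locations.items():
        if len(locs) >= 3:
            # Same binary registered under several hives/keys at once.
            reasons[base].add("multi_location:%d" % len(locs))
    return {base: sorted(r) for base, r in reasons.items()}


if __name__ == "__main__":
    for base, why in sorted(triage(SAMPLE_LOG).items()):
        print("%-14s %s" % (base, ", ".join(why)))
```

Run it against a full HJT log by pasting the log into SAMPLE_LOG or reading it from a file; only the registry O4 lines are parsed, so the Startup-folder entries, O16 and O23 lines pass through untouched and still need a manual look.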
|
  Boston7
join:2002-04-22
| Thanks amy,
Any clues on how to rid her of that file? I did follow all the instructions I found to get rid of it, but none of them seem to want to get rid of that one file. Just for reference, I ran Find-Qoologic, KillBox and ewido security suite. She had a bunch more related to the same thing; I guess I got rid of all those, as they are not in her log any more.
And also thanks for pointing out those other entries in the log. |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| reply to Boston7 Since I don't know where you got it from, please download FindQoologic from here: http://forums.net-integration.net/index.ph...=post&id=134981 Save it to the desktop, and unzip the files to their own folder. Find Qoologic2.bat and run it, allowing the script to complete. It will save a log file and open the text in Notepad when finished (please be certain it has finished, it can take a few minutes). Please post the entire contents of the log file here for me to see in your next post along with a fresh HijackThis log. -- Proud ASAP member since 2005 |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to Boston7 said by Boston7 :Any clues on how to rid her of that file? I would install BOClean. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|