Hell from pbrrol.exe

Discussion in 'Windows Desktop Systems' started by Admiral Michael, Jul 21, 2005.

  1. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    I'm trying to fix a friend's computer. There's a program called pbrrol.exe that's in C:\WINDOWS\System32 that won't let Firefox load. The Windows Task Manager doesn't show it; I have to use the task view from the makers of HijackThis to see it. When I end the program with the secondary task manager, Firefox loads no prob; otherwise it doesn't show, but firefox.exe shows in the Task Manager.

    I can't find the file in the folder, I can find it with Windows Find, but when I delete it, it respawns. Another file appears in the registry for startup - rikk.exe. This file is located in the Startup folder but cannot be seen even with "show hidden files" (shows via Windows Find).

    I've run Ad-Aware and Spybot to no avail.

    His laptop runs Windows XP Pro SP2, he uses the windows firewall.
     
  2. Xie

    Xie - geek - Subscribed User Folding Team

    You mention running adware programs and nothing; what anti-virus programs have you run?
     
  3. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    Sorry, he (as well as I) runs Norton AntiVirus 2003

    He said NAV picked up a virus and removed it. I don't know the name of the virus.
     
  4. Xie

    Xie - geek - Subscribed User Folding Team

    Sounds like it didn't get all of it. I'd try another AV; give HouseCall a shot, it's free and works rather well. Trying more than one AV sometimes does the trick.
     
  5. gonaads

    gonaads Beware the G-Man Political User Folding Team

    Delete both files but don't empty trash and also delete the entry in the reg, but first export that entry (just in case it is a legit file). Also search the reg for any instances of either file and delete them, backup/export them first to be safe. Then reboot and see what happens. Sounds like virus goings on in that Laptop.
     
    Last edited: Jul 21, 2005
  6. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    I agree that it sounds like a virus. I'll try your suggestions next time he's over.
     
  7. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    I tried your suggestion gonaads and no luck. I'm gonna try the Symantec online scanner to see if it's a virus. He has to go home now so I'll have to wait till next time.

    Thanks for the updates so far :) Much appreciated.
     
  8. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    From my experience, if this file is a virus, it sounds like you are only finding the droppings. The best way to delete that file, since it seems to keep coming back, is through the Recovery Console. This is an absolute deletion, obviously skipping over the Recycle Bin.

    In regards to your AV protection, while 2003 may have the updated .DAT files, this day and age I would strongly recommend upgrading to 2004 at least, if not 2005. I have seen both versions for <$20 on eBay buying just the CD and the sleeve. My logic behind that being the updated worm protection, which gives you a double-edged sword for the XP SP2 Firewall.

    Also, have you checked your hosts file? (nevermind, sorry my mind is scattered).

    I just re-read your post, you should definitely go to Recovery Console. While in Windows, write down the path and names of the file. Go to Recovery Console...

    (if you are not familiar, here is how)

    1. Boot to a Windows XP CD
    2. Press "r" to repair
    3. It will prompt you to choose which Windows installation you want to login to, type "c:"
    4. It will then prompt you for the Administrator password (so either make sure he knows it, or reset it before getting this far)
    5. Then, you are pretty much at the CMD prompt from within XP, but on steroids :)

    What I would do BEFORE that is make sure that the AV and Windows Security updates are fully patched. Download MS Anti-Spyware, and Stinger from McAfee. Once all updates and patches are all set, go to the Recovery Console, delete the files, reboot into safe mode WITHOUT networking, do scans like it's your job. They should be gone, but just to be sure. Also, while there, use similar search methods you performed above to ensure they are gone.

    These things are a pain, but at the same time rather interesting to get rid of sometimes. Good luck, post back which I'm sure you will :)
     
  9. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    Where to begin :p

    Xie:

    I'll give your suggestion a shot as well as using the Symantec online scanner.

    kcnychief:

    I use NAV 2003 because I think it's the best Norton version; I tried newer versions and they seem to be memory hogs. I may consider switching to AVG but I've always used NAV and never had any problems with it myself.

    I have checked the hosts file, only one entry which is localhost.

    I've tried deleting the file in safe mode, but it still runs while in safe mode. I never thought of using the Recovery Console. I just hope it can find it.
     
  10. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    I couldn't agree more on the memory hog, but that is evident on *most* newer applications. I have found that McAfee works quite well, and is a bit easier on the resources.

    It would still run in safe mode, so that would not be an initial option. Within the Recovery Console, every file is viewable. So, you would want to write down the path, such as

    C:\windows\system32\filethatiskillingmymachine.exe

    navigate to there within the Recovery Console and delete it. If you get access denied, the file might be read-only. At that point, from the CMD prompt, type out the path again...

    C:\windows\system32\attrib -r -h -a filethatiskillingmymachine.exe

    try to delete again, and you should be set.
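    The sequence above, written out as an added example session (not a transcript from this thread). It assumes the installation was selected as "1" at the Recovery Console prompt and uses the file name from the original post; note that the Recovery Console's own ATTRIB accepts only the R, S, H and C attribute letters.

    ```bat
    REM Added example: Recovery Console session to remove a hidden, read-only file.
    REM Assumes installation "1" (C:\WINDOWS) was chosen and the Administrator password entered.

    C:\WINDOWS>cd system32

    REM DIR in the Recovery Console lists every file, hidden or not, with attribute letters
    REM (d = directory, r = read-only, h = hidden, s = system, a = archive) before the name.
    C:\WINDOWS\SYSTEM32>dir pbrrol.exe

    REM A first delete of a read-only/hidden/system file typically fails with "Access is denied".
    C:\WINDOWS\SYSTEM32>del pbrrol.exe

    REM Clear read-only, system and hidden so the file becomes an ordinary deletable file.
    REM (Recovery Console ATTRIB has no -a switch; use -r -s -h here.)
    C:\WINDOWS\SYSTEM32>attrib -r -s -h pbrrol.exe

    REM Second delete now succeeds.
    C:\WINDOWS\SYSTEM32>del pbrrol.exe

    REM Confirm: "The system cannot find the file specified" means it is gone.
    C:\WINDOWS\SYSTEM32>dir pbrrol.exe
    ```

    By default the Recovery Console only allows access to the root of each drive and to %systemroot% and below, so a file in a user's Startup folder (like rikk.exe in the first post) needs the "Recovery console: Allow floppy copy and access to all drives and all folders" policy enabled beforehand (then `set AllowAllPaths = TRUE` in the console).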
     
  11. Johnny

    Johnny .. Commodore .. Political User

    Did you try something like BartPE to delete it offline? Or even going into safe mode?
     
  12. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    As mentioned, I have tried safe mode and the app is running while in safe mode. I will be trying the Recovery Console method kcnychief suggested.
     
  13. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Here is a little more information in case you want to familiarize yourself before attempting...

    http://support.microsoft.com/?kbid=314058
     
  14. lancer

    lancer There is no answer! Political User Folding Team

    Try this program; it's little known but wonderful.

    http://www.ewido.net/en/download/ Update it in normal mode, but then go into safe mode and run the full scans; it will pick everything up and kill it all. It's never failed me and it's free at:

    http://www.ewido.net/en/download/

    Also use the Recovery Console to delete the files, as suggested before.
     
  15. Admiral Michael

    Admiral Michael Michaelsoft Systems CEO Folding Team

    Thanks for the help, I've used the Recovery Console once or twice before.
     
  16. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Just making sure, good luck :)
     
  17. lancer

    lancer There is no answer! Political User Folding Team

    Let me know how the Ewido program works out?

    Also, I searched Google for both those programs and nothing came up... strange.
     
  18. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    I have tried that program before, reminds me of Sunbelt Software's Counterspy.. http://www.sunbelt-software.com/

    Even the icons are similar! :eek:
     
  19. lancer

    lancer There is no answer! Political User Folding Team

    Is that good or bad? :)
     
  20. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Eh, neither. I'm not a fan of CounterSpy; it created a lot of false positives. I only tried it b/c I read an article saying it was "the bomb".