
rgbgp.dll pop up on start

Discussion in 'General Software' started by Taz100420, Aug 27, 2010.

  1. Taz100420

    Taz100420

    Joined:
    Oct 26, 2006
    Messages:
    1,929 (0.66/day)
    Thanks Received:
    100
    Location:
    Fremont, Ohio
    OK, I get this message every time I start my comp up: "Cannot locate rgbgp.dll". I had a few trojans I took care of, but was wondering if this could be another one of my weird problems lol. Plus HijackThis notices it. But has anyone heard of this? A Google search came up with nothing.
     
  2. Frick

    Frick Fishfaced Nincompoop

    Joined:
    Feb 27, 2006
    Messages:
    10,768 (3.41/day)
    Thanks Received:
    2,330
    Haha, Googling only brings me back here. ^^

    Have you tried Malwarebytes?
     
  3. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    14,944 (3.92/day)
    Thanks Received:
    11,734
    It's probably a randomized filename.

    Start regedit, search for that DLL name, and post the keys in which it appears.
     
    Taz100420 says thanks.
  4. Trigger911

    Trigger911 New Member

    Joined:
    Jan 2, 2007
    Messages:
    600 (0.21/day)
    Thanks Received:
    63
    Location:
    Under Columbus, Ohio
    Check these for it and just delete it. I bet it's one of those fake antivirus or malware viruses:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
     
    Taz100420 says thanks.
  5. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    14,944 (3.92/day)
    Thanks Received:
    11,734
    Yes, delete it from those.
     
    Taz100420 says thanks.
  6. Taz100420

    Taz100420

    Joined:
    Oct 26, 2006
    Messages:
    1,929 (0.66/day)
    Thanks Received:
    100
    Location:
    Fremont, Ohio
    Hmmmm..... Well, here's the HijackThis log. I'm not sure.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:38:21 PM, on 8/27/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\AVG\AVG9\avgtray.exe
    C:\Program Files\BOINC\boinctray.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
    O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecisionWrapper.exe" /s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Linksys Wireless Manager] "C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [sta] rundll32 "rgbgp.dll",,Run
    O4 - HKCU\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
    O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [vlgrixbd] C:\Windows\system32\config\systemprofile\AppData\Local\bjnsnremd\qltafxrshdw.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [vlgrixbd] C:\Windows\system32\config\systemprofile\AppData\Local\bjnsnremd\qltafxrshdw.exe (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O13 - Gopher Prefix:
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

    --
    End of file - 6448 bytes
     
  7. Trigger911

    Trigger911 New Member

    Joined:
    Jan 2, 2007
    Messages:
    600 (0.21/day)
    Thanks Received:
    63
    Location:
    Under Columbus, Ohio

    I bolded it for ya
     
  8. Trigger911

    Trigger911 New Member

    Joined:
    Jan 2, 2007
    Messages:
    600 (0.21/day)
    Thanks Received:
    63
    Location:
    Under Columbus, Ohio

    I bolded it for ya

    Edit: it won't bold, but it's this key:

    O4 - HKLM\..\Run: [sta] rundll32 "rgbgp.dll",,Run

    BTW, get rid of the toolbars; they are very exploited via cross-site scripting with ads and such.
     
    Taz100420 says thanks.
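    As an added example (not part of the thread, and not a HijackThis or forum tool), the check W1zzard and Trigger911 describe above can be applied to the O4 lines of the posted log itself: each O4 line is one value from the HKLM/HKCU/HKUS Run keys they list. The script below parses those lines and flags the two patterns visible in this log: a rundll32 value whose DLL is given by bare name (so it is resolved through the DLL search path rather than from a known install directory, which is also why the "Cannot locate" error appears once the file is gone) and an executable running out of a profile AppData directory. Random-looking names are only a weak signal, because legitimate vendor binaries (nmctxth.exe here) trip it too. The sample lines are copied from the log above; the heuristics, thresholds and verdict names are my own assumptions.

```python
"""Triage the O4 (autorun) lines of a HijackThis log for loader-style persistence.

Added example, not part of the thread. Heuristics and thresholds are assumptions;
the sample lines are a subset of the O4 lines from the log posted above.
"""
import ntpath
import re

# Constructed sample input: a subset of the O4 lines from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [AvgScan] C:\Windows\system32\AvgScan.bat
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [sta] rundll32 "rgbgp.dll",,Run
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [vlgrixbd] C:\Windows\system32\config\systemprofile\AppData\Local\bjnsnremd\qltafxrshdw.exe (User 'SYSTEM')
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?', re.IGNORECASE)
# Profile directories are user-writable and an unusual home for an autorun.
APPDATA_RE = re.compile(r"\\AppData\\Local\\|\\systemprofile\\", re.IGNORECASE)


def looks_random(token: str) -> bool:
    """Weak signal: a letters-only name of 5+ chars with almost no vowels."""
    stem = token.rsplit(".", 1)[0].lower()
    if len(stem) < 5 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) < 0.2


def first_path(cmd: str) -> str:
    """Return the program (or, for rundll32, the DLL) a Run value points at."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group("dll").strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line: str):
    """Parse one O4 line; return None for lines that are not [name] cmd values."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = USER_RE.sub("", m.group("cmd"))
    target = first_path(cmd)
    strong, weak = [], []
    # ntpath handles the backslash paths even when this runs on a non-Windows host.
    if RUNDLL_RE.match(cmd) and ntpath.dirname(target) == "":
        strong.append("rundll32 loads a DLL by bare name (search-path lookup, no install dir)")
    if APPDATA_RE.search(target):
        strong.append("runs from a profile AppData dir (user-writable, unusual for autoruns)")
    if looks_random(m.group("name")):
        weak.append("random-looking value name")
    if looks_random(ntpath.basename(target)):
        weak.append("random-looking file name")
    verdict = "suspicious" if strong else ("review" if weak else "ok")
    return {"key": m.group("key"), "name": m.group("name"), "target": target,
            "verdict": verdict, "reasons": strong + weak}


def triage_log(text: str):
    """Triage every O4 line in a log; unparsed lines are skipped."""
    return [r for r in (triage_line(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"{r['verdict']:10} {r['key']} [{r['name']}] {r['target']}")
        for why in r["reasons"]:
            print(f"             - {why}")
```

    On the sample, the [sta] rundll32 value and the SYSTEM-profile [vlgrixbd] value come out as suspicious, [nmctxth] comes out as review only (a real Pure Networks binary with a vowel-free name), and the rest are ok. The verdict is a prompt to look at the file, its signer and its timestamps, not a removal decision on its own.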
  9. Taz100420

    Taz100420

    Joined:
    Oct 26, 2006
    Messages:
    1,929 (0.66/day)
    Thanks Received:
    100
    Location:
    Fremont, Ohio
    That's exactly the one I had my eye on also. Just needed confirmation to delete it. Yeah, I never worried about the toolbars; they are disabled on my browser, but it wouldn't hurt to remove them.

    EDIT: Well, it seems to be back to normal now. No pop-ups when idle in Firefox, no pop-up on start-up, and no BSOD when I plug in my microphone lol
     
    Last edited: Aug 27, 2010
  10. Trigger911

    Trigger911 New Member

    Joined:
    Jan 2, 2007
    Messages:
    600 (0.21/day)
    Thanks Received:
    63
    Location:
    Under Columbus, Ohio
    lol yeah, I saw at work that the new malware version will infect DirectShow, pretty sweet idea ... it took me like 30 to figure it out ... BTW, I bet that was a profile-based virus .... they hide in the user part of the Run key in the registry.

    Glad to see your problem is fixed though ...
     
