# (Solved) Rapid Blaster and porno pop-ups



## lillibunny (Feb 3, 2003)

Hi,

I looked at the question regarding this issue by a user named michelle and I tried to do what the tech support guy told her to do; however, this did not work for me.

I don't know how the rapid blaster got onto my computer, it is shared so it could have been one of my roommates, however I cannot remove it.

I have tried the add/remove programs and it disappears but is still enabled somehow. I tried to delete it but it tells me that another source is using it or that another program is running it and that I can't delete it. Or it tells me that the disk is full or something to that effect.

I want to remove this as I am greatly offended by its presence and subject matter!

Please help me,
lillibunny


----------



## $teve (Oct 9, 2001)

hello lillibunny, welcome to T.S.G
so ......... you have done the add/remove dance and rapidblaster still comes back.
this is what to do.
after you uninstall in add remove programs.... go to the downloaded programs folder C:/windows/downloaded programs, and delete the folder "AInst", right click and delete. now
re-start windows and delete the "rapidblaster" folder, should be in the windows folder (c:/windows).
then........ and this is a little tricky but trust me, you can make it
hit start, run, type "regedit" (without the quotes)
double click the "HKEY_LOCAL_MACHINE"\Software\ and right click and delete the Rapidblaster folder.
that should be it............. post back and let us know if this works.
take care


----------



## TonyKlein (Aug 26, 2001)

SpyBot S&D and Ad-Aware 6.0 will detect and remove RapidBlaster.

For manual removal, do this:

Go to Start > Run, and type Msconfig.

On the Startup tab locate this item:

RapidBlaster = c:\program files\RapidBlaster\rb32.exe

Click OK, close Msconfig, and reboot.

Now delete the entire Program Files\RapidBlaster directory.

Next, go to Internet Options, press "settings", then "show files", and delete the following ActiveX object, if it's there:

[AInst Class] 
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.DLL 
CODEBASE = htp://cnt.rapidblaster.com/install/activeinstaller.dll

Finally, go to Internet Options > Programs, and hit "Reset Web Settings".

Good luck,


----------



## lillibunny (Feb 3, 2003)

Hello all who sent me information on how to fix my Rapid Blaster problem!

Thank you, this is the best service that I have found on line.

I will definitely recommend this to all my friends who are having technical difficulties.

For those who are interested, I actually didn't use the methods completely that were suggested. I kind of used bits and pieces from them.

For those who are curious I went to start, run, typed Msconfig and couldn't find the Rapidblaster in the start up list, etc.
So then somehow I got to the properties area of the rapid blaster folder, clicked everything that I could deny access to for the program and then somehow got to the delete option area of the program folder. 

If you can't tell, I know absolutely nothing about computers, hence the layperson language. I apologize and I hope I am providing some with a little laugh.

Anyhow I was able to delete the program after I did all that clicking, so something worked.

That's my story. Talk to you all soon.

lillibunny


----------



## ecu39 (Mar 29, 2003)

Unfortunately I've tried these and still am stuck at the part of trying to delete the [AInst Class] file. It still keeps telling me the file is being used by another program, blah blah blah...

I've deleted the c:\program files\rapidblaster....

Any more ideas? I'm running Win 2000 Pro.


----------



## TonyKlein (Aug 26, 2001)

Please do this:

Go to http://www.spywareinfo.com/downloads.php#det , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.


----------



## stevemacke (Mar 29, 2003)

I went into the add/remove program and did the removal process. However, when I went into the downloaded program files I was unable to remove the rb32 folder or the rapid blaster folder.

I have attempted to get more detailed removal instructions from the vendor but have had very little luck.

I am searching for the vendor's address - as I wish to have my attorney demand full disclosure of how to remove this file -

this program appeared on my computer without permission and my 10 year old daughter has been exposed to porn pop-ups. I would like to be able to make them understand that what they are doing is not only a breach of my privacy - and against the law - but that they may have consequences.

If anyone can provide their address or give me a process to formally log a complaint against this organization - please forward me the information.

All the Best - and Thanks for any assistance


----------



## mViOkPe (Oct 15, 2002)

> _Originally posted by TonyKlein:_
> SpyBot S&D and Ad-Aware 6.0 will detect and remove RapidBlaster.
>
> Good luck,


----------



## Paytond20 (Apr 3, 2003)

Here is my log from Hijack...
Logfile of HijackThis v1.92.1
Scan saved at 1:53:32 PM, on 4/3/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://my.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://directplugin.com/plugin/110313.exe
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37490.1647800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Please help me get rid of this RapidBlaster folder!


----------



## TonyKlein (Aug 26, 2001)

Well, there you are:

Check, and have HT fix this one:

*O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe*

Next, reboot and delete the entire Program Files\RapidBlaster folder.

Cheers,


----------



## Paytond20 (Apr 3, 2003)

I'm 95% sure it worked. When I did a search of my hard drive afterwards the only file that came up was...

RB32.EXE-1FE480B1.pf

And it was in...

C:\WINDOWS\Prefetch

RapidBlaster, and rb32.exe are both gone though!


----------



## TonyKlein (Aug 26, 2001)

That's good! 

Don't worry about the Prefetch folder. Its content gets refreshed on a regular basis, but if you'd like you can remove that file there as well.


----------



## mjordan2001 (May 22, 2003)

I too, have acquired the wonderful rapid blaster with no knowledge of whence it came.
I cannot get rid of it. It does not show up in the Add/Remove Programs of the Control Panel and I cannot delete the Program File Folder as "access is denied because the file is in use".
I followed one of the previous suggestions and downloaded the HIJACK THIS program and ran it. Here is the log it generated.
Any help greatly appreciated!!

Sys. Specs.
AMD 500
Win2k Pro

Log:
Logfile of HijackThis v1.94.0
Scan saved at 11:45:49 PM, on 5/21/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {3B240FE6-F3DC-4E56-954D-257471ABF8F8} (Artwork Player) - http://www.geecreations.com/cab/artworkplayer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj Class) - http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37683.8331018519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## IMM (Feb 1, 2002)

*mjordan2001* - As TonyKlein indicates earlier in this post SpybotSD will remove it. Download from http://tomcoyote.com/SPYBOT/ 
Install it - and update it online before you run it.
It should handle this one. Post back with a new HJT log after SpyBot fixes what it can. For instance this one looks like a TinyBar clsid
69550BE2-9A78-11D2-BA91-00600827878D


----------



## Top Banana (Nov 11, 2002)

Close IE. Scan with HT, tick and "Fix" *all* the following entries:

O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} (HbInstObj Class) - http://installs.hotbar.com/installs...rams/hotbar.cab

*Reboot* and remove/delete:

Program Files\rb32
aupdate.exe


----------



## mjordan2001 (May 22, 2003)

I did as suggested. Installed and ran SpyBot S&D, fixed all problems, then ran HJT and got a new log.

I *think* I got rid of the rapid blaster but am not sure so if someone could take a look at the new log and let me know I would much appreciate it.

Logfile of HijackThis v1.94.0
Scan saved at 6:12:49 PM, on 5/22/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose /waitmore
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {3B240FE6-F3DC-4E56-954D-257471ABF8F8} (Artwork Player) - http://www.geecreations.com/cab/artworkplayer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37683.8331018519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Top Banana (Nov 11, 2002)

SSD done its job. Log is clean.


----------



## mjordan2001 (May 22, 2003)

THANK YOU!!

Now, any ideas on what this "Avenue A, Inc" is that I keep being warned about by SSD whenever I load this page?

Seems rather ironic that I'm receiving potential bots on a page made for getting rid of them......ROFL


----------



## Top Banana (Nov 11, 2002)

"Avenue A. Inc" is a tracking cookie. It gathers information on your web browsing habits. Concerns privacy as opposed to security. In the grand scheme of things, a minor irritant. Easily dealt with.


----------



## 18c (May 31, 2003)

well i have the same problem, i have tried these programs including ad-aware and i have gone into my registry and looked for it.. i have deleted the program file of it but it is still in my start-up.. "msconfig" and i unchecked it for now.. but how do i get rid of it.. i cannot seem to find it anywhere in my registry or in that high jacker program or in my internet folder and it is not in my program files.. but it is in my start up.. which must mean that it is loading when my comp starts.. can someone please help..


----------



## 18c (May 31, 2003)

also do you want me to post what highjacker came up with?


----------



## shy.hobbs (May 31, 2003)

Thanks to Steve; from following the directions to use regedit and hotkeys it looks as though the virus has been removed.


----------



## 18c (May 31, 2003)

Does anyone know how to get this program off of my start-up list.. i have tried the regedit but i don't see anything in any of the files that you mentioned... please help


----------



## TonyKlein (Aug 26, 2001)

Please do the following:

Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## TonyKlein (Aug 26, 2001)

BTW, if you unchecked it, it won't be visible in your log...

After restarting, delete the RapidBlaster/RB32 folder in Program Files.

If you want to get the unchecked RB entry off your Msconfig/Startup list (although it's harmless), you'll need to edit the Registry.

But please post that Hijack This log first.


----------



## tendoboy101 (Jun 7, 2003)

i've run spybot and adaware, after searching for updates and getting them, looked in reg edit and found nothing, looked in msconfig, found nothing, and it's still coming up! help! here's my hijack this log...

Logfile of HijackThis v1.94.0
Scan saved at 12:30:01 PM, on 06/07/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.terra.es/personal8/robrimer/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.search-plus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.terra.es/personal8/robrimer/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [vwtnpxfn] C:\WINDOWS\SYSTEM\vwtnpxfn.exe
O4 - HKLM\..\Run: [vqaexpya] C:\WINDOWS\SYSTEM\vqaexpya.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoRT9x.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW Prefix: 
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37624.7372916667
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab


----------



## TonyKlein (Aug 26, 2001)

Yes, this new version is a nightmare... 

Try starting your computer in Safe Mode, find the aimaol folder in c:\program files and delete it.

Also delete the following files:

C:\WINDOWS\SYSTEM\vwtnpxfn.exe
C:\WINDOWS\SYSTEM\vqaexpya.exe

Then, still in Safe Mode, run Hijack This, and have it fix these:

*O4 - HKLM\..\Run: [vwtnpxfn] C:\WINDOWS\SYSTEM\vwtnpxfn.exe
O4 - HKLM\..\Run: [vqaexpya] C:\WINDOWS\SYSTEM\vqaexpya.exe
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"*

By the way, could you please do a Find Files for *winsysx*
Do you happen to have a file by that name?


----------



## tendoboy101 (Jun 7, 2003)

i knew that aimaol file was weird! just never opened (stupid me)
i ran a find, and found no winsysx, but here's a dumb question (i'm not computer literate) how do i start up in safe mode?


----------



## TonyKlein (Aug 26, 2001)

How to start the computer in Safe Mode

BTW, these are the RB file names we've collected at present. When in Safe Mode, better look for each and every one of them:

- rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)

- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)

- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)

- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)

- Icon lptt01 = icon.exe (In a "Icon" folder in Program Files)

- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)

- aimaol lptt01 = aimaol.exe (In a "Aimaol" folder in Program Files)

- nvd32 lptt01 = nvd32.exe (In a Program Files\NvidStar directory)

- syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)

- winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)

- taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)

- mcf lptt01 = mcf.exe (In a "Mcf" folder in Program Files)

- winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)

You'd better check for ALL of those!


----------
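
The value names in the list above share a suffix, so they can be picked out of a saved HijackThis log mechanically. The following is an added example, not part of any post in this thread: Python that parses the `O4` Run entries of a log and flags those matching the listed naming pattern or the older `RapidBlaster` entry. The function names and rule labels are assumptions made for illustration; the sample lines are taken from logs posted earlier on this page.

```python
import re
from typing import List, NamedTuple, Optional

# Autorun lines in a HijackThis log have the form:
#   O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Value names in the thread's list end in "lptt01"; the Bsoft entry is
# written "lppt01" there, so both spellings are accepted.
SUFFIX_RE = re.compile(r"^(?P<stem>\S+) (?:lptt01|lppt01)$", re.IGNORECASE)


class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


class Finding(NamedTuple):
    entry: Autorun
    rule: str   # label of the rule that matched (labels are this example's own)
    exe: str    # executable file name extracted from the command


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one log line; return None for anything that is not a Run entry."""
    m = O4_RE.match(line.strip())
    return Autorun(m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def exe_basename(command: str) -> str:
    """Return the lower-cased file name of the executable in a Run command."""
    cmd = command.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut at the first ".exe".
        m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
        path = m.group(1) if m else cmd.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(entry: Autorun) -> Optional[Finding]:
    """Apply the two naming rules taken from the thread to one Run entry."""
    exe = exe_basename(entry.command)
    if SUFFIX_RE.match(entry.name):
        return Finding(entry, "lptt01-suffix", exe)
    if (entry.name.lower() == "rapidblaster"
            or "\\rapidblaster\\" in entry.command.lower()):
        return Finding(entry, "rapidblaster-name", exe)
    return None


def scan(log_text: str) -> List[Finding]:
    """Return a finding for every Run entry in the log that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        finding = check(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Sample lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:18} {f.entry.hive}\\{f.entry.key} [{f.entry.name}] -> {f.exe}")
```

Entries with random-looking names, such as the two `C:\WINDOWS\SYSTEM\*.exe` files flagged by hand earlier in the thread, are not matched by these rules and still need manual review of the log.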



## tendoboy101 (Jun 7, 2003)

i did as you said and so far so good. thank you! i couldn't find the two files in the system folder, but i did pick them up in hijack this and fixed them, and i did delete the aimaol folder. thank you again, this thing has been a thorn in my side for too long. a regular sars of the computer world with all its lovely mutations if you will lol. thanks again!


----------



## TonyKlein (Aug 26, 2001)

You're welcome. 

Let's hope it will stay away!


----------



## v1pesters (Jun 17, 2003)

Logfile of HijackThis v1.94.0
Scan saved at 9:16:44 PM, on 6/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://ixquick.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.dogpile.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Exploder - http://download.games.yahoo.com/games/clients/y/vtk_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download/iegator_4090_hd3ptdmgainads.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://198.65.164.175/movies/movies_viewer_plugin_file.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned34.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37770.79125
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://movie-viewer.offshoreclicks.com/dialup_files/99950001.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.nyc.mtree.com/mt/dialers/fc/UniDist.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

as you can probably see i'm having some trouble with both, xupiter, rb32.exe, and apparently some other crap. I will deeply appreciate any help you can give me in getting rid of it.


----------



## Top Banana (Nov 11, 2002)

Download RapidBlaster Killer. This will terminate and remove RapidBlaster.

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

Close all browser windows before fixing.

O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll (file missing)
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download...ptdmgainads.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://198.65.164.175/movies/movies...plugin_file.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://movie-viewer.offshoreclicks....es/99950001.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.nyc.mtree.com/mt/dialers/fc/UniDist.CAB

Delete

Program Files\Xupiter


----------



## tomwood (Jun 18, 2003)

I have downloaded the "Hijack This" software and these are the results from the "Scan" I did:

Logfile of HijackThis v1.94.0
Scan saved at 18:43:50, on 18/06/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.runsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.netscapeonline.co.uk/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.runsearch.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.runsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://www.freehqmovies.com/enter.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O1 - Hosts: 216.239.37.101 www.kazaagold.com
O1 - Hosts: 216.239.37.101 kazaagold.com
O1 - Hosts: 216.239.37.101 www.k-lite.com
O1 - Hosts: 216.239.37.101 www.kazaa-download.de
O1 - Hosts: 216.239.37.101 www.mp3downloadhq.com
O1 - Hosts: 216.239.37.101 www.easymusicdownload.com
O1 - Hosts: 216.239.37.101 easymusicdownload.com
O1 - Hosts: 216.239.37.101 www.mp3madeeasy.com
O1 - Hosts: 216.239.37.101 www.monstershare.com
O1 - Hosts: 216.239.37.101 www.kazaa-plus.net
O1 - Hosts: 216.239.37.101 kazaa-plus.net
O1 - Hosts: 216.239.37.101 www.kazaa-plus.com
O1 - Hosts: 216.239.37.101 www.edonkey.com
O1 - Hosts: 216.239.37.101 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 216.239.37.101 www.kazaaplatinum.com
O1 - Hosts: 216.239.37.101 www.madeformusic.com
O1 - Hosts: 216.239.37.101 ikazaa.net
O1 - Hosts: 216.239.37.101 www.mp3u.com
O1 - Hosts: 216.239.37.101 www.mp3specialty.com
O1 - Hosts: 216.239.37.101 music-download-world.com
O1 - Hosts: 216.239.37.101 song-download-world.com
O1 - Hosts: 216.239.37.101 www.flixs.net
O1 - Hosts: 216.239.37.101 www.ishareit.net
O1 - Hosts: 216.239.37.101 www.ishareit.com
O1 - Hosts: 216.239.37.101 www.download-doctor.com
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [ITVFootballCluster] C:\PROGRAM FILES\DESKTOP DES\SKINKERS.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: Microsoft Office.lnk = c:\WINDOWS\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200CU\WATCH.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Camio Viewer.lnk = D:\Tom\Digital Camera Software\After Shot\IXApplet.exe
O4 - User Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O4 - User Startup: Microsoft Office.lnk = c:\WINDOWS\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - User Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200CU\WATCH.exe
O4 - User Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - User Startup: Camio Viewer.lnk = D:\Tom\Digital Camera Software\After Shot\IXApplet.exe
O4 - Global Startup: Windows Media PowerPoint-Hilfsprogramm.lnk = C:\Program Files\Windows Media Components\Tools\nsppthlp.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/ddc/flipside/corollajoyride/wtinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {55F2FE00-C6E1-11D4-84BC-009027889212} (Seagate DiscWizard) - http://support.seagate.com/discwizardasp/bin/npdscwiz.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37639.3022800926

See what you can make out of them. I want to try and get rid of cnt.rapidblaster and rb32 and all of that sort of stuff.


----------



## FreewareFind (Jun 25, 2003)

Another way of solving the problem, at least one that works for me, is to use a firewall and simply not allow the program access to the internet. (and there's really no good reason why one shouldn't be running a firewall, anyway, especially since there's plenty of freeware ones out there)


----------



## Pearldive (Jun 27, 2003)

Thanks for being here, glad I found you. Here's my Highjacker log. Can anyone help me with popups, and stuff?

Logfile of HijackThis v1.95.0
Scan saved at 7:30:09 PM, on 06/27/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\MEDIA\OTMS.EXE
C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.computan.com/world_search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.sureseeker.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.computan.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.orbitexplorer.com/cgi-bin/IESearch.cgi?bid=&affid=212
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Computan Internet Access
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\PROGRAM FILES\COMMON FILES\OE\SEARCH.DLL
O2 - BHO: (no name) - {7011471D-3F74-498E-88E1-C0491200312D} - C:\PROGRAM FILES\COMMON FILES\MEDIA\OTGLOVE.DLL
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V1\SCBAR.EXE" /U
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RamBooster] C:\PROGRAM FILES\RAMBOOSTER\RAMBOOSTER.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .ckd: C:\PROGRA~1\INTERN~1\PLUGINS\npdyn32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.computan.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixmedia.com/code//PWActiveXImgCtl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37586.5943865741
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://spweather.whenu.com/WeatherAutoCAST0010.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download/iegator_4090_hd3ptdmgainads.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab

I recognized 2 annoying items myself.
What is orbitexplorer?


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at the following entries, and hit "Fix checked". Close all windows except for HijackThis before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.sureseeker.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.sureseeker.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.orbitexplorer.com/cgi-bin/IESearch.cgi?bid=&affid=212
R3 - URLSearchHook: OESearchHook Class - {341FB59F-3507-443b-8147-423B4E3B2B15} - C:\PROGRAM FILES\COMMON FILES\OE\SEARCH.DLL
O2 - BHO: (no name) - {7011471D-3F74-498E-88E1-C0491200312D} - C:\PROGRAM FILES\COMMON FILES\MEDIA\OTGLOVE.DLL
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\PROGRAM FILES\COMMON FILES\OE\REDIRECTOR.DLL
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\PROGRAM FILES\COMMON FILES\OE\TOOLBAR.DLL
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V1\SCBAR.EXE" /U
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
O16 - DPF: {54E7E082-1DA6-412E-96B5-C290FCEF5329} (DFRun Class) - http://webpdp.gator.com/v3/download...ptdmgainads.cab
O16 - DPF: {D7B3E460-9968-4191-BD6F-BEED1BC18482} (Loader Class) - http://www.orbitexplorer.com/OELoader.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.mediacharger.com/swimsuitnetwork.cab

Restart your computer and delete

Program Files\SCBar

Download Spybot S&D. Update SS&D via the "Online" tab. Search for and download all updates. Close Internet Explorer, hit "Check for problems". After scan hit "Fix selected problems". SS&D may prompt you to restart your computer at this stage.


----------
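
A triage sketch for logs like the ones posted in this thread, added here as an example and not written by any poster or by the HijackThis project: it groups entries by section code and lists the ones that deserve a closer look. The sample log is constructed, and the three heuristics (hosts-file overrides, BHOs whose file is absent, unnamed or bare-IP ActiveX downloads) are assumptions for illustration, not the rules the helpers above applied.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Constructed sample in the HijackThis log format (not copied from any post).
SAMPLE_LOG = r"""
O1 - Hosts: 192.0.2.10 search.example.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O2 - BHO: Helper - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\PROGRAM FILES\VENDOR\HELPER.DLL
O16 - DPF: {99999999-8888-7777-6666-555555555555} - http://203.0.113.7/viewer/plugin.cab
O16 - DPF: {12345678-1234-1234-1234-123456789ABC} (Player Object) - http://download.example.org/player.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry text
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(log):
    """Group entries by section code (R0, O1, O2, O16, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_candidates(sections):
    """Return (code, reason, entry) tuples; the heuristics are illustrative assumptions."""
    out = []
    for e in sections.get("O1", []):             # "Hosts: <ip> <name>"
        parts = e.split()
        if len(parts) >= 3 and not (parts[1].startswith("127.") or parts[1] == "0.0.0.0"):
            out.append(("O1", "hosts file overrides DNS for " + parts[2], e))
    for e in sections.get("O2", []):             # BHO whose DLL is gone from disk
        if e.endswith(("(no file)", "(file missing)")):
            out.append(("O2", "BHO registered but its file is absent", e))
    for e in sections.get("O16", []):            # downloaded ActiveX controls
        m = DPF.match(e)
        if m:
            host = urlparse(m.group(3)).hostname or ""
            reasons = ["no class name"] if m.group(2) is None else []
            if IPV4.match(host):
                reasons.append("served from a bare IP address")
            if reasons:
                out.append(("O16", ", ".join(reasons), e))
    return out

if __name__ == "__main__":
    for code, reason, entry in review_candidates(parse(SAMPLE_LOG)):
        print(f"{code}: {reason}\n    {entry}")
```

A match only marks an entry for a human to check; named entries can still be unwanted, as several of the entries flagged in this thread are.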



## Pearldive (Jun 27, 2003)

THANK YOU!!!! very much. I followed your instructions and SS&D found residue of a "Friend Greeting" virus and 158 other items that I had long ago thought cured and caused me much grief.

Thank you again!!


----------



## Top Banana (Nov 11, 2002)

You're welcome.


----------

