# spybot question for rb32.exe



## Bruce I.

Saw a post here about using Spybot to get rid of rb32.exe. I've run it, but it's still sitting there in my Program Files and won't be deleted. When I first noticed this yesterday, I uninstalled it from Control Panel, but it's still doing its thing, trying to access out.

Any suggestions?

Thanks, Bruce





----------



## Top Banana

Download HijackThis. Unzip it, run it, and click "Scan". When the scan finishes, "Scan" becomes "Save Log". Save the log, and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most of the entries will be harmless.


----------



## Bruce I.

I assume the rb32 entry needs to go?

```text
Logfile of HijackThis v1.93.0
Scan saved at 7:39:53 PM, on 4/16/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.rr.com/v5/home/0,1793,92,00.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37625.3087037037
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
```


----------



## Top Banana

Yup.

Scan with HT, "Fix" the following entry, reboot.

Your log is otherwise clean.

O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
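
A scripted version of the triage Top Banana just did by eye, added here as an example that is not part of the thread and not part of HijackThis: it parses the O4 lines of the log posted above and reports every autostart that is not on an allow-list. The log lines are the ones from the post; the allow-list contents, the function names, and the rule that a bare file name is only trusted by name are assumptions made for this example. It only reads the pasted text, so it runs offline on any Windows box with PowerShell.

```powershell
# Added example, not from the thread: triage the O4 (autostart) lines of the
# HijackThis log posted above against an allow-list. The log lines are the
# ones in the post; the allow-list contents and the function names are this
# example's own assumptions. Anything not positively identified is reported.

$hjtLog = @'
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
'@

# Assumed allow-list: directories and bare file names the operator has already
# identified. System32 is deliberately NOT trusted as a whole: a per-user (HKCU)
# Run value pointing into System32 is exactly what aupdate.exe did.
$trustedDirs  = @(
    'C:\Program Files\Common Files\Symantec Shared',
    'C:\Program Files\PANTONE COLORVISION'
)
$trustedNames = @('mobsync.exe')

function Get-AutostartImage {
    # Pull the executable out of a Run-key command line: "quoted path" args | path args
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    if ($c -match '^(?<img>.+?\.(exe|com|scr|bat|cmd|pif))(\s|$)') { return $Matches.img }
    return ($c -split '\s+')[0]
}

function Get-HjtAutostarts {
    param([string]$LogText)
    foreach ($line in ($LogText -split "`r?`n")) {
        if ($line -match '^O4 - (?<hive>HKLM|HKCU)\\\.\.\\Run:\s*\[(?<name>[^\]]*)\]\s*(?<cmd>.+)$') {
            $hive = $Matches.hive; $name = $Matches.name
            $img  = Get-AutostartImage $Matches.cmd
        } elseif ($line -match '^O4 - Global Startup:\s*(?<name>.+?)\s*=\s*(?<cmd>.+)$') {
            $hive = 'StartupFolder'; $name = $Matches.name
            $img  = $Matches.cmd.Trim()
        } else { continue }

        $dir = Split-Path -Path $img -Parent
        if ($dir -eq '') {
            # Bare file name: resolved through the search path at logon, so trust by name only.
            $trusted = $trustedNames -contains $img
        } else {
            $trusted = [bool]($trustedDirs | Where-Object { $dir -like "$_*" })
        }
        [pscustomobject]@{
            Hive    = $hive
            Name    = $name
            Image   = $img
            Verdict = $(if ($trusted) { 'known' } else { 'REVIEW' })
        }
    }
}

Get-HjtAutostarts $hjtLog | Format-Table -AutoSize
```

Run as written, it prints `known` for the Symantec, mobsync and OptiCAL entries and `REVIEW` for the two the thread ends up chasing, `[rb32 lptt01]` and `[AutoUpdater]`. The reason to use an allow-list rather than a list of bad names is the aupdate.exe case: a file whose name sounds like a vendor's, sitting in System32, passes every "does this look bad" heuristic and only fails the "have I positively identified this" one.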


----------



## TonyKlein

I have a question about this one:

*O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe*

Aupdate.exe is a Norton file, but I've never seen it in Startup this way.

Would you please go to C:\WINNT\System32, find aupdate.exe, and right-click it.

Choose "Properties". Is it a Symantec file?


----------



## Bruce I.

Top Banana, I've run HT and fixed that rb32 entry, but it's still there after a reboot... I'll try again. Just did; same thing.

Tony, there is no program associated with aupdate; unknown app. Also there are 4 files: .conf, .trk, the app and an uninstaller. Should I click the app to see what it does, or....?

Thanks

Additional info! Just ran msconfig, Startup tab (Win2k), and rb32 is there and checked. It says C:\Program Files\rb32... HKLM\Software\Microsoft\Current Version...

Also, aupdate is there and checked: C:\WINNT\System32... HKCU\Software\Microsoft\Windows\CurrentVersion...

Other entries that are checked are OptiCAL, which is monitor calibration that needs to be in startup, and:

mobsync
ccApp
ccRegVfy
symtray


----------



## Top Banana

What is still there after a reboot?

The rb32.exe entry in HijackThis or Rapid Blaster in Add Or Remove Programs?


----------



## Bruce I.

See edited post above...

Also, rb32 is still sitting in Program Files, though I had uninstalled it from Control Panel yesterday and tried to fix it twice with HT. It's also still seen in HT.


----------



## Top Banana

I am getting more confused by the minute. Could you tell me why Spybot Search and Destroy was unable to remove RB? SSD should remove RB with no problem. Are you using SSD 1.2 fully updated?


----------



## Bruce I.

This is where I started; Spybot was downloaded yesterday, fully updated. It did not take out rb32.exe. I uninstalled rb32 in Add/Remove Programs, but it continues to exist in C:\Program Files and tries to access out on the net.

Then I came to this site and started with your suggestion using HT. That brings us to where I am now. Just ran Spybot again; it took out 4 threats but did not see or take out rb32. If I knew why it didn't, I wouldn't be at this site (which seems to be a great resource).

I've tried to dump rb32 4 times with HT... no go.
And I don't know if the info from my startup menu helps.

So I'm at the mercy of you guys who have a lot more experience than me in this area...

Thanks
Bruce


----------



## Top Banana

So....

1. Rapid Blaster cannot be uninstalled by Add or Remove Programs
2. SSD doesn't detect Rapid Blaster
3. HT cannot remove the rb32.exe Run key

I'm beat.


----------



## Bruce I.

But I really do appreciate your help ! Thanks.

I'll take it out of startup in msconfig and see if I can do anything from there...


----------



## TonyKlein

> _Originally posted by Bruce I.:_
> *Tony, there is no program associated with aupdate; unknown app. Also there are 4 files: .conf, .trk, the app and an uninstaller. Should I click the app to see what it does, or....?*


I'd very much like to have a copy of that file.

It could possibly be a new baddie, and in that case a number of folks in the Spyware community would certainly want to have a look at it for analysis. Could you zip it up and send me a copy as an attachment, please?

I'll PM you with my e-mail addie.

As soon as I find out what it might be, I'll post here again.

Thanks heaps!


----------



## Bruce I.

Tony, yes, I'll send you those 4 files when I get back in a few hours.. just send me your address.

PS to Top Banana: now I'm freaking out because I cannot disable rb32 in msconfig; it keeps coming back!


----------



## TonyKlein

Thanks Bruce!

BTW, I already sent you my e-mail addie. Check your Private Messages (User Panel > Private Messaging)

About Rb32, I don't know what's happening, but Hijack This ought to remove the startup without a prob, and so should SpyBot.

You _must_ be doing something not quite correctly...


----------



## TonyKlein

BTW, HijackThis ought to be the easiest way to remove that startup, but try this instead:

Copy the following to Notepad:

```
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rb32 lptt01"=-
```

Save as _Remove.reg_ (save as 'All files'), and double-click it.
Answer 'Yes' to the prompt to have it added to your registry.

Now reboot, and delete the entire RapidBlaster folder in Program Files.

Good luck,


----------



## Bruce I.

Tony, I have emailed you, this regedit did not remove rb32, but lets keep trying !

Thanks


----------



## TonyKlein

It's getting weirder all the time.

Why don't you start your computer in Safe Mode? You ought to be able to remove the RapidBlaster folder there. Then, still in Safe Mode, uncheck the item in msconfig.


----------



## Defaf

- Go to regedit, go to Find, type rb32.
- Delete every rb32 entry, so that you won't find anything saying rb32.
- Then do a normal search, and type rb32.
- Delete every rb32 thingie.

Problem solved.


----------



## Shawn_H

It's come to my attention that Rb32 is a lil bugger... Damn thing popped up out of nowhere this morning. So I've downloaded several anti-spyware programs such as Ad-Aware 6.0, Spybot and even the HijackThis program someone recommended in this thread.

Each program found spyware software and more, but nothing rid me of the Rb32.exe file or folder.

Here is what I did; hopefully I've eliminated the pest... Not sure what it does, but I don't need people seeing what naked ladies I have on my machine.

- Removed Rb32.exe from Add/Remove Programs
- Removed it from Tweak UI Add/Remove Programs
- Deleted the folder and Rb32.exe. Ran the programs listed above to remove registry keys for Rb32 (they found 2 keys).

Searched the hard drive for Rb32.exe, found nothing. Rechecked with "View system/hidden files" and found a .OCD? .OCX? file relating to Rb32. Removed it. Now I'm hopefully clean. What does this program "actually" do? Funny that the thread is dated April 17th and I now got the prog on my hard drive on Easter... Hmm, not sure how or where I got it either!


----------



## TonyKlein

The main problem with this new version of RapidBlaster is that its Program Files folder is no longer called RapidBlaster but Rb32, and that the startup entry is named differently as well.
Other than that there doesn't appear to be anything terribly mysterious about it.

These baddies do tend to mutate, but I have no doubt that SpyBot as well as Ad-Aware will have updated definitions out in a few days.


----------



## Bruce I.

Tony had me take it out in Safe Mode; it worked. I could delete it from Program Files, ran HijackThis, and the entry was gone.

Shawn, all I know is that it is not good, keeps trying to access the net probably with my pertinent info...

Thanks guys for replies

Defaf, thanks, there was still an itty bitty registry entry which I deleted

Bruce


----------



## confusedliz

I have found this on my pc and am wondering how to get rid of it. Can anyone help?

Liz


----------



## Bruce I.

The guys here had several suggestions for me...

Go to Task Manager, Processes, and End Task for rb32, assuming it's running. After that, uninstall it from Add/Remove Programs. If you still see it in the Program Files folder on your C: drive, delete it from there.

Then run regedit, then Find rb32.exe, and if there is still a registry entry, delete it.

If the Task Manager approach didn't work, start the computer in Safe Mode and go through the uninstall steps from above.


Bruce


----------



## kango16

This one was a doozy!

First, use the Add/Remove Programs option.

Second, go to your Taskbar (in Windows 2000 it is Ctrl-Alt-Del) and end the rb32 task.

Third, go to the directory Program Files\rb32 and delete the entire rb32 directory.

Fourth, go to regedit and do a search for rb32. Delete any keys that deal with this name.

That should free you of this spyware. Spybot, Ad-Aware, etc. didn't help me either until I followed these steps.

Hope this helps! Good Luck!


----------



## wolfe26

Damn, I've had to upgrade my browser security to the max; everyone and their dog is installing crap on my machine through my browser. Now I have it prompt me about anything and everything.

I was going through some of that garbage and found aupdate and rb32; neither one is detected by Spybot, which detected and removed a lot of garbage but is still having problems with an Orbitz file, last time I checked.

Anyway, to the point: aupdate is spyware, at least the one in System32. If you open it up it will have a little torch icon beside it, like I saw on a trojan program... if you click the uninstall it takes you to a goodbye page for a site called fastblast or something like that, which is 404...

Rb32 I have seen no solutions for removal yet.


"If you build it... They will come..."
Wolfe


----------



## wolfe26

The solution kango16 posted worked for me.

now to hunt down more of this spy stuff and get it off my machine.

"If you build it... They will come..."
Wolfe


----------



## Defaf

Yeah, kango said exactly the same as I did =) Oh well, let everyone else take the credit.


----------



## TonyKlein

What _I_ would do is a slight variation on what kango16 proposed.

Namely, _first_ End Task on the rb32.exe process, and uninstall the program afterwards.

The uninstaller will do a much better job if the program's not running, as holds true when uninstalling any other application as well.

But thanks for the heads up as to the fact that RapidBlaster offers an uninstaller at all!
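
The steps kango16 listed, in TonyKlein's order (stop the process first), as one script. This is an added example, not from the thread and not from any of the tools mentioned in it; it targets a current Windows with PowerShell, run from an elevated prompt (the Windows 2000 machines in the thread had no PowerShell; there the same steps are taskkill, reg delete and rmdir). The process name, Run value and install directory are the ones from Bruce's log; the function names and the registry search at the end are this example's own. It reports what it removes and what is left rather than silently deleting by pattern.

```powershell
# Added example, not from the thread: kill -> remove persistence -> delete
# files -> verify, for a Run-key autostart such as rb32.exe. Process name,
# value name and directory are the ones from the thread; function names are
# this example's own. Run elevated; review the output on a real machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Stop-AutostartProcess {
    # Step 1: nothing else works while the binary runs (file locked, uninstaller
    # racing it). Returns $true only if it really stopped and stayed stopped.
    param([string]$Name)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
    return -not (Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

function Remove-AutostartValue {
    # Step 2: drop every Run/RunOnce value in BOTH hives whose data names the image.
    # The .reg file earlier in the thread hit only HKLM and only one value name.
    param([string]$ImageName)
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            if ("$($p.Value)" -like "*$ImageName*") {
                Write-Host "removing $key : [$($p.Name)] = $($p.Value)"
                Remove-ItemProperty -LiteralPath $key -Name $p.Name
            }
        }
    }
}

function Find-RegistryReference {
    # Step 4: the "search the registry for rb32" check, scripted instead of
    # regedit's Find. Reports only; deleting what it finds is a human decision.
    param([string]$Pattern, [string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Where = $key.Name; Hit = 'key name' }
            }
            foreach ($v in $key.GetValueNames()) {
                $data = "$($key.GetValue($v))"
                if ($v -match $Pattern -or $data -match $Pattern) {
                    [pscustomobject]@{ Where = "$($key.Name)\$v"; Hit = $data }
                }
            }
        }
    }
}

# --- the sequence for RapidBlaster as it appeared in this thread ---
$proc = 'rb32'; $image = 'rb32.exe'; $dir = 'C:\Program Files\rb32'

if (-not (Stop-AutostartProcess $proc)) {
    throw "$proc is still running (something re-launches it); reboot into Safe Mode and run this again"
}
Remove-AutostartValue $image                      # step 2 (run the vendor uninstaller here if there is one)
if (Test-Path -LiteralPath $dir) {                # step 3
    Remove-Item -LiteralPath $dir -Recurse -Force
}
Find-RegistryReference -Pattern 'rb32' -Roots @(  # step 4: what is left?
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion'
) | Format-Table -AutoSize
```

If `Stop-AutostartProcess` returns `$false`, something else is restarting the process (the "it keeps coming back" symptom in this thread), and the remaining steps would fail the same way they failed for Bruce; that is the case for Safe Mode, which does not process the Run keys. Step 4 deliberately only reports: the one thing everyone in the thread agrees on is that blindly deleting every key regedit's Find turns up is how people end up with more problems than spyware.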


----------



## Susanjay

I am new to this forum. I found it by accident last night, while doing a search for rb32.

I did, however, find a solution to it. It can be removed by following these instructions.

I also used Add/Remove to try and get rid of this program, but it just keeps coming back.

Follow the procedure:

1. KILL the task RB32.EXE (using Ctrl-Alt-Del).
2. Delete the file RB32.EXE (in \Program Files\RapidBlaster, or it could be a folder called Rb32; delete the directory RapidBlaster or rb32).
3. Look for the entry RB32.EXE in the registry (using regedit) in HKLM\...\Run and delete it.

Then do a search for any reference to rb32 on your puter, and also do a check in your registry to make sure it is still not there.

If all references are gone, you should be free of it.

I am not sure how to put in links here, but I found the above instructions on cexx.org.

Now I have an unrelated question: how do I access msconfig using Windows 2000 Pro? I have only had this operating system for a week now, so I am still kind of lost.


----------



## putasolution

Msconfig was not included in Win2000 for some unknown reason

The one from Windows XP, however, works well and can be downloaded from here


----------



## Susanjay

Thank you putasolution. Now downloaded.


----------



## mcredz

I don't know if this helps anyone, but I found the same aupdate file, and it definitely is *NOT* from symantec. I also had aupdate_uninstaller.exe, which took me to
http://www.blazefind.com/bye.html

browser search plug-in. It said it would remove it, and it did remove the registry entry.

I also searched through my registry, and I had three entries for rb32 (I manually deleted the sucker)


----------



## Susanjay

Just removing rb32 from your registry does not remove it from your system. Until you shut the program down using End Task, or Task Manager, it will still be there.

You have to End Task first. Shut down the rb32 program, then you delete the program files, probably in C:\Program Files\rb32. You will be denied access to the program if it is still running in the background.

After you have deleted rb32 from your Add/Remove Programs and Windows Explorer, do a search of your hard drive, and if any reference comes up, delete it too.

Then search your registry again and remove all references again. You should be rid of the program then.


Also delete the aupdate.exe file; do a search for it on your hard drive. Delete the one with the lightning bolt through it (the Norton one is a computer with a check mark). I also had the bad one on my machine this morning. grrrrrrrrrr My Norton was disabled; I had no Auto-Protect nor any mail protection, and I could not turn them back on. I am hoping my puter is up and running good now.


----------



## mannteuffel

Hi, I recently noticed aupdate.exe and rb32.exe trying to get through my firewall. I removed it completely using this method and it did not return:

1. Press Ctrl/Alt/Del to get Task Manager in XP, or the list of programs running in Win95/98.
2. Highlight rb32 and aupdate.exe if there, and end their process/task.
3. Delete the rb32 folder from the root directory (usually C:\Program Files\rb32). If it doesn't let you, you haven't ended them running as instructed above, so try again.
4. Go to Start > Run > regedit and do a search for rb32 in the registry. Delete it (I only had one).
5. Go to Start > Run > msconfig (XP and 98 only) and uncheck aupdate, also the blank entry beneath or above it, and rb32; click Apply.
6. Reboot and it's gone!

Now, I didn't get rid of the msaupdate entries found in the registry as I'm not sure what they are associated with, but rb32 is no longer starting up, nor aupdate.


----------



## TonyKlein

That's good! 

FYI, Ad-Aware now already targets Aupdate, and SpyBot ought to have both Aupdate and this latest version of RapidBlaster in next weeks updates.

That will prevent a lot of headaches... !


----------



## Defaf

Everyone just wants to post their solution, and everyone just wants to post the solution I gave like "weeks" ago =) Don't just say the same solution again in your own words; it's already solved.


----------



## Susanjay

I am running Spybot, which I really like.

My question is, can I also run Ad-Aware 6 Pro at the same time?

I am new here and I did not read all the previous posts to see if there were solutions posted. I figured out my solution by myself. So I am very sorry for repeat postings.

 
Susan


----------



## Defaf

You like a spybot =D? What spybot is that?

Yes, you can use Ad-Aware at the same time. When you scan your computer and the scan is finished, just don't mark it to be deleted; then it will be saved.

It's good that a woman found out something like that for herself =) You go GIRL!


----------



## Susanjay

defaf

I built this puter by myself. I have learned all I know about computers on my own, from reading and surfing the net, and from forums like this.

I am a gramma with an attitude who loves working on computers.

Yes, I like Spybot Search and Destroy.

I also like Ad-Aware 6 Pro, and today got the latest upgrade.


----------



## Fire_Power

I'm surprised that no one has done the obvious and simplest.
Go to your Task Manager, kill the program, then delete its directory. Done.
What does it do though? I've never noticed it does anything...


----------



## Bruce I.

It constantly tries to access the Internet. I noticed it when a search engine called BlazeFind mysteriously appeared on my machine.


----------



## TonyKlein

> _Originally posted by Fire_Power:_
> *I'm surprised that no one has done the obvious and simplest.
> Go to your Task Manager, kill the program, then delete its directory. Done.*


Far from always.

Many of these baddies are implemented as Browser plugins, and you won't always find a startup entry, a running process, or a program files directory.


----------



## wolfe26

Fire_Power,

Because just shutting it down in Task Manager and deleting the directories leaves behind scattered parts of the program and registry entries.

And when your computer has to check 400 invalid registry entries before it does something, it slows it down a lot. I know: I just removed approximately 400 that were left behind by shoddy uninstall files for real programs, and my computer runs much faster.

Just think how much your method leaves behind?

"If you build it... They will come..."
Wolfe


----------



## The FiShMaN

> _Originally posted by TonyKlein:_
> *I'd very much like to have a copy of that file.  *


Sorry Tony, but that AUPDATE.EXE does load from the SYSTEM32 dir in Win2K. It is a file from Symantec Corp. It's the LiveUpdate part of the prog. Thought you may want to know that, since you may not be familiar with Win2K as much as you are with XP.



----------



## wolfe26

The Fishman,

I am running Win2k and Norton... and aupdate performed exactly as I stated above: it had a little torch beside it like a common trojan, and when the uninstall was run, away it took me to that bye page that was 404...

My Norton runs LUALL.EXE when updating.

"If you build it... They will come..."


----------



## Bruce I.

So wolfe, in Win2k aupdate is safe? I also run Norton and Win2k...


----------



## Bruce I.

I just noticed I only have 2 entries left for aupdate in System32, from the 4 I had: .trk and .conf; the other 2 are gone. Since then, I've deleted rb32, installed Ad-Aware and unchecked aupdate in msconfig. I just now checked aupdate for startup in msconfig, and when the machine booted, a Microsoft Update download showed up. Coincidence? The other 2 aupdate files that I had several days ago are gone.

So I guess the question is: is aupdate bad or good?


----------



## Bruce I.

So it seems that adaware quarantined 2 of those aupdate files, the 2 that are left I'm guessing are legit....


----------



## forenplayer

This worked for me:
1. Press Ctrl/Alt/Del to get Task Manager in XP, or the list of programs running in Win95/98.
2. Highlight rb32 and aupdate.exe if there, and end their process/task.
3. Delete the rb32 folder from the root directory (usually C:\Program Files\rb32). If it doesn't let you, you haven't ended them running as instructed above, so try again.
4. Go to Start > Run > regedit and do a search for rb32 in the registry. Delete it (I only had one).
5. Go to Start > Run > msconfig (XP and 98 only) and uncheck aupdate, also the blank entry beneath or above it, and rb32; click Apply.
6. Reboot and it's gone!

Then I ran the jv16 registry cleaner; now it's gone altogether.


----------



## forenplayer

Any idea how these files get in? Can I get it just by surfing the net, or does it have to be something I agreed to install on my PC?


----------



## wolfe26

Why do people insist on posting the same solution to the same problem in the same thread over and over again?

Bruce,

The aupdate you need to worry about seems to have kind of a torch icon beside it.


"If you build it... They will come..."


----------



## johnnypoopoo

I did everything you guys said, and thanks for the help. I can't get rid of ISTbar in my IE bar. Thanks.


----------



## HallMarc

OK, my first question is why are you messing around? Go to http://tds.diamondcs.com.au/ and get the free trial version plus a couple of other goodies. Sorry Mac and everyone else; Windows platforms only. This is how I found my aupdate and rb32, both of which are now completely gone. Wasn't hard either. I don't know what either of them do except they slowed down my laptop a lot.
I would do this though:
1) shut them down
2) remove them from the registry
3) remove them from wherever else they may be
Tada, gone.


----------



## johnnypoopoo

In my IE bar it says ISTbar; is that a part of this spyware?


----------



## TonyKlein

> _Originally posted by The FiShMaN:_
> *Sorry Tony, but that AUPDATE.EXE does load from the SYSTEM32 dir in Win2K. It is a file from Symantec Corp. It's the LiveUpdate part of the prog. Thought you may want to know that, since you may not be familiar with Win2K as much as you are with XP.*


This particular Aupdate.exe is a baddy. No legitimate Symantec Aupdate.exe loads at startup this way.

As a matter of fact, I got hold of the file and reported it.

As a result, Ad-Aware is now targeting it, and it has also been included in the SpyBot S&D beta updates.

I sent it to Andrew Clover to be analyzed, and he came back with the following:

> "I'm calling this 'AUpdate'. It is distributed by 'searchbarcash.com', who run the usual dastardly webmaster affiliate scheme to get it loaded; the company name given at that site is 'CDT Inc.'.
>
> CDT also run poortals my-internet.info and blazefind.com, which have links to install pages for AUpdate.
>
> The class ID used by its ActiveX drive-by installer is good old:
>
> 018B7EC3-EECA-11D3-8E71-0000E82C6C0D
>
> as used by C2/lop and any number of dialler installers. What is it with this class ID, was it used as an example in Commercial Malware For Dummies New Second Edition or something?
>
> The file loaded by this is described as 'IE Plugin' but it's not the same as the parasite known as 'IEPlugin'. Its path is:
>
> http://public.searchbarcash.com/softwares/v1.0b//0001.cab
>
> which is signed 10th April 2003 and contains an executable ie_plugin.exe. This drops aupdate.exe and aupdate.conf into the System[32] folder. aupdate.exe is added to HKLM...Run under the name 'AutoUpdater'. aupdate.conf contains, I believe, the URL aupdate.exe will connect to, but it's in an encoded form; looks crackable but I can't be bothered.
>
> aupdate.exe fetches sequentially numbered executable files:
>
> http://www.my-internet.info/updates/upgrade1.exe
> http://www.my-internet.info/updates/upgrade2.exe
> ...
>
> and stops when it gets a 404. It stores the next number to try in the file aupdate.trk, also in the System[32] folder, and presumably tries it again later. At the moment, upgrades 1 to 3 are available; I'll keep an eye on upgrade4.exe to see if anything else is installed. The 'upgrades' are:
>
> 1: An uninstaller for AUpdate. Adds 'aupdate_uninstall.exe' and 'M01' to the System[32] folder, and sets up an Uninstall entry for Add/Remove Programs under the name 'MS AUpdate'.
>
> 2: An IE toolbar, using shdocvw.dll to add an HTML page as a toolbar, namely
>
> http://public.searchbarcash.com/bars_manager.php?origin=toolbar&software_id=0001
>
> This page often triggers pop-up ads. It also hijacks the homepage, to:
>
> http://public.searchbarcash.com/homepages_manager.php?origin=homepage&software_id=0001
>
> The class ID used for the toolbar is:
>
> 69550BE2-9A78-11D2-BA91-00600827878D
>
> which is the same as our old friend TinyBar. Indeed the method of implementing the toolbar is exactly the same as TinyBar, and if you look at the adjacent install files 0002.cab and 0003.cab you'll see they contain a TinyBar installer by name. Either CDT Inc. have 'bought' a TinyBar clone from trixscripts.com, or they have a closer connection to Asher Nahmias. I'm calling this variant TinyBar/AUpdate."

In short, it's a baddie, and you'd do well to nuke it off your system.
Don't trust me, trust Lavasoft, SpyBot, and Andrew Clover...
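
A check for the two class IDs in Andrew Clover's write-up, added here as an example that is not from the thread, from doxdesk, or from any of the tools named: it looks in the places COM and Internet Explorer register a control, which are the same registry locations HijackThis summarises as O2, O3 and O16, and then sets IE's "kill bit" on the drive-by installer's CLSID so that an affiliate page cannot instantiate it again even if a copy is reinstalled. The CLSIDs are the ones quoted above; the registry paths are the standard COM/IE ones; the function names are this example's own. Run elevated on a Windows with PowerShell.

```powershell
# Added example, not from the thread: look up the two class IDs named in the
# analysis above where COM and IE register them, then set the IE kill bit on
# the installer CLSID. CLSIDs are the ones quoted in the post; registry
# locations are the standard ones; function names are this example's own.

$clsids = @{
    '{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}' = 'ActiveX drive-by installer (AUpdate, C2/lop, diallers)'
    '{69550BE2-9A78-11D2-BA91-00600827878D}' = 'TinyBar-style IE toolbar'
}

function Get-ClsidFootprint {
    # Where a CLSID leaves traces: COM registration, Downloaded Program Files
    # (HijackThis O16), Browser Helper Objects (O2), IE toolbars (O3).
    param([string]$Clsid)
    $places = @(
        @{ Tag = 'COM InprocServer32';            Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" },
        @{ Tag = 'Downloaded Program Files (O16)'; Path = "HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\$Clsid" },
        @{ Tag = 'Browser Helper Object (O2)';     Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid" }
    )
    foreach ($pl in $places) {
        if (Test-Path -LiteralPath $pl.Path) {
            $default = (Get-ItemProperty -LiteralPath $pl.Path).'(default)'
            [pscustomobject]@{ Clsid = $Clsid; Where = $pl.Tag; Data = $default }
        }
    }
    # Toolbars are values named by CLSID under one key, not subkeys.
    $tb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    if (Test-Path -LiteralPath $tb) {
        $props = Get-ItemProperty -LiteralPath $tb
        if ($props.PSObject.Properties.Name -contains $Clsid) {
            [pscustomobject]@{ Clsid = $Clsid; Where = 'IE Toolbar (O3)'; Data = $props.$Clsid }
        }
    }
}

function Set-ActiveXKillBit {
    # Compatibility Flags = 0x400 under ActiveX Compatibility tells IE never to
    # instantiate this control, whether or not it is currently installed.
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
    return ((Get-ItemProperty -LiteralPath $key).'Compatibility Flags' -eq 0x400)
}

foreach ($id in $clsids.Keys) {
    "== $id : $($clsids[$id])"
    Get-ClsidFootprint $id | Format-Table -AutoSize
}
# Stop the installer from being loaded again by another affiliate page.
Set-ActiveXKillBit '{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}'
```

The kill bit is the durable part: deleting aupdate.exe fixes today's infection, the kill bit stops the same CAB from being loaded tomorrow from another of the affiliate's pages. It is keyed on the CLSID, so a repackaged installer under a new class ID walks straight past it; the page-level defence is the ActiveX prompt setting in IE's security zones that wolfe26 describes earlier in the thread.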


----------



## The FiShMaN

Sorry Tony if I was wrong; nobody said anything before my post about anything showing up on their taskbar or toolbar. All I know is that I was able to remove the one I had without an issue nor adverse results. The Aupdate I have is the legit one, and I was mistaken on 2000 as to where it was loading from. YOU WERE RIGHT, I WASN'T. My bad.


----------



## TonyKlein

Hey, no prob! 

I thought of Symantec at first as well. It was only after seeing that startup location, and having a look at the file, that I realized this was something quite different.


----------



## Bruce I.

After using Ad-Aware with the latest definitions and unchecking aupdate in msconfig, I still have aupdate.conf and .trk in System32. They have a Windows logo; shall I delete them? It is no longer in HijackThis, though....


----------



## TonyKlein

You can delete the aupdate.exe file in System32. It's your Blaze Find hijacker.


Not sure what you mean by *.trk, though...


----------



## Bruce I.

Thats my point, the .exe is gone, after running adaware, these two files are still there....

aupdate.conf and aupdate.trk, with a windows logo


----------



## TonyKlein

In that case feel free to delete them manually.

AAW apparently needs to update its Aupdate detection.

Cheers,


----------



## HallMarc

Hmm. aupdate is a "trojan" in that I had this on my laptop and I have no, and have had no, Symantec products on it. All of those files you mentioned were in existence, one claiming it was Symantec to a point. Look everywhere and often, like I did, for both br.* and aupdate.* files and delete them all in one session like I did. I still have the one thing left over and have no clue as to how to remove it. Cool ??? is still in existence as an IE plug-in. I have looked high and low to no avail. I cannot find where this lives. It doesn't seem to be causing any problems so I am not overly concerned.


----------



## TonyKlein

Please download the latest beta version of Hijack This here:

http://www.spywareinfo.com/~merijn/files/beta/hijackthis.zip

Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless, so don't fix anything yet.


----------



## johnnypoopoo

What's it mean when my IE bar has ISTbar, or you can check it and uncheck it?


----------



## johnnypoopoo

Should I only delete the aupdate with the lightning strike through it?


----------






## TonyKlein

Johnny,

It would be best to do this:

Download Spybot - Search & Destroy

It removes Aupdate, provided the latest beta updates have been applied.

After installing, press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

NOTE: SSD will sometimes not be able to remove all _active_ components in the first 'run'. 
In that case you will get a dialog asking you to run SSD at next start. 
Click yes and reboot. 
Subsequently SSD will come up before the system puts these components 'in use', and it will then be able to 'fix' the rest.

Good luck,


----------



## HallMarc

O man!!!! What a program!!! It removed that last bit of IE spyware plus some!!! Everybody should get this program, Spybot Search and Destroy, and it's free, no less. They will be getting a nice donation from me. Thank you for the info!
Marc


----------



## TonyKlein

You're welcome! 

Do you mind if we use your last statement for publicity purposes?

Nah, just kidding...

Cheers,


----------



## HallMarc

No prob! Best wishes!


----------



## worfking

Thanks for all the help, guys. Had the same file and NO spyware program would help. Did the Task Manager, then the regedit, and then deleted the whole folder from my comp.
Ran regedit again and searched for it and.....POOF!!! It was gone.


----------



## Webber

I think rb32.exe is a popup program; I started getting these little ad popups 4 days ago, and sure enough rb32.exe was created on my computer the very same day.

Regards..
Webber


----------



## TonyKlein

Yup. This is it:

http://www.doxdesk.com/parasite/RapidBlaster.html

An updated SpyBot S&D will remove RB without a prob:

http://spybot.eon.net.au/


----------



## jimmy381

I had visited a web page which changed my home page and a few other things. Not a big deal; I changed all of it back, or so I thought. Now I get popups at all different times, even when I haven't been on the comp for a while; I come back to it to find ads. I'm running Popup Killer, which works fine except for these certain ads. I've run Spybot and HijackThis, the latest versions, and I've also cleaned out my cookies and temp files. When I'm playing Day of Defeat online for a while, at times my comp crashes back to the desktop because an ad popped up. Some of these ads scroll up from the lower right hand side and are small, and some just appear. It's weird: I'm not even surfing the net and these ads pop up. Any help would be appreciated. I'm running Win XP and IE6.


----------



## Die Hard

jimmy381

Go to this addy and follow the instructions and this nuisance will be gone. http://www.itc.virginia.edu/desktop/docs/messagepopup/

Die Hard


----------



## kiowamec

Hello everyone,
Just thought I would let you know how I got rid of rb32.exe on my XP box.
This is one nasty little program.

Restart in Safe Mode.

rb32.exe has changed all the colors in Safe Mode to black, so at first it seems like it has affected it also, but it does still work; hit the Windows button.

Navigate through My Computer and delete rb32.exe; I think mine was under Program Files\Rapid Blaster.

Restart normally.

Run every clean-up program you can find to clean up your system.

Even though the program is gone, it has made some permanent changes.

It affected my Nero so it wouldn't burn, and it locked out my A: drive.

Nero Express still worked.

Back up your stuff and reformat.


----------



## mrlooneytoon

OK, I know that RB is a really really *really* bad problem cuz I had it too.
Now I'm no computer expert, and what everyone else posted up there might be the best and most effective way of getting rid of rb32, but unfortunately it didn't work for me, so I tried the most unbelievable thing out of frustration. Here's what I did:

1: Looked for the rb32 directory in the Program Files (C:\Program Files\rb32)
2: In the View > Options menu of the folder I unchecked the box "Hide Extensions For Known File Types"
3: Right clicked the rb32.exe executable and changed the extension to something harmless like a GIF, so now the extension was "rb32.gif"
4: Then I deleted it and prayed. Fortunately it deleted, cuz before it kept saying "File is in use" and stuff...
5: Then I just deleted the rb32 folder where the exe was put in.
6: I think that was the end of rb32 because my TASK MANAGER didn't show an rb32 exe any more
7: Full computer search results didn't show any more rb32 except for one with a .pf extension in the prefetch folder. I deleted that as well.
8: Then I went to msconfig by going to Start > Run and typing in "msconfig" and chose the Startup tab. I unchecked the entry for rb32.exe
9: There was one more thing I had to do, which was delete any registry entries, so in Start > Run I typed in "regedit" to get to Registry Editor... then I hit CTRL + F and searched for any rb32 entry. It came up with a folder called "rb32illpt" or something like that, so I deleted that folder as well. The contents had rb32 entries which get deleted when the folder is. Make sure you don't touch anything else in there or you'll have more problems than spyware.
10: And that's basically all I did... restarted my comp and no more rb32!!!

hope this helps and works for you like it did me

Good luck!


----------



## ^Demosthenes

I found rb32.exe again in another unwanted program called IST Toolbar (in Program Files/ISTBar). It installs a 'search bar' or something into Explorer.

Anyone else found this there?


----------



## problems32

I've been doing all that stuff to rid myself of this nonsense. It appears like a lot is gone, but when I go on the net my homepage is www.whazit.com, and every time I change the homepage it just goes back to that, and it's really annoying me. Does anyone know what's up with that?


----------



## problems32

Check it out

Logfile of HijackThis v1.94.0
Scan saved at 8:50:23 PM, on 5/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\bho.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtj_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02ea988cdb50c614e406/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37432.7992824074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## problems32

What should I do about this?


----------



## Top Banana

Close IE. Scan with HT, "Fix" *all* the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.whazit.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_80.dll
O2 - BHO: (no name) - {D5B72AED-E54A-11D6-B1B2-444553540000} - C:\WINDOWS\bho.dll
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} (CMV4 Class) - http://www109.coolsavings.com/download/cscmv4X.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/02ea988cdb50c6...ip/RdxIE601.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...uginstaller.cab

*Reboot*.

Download SSD. Update it via "Online" tab, "Check for problems" and "Fix" all the red entries.


----------



## problems32

My home page problem was fixed thanks. My HT log looks like this now though.

Logfile of HijackThis v1.94.0
Scan saved at 9:35:40 PM, on 5/21/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtj_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37432.7992824074
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/mail/ymmapi.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Still some whazit left, and SSD is in the middle of searching; it looks stuck.


----------



## Top Banana

Scan with HT, "Fix" the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=www.whazit.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.whazit.com

Close IE. Scan with SSD. "Fix" all the red entries.

If it sticks let us know.


----------



## problems32

Awesome, it seems to be fixed. Thank you so much.


----------



## Top Banana

No problem.


----------



## kewwlkat

Hey guyz, not sure what to do, but HijackThis said that it's best to show your log to knowledgeable people, so here it is:

Logfile of HijackThis v1.94.1
Scan saved at 10:20:38 PM, on 5/22/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\MIDNITE\APPLIC~1\eeblckie.exe
C:\WINDOWS\System32\aupdate.exe
C:\Documents and Settings\MIDNITE\Application Data\DownloadPlus.exe
C:\DOCUME~1\MIDNITE\LOCALS~1\Temp\Byo1.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\rb32\rb32.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://w31118.wabu.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://w31118.wabu.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.aquabid.com/cgi-bin/auction/auction.cgi?disp&allend&12
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://w31118.wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://w31118.wabu.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://w31118.wabu.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1fe6cc32-ba46-440f-bfc2-1c8eba7f641c} - C:\DOCUME~1\MIDNITE\APPLIC~1\oostuegrkd.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll
O3 - Toolbar: bldrtreeegz - {fef7f981-022a-48b9-a1b4-1a5aa2e6d984} - C:\DOCUME~1\MIDNITE\APPLIC~1\oostuegrkd.dll
O4 - HKLM\..\Run: [llgrkst] C:\DOCUME~1\MIDNITE\APPLIC~1\eeblckie.exe -QuieT
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\MIDNITE\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/230e24069e26c2908f03/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37755.9769444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p9362.wabu.com
O17 - HKLM\Software\..\Telephony: DomainName = p9362.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{46E6AC3B-1478-43F1-9368-46D03522AD4D}: Domain = p9362.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = p9362.wabu.com


----------



## Top Banana

Close IE, scan with HT, tick and "Fix" *all* the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://w31118.wabu.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://w31118.wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://w31118.wabu.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://w31118.wabu.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://w31118.wabu.com/searchbar.html
O2 - BHO: (no name) - {1fe6cc32-ba46-440f-bfc2-1c8eba7f641c} - C:\DOCUME~1\MIDNITE\APPLIC~1\oostuegrkd.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O3 - Toolbar: bldrtreeegz - {fef7f981-022a-48b9-a1b4-1a5aa2e6d984} - C:\DOCUME~1\MIDNITE\APPLIC~1\oostuegrkd.dll
O4 - HKLM\..\Run: [llgrkst] C:\DOCUME~1\MIDNITE\APPLIC~1\eeblckie.exe -QuieT
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\MIDNITE\Application Data\DownloadPlus.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/230e24069e26c2...ip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p9362.wabu.com
O17 - HKLM\Software\..\Telephony: DomainName = p9362.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{46E6AC3B-1478-43F1-9368-46D03522AD4D}: Domain = p9362.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = p9362.wabu.com

*Reboot*.

Remove New.net from Add/Remove programs.

Download SSD. Update it, close IE, "Check for problems" and "Fix" all the red entries.


----------



## kewwlkat

You said scan with HT, tick...what's tick?


----------



## Top Banana

tick = put a checkmark into the box before the entry.


----------



## kewwlkat

WOW, we got a genius on our hands.
I did everything that was specified by you, Top Banana. After reboot, I ran SSD again, and the message I got was:

"Congratulations! No immediate threats were found"

THANX bro


----------



## Top Banana

Nice work, kewwlkat. Yup, I always like that message.


----------



## Dark|Lord

I searched my c:\ drive for rb32*, and while I didn't find those .ocx files others mentioned, it did find rb32.exe-xxxxxxxxx.pf in the c:\windows\prefetch directory.

I've now deleted every reference I found in the registry, and every match my drive-search came up with.

I've also got that aupdate.exe in c:\windows\system32, which I'm about to get rid of. 

If either of them come back after I reboot, then I know there's something, somewhere running a misleadingly named file during the start-up procedure... I just have no clue what.. didn't notice anything abnormal in msconfig, other than the rb32 stuff I removed already, so..

Adam


----------



## TonyKlein

An updated SpyBot S&D will get rid of both RapidBlaster and Aupdate without any probs:

http://spybot.eon.net.au/

There's no need to remove it manually.


----------



## imweasel

Does Ad-aware 6.0 take care of rb32.exe now?


----------



## TonyKlein

Yup, I should think it does.


----------



## Tru Xman

http://www.doxdesk.com/parasite/ISTbar.html

Apparently the install could have originally come from something called ISTbar. It installs other parasite programs like Rapid Blaster.

It goes on to give specific instructions on how to get rid of the ISTbar and RB:

RapidBlaster/AInst, if not removed, can also allow any web page to silently reinstall RapidBlaster.

Removal
Use the Control Panel's Add/Remove Programs entry for 'RapidBlaster' (v1 variant) or 'rb32 lptt01' (lp variant).

To remove the AInst variant installer, go to the Downloaded Program Files folder inside the Windows folder, right-click the 'AInst' item and 'Remove' it.

After restarting, you can clear up by deleting the 'RapidBlaster' folder inside Program Files, and deleting the key 'HKEY_LOCAL_MACHINE\Software\RapidBlaster' from the registry (Start->Run->regedit).

Sounds basic but might work!!!!


----------



## maddog202

Removing rb32.exe is "no problamo", at least in Windows 2000 Pro. Just start up in safe mode, navigate to the folder with "rb32.exe", right click it, then delete it. Then go empty your Recycle Bin. Restart your computer normally and VOILA! It's gone.


----------



## Nathliea

To get rid of rb32, I ran regedit and searched for it. It found one instance of rb32, which I deleted.
Then I went back to try to delete the exe file and folder for it, but it said the program was in use. So I went to Task Manager, then Processes, and ended the task called rb32.exe.
Then I was able to delete the .exe and the folder it was in, which I have also removed from my Recycle Bin. I am rb32 FREE! =)


----------



## FenWolfe

I ran into the rb32 issue, and found a halfway easy way to fix it:

1) end task on rb32.exe (in processes under 2k/XP)
2) Delete the directory from the hard drive
3) Run Regclean to clean up the mess


----------



## Thguns

FYI, I used Norton's CleanSweep. Results posted below: 2 files, a temp file also. Running Windows XP.
******************************************************************************

** Norton CleanSweep Report **

Generated at: 8:28 PM on Friday, May 30, 2003
Type: Programs
Action: Uninstall
Backup to: No Backup

Title: rb32.exe
File name: C:\Documents and Settings\Thguns\Local Settings\Temp\rb32.exe

File 'C:\Documents and Settings\Thguns\Local Settings\Temp\rb32.exe' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\cometdt' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\ICD2.tmp' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\msoclip1\01' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\msoclip1' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\VBE' -- Deleted.
Folder 'C:\Documents and Settings\Thguns\Local Settings\Temp\WERA3.tmp.dir00' -- Deleted.
------------------------------------------------------------------------------
73,728 bytes have been deleted.

** End Of Report **

******************************************************************************

** Norton CleanSweep Report **

Generated at: 8:28 PM on Friday, May 30, 2003
Type: Programs
Action: Uninstall
Backup to: No Backup

Title: rb32.exe
File name: C:\Program Files\rb32\rb32.exe

File 'C:\Program Files\rb32\rb32.exe' -- Deleted.
Registry value 'rb32 lptt01' in key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' -- Deleted.
Folder 'C:\Program Files\rb32' -- Deleted.
------------------------------------------------------------------------------
73,728 bytes have been deleted.

** End Of Report **


----------



## And1GT14

Lately I have had a lot of continuous problems, all related to each other. All of them are fixed except for one, which I'm not sure about.

First I had a problem where my homepage kept resetting itself to my homepage, except with this weird toolbar. So I was able to track it down to this program called 'tqtrprbr.exe'; I deleted that. But that wasn't the last of it... I found rb32.exe on my computer and took the steps suggested to remove it, and that worked fine, but now on startup I get a message saying 'install free scratch cards'. I went to msconfig and located this file vblao. When I searched for vblao in the registry, I found a couple of tqtrprbr files and a couple of rb32 files and one even named 'scratch cards', so I deleted all of those, and I thought all my problems were solved... but then when I restarted the scratch card thing came up. So I searched for vblao, tqtrprbr, and rb32 in my registry and nothing came up, except for this 'unset value' thing... so I don't think that is the problem... but I'm pretty sure I've gotten rid of everything... but this scratch card keeps popping up... anybody know what to do? I'm gonna try restarting one more time, but I'll be checking this post. THANKS!


----------



## And1GT14

I restarted and it didn't pop up. Thanks everybody for your help!!


----------



## mistressm

In case no one said this (I didn't see mention of it), this spybot is also masquerading by the name of notepad.exe.

I found rb32.exe *and* notepad.exe in their own folders under c:/. Both of them tried to access rapidblaster, and loaded up in my start-up menu. msconfig did not remove them, but a search for rb32.exe turned up the other.


----------



## TonyKlein

> _Originally posted by mistressm:_
> *In case no one said this (I didn't see mention of it), this spybot is also masquerading by the name of notepad.exe.*


No, I'm afraid it isn't.
Could you explain why you think that's the case, please?


----------



## mistressm

I know that notepad is usually found in the c:/windows/notepad.exe, so I thought it was odd that there was a folder, c:/notepad, and also an entry in msconfig>startup.

I tried disabling it, but it kept coming back. When I opened c:/notepad/notepad.exe, my firewall popped up and said that it was trying to access cnt.rapidblaster.com. This notepad.exe has the same icon as rb32.exe, also.

I did a search for notepad.exe and found some information on the Qaz virus, which renames your notepad.exe file to note.com, and then names itself notepad.exe, but Norton Antivirus didn't find that virus, and a search didn't turn up a file called note.com.

I also managed to get rid of it by following the same procedure for rb32.exe (which I *also* had, so I'm guessing I got it from the same source).

I hope that's detailed enough!


----------



## TonyKlein

The presence of a C:\Notepad folder is strange, to say the least.

Now I haven't seen RapidBlaster do that before, although I've been seeing new unknown startups that apparently mimic RapidBlaster:

- icon lptt01 = "c:\program files\icon\icon.exe"

- bsoft lptt01 = "c:\program files\BelmontSoft\bsoft.exe"

Haven't had a chance to examine any of these, but we may be in for a major development as far as RB is concerned. 

However, note that all these folders were in Program Files, and not in the root of the drive.

It may have been something unrelated.


----------



## mistressm

That's it. If you find them, double click on them. If you have a firewall up, you'll see that they try to access rapidblaster.com.

That's the format they seem to follow:

- one filename.exe in a folder, something unobtrusively named.
- filename lptt01 = "c:\folder\filename.exe" on the start-up tab.

This is all pretty sneaky.
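The naming pattern mistressm and TonyKlein describe above (a Run entry named `something lptt01` pointing at a lone executable), together with the R0/R1 and O17 hijack lines Top Banana had problems32 and kewwlkat fix earlier in the thread, can be checked for mechanically once a HijackThis log has been saved. What follows is an added example, not code from the thread and not part of HijackThis: a small Python triage script over HijackThis-style log lines. The domain watchlist and the sample log are constructed for the example from values that appear in this thread, and the flag rules are heuristics, not a vendor signature set.

```python
"""Triage of HijackThis-style log lines for the patterns discussed in this thread.

Added example, not code from the thread or from HijackThis.  It flags:
  * O4 Run entries whose name ends in "lptt01" (the RapidBlaster naming
    convention the posters noticed: "rb32 lptt01", "icon lptt01", ...);
  * R0/R1 browser settings and O17 domain settings that point at a domain
    on a watchlist (constructed here from the domains seen in the thread).
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed watchlist built from the domains in this thread; a real
# deployment would substitute a maintained list of known adware hosts.
WATCHLIST_DOMAINS = {"whazit.com", "wabu.com", "rapidblaster.com"}

# O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R_RE = re.compile(r'^R[01] - (?P<key>[^,]+),(?P<value>[^=]+)=(?P<data>.*)$')
# O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p9362.wabu.com
O17_RE = re.compile(r'^O17 - (?P<key>.+?): (?P<value>\w+) = (?P<data>.*)$')


@dataclass
class Finding:
    line: str
    reason: str


def host_of(target: str) -> str:
    """Host part of a URL or bare hostname, lower-cased.

    'http://www.whazit.com' -> 'www.whazit.com'.  A local file path such as
    'C:\\WINDOWS\\System32\\blank.htm' is returned as-is and never matches.
    """
    stripped = re.sub(r'^[a-z]+://', '', target.strip().lower())
    return stripped.split('/')[0]


def on_watchlist(host: str) -> bool:
    """True if host is a watchlisted domain or a subdomain of one."""
    return any(host == d or host.endswith('.' + d) for d in WATCHLIST_DOMAINS)


def triage(log_text: str) -> List[Finding]:
    """Return the log lines matching the thread's adware patterns, with a reason each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RUN_RE.match(line):
            # The last token of the Run value name is the marker the thread describes.
            if m['name'].lower().split()[-1:] == ['lptt01']:
                findings.append(Finding(line, f"Run entry '{m['name']}' uses the lptt01 naming pattern"))
        elif m := R_RE.match(line):
            host = host_of(m['data'])
            if on_watchlist(host):
                findings.append(Finding(line, f"{m['value'].strip()} points at watchlisted host {host}"))
        elif m := O17_RE.match(line):
            host = m['data'].strip().lower()
            if on_watchlist(host):
                findings.append(Finding(line, f"DNS suffix {m['value']} set to watchlisted host {host}"))
    return findings


# Constructed sample: lines copied from the logs and posts in this thread,
# plus benign entries, so the script runs offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.whazit.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [icon lptt01] "c:\program files\icon\icon.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = p9362.wabu.com
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"FLAG: {f.reason}\n      {f.line}")
```

On the sample above the script flags four lines: the whazit Start Page, the two `lptt01` Run entries and the wabu DNS suffix, while the Local Page, ccApp and AutoUpdater lines pass. The AutoUpdater line is a reminder that a name-pattern heuristic only catches the convention it was written for; Top Banana still had to pick `aupdate.exe` out by hand.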


----------



## TonyKlein

You didn't by any chance think of saving the file/folder?

If it's really a new version of RapidBlaster, the guys at Lavasoft, SpyBot and the like would welcome a chance to analyze it.

This is a very recent development.


----------



## mistressm

Unfortunately, I'm paranoid, so I've removed them. I'm actually uncertain if I've removed all traces of notepad.exe from my registry, as I'm afraid I'll inadvertently delete something associated with the real notepad.

As mentioned, the lptt01 seems to be a dead giveaway; I believe if you find anything in your start-up menu with that beside it, you will also find a folder somewhere with just a single file in it, which tries to access rapidblaster.

The new variant could just have different names and file locations, outside of the traditional rb32.


----------



## TonyKlein

Well, I'm sure we'll be seeing more of it before long...

Thanks for the heads up! :up:


----------



## Beeblebrox

Hi there!
I notice this is a place for total nerds, as I don't understand a word you guys are saying... So if I could please have an answer to my question in clear English... (even better if it were Finnish)

So here's the deal (beware, it's gonna be a long post)
Our computer has been doing strange stuff. It works fine for some time before it suddenly gets completely stuck. It has become practically useless, and believe me, it took many restarts to get this message done... just imagine writing half a page of stuff and almost at the end everything stops... I did that on your webpage. Now I'm using WordPad so I can save every few minutes... Anyway, I used to believe the problem was caused when accessing some file, like every time the file was accessed, the computer got stuck. This I thought because it worked (almost) fine when, for instance, playing Tomb Raider. When my sister played Tropico, she could never get as far as the main menu... I found this rb32 thing in the list of programs when pressing Ctrl+Alt+Del, and shut it down. I also did that in msconfig. It, however, always comes back.
Now I'm going to describe the computer at "stuck" mode:
- Mouse doesn't move
- Keyboard doesn't react
- Display is on
- Red hard drive lamp on or off depending on how it was at the moment of failure.
- CD goes in and out
- Doesn't get stuck in DOS mode (I mean only dos, without windows on background)
- When a dos program is run from windows, it does get stuck after a while.
- Haven't tried the disk drive

So, about rb32. I noticed it a long time ago and wondered what it was. I thought it was an innocent background program (my older sister gets loads of them using Kazaa). Today I finally decided to search for information on it on the internet, and seeing that the first 10 results in a Google search were tech support forums, I knew it was more serious than I thought...
However, you people seem to already know what it is and everything, but I don't. I know you guys must be ABSOLUTELY bored on the subject, but if we could start from the very beginning, beginning with:
- what is rb32, is it dangerous?
- could rb32 be causing the problems with my machine?
- I have F-Secure, yet it doesn't say anything about rb32, why?
- Where did it come from (kazaa would be my first suspect)?
- and all that kind of basic stuff, and please, although I know you people tend to expect people to understand your language could you make it as simple as possible...

I lost my patience reading the posts in this thread, cause I didn't understand heck...
The other reason I didn't read everything is being unable to do it with the machine getting stuck every now and then...

If rb32 turns out to be the bad guy behind everything, and you get it fixed, then you may have saved the computer from our evil plans of "formatting" it, or whatever it is in English, making the hard drive COMPLETELY empty. Sister has 10 GB of music from Kazaa, which she can't save on CDs, as the burning process is completely impossible on this computer...

Well, well, it took me 3 reboots of the computer to get this message done, now there's still the task of getting it into your forums. If it's there now, then I have succeeded!!


----------



## Top Banana

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.

This will help.


----------



## TonyKlein

And to answer some of your questions, here's some reading on what spyware or adware is exactly:

http://www.spywareinfo.com/articles/spyware/
Spyware: a new threat 
Adware, Spyware and other unwanted "malware" - and how to remove them

And this is about rb32: http://www.doxdesk.com/parasite/RapidBlaster.html

Please post that log, as TB requested.


----------



## Arrrggg

OK ... I tried everything... and I finally got rid of RB32...

Here is exactly what I did...

1. I made the regedit4 file mentioned above...
then rebooted.. but it didn't seem to fix the problem.

2. Next, this sounds really silly.... But it worked!
I tried to delete the folder /Program Files/RapidBlaster/
But that didn't work... So I right clicked on it, went to 
the properties, unchecked "Read-only", and then renamed
the file at the top of the properties screen to RapidBlaster2.
Clicked OK.. then held down shift and delete. That deleted
the folder. 

3. Then I went to regedit and did a search for rb32 and deleted
all references to it. Make sure you do the search a few times.

4. This is a little strange but.. when I opened up the
/Program Folder again.. /RapidBlaster (not RapidBlaster2) was
there again... But this time. I just did another shift delete and
the folder deleted. I rebooted... and I'm RapidBlaster Free!


Try doing those 4 steps... I have a feeling you only need to do
steps 2 and 3.

Note: I did notice that if you try running the control panel uninstall
rb32... what it is basically doing is running the program rb32.exe and not an uninstall version of it... So, do try uninstalling it from there.


----------



## TonyKlein

> _Originally posted by mistressm:_
> *As mentioned, the lptt01 seems to be a dead giveaway; I believe if you find anything in your start-up menu with that beside it, you will also find a folder somewhere with just a single file in it, which tries to access RapidBlaster.
> 
> The new variant could just have different names and file locations, outside of the traditional rb32. *


You're absolutely right on the mark! :up:

So far we've seen the following new RapidBlaster variants:

- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)

- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)

- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)

- Icon lptt01 = icon.exe (In an "Icon" folder in Program Files)

- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)


----------



## videofridge

Hi, I discovered the nasty rb32 on my machine yesterday... only realised it was there when it crashed... anyway, got rid of it... thanks, and surprise surprise, IE is running tons faster!... So I've done the HijackThis log again... anything else I should be looking out for?... Also, I still have aupdate.exe on my machine - seems to be part of Norton, shall I leave that alone?

Also... This Rb32 came from ISTbar an annoying little porn search bar, that came from surfing through astalavista.com... :-( grrrr

Thanks

Logfile of HijackThis v1.94.0
Scan saved at 13:56:38, on 05/06/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=107312
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.mail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=107312
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Virgin Net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [GrdSys32] C:\Program Files\X-Stream3_6\GrdSys32.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [misiCTRL] C:\WINDOWS\SYSTEM\misiCTRL.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw2fd.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37670.1336689815
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {65E34CC9-B31A-4195-BAEA-8098420D185E} (Lycos Messenger) - http://www.intouch.lycos.co.uk/messenger/client/ActiveXMsgrCore.cab


----------



## Gordon7000

Hi videofridge,

There are at least two versions of 'aupdate.exe'. One is the genuine Norton file, but the other is associated with the parasite TinyBar. Could you provide us with the full path of your 'aupdate.exe' so that we can determine which file this is?

Many thanks, Gordon
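Two of the triage rules in this thread can be checked mechanically against a HijackThis log: TonyKlein's point that a Run entry whose name ends in "lptt01" (or "lppt01") marks a RapidBlaster variant, and Gordon's point that aupdate.exe is only legitimate when it runs from the Symantec LiveUpdate folder. The script below is an added example, not code from the thread or from HijackThis; the sample O4 lines it scans are constructed to match the log format shown in the thread, and the `[LiveUpdate]` entry name is an assumption.

```python
"""Triage helper for HijackThis 'O4' autorun lines (added example).

Encodes two checks from the thread: the "lptt01"/"lppt01" suffix on
RapidBlaster Run entries, and aupdate.exe running from anywhere other
than the folder where the genuine Symantec copy was confirmed to live.
"""
from dataclasses import dataclass, field
import ntpath
import re
from typing import List, Optional

# O4 registry entries look like:  O4 - HKLM\..\Run: [Name] command line
# Startup-folder entries ("O4 - Startup: ...") are deliberately not matched.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$'
)

# Run-entry name suffixes the thread reports for RapidBlaster and its variants.
RAPIDBLASTER_MARKERS = {'lptt01', 'lppt01'}

# Filenames that are legitimate in exactly one location. The LiveUpdate path is
# the one confirmed in the thread; a copy elsewhere is a look-alike.
EXPECTED_LOCATIONS = {
    'aupdate.exe': r'c:\program files\symantec\liveupdate',
}


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    exe_path: str  # executable with quotes and trailing switches removed


@dataclass
class Finding:
    entry: RunEntry
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[RunEntry]:
    """Parse one HijackThis O4 registry line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    command = m.group('command').strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote is the executable.
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        # Unquoted: cut after the first ".exe" so switches like /LOADQUIET drop off.
        idx = command.lower().find('.exe')
        exe = command[:idx + 4] if idx >= 0 else command.split()[0]
    return RunEntry(m.group('hive'), m.group('key'), m.group('name'), command, exe)


def check_entry(entry: RunEntry) -> List[str]:
    """Return the reasons this entry deserves a closer look (empty if none)."""
    reasons = []
    tokens = entry.name.lower().split()
    if tokens and tokens[-1] in RAPIDBLASTER_MARKERS:
        reasons.append('rapidblaster-marker')
    folder, filename = ntpath.split(entry.exe_path)
    expected = EXPECTED_LOCATIONS.get(filename.lower())
    # 8.3 short names (PROGRA~1) are not expanded here; normalise them first if
    # the log you feed in uses them, or this check will over-report.
    if expected is not None and folder.lower() != expected:
        reasons.append('lookalike-path')
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Run both checks over every O4 registry line in a HijackThis log."""
    findings = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            reasons = check_entry(entry)
            if reasons:
                findings.append(Finding(entry, reasons))
    return findings


# Constructed sample, modelled on the log format and variant names in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [Notepad lptt01] "C:\Program Files\Notepad\Notepad.exe"
O4 - HKLM\..\Run: [Bsoft lppt01] "C:\Program Files\BelmontSoft\Bsoft.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - HKLM\..\Run: [LiveUpdate] "C:\Program Files\Symantec\LiveUpdate\aupdate.exe"
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.entry.hive}\\..\\{f.entry.key} [{f.entry.name}] -> "
              f"{f.entry.exe_path}: {', '.join(f.reasons)}")
```

Entries that pass both checks are not declared clean; they are only not caught by these two rules, so the rest of the log still needs the human review the thread describes.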


----------



## videofridge

Hello...

Looks like there's only this one...

C:\Program Files\Symantec\LiveUpdate\aupdate.exe - it's signed by symantec also... should be OK?

Cheers for your help.


----------



## Gordon7000

Hi videofridge,

Yep, that 'aupdate.exe' file is OK.

As for your log, close your Internet connection & browser.

Run HijackThis. Tick each item below, and get HT to 'Fix checked'.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.21.68/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=107312

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=107312

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=107312


Now, reboot your PC.

Post a new HijackThis log to the forum, together with a StartupList log. To produce a StartupList log, run HijackThis, press "Config..." > "Misc Tools" > "Generate StartupList Log".

Regards, Gordon


----------



## videofridge

Hi Gordon

Really appreciate the help...

In relation to the startup list, I tend to get a lot of errors with kernel32.dll

Here's the new HT.log

Logfile of HijackThis v1.94.0
Scan saved at 16:25:43, on 05/06/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.mail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Virgin Net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [GrdSys32] C:\Program Files\X-Stream3_6\GrdSys32.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [misiCTRL] C:\WINDOWS\SYSTEM\misiCTRL.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Mail.com] C:\Program Files\mail.com\mcalert.exe -auto
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw2fd.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37670.1336689815
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {65E34CC9-B31A-4195-BAEA-8098420D185E} (Lycos Messenger) - http://www.intouch.lycos.co.uk/messenger/client/ActiveXMsgrCore.cab

####################################

And the StartupList:

StartupList report, 05/06/2003, 16:21:19
StartupList version: 1.52
Started from : C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.51 SP2 (5.51.4807.2300)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\X-STREAM3_6\GRDSYS32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINFAST\WFTVFM\WFWIZ.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
POINTER = point32.exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
GrdSys32 = C:\Program Files\X-Stream3_6\GrdSys32.exe
RegShave = C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
LoadQM = loadqm.exe
QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
LexStart = Lexstart.exe
LXSUPMON = C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
misiCTRL = C:\WINDOWS\SYSTEM\misiCTRL.exe
misiTRAY = C:\WINDOWS\SYSTEM\misiTRAY.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /install
WinFast2KLoadDefault = rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
WinFast Schedule = C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
OneTouch Monitor = C:\PROGRA~1\VISION~1\ONETOU~2.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mail.com = C:\Program Files\mail.com\mcalert.exe -auto
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
PPWebCap = C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[Modem]
= C:\WINDOWS\DRIVERS\MODEM.PIF

[OptionalComponents]
*No values found*

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 25/5/2003, 19:5:34)

[rename]
NUL=C:\WINDOWS\TEMP\F{0246CA20-776D-11D2-8010-00104B9B8592}0.xxx

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Scan for Viruses.job
update viruses.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/uk/win/QuickTimeInstaller.exe

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\HMATCHMT.OCX
CODEBASE = http://lw2fd.hotmail.msn.com/activex/HMAtchmt.ocx

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1097/V31Controls/x86/mil/en/actsetup.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[TDServer Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TDSERVER.OCX
CODEBASE = http://www.bitstream.com/wfplayer/tdserver.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37670.1336689815

[PhotosCtrl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YPHOTOS.DLL
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab

[Lycos Messenger]
InProcServer32 = C:\WINDOWS\ACTIVEXMSGRCORE.DLL
CODEBASE = http://www.intouch.lycos.co.uk/messenger/client/ActiveXMsgrCore.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 7,878 bytes
Report generated in 0.158 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## Gordon7000

Hi videofridge,

Your log looks better. No sign of RapidBlaster now. However, you've probably got too many programs running at Windows start up. You might want to reduce the programs at startup to the minimum required. For a list of programs/tasks that it's safe (or unsafe) to disable, have a look here:

http://www.pacs-portal.co.uk/startup_content.htm

There are quite a few Kernel32.DLL error messages caused by various different problems. Next time you see this message, could you copy the full details of the error message to the forum, and tell us what you were doing when the error occurred. This might help us to pinpoint the cause of this problem.

Regards, Gordon


----------



## videofridge

cheers for your help mate


----------



## KataKalyzmyk

I just got this disease and the answer is pretty simple: CTRL + ALT + DELETE, go to "Processes", find the "rb32.exe" which should be running, end process, then delete the file. If you have any questions or concerns please feel free to add me to your MSN list, the info is in my sig. Hope it works for you, later


----------



## Gordon7000

Hi KataKalyzmyk,

RapidBlaster has several variants with different entries in the PC, and is associated with other malicious programs. It's essential to remove both RapidBlaster itself, together with its associated registry entries, etc., from the PC - and also any other associated programs, e.g., the ISTBar parasite.

Regards, Gordon


----------



## KataKalyzmyk

Well, I DID leave out a small step: after running Ad-aware 6.0 it seemed to clean everything out just fine. I no longer have rb32 on my computer, so it seemed to work just fine for me. But I have a problem: when cleaning it out I seem to have cleaned out the reg key to my Norton firewall, and a few other things, and now they don't work. Any ideas?


----------



## Gordon7000

Hi KataKalyzmyk,

Firstly, if your Norton firewall is not working just now, download and install another one for temporary use. ZoneAlarm or Sygate will do fine.

Next, it would help if we could see your HijackThis log and StartupList log. This will help establish the cause of the problem.

Download, unzip and run Hijack This from here:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Most of the entries in the log are harmless, so DON'T fix anything yet. Just SCAN your computer. Then, press the SAVE LOG button. This will open the log in Notepad. Copy and post (paste) the log from Notepad to this forum (don't use attachments).

Also, while running HijackThis, press "Config..." > "Misc Tools" > "Generate StartupList Log". Post this log to the forum as well. Someone will then let you know what to do next.

Regards, Gordon


----------



## TheEvilDude

Well, I don't know if this worked completely and solved my problem, but when I rebooted my computer the End Task screen didn't have any RB32 in the list. Here's what I did:
1. Renamed C:/Program Files/RB32 to C:/Program Files/RB32 X
*Note: Didn't do much, but thought I would try it.
2. Went to End Task screen and ended RB32
3. Went to Start/Run/regedit
4. Went to Edit/Search 
5. Searched for RB32
*Note: only 2 related to RB32/Rapid Blaster
*Note: Other two were suspicious in name 
6. Went to Start/Run/Regedit
7. Unchecked box with RB32 SOMETHING
8. Clicked Cleanup
9. Pressed Apply without pressing OK, then ignored it without
closing
10. Shift + Deleted C:/Program Files/RB32 X
11. Pressed OK on MSConfig


----------



## Gordon7000

Hi TheEvilDude - and welcome,

Well, you certainly seem to have removed some of the RB elements. However, there may be other components lurking on your PC under different names, so it would help if you could provide us with a HijackThis log and also a StartupList log.

This is especially important now, as there's a new and much more malicious version of RapidBlaster being installed on users' PCs.

Download, unzip and run Hijack This

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Most of the entries in the log are harmless, so DON'T fix anything yet. Just SCAN your computer. Then, press the SAVE LOG button. This will open the log in Notepad. Copy and post (paste) the log from Notepad to this forum (don't use attachments).

To produce a StartupList log, run HijackThis, press Config... > Misc Tools > Generate StartupList log.

Post both logs to the forum and someone will tell you what to do next.

Regards, Gordon


----------



## TheEvilDude

Ø¤ Well here u go man. This is my Startup List. ¤Ø

StartupList report, 6/10/2003, 12:58:18 PM
StartupList version: 1.52
Started from : G:\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBPOLL.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\AUPDATE.EXE
C:\PROGRAM FILES\ROXIO\GOBACK\GBTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
G:\HIJACKTHIS.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\AUPDATE.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
tgcmd = "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ICSMGR = ICSMGR.EXE
SSRunScript = "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
MSConfigReminder = C:\WINDOWS\SYSTEM\msconfig.exe /reminder

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
CSINJECT.EXE = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
NPROTECT = C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
GoBack Polling Service = C:\Program Files\Roxio\GoBack\GBPoll.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AutoUpdater = C:\WINDOWS\SYSTEM\aupdate.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 6/6/2003, 21:35:42)

[Rename]
NUL=C:\WINDOWS\TTFCACHE
NUL=C:\WINDOWS\TTFCACHE
NUL=C:\WINDOWS\TTFCACHE
NUL=C:\WINDOWS\TTFCACHE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

Enumerating Browser Helper Objects:

NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Norton SystemWorks One Button Checkup.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1045873094660

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{A1DC3241-B122-195F-B21A-000000000000}]
CODEBASE = http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 6,690 bytes
Report generated in 0.230 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


----------



## TheEvilDude

And here's the log. Sorry if they're in reverse order.

Logfile of HijackThis v1.94.0
Scan saved at 4:52:02 PM, on 6/10/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Roxio\GoBack\GBPoll.exe
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1045873094660
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.blowsearch.com/TB/The_Ultimate_Browser_Enhancer.exe


----------



## bzhayes

Hi... I am new and pretty clueless. 

I've read many of the posts on this rb32.exe thing and I gave it a go. I appeared to have 3 programs running associated with this: (1) rb32.exe (2) aupdate (3) livegirls.exe. I haven't seen any mention of this third one in these threads. Anyway, nothing was running so I didn't need to end any tasks. I searched and deleted everything associated with the 3 programs. I then started regedit and searched for rb32, found two items with it and deleted both.

What concerns me is that in the same folder (in regedit) as one of the rb32's is a lot of other stuff that looks suspicious.

They include: (1) livegirls...
(2) aupdate...
(3) firedeamon...
(4) download plus.Ink...

and I just searched and rb32... is back!! Items (3) and (4) are, as I recall, associated with some similar type of problem I had a while back.

Any help you could provide would be greatly appreciated. Thanks

Ben


----------



## Top Banana

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.

This will help.


----------



## bzhayes

Thx for replying Topbanana. I had already done that; I guess I should have put it in my first post.

Thanks

Ben

Logfile of HijackThis v1.94.0
Scan saved at 5:08:08 PM, on 6/10/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Zero Popup - {2EF37A01-884F-11d5-AC99-B112050ECB4F} - C:\PROGRA~1\ZEROPO~1\HTMLEdit.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINNT\System32\shdocvw.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: Yahoo! Bridge - http://download.games.yahoo.com/games/clients/y/bt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.photogize.com/saxfile.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/119b316e90b0a77f9521/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/20682de26839e09dd517/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37417.4628356481
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F43BF615-8759-4D0A-9770-CF4315A9D279}: Domain = seas.ucla.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = seas.ucla.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = seas.ucla.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = seas.ucla.edu


----------



## Top Banana

Scan with HijackThis, put a checkmark at and "Fix checked" *all* the following entries.

Close all browser windows before fixing.

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINNT\System32\shdocvw.dll
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.30/Hiwire.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/119b316e90b0a7...etzip/RdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/20682de26839e0...tzip/RdxIE2.cab

The above entries mainly concern Netzip and TinyBar and should be fixed. No trace of RapidBlaster in your log though, so probably just orphaned registry keys you are describing.

Try Spybot S&D for cleanup.

If it was my PC, I wouldn't worry.
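
The fix list above applies a few rules of thumb that recur in this thread: an unnamed BHO, a site added to the Trusted Zone, ActiveX downloads (O16) hosted on a bare IP address, and Run entries that launch the RapidBlaster files (rb32.exe, aupdate.exe). The script below is an added example, not HijackThis code or anything posted in the thread: it parses lines in the HijackThis log format and reports which of those rules each line trips. The sample lines are constructed from entries quoted earlier in this thread, and the `WATCHED_EXES` list is an assumption limited to the two file names the helpers point at here.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/119b316e90b0a77f9521/netzip/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed watch list: the two file names this thread identifies as RapidBlaster.
WATCHED_EXES = {"rb32.exe", "aupdate.exe"}

# One pattern per HijackThis section the rules care about.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)$")


def exe_from_command(cmd):
    """Return the lower-cased file name of the program an autorun command launches.

    Handles both quoted ("C:\\Program Files\\x\\y.exe" -flag) and bare (C:\\a\\b.exe) forms.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split(" ", 1)[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP address rather than a DNS name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (reason, line) if the line trips one of the thread's rules, else None."""
    m = O4_RE.match(line)
    if m:
        exe = exe_from_command(m.group("cmd"))
        if exe in WATCHED_EXES:
            return f"autorun launches watched file {exe}", line
        return None
    m = O2_RE.match(line)
    if m and m.group("name") == "(no name)":
        return "unnamed BHO", line
    if O15_RE.match(line):
        return "site added to Trusted Zone", line
    m = O16_RE.match(line)
    if m and host_is_bare_ip(m.group("url")):
        return "ActiveX download hosted on a bare IP address", line
    return None


def triage_log(text):
    """Run triage_line over every line of a log and collect the hits in order."""
    findings = []
    for line in text.strip().splitlines():
        hit = triage_line(line.strip())
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for reason, line in triage_log(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

The rules are deliberately narrow: a hit means "look at this line", not "fix it". The NAV Helper BHO and the Symantec ccApp entry pass through untouched, which is the point of the helpers' repeated warning not to fix everything HijackThis lists.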


----------



## bzhayes

Thanks!

Ben


----------



## Top Banana

You're welcome.


----------



## TonyKlein

You also want to take a closer look at this one:

*O2 - BHO: Zero Popup - {2EF37A01-884F-11d5-AC99-B112050ECB4F} - C:\PROGRA~1\ZEROPO~1\HTMLEdit.dll*

http://www.doxdesk.com/parasite/ZeroPopUp.html


----------



## Jammer1010

I have read this whole string of posts and I am way confused. Don't even have a clue where to start. I need specific instructions too please. This started a few days ago when I posted about all of my music files being renamed by themselves and duplicated after my nephew was here for a day on the 'pute. I have run Adaware, S&D, Rapidkill etc. It never detected it. I ran McAfee; it has detected 4 viruses that it can't clean or delete. Here are the names of the 4 viruses:

SexNow.exe
installer_george_test.exe
aupdate.exe
2443[1].exe

Adware-Rblast, AdwareISTbar, Porndialer-167

Now in my add/remove programs here is what I see and not sure what to do

MSaupdate no files size listed

rb32 no files size listed

syslog no files size listed

yahoo internet mail no files size listed

and the list goes on as to programs that used to have file sizes and they no longer do, and they all have this little weird icon now that looks like a CD and computer monitor. I have run a HijackThis log for you since that seems to be what you need to see, and I also have more information and detail as to the location of the viruses when McAfee was scanning if you need that info. Here is the HT log and I hope you all can help me PLEASE!!!!!!

OK, when I saved the HT file it made it a document I can't open. Also, when I ran HT the other night it made SEVERAL copies of the backup on my desktop and I didn't know what the deal was, so I saved them all; they are .tmp files and .OSD files. MAN, what is going on..... Nope, still can't post the HT log for you.. In desperate need of help and guidance

Thanks,

Jammer1010


----------



## TonyKlein

Before doing anything else, you NEED to run this all new RapidBlaster killer by Javacool: http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, _and_ remove the file itself.

To double-check, open the "scanlog.txt" file that was created when you scanned with RapidBlaster Killer - it will be located in the same folder as the rbkiller.exe executable that you downloaded. (The file will contain the full path to any RapidBlaster processes that were terminated)

Next, we'll need to see that Hijack This log.

If you doubleclick the log file, does it open in Notepad?

If so, go to Edit > Select all, then to Edit > copy.
Now you've copied the entire text to the Windows Clipboard (this happens behind your back.)

Next, go back to this forum thread, and click "Post Reply".
In an empty area click your RIGHT mouse button, and choose 'Paste' from the context menu.

And voila, there's your Hijack This log.

NOTE: Should the log NOT open in Notepad by default, which seems to be the case here, do this:

· Highlight the logfile by clicking on it once
· Hold down the shift key and then right-click your mouse
· Select "Open With" from the menu
· Pick Notepad.exe.

Be sure to check the box, "Always use this program to open these files".

· Click "OK" and you are all done!


----------



## iammelinda

After I ran HijackThis and Spybot and posted the results here, I followed the instructions from you guys....

Spybot said it was unable to fix/remove something.
The rb32 kept running and then I did this:

start
find file/folder
rb32
three files came up...
right click, then delete


seems to be gone

was this ok to do? It seemed to work??


----------



## TonyKlein

RapidBlaster will morph into a file with another name, given half a chance.

Did you run RapidBlaster Killer?

It will detect and remove any RB variant in seconds


----------



## TheEvilDude

Seems that no one had answered, so I guess my log is pretty much clean. Unless none of you really looked at it. OH, and my computer has been kinda spazzing out since I deleted rb32.exe and the registry entries.
It's kinda weird hearing the red busy light going off when I'm not doing anything. It seems to be in a pattern, like Noise 1,2,3,4,5,-,15 Noise 15 Noise, etc.

bzhayes, the file called DownloadPlus is kinda annoying. I found it earlier on after DLing a mod to a game. DownloadPlus is like a lagger and a nuisance. I found DownloadPlus in C:/Windows/Application Data/
It won't replicate itself, so you can delete it there, then look in the registry and delete those if you want.


----------



## TonyKlein

Removing those items can only make your system run better, so I'd have to assume the problems you're having now are not related.

All we did was take out some browser plugins and an isolated file that don't belong on your system.

And DownloadPlus is indeed a nuisance:
http://www.doxdesk.com/parasite/DownloadPlus.html

We didn't touch any Windows files.


----------



## TheEvilDude

thanks TonyKlein

Appreciate the help and stuff. Quick question though. Do I stay to help or should I go?


----------



## TonyKlein

You're welcome,

And by all means, do stick around, if you feel like it. 
This board is there for everyone, and if you see a topic where you feel you have something to contribute, go right ahead; it's all yours!


----------



## TheEvilDude

Cool. I'll be back in 30 min to about 4 hours. Somewhere between there.

OH, and thanks again TonyKlein, Top Banana, and all the other people whose names I can't really remember that helped.

No offence to the others who helped. I just can't remember your names.


----------



## TonyKlein

You're welcome.

It's what we enjoy doing!


----------



## Jammer1010

Sorry, on lunch break and wanted to get this to you ASAP, Tony and anyone else that can help. Well, here is my HijackThis log
Logfile of HijackThis v1.93.0
Scan saved at 3:07:09 PM, on 6/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://oklahomacity.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: InterGamesClub BackGammon v1 - http://www.intergamesclub.com/clients/backgammon/igc_backgammongame.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37782.7345023148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

One more thing: in my Doc and Settings/Jolene/Start Menu there are 2 icons I have never seen

Internet Sex provider 2KB 
and 
LiveGirls 1kb

Thanks, gotta get back to work, be back in a bit


----------



## TonyKlein

Your Startup menu entries are not in the log.
I see you're running an older version of Hijack This, which I remember had this bug.

Would you please update HT to the latest version (1.94) and give us a fresh log?

You can do that through the internal updater: Config > Misc. Tools > Update


----------



## eclipse987

OK, I read most of these pages. Question....
1. In regedit, do I get rid of the folder ISTbar? It has one file in it.

2. Also, when I search for rb32 in regedit, there is a folder called rb32lptt01 which contains 6 different files in it. Do I delete the whole folder or just the files that have rb32 in them?

3. Hmm, just found, also in the folder 5603, there is a file called rb32 there also in the data field, along with an aupdate and an aupdate.exe file.

Delete all these?


----------



## Top Banana

Download RapidBlaster Killer. RapidBlaster Killer will terminate RapidBlaster and also remove it.

Then....

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.


----------



## Jammer1010

Logfile of HijackThis v1.94.0
Scan saved at 8:45:13 PM, on 6/11/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://oklahomacity.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\bally4d.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: InterGamesClub BackGammon v1 - http://www.intergamesclub.com/clients/backgammon/igc_backgammongame.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt4_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37782.7345023148
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

StartupList version: 1.52
Started from : C:\Documents and Settings\Jolene\Desktop\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MOUSES~1\bally4d.exe
C:\WINDOWS\System32\wininetd.exe
C:\Program Files\syslog\syslog.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Jolene\Desktop\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HorngTech4D = C:\PROGRA~1\MOUSES~1\bally4d.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Jolene"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll - {02478D28-C3F9-4efb-9B51-7695ECA05670}

--------------------------------------------------

Enumerating Task Scheduler jobs:

VirusScan.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shapetris Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\shape.ocx
CODEBASE = http://mirror.worldwinner.com/games/v42/shape/shape.cab

[ExentInf Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\exentctl_0_0_0_1.ocx
CODEBASE = http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gsda.dll
CODEBASE = https://www.gamespyid.com/alaunch.cab

[Pencil Wars Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TERRIT~1.OCX
CODEBASE = http://mirror.worldwinner.com/games/v42/territory/territory.cab

[CustomerCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs7b.instantservice.com/jars/customerxsigned33.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll

[SwapIt Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\swapit.ocx
CODEBASE = http://mirror.worldwinner.com/games/v49/swapit/swapit.cab

[Tilecity Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\tilecity.ocx
CODEBASE = http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,719 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Here is the start log too, ty
Jammer1010


----------



## eclipse987

OK, I deleted only the files (not folders) that said rb32, as well as the 2 aupdate files. Running msconfig, it didn't show up, so I'm assuming I did that right. But it looks like there is a bunch of other junk in this HijackThis log. Also, running RapidBlaster Killer, it didn't find any files. Anyway, here is the log.

Logfile of HijackThis v1.94.0
Scan saved at 22:53:06 , on 6/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=128524
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=128524
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=128524
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} - C:\ADAM Downloads\Programs\GoZilla\Go!Zilla\GoIEHlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\SYSTEM32\3DNATO~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\ADAM Downloads\Programs\GoZilla\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/free_warez.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.absoluteteensmut.com/activeinstaller.dll


----------



## Top Banana

eclipse987
No RapidBlaster in your log. 

Scan with HijackThis, put a checkmark next to *all* of the following entries and hit "Fix checked".

Close all browser windows before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=128524
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=128524
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=128524
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/free_warez.exe
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.absoluteteensmut.com/activeinstaller.dll

*Restart* your computer.

Navigate to and delete

Program Files\ISTsvc
system32.exe


----------



## eclipse987

Found the ISTsvc folder and file in Program Files, but delete system32.exe?? I read that people were having major problems after deleting that. I mean, I have read that it's a Klez email virus, but I ran the program to remove Klez, and it couldn't find anything.


----------



## Top Banana

system32.exe is not a Windows file. If you have system32.exe you have a problem. Delete it.
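The triage Top Banana does by eye on eclipse987's log above (known RapidBlaster/IST autoruns, an executable named after a Windows directory, ActiveX installers pulled as bare .exe/.dll files, affiliate-tagged search settings) can be written down as rules. The script below is an added example for this thread, not HijackThis code; its heuristics, the trusted-host list and the known-bad name list are assumptions built only from entries quoted in this thread, and the sample log is a constructed subset of eclipse987's lines.

```python
# Triage of HijackThis log lines (R0/R1, O4, O16). Added example; not HijackThis's
# own code. Heuristics are assumptions made for this illustration:
#   - O4 autorun whose executable is a component this thread names
#     (rb32.exe, aupdate.exe, istsvc.exe, tvmd.exe), or whose name borrows a
#     Windows directory name (system32.exe is not a Windows file);
#   - O16 Download Program Files entry whose CODEBASE is a bare .exe/.dll rather
#     than a .cab, or served from a host outside a short allow-list taken from
#     the benign O16 lines in this thread;
#   - R0/R1 search setting whose URL carries an affiliate account_id.
import re
from urllib.parse import urlparse, parse_qs

KNOWN_BAD_EXE = {"rb32.exe", "aupdate.exe", "istsvc.exe", "tvmd.exe"}   # from this thread
WINDOWS_DIR_NAMES = {"windows", "winnt", "system", "system32"}
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "www.apple.com",
                     "v4.windowsupdate.microsoft.com"}                   # assumption

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})"
                    r"(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+)=(?P<value>.*)$")
# Last path component ending in .exe, whether or not the command is quoted
# or has arguments; unquoted paths with spaces are handled by anchoring on ".exe".
EXE_RE = re.compile(r'([^\\"]+\.exe)(?=["\s]|$)', re.IGNORECASE)

# Constructed sample: a subset of the eclipse987 log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=128524
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [system32] C:\WINDOWS\System32\system32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/free_warez.exe
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.absoluteteensmut.com/activeinstaller.dll
"""


def triage(log_text):
    """Return [(line, reason)] for the entries a helper would tell the poster to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            em = EXE_RE.search(m.group("cmd"))
            exe = em.group(1).lower() if em else ""
            stem = exe[:-4]  # drop ".exe" (harmless on the empty string)
            if exe in KNOWN_BAD_EXE:
                findings.append((line, f"autorun of known RapidBlaster/IST component {exe}"))
            elif stem in WINDOWS_DIR_NAMES:
                findings.append((line, f"{exe} borrows a Windows directory name and is not a Windows file"))
            continue
        m = O16_RE.match(line)
        if m:
            url = urlparse(m.group("url"))
            ext = url.path.rsplit(".", 1)[-1].lower() if "." in url.path else ""
            if ext in ("exe", "dll"):
                findings.append((line, f"ActiveX CODEBASE is a bare .{ext} from {url.hostname}"))
            elif url.hostname not in TRUSTED_DPF_HOSTS:
                findings.append((line, f"ActiveX control served from unrecognised host {url.hostname}"))
            continue
        m = R_RE.match(line)
        if m and "account_id" in parse_qs(urlparse(m.group("value").strip()).query):
            findings.append((line, "search setting carries an affiliate account_id"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample above this flags six lines: the couldnotfind.com search bar, istsvc.exe, system32.exe, and all three non-Macromedia O16 controls, while leaving mcvsshld.exe, ctfmon.exe and the Flash control alone. A name-based rule like this is only as good as its lists; it is a first pass for a helper to read, not something to feed to "Fix checked" unattended.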


----------



## eclipse987

> _Originally posted by Top Banana:_
> *system32.exe is not a Windows file. If you have system32.exe you have a problem. Delete it.  *


Gotcha. Delete it out of regedit, or just from Start > Search for files?


----------



## Top Banana

HijackThis will have removed the registry entry so Start > Search and delete the file.


----------



## eclipse987

Thanks a lot, man. I'm rid of ALL that junk now.


----------



## Jammer1010

I downloaded the newest version of HT and posted my StartupList log and my HT log; they're on page 8. I am still waiting to hear back from Tony (lol) or anyone that can assist. I am still having weird problems. The computer is freezing up now.
A lot of the time I can't connect to the internet and have to reboot. Please help. I am off to work; I will check back later. Bye and ty

Jammer1010


----------



## nicksrocks

Can someone please help me??? I can't seem to destroy this RapidBlaster mess. I have read this thread, but I'm not sure which direction to take on this. I am not completely computer illiterate, but this is just confusing the you-know-what out of me. I have two small children who use this computer, and we are slammed with adult popups. I found an icon on my desktop for "Live Girls". I followed some instructions and believe I was able to delete that program; however, rb32 and aupdater are still in the task list. I downloaded RBKiller, and it detected no RapidBlaster processes. Can someone please help me? I can't allow my children to use this computer until this is settled.
Thanks so much


----------



## Top Banana

Download HijackThis. Unzip, run, "Scan", "Scan" changes to "Save log". Save the log and copy and paste the HijackThis log into your next post.

Do not fix anything in HijackThis. Most entries will be harmless.


----------



## nicksrocks

here's what Hijackthis log shows:

Logfile of HijackThis v1.94.0
Scan saved at 11:25:45 AM, on 6/16/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.websearch.com/ie.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.nicksfix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=+w
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=;localhost;hppav;<local>
O1 - Hosts: 65.120.116.172 mini.aimster.com
O1 - Hosts: 65.120.116.173 lite.aimster.com
O1 - Hosts: 65.120.116.174 www.aimster.com
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSVIEW.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DLHelperEXE.exe
O8 - Extra context menu item: Search Using Express Search - C:\Program Files\Infoseek\Express\Program\webdocs\search_phrase_IE.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} (iWon Slot Machine) - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlar.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.cox.net/custsup/supportaction/sdccommon/download/tgctlsi.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.3216319444
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.whenu.com/WsCsAutoWCCS0014.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.thesurveyonline.com/activeinstaller.dll


----------



## Top Banana

Scan with HijackThis, put a checkmark next to *all* of the following entries and hit "Fix checked".

Close all browser windows before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=+w
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSVIEW.DLL
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.EXE
O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe
O4 - HKCU\..\Run: [AutoUpdater] C:\WINDOWS\SYSTEM\aupdate.exe
O4 - Startup: DLHelperEXE.exe
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {5F03EAB4-1AD5-11D4-AE99-0050DAC24E8F} (iWon Slot Machine) - http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.whenu.com/WsCsAutoWCCS0014.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhe...n6/dlhelper.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WON...cherControl.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab

*Restart* your computer.

Delete

TVMD.EXE
Program Files\RapidBlaster
aupdate.exe

Download Spybot S&D. Update SS&D via the "Online" tab. Search for and download all updates. Close Internet Explorer, hit "Check for problems". After scan hit "Fix selected problems".


----------



## Metallica

Hi Top Banana,

http://forums.techguy.org/t138563/s.html

Any particular reason for not using the RapidBlasterKiller?

Just curious,

Pieter


----------



## Top Banana

Hi Metallica,

nicksrocks said that RapidBlaster Killer had been used and did identify RapidBlaster.

O4 - HKLM\..\Run: [RapidBlaster] C:\Program Files\RapidBlaster\rb32.exe

My guess is that RBK did not identify this RB as it is an old variant and that RBK only targets the new "morphing" RB.

Only my guess, Pieter.  Right? Wrong? Wish I knew!


----------



## Metallica

AFAIK RapidBlasterKiller should take care of the original version as well.
I'll ask Javacool to make sure.

Regards,

Pieter


----------



## nicksrocks

Thank you so much, Top Banana, for your assistance. I have done all that you suggested, and at this time a search yields no rb32. Thank you! And as for RapidBlaster Killer not showing any RapidBlaster processes when I ran it: before I ran RBKiller, I had already hit Ctrl+Alt+Del and closed rb32 and aupdate. Do you think that might have been the cause of RBKiller not finding it??? I absolutely have no clue. Once again, thanks for your assistance.


----------



## Top Banana

You're welcome.  

As for RapidBlaster and RapidBlaster Killer. I wish I knew!


----------



## Javacool

> _Originally posted by nicksrocks:_
> *Thank you so much, Top Banana, for your assistance. I have done all that you suggested, and at this time a search yields no rb32. Thank you! And as for RapidBlaster Killer not showing any RapidBlaster processes when I ran it: before I ran RBKiller, I had already hit Ctrl+Alt+Del and closed rb32 and aupdate. Do you think that might have been the cause of RBKiller not finding it??? I absolutely have no clue. Once again, thanks for your assistance. *


RapidBlaster Killer can only detect and clean RapidBlaster if it is running. If you terminated the process, it won't find it (but once terminated, of course, it isn't much of a threat, and you can easily remove the Run key with HijackThis) 

And RB Killer should get the older versions (at least, it'll get every version I could get my hands on). In the event that RB Killer doesn't get one of the original versions, Spybot or Ad-Aware will definitely clear those. (The new morphing versions are what traditional anti-spyware programs have trouble with, which is the original reason I created RapidBlaster Killer). Also, FYI, the newest version may still use the C:\Program Files\RapidBlaster\rb32.exe path.

*BUT*, it looks like (from what I see in the HijackThis logs) RapidBlaster Killer correctly got rid of the initial infection, but it seems nicksrocks picked it up again from the following:

O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.thesurveyonline.com/activeinstaller.dll

That's a RapidBlaster installer ActiveX control.

Using RapidBlaster Killer again should have cleaned that infection off, but since the process was terminated it couldn't detect it. (Again, it isn't dangerous if the process isn't running.) In any case, it sounds as though RapidBlaster is finally gone, which is a good thing. But your system still isn't safe - reinfection can occur at any time.

I would *highly* recommend that you try SpywareBlaster , nicksrocks. It'll prevent your computer from being constantly reinfected with RapidBlaster.

Hopefully this answers any questions.

Best regards,

-Javacool
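Javacool's point above is that the O16 installer control, not the Run key, is what keeps bringing RapidBlaster back, and that a blocker such as SpywareBlaster stops that route. The mechanism such blockers use is Internet Explorer's ActiveX "kill bit": a `Compatibility Flags` DWORD of `0x400` under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, after which IE will not instantiate that CLSID at all. The script below is an added example, not SpywareBlaster's or HijackThis's code: it pulls the CLSIDs out of O16 lines and writes a .reg file that sets the kill bit for each. The sample lines are the three O16 entries Top Banana told eclipse987 to fix, and the output file name is an assumption.

```python
# Kill-bit .reg generator for ActiveX installers found in a HijackThis log.
# Added example; not SpywareBlaster's or HijackThis's code. It writes the
# registry value that makes Internet Explorer refuse to load a CLSID:
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" = dword:00000400
# The file name "killbits.reg" is an assumption made here.
import re

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})")
KILL_BIT = 0x400
KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample: the three O16 lines from eclipse987's log quoted in this thread.
SAMPLE_O16 = r"""
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/free_warez.exe
O16 - DPF: {F0AA2376-F073-4E57-86E8-0238F99087C7} (AInst Class) - http://www.absoluteteensmut.com/activeinstaller.dll
"""


def o16_clsids(log_text):
    """CLSIDs of every O16 (Download Program Files) entry, upper-cased, in log order."""
    clsids = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            clsids.append(m.group(1).upper())
    return clsids


def kill_bit_reg(clsids, win9x=False):
    """Text of a .reg file that sets the kill bit for each CLSID.

    Windows 2000/XP regedit expects the 'Windows Registry Editor Version 5.00'
    header; Windows 9x/ME regedit expects 'REGEDIT4' (nicksrocks is on ME).
    Lines are CRLF-terminated, as regedit expects.
    """
    lines = ["REGEDIT4" if win9x else "Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(f"[HKEY_LOCAL_MACHINE\\{KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    with open("killbits.reg", "w", newline="") as fh:   # file name is an assumption
        fh.write(kill_bit_reg(o16_clsids(SAMPLE_O16)))
```

Two cautions when using something like this. The kill bit only stops IE from loading the control; it does not delete the .ocx/.dll already sitting in Downloaded Program Files, which is what fixing the O16 line in HijackThis does, so do both. And it is per-CLSID, so feed it only the entries you have identified as bad: killing the Flash or Windows Update CLSIDs from the same log would break those, which is why the sample keeps to the three installer controls rather than every O16 line.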


----------



## Metallica

Thank you for taking the trouble to clear that up, Javacool.

Regards,

Pieter


----------



## leopold

The most excellent way to get rb32 off is the procedure by Mr. mannteuffel, which I have done on Windows XP, and it is OK. It is probably then SpyBot that produces this rb32 thing as aggressive advertising. A trace of a connection has been found.
[email protected]

*get rb32 off * aggressive advertising


----------



## Metallica

> _Originally posted by leopold:_
> *It is probably then SpyBot produce this sheet rb32 as a aggressive advertising. *


To what avail, so more free programs get downloaded, costing him money in bandwidth?

Regards,

Pieter


----------



## leopold

To make people be in "Anger" like you and push them to buy or download the spyware (rb32). All the time I have been infected by rb32, I've gotten on my screen a free offer to download SpyBot.
During the procedure of removing rb32, I found on my computer, in pieces of software, a written connection between SpyBot and rb32.

Best regards for all that are happy to killed rb32 by SpyBot
Leopold


----------



## Metallica

I'm sorry I must be misunderstanding you.
Are you referring to this program: http://security.kolla.de/
or something else?

Regards,

Pieter


----------



## leopold

Sorry,NO
Leopold


----------



## Metallica

That's a relief. These are the people responsible for RapidBlaster:

www. 2nd-thought.com (don't go there unless you're properly protected!!!!!!)

But you might be more familiar with them as "CPM Media, LTD" - the makers of FreeScratchCards. :down:

The above reflects the findings of the author and not the owners of this site. 

Regards,

Pieter


----------



## leopold

Thanks for your information. I do not like 2nd-thought after all.
Regards.
Leopold


----------



## Bez1385

I have the same problem. RB35 just appeared and I haven't been able to get rid of it. I've tried everything I know and it's still there.

I saw someone was having a problem with aupdate or something like that. Norton popped up saying that it was a virus; I ran a scan of the folder it was in, quarantined it and deleted it.


----------



## Bez1385

I was looking through a number of other message boards and one of them sent me to this web site:
http://www.lurkhere.com/~nicefiles/
Download Spybot, update it and run the search. It will find everything having to do with RB35 and a bunch of other crap you don't know is on your PC. Once you reboot your PC, RB35 is gone!!!!


----------



## Gordon7000

Hi Bez1385 - and welcome!

Great to hear that you've managed to get rid of RapidBlaster with Spybot S&D. It's an excellent utility. However, some related files could still be on your computer under different names. If you would like us to check for any remaining potentially malicious files, could you download, unzip and run HijackThis?

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Most of the entries in the log are harmless, so DON'T fix anything yet. Just SCAN your computer. Then, press the SAVE LOG button. This will open the log in Notepad. Copy and post (paste) the log from Notepad to this forum (don't use attachments).

Also, please provide a StartupList log as well. To produce a StartupList log, run HijackThis, press Config... > Misc Tools > Generate StartupList log.

Post both logs to the forum and someone will tell you what to do next.

Regards, Gordon


----------



## brianduz

Yesterday Norton advised I have a virus. I spent about 2 frustrating hours in panic mode before I figured out how to fix it.
Norton A/V identified the virus as "download.trojan" and the file as "aupdate.exe", and took me to the Symantec site where it suggested I download new updates. Doing so changed nothing.
Norton A/V was unable to quarantine or delete it. Using Explorer, I went to Windows\system32\aupdate.exe. Could not delete it: "file access denied". Tried the net and downloaded 2 different "Trojan Finders". They wasted about an hour and found nothing.

Here's what I finally did! Went to START, ran msconfig, unchecked aupdate.exe. Rebooted, returned to system32, where I was now able to delete all 4 files. Went to regedit, used FIND and deleted everything with the word aupdate in it.
I don't normally post anything, but thought it would be great if I could save even 1 person from that frustrating crap.
Hope this helps
Brian


----------



## leopold

Thanks Brian. It is still the same, as I wrote on 18 Jun.: an aggressive promotion for spy tools, by making (or having made) worms to show that their spy tools are useful.
regards
Leopold


----------



## brianduz

I followed Bruce & Wolfe's (sp) advice. Downloaded Spybot & changed security settings to "high". FWIW, I'm pretty sure I had RB32 last year (maybe an older version) & used the same method as I outlined for aupdate, PLUS used Task Manager as one of you guys suggested, but I forgot about it 'till I read your suggestion.
Thanks guys & good luck Leopold


----------



## Okie_Miami

I followed Defaf's post, and it finally got rid of rb32. After following the post directions, I had to reboot to finally get that bugger out of the Recycle Bin, but it is gone! AND a strange side effect is that the entry for AUPDATE went with it! Does anyone know what these two had in common?


----------



## Guest

I recommend HijackThis! Just unzip the attached file with WinZip, open the unzipped file, click Scan, check rb32, click Fix checked, click Yes, click OK, exit HijackThis, delete rb32 and you're done!


----------



## Metallica

> _Originally posted by Guest:_
> *I recommend HijackThis! Just unzip the attached file with WinZip, open the unzipped file, click Scan, check rb32, click Fix checked, click Yes, click OK, exit HijackThis, delete rb32 and you're done! *


Please buy me a lottery ticket when that works.

http://www.doxdesk.com/parasite/RapidBlaster.html

http://www.wilderssecurity.net/specialinfo/rapidblaster.html

Regards,

Pieter


----------



## chuck_patton

This is what HiJack came up with, would appreciate any help.

Logfile of HijackThis v1.95.1
Scan saved at 1:30:13 PM, on 7/17/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\AOL Companion\companion.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Chuck Patton\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37685.9254050926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{021A7F10-C5CA-43AE-896D-48A3C58319AD}: NameServer = 198.81.17.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{021A7F10-C5CA-43AE-896D-48A3C58319AD}: NameServer = 198.81.17.134


----------



## Agent_Lovato

I found this on my PC as well.
It seems to execute on MS IE program load.
When I do a search at that point, the aupupdate.exe file is found in the C:\Documents and Settings\SURFER\Local Settings\Temporary Internet Files
location and also comes up at a browser location or www.google.com.
Properties of these indicate that they are either an internet shortcut or an HTML document.

What is this damn file?


----------



## Agent_Lovato

Is it some sort of Acceptable Use Policy from the ISP that is executed upon internet access and checked via some sort of .COM function?


----------



## TonyKlein

Hi, and welcome to the board. 

Please do the following:
Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## Agent_Lovato

Logfile of HijackThis v1.95.1
Scan saved at 10:29:07 AM, on 7/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\SURFER\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://findloss.com/home.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://findloss.com/home.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGRDIAN.EXE" /SU
O4 - HKLM\..\Run: [WM_LOGIN] C:\Program Files\McAfee\McAfee Firewall\\MSGLOGIN.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'cslsp.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Thilias

Been getting massive amounts of popups lately.
Disabled the messenger popups no problem and got rid of rb32 as described many times here.
Ran SSD and Ad-aware.
Deleted all red entries.
So now I come to you.

I did the HijackThis and got all this junk:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech1\iTouch\iTouch.exe
C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\devldr32.exe
E:\Program Files\ICQ\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Thilias Thalis\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech1\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] E:\Program Files\ICQ\ICQ\NDetect.exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft IntelliPoint 4.12\Mouse\SETUP\MSH\Mouse\point32.exe
O4 - HKLM\..\Run: [AtiPTA] C:\WINDOWS\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.lnk = C:\PowerReg Scheduler.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech1\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {3F2771B1-0853-4701-8BBA-81A01245A8F0} (IntraLaunch.MainControl) - http://www.1lifeservers.com/cfm/infoapp/intralaunch.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37619.5973611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/Typography/Utility/2.0b/WXP/EN-US/clearadj.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4273/mcfscan.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab

^ the first 2 sections.
The whole log:
http://members.shaw.ca/LtThilias/hijackthis.txt


----------



## dohoanmy

Fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Visit this site to download the program Spybot: http://security.kolla.de/ . Remember to update before running, and close all windows while running the program.


----------



## dvk01

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
should NOT be deleted; it is a default Windows setting that allows you to have a blank page at IE start-up rather than a website.

Someone will come back about the rest after the downtime today.


----------



## Metallica

You will want to get rid of these however:

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/...wave/wtinst.cab

Regards,

Pieter


----------



## knman00

HEY GUYS FORGET ALL THOSE PROGRAMS FIXING THE RB32 35 PROBLEM IS REALLY REALLY SIMPLE SO SIMPLE UR NOT GONNA BELIEVE IT ALL U DO IS ALT CTR DELETE AND END THE PROCESS OF THE RB32 35 EXE GO TO THE FILE FOLDER IN YOUR PROGRAM FILES HIT SHIFT+DELETE TO PERMANENTLY DELETE IT AND HERE IS THE REAL TRICK MAKE SURE U HAVE NO PROGRAMS RUNNING DO NOT RESTART UR COMPUTER OR SHUT IT DOWN THIS WILL ONLY RESPAWN THE RB PROBLEM INSTEAD PULL THE POWER PLUG OUT OF THE BACK OF UR COMPUTER AND THEN PLUG IT BACK IN AND YOUR RB PROBLEMS ARE SOLVED FORGET ALL THOSE SILLY PROGRAMS USE UR MINDS REMEMBER WHENEVER YOU SHUTDOWN OR RESTART WINDOWS IT ALWAYS SAYS SAVING SETTINGS THE RB32 TRICKS WINDOWS INTO THINKING THAT IT IS A SYSTEM FILE WHICH IT NEEDS SO IT MAKES WINDOWS BACK IT UP AND RESTORE IT WHEN U RESTART NOW THINK ABOUT IT IF YOU PULL THE POWER TO THE PC WINDOWS WONT HAVE A CHANCE TO "SAVE YOUR SETTINGS" AKA RESTORE THE RB32.EXE PRETTY SLICK HUH???


----------



## Flrman1

knman00 


Stop Yelling!


----------



## TonyKlein

... or saying things that are blatantly untrue:



> _Originally posted by knman00:_
> *THE RB32 TRICKS WINDOWS INTO THINKING THAT IT IS A SYSTEM FILE WHICH IT NEEDS SO IT MAKES WINDOWS BACK IT UP AND RESTORE IT WHEN U RESTART *


It has nothing to do with Windows File Protection:

What Rapidblaster does is "periodically download data from its controlling server that contains a new folder and filename.
It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location."
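
The relocation behaviour described above is exactly the kind of thing that shows up when two HijackThis logs of the same machine, taken some time apart, are compared: the autorun (O4) entry keeps pointing somewhere, but the folder and filename it points to change. The script below is an added example written for this thread, not code from the forum or from HijackThis itself. It structures the R/O finding lines of a log in the format the logs posted earlier in the thread use, pulls out the hosts file overrides (O1) and autoruns (O4), and reports autoruns that were added, removed or moved between two scans. The two log snapshots inside it are constructed sample input; the `xyz01` folder, the `Updater` entry and the example.invalid start page are placeholders, not observations from any real machine.

```python
"""Structure HijackThis-style log lines and compare the autorun (O4) entries of
two scans, so that an autorun which appears, disappears or changes path between
scans stands out. Added example; not code from the thread or from HijackThis.
The two snapshots at the bottom are constructed sample input."""
import re

# Every finding line in a HijackThis log starts with a section code, e.g.
# "O4 - HKLM\..\Run: [Name] C:\path\prog.exe" or "O1 - Hosts: 1.2.3.4 host".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Registry-backed autoruns: "<hive>: [<value name>] <command>"
O4_REG_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder autoruns: "<folder>: <shortcut>.lnk = <command>"
O4_LNK_RE = re.compile(r"^(?P<hive>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")


def parse_log(text):
    """Return [(section, body), ...] for the finding lines of a log, skipping
    the header block and the 'Running processes' list."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m.group("section"), m.group("body")))
    return found


def autoruns(entries):
    """Map (location, name) -> command string for every O4 entry."""
    result = {}
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if m:
            result[(m.group("hive"), m.group("name"))] = m.group("cmd").strip()
    return result


def hosts_overrides(entries):
    """Map hostname -> IP for every O1 (hosts file) entry; any entry here means
    name resolution for that host is being overridden locally."""
    return {m.group("host"): m.group("ip")
            for section, body in entries if section == "O1"
            for m in [O1_RE.match(body)] if m}


def command_path(cmd):
    """Executable path of a command line: quotes removed, arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def diff_autoruns(old_text, new_text):
    """Compare two scans. Returns {'added': [...], 'removed': [...],
    'moved': {key: (old_path, new_path)}}. An entry whose target path changed
    between scans is what a self-relocating program looks like in the logs."""
    old, new = autoruns(parse_log(old_text)), autoruns(parse_log(new_text))
    moved = {k: (command_path(old[k]), command_path(new[k]))
             for k in old.keys() & new.keys()
             if command_path(old[k]).lower() != command_path(new[k]).lower()}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "moved": moved}


# Constructed sample scans (not real logs); only the rb32 line differs by path.
SCAN_1 = r"""Logfile of HijackThis (constructed sample, scan 1)
Running processes:
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rb32] "C:\Program Files\rb32\rb32.exe"
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
"""
SCAN_2 = r"""Logfile of HijackThis (constructed sample, scan 2)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rb32] "C:\Program Files\xyz01\xyz01.exe"
O4 - HKCU\..\Run: [Updater] C:\WINNT\System32\upd-sample.exe
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
"""

if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(parse_log(SCAN_1)))
    for kind, items in diff_autoruns(SCAN_1, SCAN_2).items():
        print(kind, items)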


----------



## Flrman1

Thanks for stepping in Tony.

I figured you would put the nonsense to bed!:up:


----------



## marcmfs

Actually I was able to get rid of it pretty easily on my system.

I am using Win2k, so that might have an advantage in that regard.

What I did was simple: told Windows to uninstall, then looked in the processes and stopped it from running in the Task Manager, then looked for it in the registry and deleted all keys associated with it (there should be 2 entries, though I'm sure there might be others), then deleted the file from the drive (permanently), restarted, and it was gone.

I did, though, check the system after I rebooted with Ad-aware 6.0 and Norton virus checker.

My concern, though, is what else got installed when this got installed? And how come I didn't realise it was being installed?


----------



## kqn73

Thanks...Spybot seemed to get it out here.
Let me know if you fully got rid of it on your machine.
KQN73


----------



## Rollin' Rog

Time to close this one; those with similar problems should begin a thread of their own for best support.


----------

