# IMPORTANT: RapidBlaster Parasite warning!



## TonyKlein (Aug 26, 2001)

The most recent variants of RapidBlaster ( http://www.doxdesk.com/parasite/RapidBlaster.html ) will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.

Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.

The following is an incomplete list of RB file names that have been spotted so far:

- rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)

- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)

- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)

- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)

- Icon lptt01 = icon.exe (In a "Icon" folder in Program Files)

- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)

- aimaol lptt01 = aimaol.exe (In a "Aimaol" folder in Program Files)

- nvd32 lptt01 = nvd32.exe ( In a Program Files\NvidStar directory)

- syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)

- winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)

- taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)

- Microfinder lptt01 = mcf.exe (In a "MicroFinder" folder in Program Files)

- winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)

- yahoo_toolbar lptt01 = yahoo_toolbar.exe (In a "yahoo_toolbar" folder in Program Files)

- Surfer lptt01 = surfer.exe (In a "mssurfer" folder in Program Files)

- Dkware lptt01 = dkware.exe (In a "DonkeySoft" folder in Program Files)

- Kazaa lptt01 = kazaa.exe (In a "kazaa" folder in Program Files)

- Explorer lptt01 = explorer.exe (In a "explorer" folder in Program Files)

- Newsgroup lptt01 = newsgroup.exe (In a "newsgroup" folder in Program Files)

- Spool lppt01 = spool.exe (In a "spool" folder in Program Files)

- Msconfig lppt01 = msconfig.exe (In a "msconfig" folder in Program Files)

- Adaware lppt01 = lptt01 adaware.exe (In a "adaware" folder in Program Files)

- iexplorer lptt01 = explorer.exe (In a "iexplorer" folder in Program Files)

- Syslog lptt01 = Syslog.exe (In a "Syslog" folder in Program Files)

Javacool of Javacoolsoftware fame has reacted with great speed, and issued a RapidBlaster killer, which will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry.

Once the process has been terminated, find the program's folder in Program Files, and simply delete it!

Read about it here: http://www.wilderssecurity.net/specialinfo/rapidblaster.html
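As an added example (not code from this thread, from RB Killer, or from any other tool mentioned here), the following checker applies the two detection heuristics above to HijackThis-style "O4 - ...\Run:" lines: the lptt01/lppt01 marker in the Run entry name, and the (incomplete, server-changeable) folder/file list. All function names and sample log lines are constructed for this example.

```python
import re

# Known RapidBlaster file and folder names as listed in the thread (lower-cased).
KNOWN_RB_FILES = {
    "rb32.exe", "realplay.exe", "notepad.exe", "bsoft.exe", "icon.exe",
    "msys.exe", "aimaol.exe", "nvd32.exe", "syscon.exe", "winwan.exe",
    "taskmngr.exe", "mcf.exe", "winsyslog.exe", "yahoo_toolbar.exe",
    "surfer.exe", "dkware.exe", "kazaa.exe", "explorer.exe", "newsgroup.exe",
    "spool.exe", "msconfig.exe", "adaware.exe", "syslog.exe",
}
KNOWN_RB_FOLDERS = {
    "rapidblaster", "realplay", "notepad", "belmontsoft", "icon", "msyss",
    "aimaol", "nvidstar", "syscon", "winwan", "taskmngr", "microfinder",
    "winsyslog", "yahoo_toolbar", "mssurfer", "donkeysoft", "kazaa",
    "explorer", "newsgroup", "spool", "msconfig", "adaware", "iexplorer",
    "syslog",
}

# Both spellings of the marker seen in the thread: "lptt01" and "lppt01".
RB_MARKER_RE = re.compile(r"\blp[pt]t01\b", re.IGNORECASE)

# HijackThis layout: O4 - HKLM\..\Run: [Entry Name] C:\path\file.exe optional args
RUN_LINE_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$"
)
# The executable path: optionally quoted, ends at the first ".exe".
EXE_PATH_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def parse_run_entry(line):
    """Return (entry name, exe path) for an O4 Run line, or None for any other line."""
    m = RUN_LINE_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    p = EXE_PATH_RE.match(cmd)
    return m.group("name"), (p.group("path") if p else cmd)


def classify_run_entry(name, path):
    """Return a reason string if the entry looks like RapidBlaster, else None.

    "marker": the entry name carries the lptt01/lppt01 tag, the sign the
    thread treats as a safe indicator.
    "known-location": file name and parent folder both match the thread's
    list and the folder sits under Program Files. The list is incomplete and
    can be changed from the server at any time, so no hit proves nothing,
    and a hit on a name such as kazaa.exe still needs a manual look.
    """
    if RB_MARKER_RE.search(name):
        return "marker"
    parts = path.split("\\")
    if len(parts) < 3:
        return None
    file_name = parts[-1].lower()
    folder = parts[-2].lower()
    under_program_files = any(
        p.lower() in ("program files", "progra~1") for p in parts[:-2]
    )
    if (under_program_files and file_name in KNOWN_RB_FILES
            and folder in KNOWN_RB_FOLDERS):
        return "known-location"
    return None


def scan_run_entries(lines):
    """Scan HijackThis-style log lines; return one (name, path, reason) per hit."""
    hits = []
    for line in lines:
        parsed = parse_run_entry(line)
        if parsed is None:
            continue
        name, path = parsed
        reason = classify_run_entry(name, path)
        if reason:
            hits.append((name, path, reason))
    return hits


# Constructed sample lines (not from any real log): two RapidBlaster-style
# entries, one genuine RealPlayer entry whose file name is on the list but
# whose folder is not, a plain QuickTime entry, and one untagged entry that
# only the folder/file list catches.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [realplay lptt01] C:\Program Files\RealPlay\realplay.exe",
    r"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [Updater] C:\PROGRA~1\Syscon\syscon.exe",
    r'O4 - HKLM\..\Run: [winwan lppt01] "C:\Program Files\Winwan\winwan.exe"',
]

if __name__ == "__main__":
    for name, path, reason in scan_run_entries(SAMPLE_LOG):
        print(f"{reason:15} [{name}] {path}")
```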


----------



## Aaron.W (May 9, 2003)

. . . and it may help to block the subnet 217.116.231 "VIDEO-PLAY.COM" so it can't call home for updates. ;]


----------



## Davey7549 (Feb 28, 2001)

Tony
Can one assume if they see the tag of lptt01 it is a rapidblaster derivative?

Dave


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by Aaron.W:_
> *. . . and it may help to block the subnet 217.116.231 "VIDEO-PLAY.COM" so it can't call home for updates. ;] *


That may be worth a try! :up:



> _Originally posted by davey7549 :_
> *Can one assume if they see the tag of lptt01 it is a rapidblaster derivative? *


I think that would be a safe assumption, Dave. I can't remember any other startups that look like that.


----------



## Davey7549 (Feb 28, 2001)

Tony
Thanks for the info! I generally do not handle heavy security issues since you guys are better at it but it is good to know if I see it!

Dave


----------



## IMM (Feb 1, 2002)

Tony - thanx for the info. I still think (for those that have any interest), that the best protection mechanism for malware, trojans and virii is a thorough understanding of the processes (and mutexes) which run on your machine normally. You will at least recognize that something has changed that way (once you become familiar with them).
A good start along these lines is a utility which will show you the processes (and mutexes), as well as the cpu utilization of a process. A utility such as *Process Explorer* is an excellent start. It takes a little time to get a grasp on the normal processes and will probably surprise you with what's running in a normal sense (you may well end up with questions). It's also a good process killer for those cases where a file is un-deletable because it's in use.
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml


----------



## mobo (Feb 23, 2003)

Tony....what suggestions would you have for myself as well as others who read this for some type of program that would be running while online to help in keeping these as well as other nasties out of your system ?


----------



## TonyKlein (Aug 26, 2001)

Well, the most important thing is to tighten your security settings, so that these things won't be stealth installed any more.

Here's some reading:
So how on earth did I get all this spyware in the first place?


----------



## brendandonhu (Jul 8, 2002)

There was someone in chat yesterday with RapidBlaster-pointed him towards the rbkiller program and instead he just deleted the whole CLSID section of the registry because he thought that might fix it! Instructed him to restore the registry, but I don't think he did. So this is definitely a good thread!

At this point it's beyond advertising and antivirus software should pick this up!
It calls home for updates.
Executes arbitrary code.
Random Filenames.
Clearly tries to avoid detection.

Maybe the ISP running it can get ahold of its update site and make an update that will remove the virii-like spyware?


----------



## TonyKlein (Aug 26, 2001)

> _Originally posted by brendandonhu:_
> *At this point it's beyond advertising and antivirus software should pick this up!*


Well, BOClean and Kaspersky are at this moment targeting it, and DiamondCS and ESET will soon. Others will probably follow.

I'm sorry to say that Ad-Aware with reffile #145 doesn't do a thorough job yet.

I just tested it on RapidBlaster:

Only once out of 5 trials it detected and terminated the running process, which isn't good... 

None of the five times it removed the file.

I guess we'll be recommending RB Killer for a while yet!


----------



## TonyKlein (Aug 26, 2001)

Excellent news:

RapidBlaster Killer has been updated, and is now at v. 1.3

New features:

It will not only terminate the task, and remove the run entry, but also give the user the option of exiting (not the default choice) or proceeding to delete the file(s) and cleanup.

So the program can now:

-Delete the RapidBlaster file(s)/folder(s).
-Delete the Uninstall entry/entries.

No need to do _any_ additional manual cleaning. 
In short: it will delete ALL of this new version of RapidBlaster, and at present it's still the only application which does!

RB Killer 1.3 download:

http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe
or
http://www.wilderssecurity.net/downloads/rbkiller.exe

The webpage: http://www.wilderssecurity.net/specialinfo/rapidblaster.html


----------



## PCfixer (Jul 8, 2003)

Good information, thanks for taking the time to report it, if more of these warnings were posted life would be easier on the PC, prevention is the best cure. Cheers Dave


----------



## valgobo (Jul 13, 2003)

Hi, tony 

I got a problem with my internet explorer 6 (ie6).

I cannot open hotmail.com and as well whenever I am browsing different websites say, mcafee.com, or yahoo.com etc, one of the pages could not open at all. for example,

On Mcafee.com i want to scan online for virus. for this i can go upto actual "scan now" page after passing through different pages for logins and agreements etc. but i cannot actually execute a scan.

similarly i CANNOT open hotmail.com home page THROUGH internet explorer BUT same page works perfectly through NETSCAPE 7.0

When i read your forums i checked for RB32 folder and also scanned "Hijack this" "Rapidblaster killer" "spywareblaster"
i found rb and removed RB32 folder from my system in safe mode.

But still then the same problem persists ??
I have also reinstalled internet explorer but all in vain.

Can u suggest me something else please...... 

help !!

valgobo.


----------



## brendandonhu (Jul 8, 2002)

Please don't post your questions in other threads that are on different topics. Start your own thread.


----------



## bassetman (Jun 7, 2001)

Thanks for all the great info!


----------



## Backspace (May 23, 2003)

OMG!..... What has happened? I double clicked on an icon on the Desktop and it opened quadruples of every icon on the entire Desktop.    

A message window popped up saying...."Do you really want to Explore 25 objects all at once?... this will slow down your computer considerably.... blah blah blah...". (maybe not the exact words...)

But all the icons are highlighted ... and will not unhighlight. if yu click on one to open... they ALL open. 

NEVER SEEN THIS ONE BEFORE!

I did a restart and nothing changed.


----------



## Backspace (May 23, 2003)

oops Sorry people... I meant to start a new thread......hit the wrong button....


----------



## JES7ER (Jul 15, 2003)

I have a few things to say first off TONY I am impressed with your knowledge. At first i thought this was some bogus site trying to lure people into a false sense of security but i require help. I run a pretty fast computer and have had problems with Kazaa putting stuff on my computer but any ways i don't know where to put this so here's the HiJackThis search result on my computer if you could help that would be awesome

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
D:\Movies\D-Tools\daemon.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\MSI\Live Update 2\LMonitor.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ANTHON~1\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.mybc.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.mybc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.shopnav.com/search/9886/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by telus.net®
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL (file missing)
O2 - BHO: (no name) - {BD5F51D5-9421-43A6-85D9-24CECD1395CB} - C:\WINDOWS\System32\dsa16gt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {55C4D22D-A6D1-4CEB-A96E-99F33FE8185C} - (no file)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Movies\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 2\LMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmNT.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mybc.com
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: ChatSpace Java Client 3.0.0.207 - http://surechat.com:9000/Java/cms3207.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/DHTMLAccessXP1042.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37592.9006481481
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.pdinetwork.com/diallers/L220878.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.36.36/tukati.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab

If you could help that would be awesome. I am running XP pro and my computer should be running faster than it does so i suspect some viruses thx again


----------



## JES7ER (Jul 15, 2003)

Woops so sorry I am a nub at this...hope i didn't offend I'll create a new Thread


----------



## Backspace (May 23, 2003)

Hee Hee Hee.... must be the night for it.. I did the very same thing.....


----------



## bassetman (Jun 7, 2001)

BTW Backspace, your pic doesn't work!


----------



## TonyKlein (Aug 26, 2001)

JES7ER,

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.shopnav.com/search/9886/search.html

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - (no file)
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME1.DLL (file missing)
O2 - BHO: (no name) - {BD5F51D5-9421-43A6-85D9-24CECD1395CB} - C:\WINDOWS\System32\dsa16gt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O15 - Trusted Zone: http://free.aol.com

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.pdinetwork.com/diallers/L220878.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/Sha...c/bin/cabsa.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.6.36.36/tukati.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab*

Now download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Cheers,


----------



## JES7ER (Jul 15, 2003)

Sorry about the spam i wasn't trying to, I am kinda a noober on here. So i apologize for that. But to all of you Thank you, you have my admiration and appreciation


----------



## houstonmesa (Jul 16, 2003)

I used HiJack & here is the log. Is there anything I should delete? Thank you soo much, I'm thrilled to have found this site & assistance.

Logfile of HijackThis v1.95.0
Scan saved at 9:26:03 AM, on 7/16/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Carlie Owsley\Local Settings\Temporary Internet Files\Content.IE5\JE1B8FVR\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37726.8990162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## brendandonhu (Jul 8, 2002)

Looks alright to me, are you having problems?


----------



## houstonmesa (Jul 16, 2003)

Yes, I've been having an extreme amt of porn pop ups. Today I located rapidblaster on my computer, researched it a bit & came to this site. I attempted to remove it various ways you had suggested, but it will not allow me to delete the file stating that it is either in use or is "written"..I can't even remember if that's the term.


----------



## brendandonhu (Jul 8, 2002)

Did you try RBKiller
http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe


----------



## houstonmesa (Jul 16, 2003)

Yes, it says no rapidblaster activity detected, but the files are on the computer. And the activity certainly seems to reflect it.


----------



## brendandonhu (Jul 8, 2002)

I don't think this is it-but fix this item
O3 - Toolbar: Qidion - {3789CBF0-C4CA-4e98-B93B-22ACF0587FBA} - C:\WINDOWS\qi32.dll


----------



## houstonmesa (Jul 16, 2003)

Now should I just wait & see if the pop ups continue? Thanks so much for your help, I truly appreciate it. Carlie


----------



## brendandonhu (Jul 8, 2002)

No problem-but yes see if they continue. I don't think that item could be causing all this trouble, but it's possible.


----------



## TonyKlein (Aug 26, 2001)

Qidion is a baddie, though:

http://www.doxdesk.com/parasite/Pugi.html


----------



## houstonmesa (Jul 16, 2003)

A baddie in which sense?


----------



## brendandonhu (Jul 8, 2002)

In the sense that it causes unnecessary advertising, popups, slowdowns, and security problems, not to mention tracking your internet activity and selling the data.


----------



## houstonmesa (Jul 16, 2003)

Thanks, I'm glad I deleted it then. Carlie


----------



## brendandonhu (Jul 8, 2002)

Ok good-are the popups gone?


----------



## houstonmesa (Jul 16, 2003)

So far, so good. My computer has been a virtual hostage due to amt of porn popping up, you couldn't leave it on for more than 1/2 an hour & there would be 2-3 pop-ups just in that short amt of time. & the last time that anyone could have even looked at any porn sites was 2-3 months ago. Thank God for your site!


----------



## JohnneBGood (Jul 17, 2003)

YOU folks are the best!! I have a computer that has been getting slower and slower. Then, the porn pop ups made it so I couldn't even let my kids use it anymore. I tried clearing caches, deleting temp files & cookies - but it stumped me. I finally looked for something that could record what was happening on my computer when those pop ups occurred so I could try to figure out what was happening - I installed "007 Spy Software" and found that "rapidblaster" was being called. I searched on the web under "rapidblaster" and found you - THANK YOU!!

I ran Spybot S & D - which found rapidblaster - but it did give me a type of error that it couldn't kill one of the files. I then ran rbkiller - it didn't find anything. I did a file search on RB32.EXE and found "RB32.EXE-1FE480B1.pf" - should I delete it?

The pop ups were always intermittent - so I don't know if I have solved the problem yet or not - but so far I haven't received any more pop ups.

Would you mind looking at the hijacker to see if there is anything else I should do?

Again - thank you so much!!

Logfile of HijackThis v1.95.1
Scan saved at 12:19:40 AM, on 7/17/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\aim\aim.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\PhotoWorks\Uploader\PWComm.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\kurt\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\kurt\Application Data\Mozilla\Profiles\default\z80603av.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ssmgr] ssmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\aim\aim.exe -cnetwait.odl
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: PhotoWorks Uploader.lnk = C:\Program Files\PhotoWorks\Uploader\PWComm.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://www.cabeagent.com/netagent/objects/custappx2.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {80F1B906-D066-11D3-AD70-009027B8ADBC} (WebPlayer Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.7052199074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/photo/upload/XUpload.ocx


----------



## brendandonhu (Jul 8, 2002)

Yes, delete that RB32 file.
I just took a quick look, but all I see that you need to fix is this
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe


----------



## Gandalf400 (Jul 21, 2003)

Hi.
This is my first posting on here, so I hope I do it right!

Having read all the above, and run 'Hijack This', could someone please tell me if the following Log includes anything that requires attention.

Logfile of HijackThis v1.95.1
Scan saved at 2:50:52 PM, on 7/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\AOL 8.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AOL 8.0\WAOL.EXE
C:\PROGRAM FILES\AOL 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.aol.co.uk/search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1050550191650
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks for all the help provided on this site. It's reassuring to know that people like you are willing and able to help the less well-informed like me.


----------



## TonyKlein (Aug 26, 2001)

Check and have Hijack This fix the following:

*O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present*

Now restart your computer, and delete the C:\WINDOWS\SYSTEM\stcloader.exe file.

Cheers,


----------



## brendandonhu (Jul 8, 2002)

Tony, is there a list of Downloaded Program Files, as you have your lists of BHO and Toolbar CLSIDs? I always find it hard to go through the O16s.


----------



## TonyKlein (Aug 26, 2001)

No, I don't think there is one.
However, these are much easier to identify, as the URLs are there.

When in doubt, just go to that site, and in most cases that will tell you enough.


----------



## brendandonhu (Jul 8, 2002)

Ok thanks.


----------



## TonyKlein (Aug 26, 2001)

Also, the latest version of Javacool's SpywareBlaster sports a "Find" feature. It's an excellent way of identifying a lot of CLSIDs for known baddies.


----------



## Gandalf400 (Jul 21, 2003)

Tony

Thanks very much for your help, and such a quick response too. All seems well now. Thanks again.


----------

