spybot question for rb32.exe
wolfe26's Avatar
Junior Member with 5 posts.
 
Join Date: Apr 2003
Location: California
24-Apr-2003, 04:48 AM #46
aupdate on win2k
The Fishman,

I am running win2k and Norton... and aupdate performed exactly as I stated about had a little torch beside it like a common trojan and when the uninstall was run away it took me to that bye page that was 404...

My Norton runs LUALL.EXE when updating.

"If you build it... They will come..."
Bruce I.'s Avatar
Senior Member with 192 posts.
 
Join Date: Apr 2003
24-Apr-2003, 07:29 AM #47
So wolfe, in win2k aupdate is safe ? I also run norton and win2k...
Bruce I.'s Avatar
Senior Member with 192 posts.
 
Join Date: Apr 2003
24-Apr-2003, 08:57 AM #48
aupdate
I just noticed I only have 2 entries left for aupdate, in sys32, from the 4 I had, .trk and .conf, the other 2 are gone. Since then, I've deleted rb32, installed adaware and unchecked aupdate from msconfig. I just now checked aupdate for startup in msconfig and when the machine booted, a Microsoft update download showed up. Coincidence? The other 2 aupdate files that I had several days ago are gone.

So I guess the question is: is aupdate bad or good?
Bruce I.'s Avatar
Senior Member with 192 posts.
 
Join Date: Apr 2003
24-Apr-2003, 05:38 PM #49
aha !
So it seems that adaware quarantined 2 of those aupdate files, the 2 that are left I'm guessing are legit....
forenplayer's Avatar
Junior Member with 2 posts.
 
Join Date: Apr 2003
24-Apr-2003, 06:16 PM #50
this worked for me
1. press ctrl/alt/del to get Task Manager in XP or the list of programs running in Win95/98
2. highlight rb32 and aupdate.exe if there and end their process/task
3. delete the rb32 folder from root directory (usually c:\program files/rbg32). If it doesn't let you, you haven't ended them running as instructed above, so try again.
4. Go to Start>Run>regedit and do a search for rb32 in the registry. Delete it (I only had one).
5. Go to Start>Run>msconfig (XP and 98 only) and uncheck aupdate, also the blank entry beneath or above it, and rb32, click apply.
6. Reboot and it's gone!

Then ran jv16 registry cleaner, now it's gone altogether.
forenplayer's Avatar
Junior Member with 2 posts.
 
Join Date: Apr 2003
24-Apr-2003, 06:28 PM #51
Any idea how these files get in? Can I get it just by surfing the net? Or has to be something I agreed to install in my PC?
wolfe26's Avatar
Junior Member with 5 posts.
 
Join Date: Apr 2003
Location: California
24-Apr-2003, 11:06 PM #52
aupdate
Why do people insist on posting the same solution to the same problem in the same thread over and over again?

Bruce,

the aupdate you need to worry about seem to have kind of a torch icon beside them.


"If you build it... They will come..."
johnnypoopoo's Avatar
Junior Member with 13 posts.
 
Join Date: Apr 2003
25-Apr-2003, 12:31 AM #53
hi
I did everything you guys said, and thanks for the help, I can't get rid of ISTbar in my IE bar, thanks
HallMarc's Avatar
Junior Member with 4 posts.
 
Join Date: Apr 2003
25-Apr-2003, 05:34 PM #54
OK my first question is why are you messing around? Go to http://tds.diamondcs.com.au/ and get the free trial version plus a couple of other goodies. Sorry Mac and everyone else; Windows platforms only. This is how I found my aupdate and rb32 both of which are now completely gone. Wasn't hard either. I don't know what either of them do except they slowed down my laptop a lot.
I would do this though:
1) shut them down
2) remove them from the registry
3) remove them from wherever else they may be
tada gone
johnnypoopoo's Avatar
Junior Member with 13 posts.
 
Join Date: Apr 2003
25-Apr-2003, 05:43 PM #55
In my IE bar it says ISTbar, is that a part of this spyware?
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
26-Apr-2003, 05:29 AM #56
Re: Re: Re: rb32 still there and aupupdate unknown
Quote:
Originally posted by The FiShMaN:
Sorry Tony but that AUPDATE.EXE does load from SYSTEM32 DIR in Win2K.. It is a file from Symantec Corp. It's the Live Update part of the prog.. Thought you may want to know that since you may not be familiar with Win2K as much as you are with XP.
This particular Aupdate.exe is a baddy. No legitimate Symantec Aupdate.exe loads at startup this way.

As a matter of fact, I got hold of the file, and reported it.

As a result, Ad-Aware is now targeting it, and it also has been included into the SpyBot S&D beta updates.

I sent it to Andrew Clover to be analyzed, and he came back with the following:

"I'm calling this 'AUpdate'. It is distributed by 'searchbarcash.com', who
run the usual dastardly webmaster affiliate scheme to get it loaded; the
company name given at that site is 'CDT Inc.'.

CDT also run poortals my-internet.info and blazefind.com, which have links
to install pages for AUpdate.

The class ID used by its ActiveX drive-by installer is good old:

018B7EC3-EECA-11D3-8E71-0000E82C6C0D

as used by C2/lop and any number of dialler installers. What is it with
this class ID, was it used as an example in Commercial Malware For Dummies
New Second Edition or something?

The file loaded by this is described as 'IE Plugin' but it's not the same
as the parasite known as 'IEPlugin'. Its path is:

http://public.searchbarcash.com/soft...1.0b//0001.cab

which is signed 10th April 2003 and contains an executable ie_plugin.exe.
This drops aupdate.exe and aupdate.conf into the System[32] folder.
aupdate.exe is added to HKLM...Run under the name 'AutoUpdater'.
aupdate.conf contains, I believe, the URL aupdate.exe will connect to,
but it's in an encoded form; looks crackable but I can't be bothered.

aupdate.exe fetches sequentially numbered executable files:

http://www.my-internet.info/updates/upgrade1.exe
http://www.my-internet.info/updates/upgrade2.exe
...

and stops when it gets a 404. It stores the next number to try in the file
aupdate.trk also in the System[32] folder, and presumably tries it again later.
At the moment, upgrades 1 to 3 are available; I'll keep an eye on upgrade4.exe
to see if anything else is installed. The 'upgrades' are:

1: An uninstaller for AUpdate. Adds 'aupdate_uninstall.exe' and 'M01' to
the System[32] folder, and sets up an Uninstall entry for Add/Remove
Programs under the name 'MS AUpdate'.

2: An IE toolbar, using shdocvw.dll to add an HTML page as a toolbar, namely

http://public.searchbarcash.com/bars...ftware_id=0001

This page often triggers pop-up ads. It also hijacks the homepage, to:

http://public.searchbarcash.com/home...ftware_id=0001

The class ID used for the toolbar is:

69550BE2-9A78-11D2-BA91-00600827878D

which is the same as our old friend TinyBar. Indeed the method of
implementing the toolbar is exactly the same as TinyBar, and if you
look at the adjacent install files 0002.cab and 0003.cab you'll see
they contain a TinyBar installer by name. Either CDT Inc. have 'bought'
a TinyBar clone from trixscripts.com, or they have a closer connection
to Asher Nahmias. I'm calling this variant TinyBar/AUpdate."



In short, it's a baddie, and you'd do well to nuke it off your system.
Don't trust me, trust Lavasoft, SpyBot, and Andrew Clover...
__________________
Tony < - > CLSID List - A Collection of Autostart Locations
The FiShMaN's Avatar
Junior Member with 2 posts.
 
Join Date: Apr 2003
Location: California
26-Apr-2003, 06:03 AM #57
Sorry Tony if I was wrong, nobody said anything before my post about anything showing up on their taskbar or toolbar. All I know is that I was able to remove the one I had without an issue nor adverse results.. The Aupdate I have is the legit one & I was mistaken on 2000 from where it was loading from.. YOU WERE RIGHT, I WASN'T. My bad.
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
26-Apr-2003, 06:46 AM #58
Hey, no prob!

I thought of Symantec at first as well. It was only after seeing that startup location, and having a look at the file that I realized this was something quite different.
Bruce I.'s Avatar
Senior Member with 192 posts.
 
Join Date: Apr 2003
26-Apr-2003, 07:26 AM #59
Still have...
After using the adaware with latest definitions and unchecking aupdate in msconfig, I still have aupdate.conf and .trk in sys32. They have a Windows logo, shall I delete them? It is no longer in HijackThis though....
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
26-Apr-2003, 07:34 AM #60
You can delete the aupdate.exe file in System32. It's your Blaze Find hijacker.


Not sure what you mean by *.trk, though...
All times are GMT -5.