spybot question for rb32.exe

Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
16-Apr-2003, 06:57 AM #1
spybot question for rb32.exe
Saw a post here about using Spybot to get rid of rb32.exe. I've run it but it's still sitting there in my program files and won't be deleted. When I first noticed this yesterday, I uninstalled it from control panel but it's still doing its thing, trying to access out.

Any suggestions?

Thanks, Bruce
Last edited by Bruce I. : 16-Apr-2003 07:48 AM.
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
16-Apr-2003, 11:43 AM #2
Download HijackThis. Unzip, run, "scan", "scan" becomes "save log". Save the log and copy and paste the HijackThis log in your next post.

Do not fix anything in HijackThis. Most of the entries will be harmless.
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
16-Apr-2003, 07:44 PM #3
My log...thanks
I assume the rb32 entry needs to go?

Logfile of HijackThis v1.93.0
Scan saved at 7:39:53 PM, on 4/16/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.rr.com/v5/home/0,1793,92,00.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...625.3087037037
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
16-Apr-2003, 08:02 PM #4
Yup.

Scan with HT, "Fix" the following entry, reboot.

Your log is otherwise clean.

O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
17-Apr-2003, 03:10 AM #5
I have a question about this one:

O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe

Aupdate.exe is a Norton file, but I've never seen it in Startup this way.

Would you please go to C:\WINNT\System32, find aupdate.exe, and right-click it.

Choose "Properties". Is it a Symantec file?
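
The review done in posts #4 and #5, reading the O4 autostart lines of a HijackThis log, as an added example that is not part of the original thread. The function names `parse_o4` and `review_notes` and the two triage rules are assumptions made for illustration, not HijackThis behaviour; the sample lines are copied from the log posted above.

```python
import ntpath
import re

# O4 (autostart) lines copied from the log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKCU\..\Run: [AutoUpdater] C:\WINNT\System32\aupdate.exe
O4 - Global Startup: OptiCAL Startup.lnk = C:\Program Files\PANTONE COLORVISION\OptiCAL\OptiCAL.exe
'''

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
STARTUP_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.+)$')
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd))(?=\s|$)', re.I)

def parse_o4(log):
    """Return one dict per O4 line: source, name, full command, executable path."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            source, name, command = f"{m.group(1)} {m.group(2)}", m.group(3), m.group(4)
        else:
            m = STARTUP_RE.match(line.strip())
            if not m:
                continue  # not an O4 line
            source, name, command = m.groups()
        exe = EXE_RE.match(command)  # handles quoted paths and unquoted paths with spaces
        path = (exe.group(1) or exe.group(2)) if exe else command
        entries.append({"source": source, "name": name, "command": command, "exe": path})
    return entries

def review_notes(entry):
    """Assumed triage rules for a human reviewer; they flag, they do not convict."""
    notes = []
    folder = ntpath.dirname(entry["exe"]).lower()
    if not folder:
        notes.append("no full path: confirm which file the search path resolves to")
    if entry["source"].startswith("HKCU") and folder.endswith("\\system32"):
        notes.append("per-user Run key starting a file in the system directory: check file properties")
    return notes

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f'{e["source"]:<16} {e["name"]:<30} {e["exe"]}')
        for n in review_notes(e):
            print("    review:", n)
```

A flagged entry only means "look at the file", as in the request above to check the Properties of aupdate.exe; an unflagged entry such as rb32 can still be unwanted.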
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
17-Apr-2003, 08:06 AM #6
rb32 still there and aupdate unknown
Top Banana, I've run HT and fixed that rb32 but it's still there after a reboot... I'll try again, just did, same thing.

Tony, there is no program associated with aupdate, unknown app. Also there are 4 files, .conf, .trk, the app and an uninstall all. Should I click the app to see what it does or....?

Thanks

Additional info! Just ran msconfig, startup (win 2k) and rb32 is there and checked. It says C:\Program files\rb32...hklm\software\microsoft\current version...

Also, aupdate is there and checked, C:winnt\system 32...hkcu\software\microsoft\windows\currentversion...

Other entries that are checked are OptiCAL, which is monitor calibration that needs to be in startup, and:

mobsync
ccApp
ccRegVfy
symtray

Last edited by Bruce I. : 17-Apr-2003 08:29 AM.
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
17-Apr-2003, 08:16 AM #7
What is still there after a reboot?

The rb32.exe entry in HijackThis or Rapid Blaster in Add Or Remove Programs?
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
17-Apr-2003, 08:34 AM #8
more
See edited post above...

Also rb32 is still sitting in program files, though I had uninstalled it from control panel yesterday and tried to fix it twice with HT. It's also still seen in HT.
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
17-Apr-2003, 08:45 AM #9
I am getting more confused by the minute. Could you tell me why Spybot Search and Destroy was unable to remove RB? SSD should remove RB with no problem. Are you using SSD 1.2 fully updated?
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
17-Apr-2003, 09:15 AM #10
Well..
This is where I started, Spybot was downloaded yesterday fully updated. It did not take out rb32.exe. I uninstalled rb32 in add/remove programs but it continues to exist in C:\program files and tries to access out on the net.

Then I came to this site and started with your suggestion using HT. That brings us to where I am now. Just ran spybot again, it took out 4 threats but did not see or take out rb32. If I knew why it didn't I wouldn't be at this site (which seems to be a great resource).

I've tried to dump rb32 4 times with HT...no go
And I don't know if the info from my startup menu helps

So I'm at the mercy of you guys who have a lot more experience than me in this area...

Thanks
Bruce
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
17-Apr-2003, 09:28 AM #11
So....

1. Rapid Blaster cannot be uninstalled by Add or Remove Programs
2. SSD doesn't detect Rapid Blaster
3. HT cannot remove rb32.exe run key

I'm beat.
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
17-Apr-2003, 09:32 AM #12
Ok
But I really do appreciate your help! Thanks.

I'll take it out of startup in msconfig and see if I can do anything from there...
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
17-Apr-2003, 11:38 AM #13
Re: rb32 still there and aupdate unknown
Quote:
Originally posted by Bruce I.:
Tony, there is no program associated with aupdate, unknown app. Also there are 4 files, .conf, .trk, the app and an uninstall all. Should I click the app to see what it does or....?
I'd very much like to have a copy of that file.

It could possibly be a new baddie, and in that case a number of folks in the Spyware community would certainly want to have a look at it for analysis. Could you zip it up and send me a copy as an attachment, please?

I'll PM you with my e-mail addie.

As soon as I find out what it might be, I'll post here again.

Thanks heaps!
Bruce I.'s Avatar
Senior Member with 169 posts.
 
Join Date: Apr 2003
17-Apr-2003, 01:34 PM #14
ok
Tony, yes I'll send you those 4 files when I get back in a few hours... just send me your address.

PS to Top Banana - Now I'm freaking out because I cannot disable rb32 in msconfig, it keeps coming back!
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
17-Apr-2003, 01:44 PM #15
Thanks Bruce!

BTW, I already sent you my e-mail addie. Check your Private Messages (User Panel > Private Messaging)

About Rb32, I don't know what's happening, but Hijack This ought to remove the startup without a prob, and so should SpyBot.

You must be doing something not quite correctly...