Topic: IMPORTANT: RapidBlaster Parasite warning!
« on: June 08, 2003, 10:46:04 »
Tony Klein (Global Moderator)

The most recent variants of the RapidBlaster parasite ( http://www.doxdesk.com/parasite/RapidBlaster.html ) will "morph" themselves to evade detection. Periodically, RapidBlaster will download data from its controlling server that contains a new folder and filename. It will then copy itself to that folder, terminate the original process, delete the original file, and run the new file in the new location.

Since the folder and filenames that RapidBlaster uses are randomly sent from the server, and are not contained within the executable itself, it is very easy for the makers of RapidBlaster to simply update the list of folders/filenames that RapidBlaster uses. Thus, looking for the following folders/filenames should not be the only method of detection, and will not guarantee a RapidBlaster-free system.

The following is an incomplete list of RB file names that have been spotted so far:

- rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)
- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)
- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)
- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)
- Icon lptt01 = icon.exe (In an "Icon" folder in Program Files)
- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)
- aimaol lptt01 = aimaol.exe (In an "Aimaol" folder in Program Files)
- nvd32 lptt01 = nvd32.exe (In a Program Files\NvidStar directory)
- syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)
- winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)
- taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)
- Microfinder lptt01 = mcf.exe (In a "MicroFinder" folder in Program Files)
- winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)
- yahoo_toolbar lptt01 = yahoo_toolbar.exe (In a "yahoo_toolbar" folder in Program Files)
- Surfer lptt01 = surfer.exe (In a "mssurfer" folder in Program Files)
- Dkware lptt01 = dkware.exe (In a "DonkeySoft" folder in Program Files)
- Kazaa lptt01 = kazaa.exe (In a "kazaa" folder in Program Files)
- Explorer lptt01 = explorer.exe (In an "explorer" folder in Program Files)
- Newsgroup lptt01 = newsgroup.exe (In a "newsgroup" folder in Program Files)
- Spool lptt01 = spool.exe (In a "spool" folder in Program Files)
- Msconfig lptt01 = msconfig.exe (In a "msconfig" folder in Program Files)
- Adaware lptt01 = adaware.exe (In an "adaware" folder in Program Files)
- iexplorer lptt01 = explorer.exe (In an "iexplorer" folder in Program Files)
- Syslog lptt01 = Syslog.exe (In a "Syslog" folder in Program Files)
- Spybott lptt01 = Spybott.exe (In a "Spybott" folder in Program Files)
- efaxs lptt01 = efaxs.exe (In an "efaxs" folder in Program Files)
- win32_i lptt01 = win32_i.exe (In a "win32_i." folder in Program Files)



Javacool of Javacoolsoftware fame has reacted with great speed, and issued a RapidBlaster killer, which will find any RapidBlaster variants on your system, will kill the process, and delete the Registry Run entry.

Once the process has been terminated, find the program's folder in Program Files, and simply delete it!

Read about it here: http://www.wilderssecurity.net/specialinfo/rapidblaster.html
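A small check for the indicators listed in the post above, added here as an example (it is not the forum's code and not RBKiller): it matches a dump of Run value names against the posted names and against the " lptt01" suffix every posted name shares, which also catches names the server hands out later, and separately looks for the posted folder/exe pairs under Program Files so that a leftover folder is found even when the Run entry is already gone. The Run dump, the Program Files listing and the "winupd" name are constructed for the example.

```python
"""Triage helper for the RapidBlaster indicators listed in the post above (added
example, not the forum's or RBKiller's code; all sample inputs are constructed)."""
import re
from pathlib import PureWindowsPath

# (Run value name, executable, folder under Program Files): a subset of the post's list
KNOWN_VARIANTS = [
    ("rb32 lptt01", "rb32.exe", "RapidBlaster"),
    ("realplay lptt01", "realplay.exe", "RealPlay"),
    ("spybott lptt01", "spybott.exe", "Spybott"),
    ("adaware lptt01", "adaware.exe", "adaware"),
    ("iexplorer lptt01", "explorer.exe", "iexplorer"),
]
# Every name in the post ends in "lptt01" ("lppt01" once), so the suffix is a usable signature
SUFFIX_RE = re.compile(r"\s(lptt01|lppt01)$", re.IGNORECASE)
PROGRAM_FILES = PureWindowsPath(r"C:\Program Files")

# Constructed sample: a legitimate quoted Run value, one listed variant, one unlisted name
RUN_DUMP = {
    "QuickTime Task": r'"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime',
    "spybott lptt01": r"C:\Program Files\Spybott\spybott.exe",
    "winupd lptt01": r"C:\Program Files\Winupd\winupd.exe",  # made-up name, not on the list
}
PF_LISTING = [
    r"C:\Program Files\Spybott\spybott.exe",
    r"C:\Program Files\WinZip\WINZIP32.EXE",
    r"C:\Program Files\RapidBlaster\rb32.exe",
    r"C:\WINDOWS\EXPLORER.EXE",
]

def exe_of(command_line):
    """Executable path in a Run value: a quoted path, else everything up to the first .exe."""
    m = re.match(r'"([^"]+)"|(\S.*?\.exe)(?:\s|$)', command_line.strip(), re.IGNORECASE)
    return PureWindowsPath(m.group(1) or m.group(2)) if m else PureWindowsPath(command_line.strip())

def check_run_values(run_values):
    """Return (value name, exe path, reason) for Run values that match the indicators."""
    known = {name.lower() for name, _, _ in KNOWN_VARIANTS}
    hits = []
    for name, cmd in run_values.items():
        reason = ("name listed as a RapidBlaster variant" if name.lower() in known
                  else "unlisted name with the lptt01 suffix" if SUFFIX_RE.search(name) else None)
        if reason:
            hits.append((name, str(exe_of(cmd)), reason))
    return hits

def check_program_files(paths):
    """Flag listed folder/exe pairs even if the Run entry is gone (Reply #7: folder left behind)."""
    wanted = {(folder.lower(), exe.lower()) for _, exe, folder in KNOWN_VARIANTS}
    hits = []
    for p in map(PureWindowsPath, paths):
        rel = p.relative_to(PROGRAM_FILES).parts if p.is_relative_to(PROGRAM_FILES) else ()
        if len(rel) == 2 and (rel[0].lower(), rel[1].lower()) in wanted:
            hits.append(str(p))
    return hits
```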

« Reply #1 on: June 08, 2003, 12:35:08 »
Darkside (Jr. Member)

AHHHGGG!
Surely this behaviour is enough to get them targeted by anti virus software!
« Reply #2 on: June 08, 2003, 12:43:43 »
Tony Klein (Global Moderator)

Yeah, most of the Antivirus and antitrojan vendors are already branching out to include dialers and some spyware anyway...

I've already submitted the RB installer to DiamondCS, BOClean, ESET, Kaspersky and Gladiator Antivirus myself.

« Reply #3 on: June 10, 2003, 14:38:22 »
Jackb (Full Member)

New one:

- spybott lptt01 = spybott.exe (In a "Spybott" folder in Program Files)
« Reply #4 on: June 10, 2003, 22:00:12 »
Tony Klein (Global Moderator)

Excellent news:

RapidBlaster Killer has been updated, and is now at v. 1.3

New features:

It will not only terminate the task and remove the run entry, but also give the user the option of exiting (not the default choice) or proceeding to delete the file(s) and clean up.

So the program can now:

- Delete the RapidBlaster file(s)/folder(s).
- Delete the Uninstall entry/entries.

No need to do any additional manual cleaning.
In short: it will delete ALL of this new version of RapidBlaster, and at present it's the only application which does!


RB Killer 1.3 download:

http://www.spywareinfo.com/downloads/rbkil...er/rbkiller.exe
or
http://www.wilderssecurity.net/downloads/rbkiller.exe

The webpage:  http://www.wilderssecurity.net/specialinfo...pidblaster.html

« Reply #5 on: June 23, 2003, 04:00:22 »
Anonymous (Guest)

What the hell is this spybott? Is it ruining our computer? Tell me please.

peace
« Reply #6 on: June 23, 2003, 04:05:30 »
Tony Klein (Global Moderator)

spybott.exe (just like adaware.exe) is one of the many names this new version of RapidBlaster uses to disguise itself.

Download that RapidBlaster killer and run it.
It will completely remove this pest from your system.

« Reply #7 on: July 06, 2003, 15:39:31 »
Anonymous (Guest)

I have Spybott in my Program Files folder and have been getting random pop-ups and programs installed, so I downloaded the RB Killer, but it's saying no Rapid Blaster programs found. I uninstalled it, but it's still there, and I'm afraid to just delete the program.
Any ideas?
My computer has been running extremely slow lately too.
Thanks!!
« Reply #8 on: July 06, 2003, 16:09:33 »
Tony Klein (Global Moderator)

Please do the following:

First restart your computer.
Now go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

« Reply #9 on: July 07, 2003, 08:32:58 »
Anonymous (Guest)

OK, here goes:

Logfile of HijackThis v1.95.0
Scan saved at 12:30:57 PM, on 7/7/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\DESKTOP\TORI MIX\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.clickyestoenter.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.xrenoder.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://search.xrenoder.com
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.freepagecounter.com/best_sex_shows.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

_______________
I did download and run Spybot last night and it seems to have helped.  Those odd programs like "Spybott" are still there though.
Thank you again!
« Reply #10 on: July 08, 2003, 12:33:02 »
Tony Klein (Global Moderator)

Download and run Javacool's RapidBlaster killer: http://www.wilderssecurity.net/downloads/rbkiller.exe
It's at present the only application that will effectively remove this pest!

Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, and remove the file itself.

Next, in Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Then shut down all browser windows, and have HT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.free64all.com/tgp/out.php3?l=207
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.clickyestoenter.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://search.xrenoder.com

R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL

O1 - Hosts: 193.125.201.50 ie.search.msn.com

O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SCBAR\V1\SCBAR.DLL

O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.freepagecounter.com/best_sex_shows.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -



Now restart your computer, and delete the entire C:\PROGRAM FILES\SCBAR folder.

Cheers,
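The moderator's triage of the posted log, written out as an added example (it is not part of the thread and not HijackThis code): it flags R0/R1 start and search pages whose host is not on a small trusted list, any O1 hosts-file override, and O16 ActiveX downloads from untrusted hosts. The trusted-host list is an assumption for the example; the sample lines are a subset of the log posted in Reply #9.

```python
"""Triage of the HijackThis R0/R1, O1 and O16 lines the moderator asked to fix
above (added example, not part of the thread or of HijackThis). The trusted-host
list is this example's own assumption."""
import re
from urllib.parse import urlsplit

# Hosts a reviewer would accept for a start page or ActiveX download (assumption)
TRUSTED_HOSTS = {"www.aol.com", "download.macromedia.com", "apple.speedera.net"}
# R0/R1 lines look like: "R1 - <registry key>,<value name>=<data>"
R_LINE = re.compile(r"^(R[01]) - (.+?),([^=]+)=(.*)$")

# Subset of the log posted in Reply #9, same line format as HijackThis 1.95
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.free64all.com/tgp/out.php3?l=207",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.xrenoder.com",
    r"O1 - Hosts: 193.125.201.50 ie.search.msn.com",
    r"O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab",
    r"O16 - DPF: {0CEC7E32-884C-11D4-86EC-00105AD18ACB} (DFRun Class) - http://www.gator.com/download/1800/iegator.cab",
]

def host_of(value):
    """Host of an http(s) URL; '' for about:blank, local files and anything else."""
    parts = urlsplit(value.strip())
    return parts.netloc.lower() if parts.scheme in ("http", "https") else ""

def triage_hjt(lines, trusted=TRUSTED_HOSTS):
    """Return (section, host or name, reason) for lines a reviewer should look at."""
    findings = []
    for line in lines:
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            host = host_of(m.group(4))
            if host and host not in trusted:
                findings.append((m.group(1), host, f"IE {m.group(3).strip()} points at an untrusted host"))
        elif line.startswith("O1 - Hosts:"):
            # A hosts-file entry pins a name to an IP; the posted log had one for ie.search.msn.com
            findings.append(("O1", line.split()[-1], "hosts-file override of a name"))
        elif line.startswith("O16 - DPF:"):
            host = host_of(line.rsplit(" - ", 1)[-1])
            if host and host not in trusted:
                findings.append(("O16", host, "ActiveX control downloaded from an untrusted host"))
    return findings
```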

« Reply #11 on: July 12, 2003, 18:14:20 »
Anonymous (Guest)

Thanks so much for the info. It seems to be better for now.
« Reply #12 on: July 13, 2003, 00:20:17 »
Tony Klein (Global Moderator)

You're welcome.

« Reply #13 on: July 13, 2003, 21:22:04 »
thedeepwebber (Guest)

Dear Whazit Portal Team,

Firstly, let me congratulate you all for the excellent work that you are doing for the visitors to your website and for the web community in general.

I am sure each one of you has a contribution in it, however minor it may seem, and therefore each one of you deserves a piece of that accolade. You have all worked long and hard to deserve it.

This is in relation to one particularly nifty tool which is credited to your creativity and genius.

It's the Whaimager utility. I am sure it is one of those things that you would like to carry to your very graves.

There is one particular information that I seek from you, if you will kindly forward it to me over Email.

May I request you for the names of the "mummy's" of your entire team.

This is because I have a particularly interesting Christmas gift for all your mothers in mind; it's a sort of gratitude for your great work. A small reciprocation from the user community.

I haven't told you, because it could sound irrelevant, but I own a piggery up here in India. We have got about 200 of them here. Enough, like many grannies have said before.

The computer thing is just one of the things that I do, but it's mainly the pigs.

I have noticed on several discrete occasions that my pigs have an affinity for older women and will mount one easily if laid bare before them.

It's just that I want to organise an occasion for your mummies and my pigs to get to know each other better. I am sure it will be a lovely Christmas for all of them. If some of you have already lost your moms, well! It's my pigs who will miss them, but never mind... you can still send the names in.

Thanking you,

Yours sincerely,

Abhijit, India.

PS: This is the first name that has already come in..

I got it from register.com by a whois on whazit.com

Its Mrs WMS
 c/o Godaddy softwares.

We are passing this information to the respective user foras on the Internet, so that some of us actually pass on some floral tribute to your offices, premises.

Mrs WMS, I must tell you.. you must see the look in each one of my pigs at the thought of you.
« Reply #14 on: July 13, 2003, 23:49:51 »
Tony Klein (Global Moderator)

Very interesting!

However, are you absolutely certain you posted in the right forum?
Are you absolutely certain you didn't intend to post here instead? :

http://www.prep4usmle.com/community/viewforum.php?f=43

 