XP registry


2024T3
04-24-2003, 09:38 AM
Hi all, kind of new to all this so look past my lack of industry vocabulary.

I had something install itself on my computer which put a file in my startup folder to display an ad-banner on startup. It actually was part of a program that got installed. I removed the program through add/remove, but this remained in my startup. I ran Ad Aware. It removed a bunch of other files, but missed some. I used regedt32.exe to remove other spyware/malware junk. Everything is ok, running stable. But I cannot remove this file from my registry "C:\Program Files\rb32\rb32.exe". I choose it and select delete from edit and the file name disappears until I close the editor. I run msconfig and the file is still there in the startup folder. I then go back into the editor and the file is there again. I can't get rid of this thing. I know I could just uncheck the box and select another startup option, but it's the principle of the thing! I didn't ask to have this thing installed in my computer and I don't want it there. Any help would be appreciated.

mjc
04-24-2003, 09:56 AM
Grab HijackThis (http://www.spywareinfo.com/~merijn/) (tutorial (http://www/tomcoyote.org/hjt)) and post the log and the StartupList log here.

I will try to get more info on that file later....the place where it resides is currently undergoing a server relocation, so I don't have access to it.

Here is some more info...http://www.doxdesk.com/parasite/RapidBlaster.html

Budfred
04-24-2003, 09:59 AM
Welcome to http://www.pcguide.com/ubb/pcgubb.gif

For someone who isn't that familiar with the lingo you sure seem to use it well....:)

First question: Are you saving the Registry before you close it? If so it suggests that you still have another program that is reinstalling that file/banner. It might be worthwhile to download Spybot Search & Destroy and run both that and AdAware again with updates....

I would also download the trial version of Trojan Hunter and run it. You might also want to run Hijack This and Startup, then post the logs here to get help sorting out whatever might be causing the hassle. You can get these programs through mjc's security link here:

http://www.pcguide.com/vb/showthread.php?s=&threadid=15179

Edit: mjc got here first.....:rolleyes: :)

mjc
04-24-2003, 10:05 AM
RapidBlaster(rb32) is a known parasite, with known removal issues...

2024T3
04-24-2003, 12:58 PM
Thanks guys. Looks like I have to do some more reading. Maybe I couldn't delete that file because it is a required system file that was just associated with the malware? I see the rapid blaster comment. That's probably it. I noticed the ad installs when I launch my browser not upon boot. I just can't figure out what it's called so I can't remove it. I keep getting attempted hijack messages with it in Ad aware. I'll have to go get spybot and see what it finds. Thanks again for the suggestions. I'm an out of work airline mechanic taking certification classes. I've passed A+ hardware, software maybe in a couple weeks. After that MCSE and CCNA. Hopefully the world economies come back and people start flying again. Then I'll go back to work and continue with the IT on a contract basis for experience and maybe make the move to strictly IT down the road. Just a draft plan, playing it as I go:) Thanks again for the suggestions!

2024T3
04-24-2003, 01:05 PM
Here's the list:

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\MSI\Live Update 2\LMonitor.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\WINDOWS\System32\desk98.exe
C:\WINDOWS\System32\Ltmoh.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\DOCUME~1\\APPLIC~1\obrckeee.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\iM Networks\iM Radio Tuner\iM_Tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\DOCUME~1\glen\LOCALS~1\Temp\Lrq1.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\rb32\rb32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\startuplist\StartupList.exe

mjc
04-24-2003, 01:14 PM
C:\Program Files\rb32\rb32.exe

That is the culprit, you need to end task on it before trying to remove it.

But the easier way would probably be to run Spybot..their server is back up so downloads and updates shouldn't be a problem.

SSD tutorial and links (http://www.tomcoyote.org/SPYBOT)

2024T3
04-24-2003, 01:16 PM
Thanks MJC I'm heading to the site now. I'm sure I'll be visiting this site often. Talk to you later.

ErnieK
04-24-2003, 03:32 PM
XP Registry and STARTUP

Do not know if this will help but

(Before trying the following remember to backup the registry.)

HKLOCAL MACHINE - SOFTWARE - MS - SHARED TOOLS - MSCONFIG - STARTUPREG

If I have remembered it correctly this will take you to the items listed in the startup. Just delete anything there that you do not want.
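Putting mjc's advice above (end the task first, then remove the entry) and the msconfig key Ernie cites into one script, as an added example that is not from the thread. It assumes PowerShell 2.0 or later run as Administrator; the default path is the one from this thread, and the -Remove switch is my own illustrative name (without it the script only reports). On XP, msconfig's Startup tab reads the Run keys and the two Startup folders; the Shared Tools\MSConfig\startupreg and startupfolder keys hold only items that have been unchecked in msconfig, which is why that key reads as an empty default value when nothing has been disabled. The script scans before and after removal, because a Run value that "comes back" after you close the registry editor is usually being rewritten by the still-running process.

```powershell
# Added example, not from the thread. Finds every startup reference to an executable,
# optionally ends the process, removes the references and the file, then re-scans.
# Assumes PowerShell 2.0+ run as Administrator. $Target defaults to the path in the
# thread; -Remove is an illustrative switch name; without it the script only reports.
param(
    [string]$Target = 'C:\Program Files\rb32\rb32.exe',
    [switch]$Remove
)

# Active autostart locations msconfig's Startup tab reads on XP, plus the keys where
# msconfig parks items that have been unchecked (one subkey per disabled item).
$RegistryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

function Find-RegistryReferences {
    param([string]$Path)
    $hits = @()
    foreach ($root in $RegistryKeys) {
        if (-not (Test-Path $root)) { continue }
        # The key itself plus any subkeys (MSConfig keeps one subkey per disabled item).
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                # Case-insensitive substring match: values may carry quotes or arguments.
                if ($data -and $data.ToLower().Contains($Path.ToLower())) {
                    $hits += New-Object PSObject -Property @{ Key = $k.PSPath; Name = $name; Data = $data }
                }
            }
        }
    }
    return $hits
}

function Find-StartupShortcuts {
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    $hits = @()
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($lnk in Get-ChildItem $folder -Filter *.lnk -ErrorAction SilentlyContinue) {
            $targetPath = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($targetPath -and $targetPath.ToLower() -eq $Path.ToLower()) { $hits += $lnk.FullName }
        }
    }
    return $hits
}

function Show-References {
    param([string]$Path)
    $reg = @(Find-RegistryReferences $Path)
    $lnk = @(Find-StartupShortcuts $Path)
    foreach ($h in $reg) { Write-Host ("registry  {0} -> {1} = {2}" -f $h.Key, $h.Name, $h.Data) }
    foreach ($l in $lnk) { Write-Host ("shortcut  {0}" -f $l) }
    if ($reg.Count -eq 0 -and $lnk.Count -eq 0) { Write-Host "no startup references to $Path" }
    return ($reg.Count + $lnk.Count)
}

Write-Host "== Before =="
[void](Show-References $Target)
if (-not $Remove) { return }

# 1. End the process first: a running parasite re-creates its Run entry as soon as it
#    is deleted, which is why the value "comes back" after closing the registry editor.
Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath -eq $Target } |
    ForEach-Object { Write-Host "terminating PID $($_.ProcessId)"; [void]$_.Terminate() }
Start-Sleep -Seconds 2

# 2. Remove the references. Disabled-item entries under MSConfig are whole subkeys.
foreach ($h in @(Find-RegistryReferences $Target)) {
    if ($h.Key -match '\\Shared Tools\\MSConfig\\') { Remove-Item -Path $h.Key -Recurse -Force }
    else {
        $name = if ($h.Name -eq '') { '(default)' } else { $h.Name }
        Remove-ItemProperty -Path $h.Key -Name $name
    }
}
foreach ($l in @(Find-StartupShortcuts $Target)) { Remove-Item -Path $l -Force }

# 3. Remove the file itself, then re-scan: if anything comes back, another program
#    is reinstalling it and the search has to widen (HijackThis / Spybot logs).
if (Test-Path $Target) { Remove-Item -Path $Target -Force -ErrorAction SilentlyContinue }
Write-Host "== After =="
[void](Show-References $Target)
```

Run it once without -Remove to see every place the executable is referenced, then with -Remove. If the "After" scan still lists a reference, the entry is being re-created by something other than the process you just ended, and the HijackThis and StartupList logs the thread asks for are the next place to look.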

2024T3
04-24-2003, 11:04 PM
Just got in from class tonight. I got that banner destroyed by spybot so I'm good to go, but I'll check that out Ernie. That's good to know and file away.

ErnieK
04-25-2003, 05:21 PM
2024
Did you follow it through? have I remembered it correctly?

Have it written down but as usual put it in safe place and cannot find it. :D

2024T3
04-26-2003, 02:02 AM
Ernie, I followed the path you listed. When I got to startup inside the folder it just listed Name:default Type:REG_SZ Data:Value not set.

ErnieK
04-26-2003, 06:51 AM
I will look out correct instructions and let you know