win32/worm blasterSolved/Closed

Question

Hello, 



I had a message on spyware protection come up saying I had win32 worm blaster virus and upgrade to stop threat. 

I didn't upgrade as it seemed a bit dodgy.

Im running on PC windows xp.

I can't boot in safe mode and I cant run any .exe programms. I cant even run system restore. I cant download any programmes to stop it as they dont open. The only thing I can do is use internet explorer. 

Any ideas welcome please

jonboy2011 · Accepted Answer

I got the original message from spyware protection  it looks like a shiled divided into our with blue red green and yellow. I came up win32/worm blast and started scanning my computer. Do you want me to do a scan with it again it seems to be the only thing that works other than internet explorer

Ambucias · Answer

Dear Jonboy,

Looks like it's not win32 worm blaster but a disguised scam as we frequently see.  It's actually a rogue trojan horse running loose in the stable.

You have access to internet explorer, so you should be able to access the rogue killer tool.

Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it. 

Please follow the following procedure carefully and to the letter. 

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning. 

You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever. 

To kill the processes: 

1. Download to your desktop and run Rogue Kill: 

https://download.bleepingcomputer.com/grinler/rkill.com 

2. You should now see a window that shows all of your desktop icons, including the rkill.com program. 

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running. 

As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you! 

Download to your desktop Malwarebyte. 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ 

Once on your desktop, we must still outwit the virus. 

Right click on the MBAM icon and click on rename. Rename it kioskea.exe. 

Install Malwarebyte and launch it. From the second tab, update it. 

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found. 

It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".

Once your computer is clean and working normally just to be on the safe side 
*Turn off system restore and wait 30 seconds, 
*Turn it back on and create a new restore point. 

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed. 
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process. 
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging. 

(Malwarebyte may reboot your computer, don't be alarmed. Should it happened, relaunch Malwarebyte to complete the FULL scan) 

Once all this is completed, I always suggest to delete Malwarebyte as some people have reported that it may interfere with other antivirus applications. 

Please let us know about the results or I may throw a curse on your system which will cause to bark all the time.:)))

Best regards

jonboy2011 · Answer

Problem is I cant run anything .exe 

When downloading roguekill i even downloaded the other type extension files .scr .com but they wouldnt work either

Ambucias · Answer

Stand by while I search my data base.  You do have a worm not a trojan.

We must end some running processes as the virus, to protect itself will prevent the running of some exe.

See you in a minute or 2

jonboy2011 · Answer

Okay mate thanks your a star

Ambucias · Answer

Follow these steps to download and run the tool:

Download the FixBlast.exe file from: 

https://www.broadcom.com/support/security-center

Save to your Windows desktop.

Connect any removable USB devices which may be infected, ie pendrive, flash driver, etc.

Close all the running programs.

If you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Turn off System Restore. 

Locate the file that you just downloaded.

Double-click the FixBlast.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does nor appear to remove the threat, restart the computer in Safe mode and run the tool again.


Restart the computer.
Run the removal tool again to ensure that the system is clean.
then reenable System Restore.

 Reconnect the computer to the network or to the Internet connection.

Run LiveUpdate to make sure that you are using the most current virus definitions.


When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

Total number of the scanned files
Number of deleted files
Number of repaired files
Number of terminated viral processes
Number of fixed registry entries


What the tool does
The Removal Tool does the following: 

Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat


Switches
The following switches are designed for use by network administrators:
/HELP, /H, /? 
Displays the help message.
/NOFIXREG 
Disables the registry repair (We do not recommend using this switch).
/SILENT, /S 
Enables the silent mode.
/LOG=[PATH NAME] 
Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixBlast.log, in the same folder from which the removal tool was executed.
/MAPPED 
Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START 
Forces the tool to immediately start scanning.
/EXCLUDE=[PATH] 
Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
/NOCANCEL 
Disables the cancel feature of the removal tool.
/NOFILESCAN 
Prevents the scanning of the file system.
/NOVULNCHECK 
Disables checking for unpatched files.

jonboy2011 · Answer

No good mate I dled the file. Pluged in a usb pendrive. Turned off the itnernet. Turned of system restore. Double click the fixblast file and its just dissapears again as before ?

Ambucias · Answer

Excrement!

That takes the cake!

alt+crtl+delete

Click on the process tab

Can you spot any strange looking processes, some may be numerical, one may say hotfix, or any other that you encounter?

Ambucias · Answer

Jonboy

The process might be called Msblast

jonboy2011 · Answer

I cant do crt alt delete is dissappeard strainght away

jonboy2011 · Answer

I see it for a second then its gone

Ambucias · Answer

Yikes! We have a huge problem in our hands

When you got the message did it come from your antivirus?

When you got the message about win32 worm blaster, was there any other caracters naming the worm such as Win32 blasterA or blaster msblashH or any other?

I am trying to pinpoint the type of worm so that I get to know how to attack it by surprise from the rear flank and splash it with jet fuel.

jonboy2011 · Answer

backdoor.win32.scrabp
trojan downloader win32/bredolab
mal/generic -a trojan agent
w32.blaster.worm
w32/child-porn.proxy/server
email-worm.brontok

I say its ound 26 critical virus

Ambucias · Answer

This spyware protection is it part of your antivirus?  What is you antivirus?

Ambucias · Answer

If you

Click Start, click Run, type cmd in the Open box, and then click OK.
At the command prompt, type dir %systemroot%\system32\filename.ext /a /s, and then press ENTER, 

do you see any files where filename.ext is :

Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll. ?

jonboy2011 · Answer

When i type that in it say : Windows cannot find dir

My antivrus was AVG

jonboy2011 · Answer

SORRY open run type cmd you see the little black screen then it dissapears

Ambucias · Answer

Looks it's not just a blaster worm because in most instances, that type of worm would keep restarting your system.

Do you have access to explorer?

Do you have a pendrive?

jonboy2011 · Answer

Yes I have a pendrive and I have explorer

Ambucias · Answer

Well, this is positive news!

If we get your system back in shape, would it be possible for you to get me an invitation to the Royal Wedding, or at least have the opportunity to have tea and cucumber sandwiches with the new royal couple?

I will be back in 5

Win32/worm blaster

38 responses

Similar discussions

Subscribe To Our Newsletter!