win32/worm blasterSolved/Closed

Question

Hello, 



I had a message on spyware protection come up saying I had win32 worm blaster virus and upgrade to stop threat. 

I didn't upgrade as it seemed a bit dodgy.

Im running on PC windows xp.

I can't boot in safe mode and I cant run any .exe programms. I cant even run system restore. I cant download any programmes to stop it as they dont open. The only thing I can do is use internet explorer. 

Any ideas welcome please

jonboy2011 · Accepted Answer

I got the original message from spyware protection  it looks like a shiled divided into our with blue red green and yellow. I came up win32/worm blast and started scanning my computer. Do you want me to do a scan with it again it seems to be the only thing that works other than internet explorer

Ambucias · Answer

Dear Jonboy,

Looks like it's not win32 worm blaster but a disguised scam as we frequently see.  It's actually a rogue trojan horse running loose in the stable.

You have access to internet explorer, so you should be able to access the rogue killer tool.

Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it. 

Please follow the following procedure carefully and to the letter. 

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning. 

You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever. 

To kill the processes: 

1. Download to your desktop and run Rogue Kill: 

https://download.bleepingcomputer.com/grinler/rkill.com 

2. You should now see a window that shows all of your desktop icons, including the rkill.com program. 

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running. 

As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you! 

Download to your desktop Malwarebyte. 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ 

Once on your desktop, we must still outwit the virus. 

Right click on the MBAM icon and click on rename. Rename it kioskea.exe. 

Install Malwarebyte and launch it. From the second tab, update it. 

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found. 

It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".

Once your computer is clean and working normally just to be on the safe side 
*Turn off system restore and wait 30 seconds, 
*Turn it back on and create a new restore point. 

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed. 
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process. 
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging. 

(Malwarebyte may reboot your computer, don't be alarmed. Should it happened, relaunch Malwarebyte to complete the FULL scan) 

Once all this is completed, I always suggest to delete Malwarebyte as some people have reported that it may interfere with other antivirus applications. 

Please let us know about the results or I may throw a curse on your system which will cause to bark all the time.:)))

Best regards

jonboy2011 · Answer

Problem is I cant run anything .exe 

When downloading roguekill i even downloaded the other type extension files .scr .com but they wouldnt work either

Ambucias · Answer

Stand by while I search my data base.  You do have a worm not a trojan.

We must end some running processes as the virus, to protect itself will prevent the running of some exe.

See you in a minute or 2

jonboy2011 · Answer

Okay mate thanks your a star

Ambucias · Answer

Follow these steps to download and run the tool:

Download the FixBlast.exe file from: 

https://www.broadcom.com/support/security-center

Save to your Windows desktop.

Connect any removable USB devices which may be infected, ie pendrive, flash driver, etc.

Close all the running programs.

If you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Turn off System Restore. 

Locate the file that you just downloaded.

Double-click the FixBlast.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If you have any problems when you run the tool, or it does nor appear to remove the threat, restart the computer in Safe mode and run the tool again.


Restart the computer.
Run the removal tool again to ensure that the system is clean.
then reenable System Restore.

 Reconnect the computer to the network or to the Internet connection.

Run LiveUpdate to make sure that you are using the most current virus definitions.


When the tool has finished running, you will see a message indicating whether the threat has infected the computer. The tool displays results similar to the following:

Total number of the scanned files
Number of deleted files
Number of repaired files
Number of terminated viral processes
Number of fixed registry entries


What the tool does
The Removal Tool does the following: 

Terminates the associated processes
Deletes the associated files
Deletes the registry values added by the threat


Switches
The following switches are designed for use by network administrators:
/HELP, /H, /? 
Displays the help message.
/NOFIXREG 
Disables the registry repair (We do not recommend using this switch).
/SILENT, /S 
Enables the silent mode.
/LOG=[PATH NAME] 
Creates a log file where [PATH NAME] is the location in which to store the tool's output. By default, this switch creates the log file, FixBlast.log, in the same folder from which the removal tool was executed.
/MAPPED 
Scans the mapped network drives. (We do not recommend using this switch. See the following Note.)
/START 
Forces the tool to immediately start scanning.
/EXCLUDE=[PATH] 
Excludes the specified [PATH] from scanning. (We do not recommend using this switch. See the following Note.)
/NOCANCEL 
Disables the cancel feature of the removal tool.
/NOFILESCAN 
Prevents the scanning of the file system.
/NOVULNCHECK 
Disables checking for unpatched files.

jonboy2011 · Answer

No good mate I dled the file. Pluged in a usb pendrive. Turned off the itnernet. Turned of system restore. Double click the fixblast file and its just dissapears again as before ?

Ambucias · Answer

Excrement!

That takes the cake!

alt+crtl+delete

Click on the process tab

Can you spot any strange looking processes, some may be numerical, one may say hotfix, or any other that you encounter?

Ambucias · Answer

Jonboy

The process might be called Msblast

jonboy2011 · Answer

I cant do crt alt delete is dissappeard strainght away

jonboy2011 · Answer

I see it for a second then its gone

Ambucias · Answer

Yikes! We have a huge problem in our hands

When you got the message did it come from your antivirus?

When you got the message about win32 worm blaster, was there any other caracters naming the worm such as Win32 blasterA or blaster msblashH or any other?

I am trying to pinpoint the type of worm so that I get to know how to attack it by surprise from the rear flank and splash it with jet fuel.

jonboy2011 · Answer

backdoor.win32.scrabp
trojan downloader win32/bredolab
mal/generic -a trojan agent
w32.blaster.worm
w32/child-porn.proxy/server
email-worm.brontok

I say its ound 26 critical virus

Ambucias · Answer

This spyware protection is it part of your antivirus?  What is you antivirus?

Ambucias · Answer

If you

Click Start, click Run, type cmd in the Open box, and then click OK.
At the command prompt, type dir %systemroot%\system32\filename.ext /a /s, and then press ENTER, 

do you see any files where filename.ext is :

Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll. ?

jonboy2011 · Answer

When i type that in it say : Windows cannot find dir

My antivrus was AVG

jonboy2011 · Answer

SORRY open run type cmd you see the little black screen then it dissapears

Ambucias · Answer

Looks it's not just a blaster worm because in most instances, that type of worm would keep restarting your system.

Do you have access to explorer?

Do you have a pendrive?

jonboy2011 · Answer

Yes I have a pendrive and I have explorer

Ambucias · Answer

Well, this is positive news!

If we get your system back in shape, would it be possible for you to get me an invitation to the Royal Wedding, or at least have the opportunity to have tea and cucumber sandwiches with the new royal couple?

I will be back in 5

jonboy2011 · Answer

If you get me back in shape, I'll get you a night with the lady herself lol

Cucumber sandwiches are horrid tea and scones are what its all about

Ambucias · Answer

In explorer go to windows system 32 and tell me if you see:

%SystemDir%\msblast.exe
 or any another msblast file

If you do, blast it away

I'm taking a 5 minute break

jonboy2011 · Answer

Sorry mate I dont know what you mean by go to windows system 32 how do I do that ?

I have internet explorer open ggole as my homepage

Ambucias · Answer

Click right on start

Click left on explorer

Left pane scroll down to windows and then to windows 32

Click on windows 32 and in the right pane, see is you find msblast

jonboy2011 · Answer

I click left on explorer went to my computer, then c drive, then all I can see is a folder called WINXP. Instide that there is a system32 and twain_32 older but that it ?

Am I looking in the wrong place ?

Sorry to be a pain

Ambucias · Answer

Jonboy,

I am called to duty, family that is, I will return on line at 2100 hrs your time.  Presently 7h53 AM here.

If you cannot mblast file, try running the following from your desktop and if not working from the pendrive.  It is very potent medecinal compound:

A very powerfull antidote that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused of, as matter of a fact, once you have used it, I suggest you delete it from your system. 

To keep your system safe, you must follow the instructions hereunder to the letter: 

First step, boot your system in safe mode with networking

1. Download Combofix to your desktop. 

http://www.combofix.org/download.php 

2.Close all open Windows including this one. 

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. 

3. Double click on the ComboFix icon. 

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. 

4. Accept the disclaimer and the recovery 

5.You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. 

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection. 

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. 

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. 

During the process, please do not mouse click nor must you tap on the keyboard.  Let the tool run.

Once you are done, report to me on how your system is behaving. 

Good luck 

Ambucias

jonboy2011 · Answer

Problem is I cant boot in safe mode. Think im just going to get it formated and start fresh. Thanks or trying

jonboy2011 · Answer

Hey mate just before I took my computer to be done. I tried that combomix in normal mode I thought my computer has crashed but then when I restarted it AVG kicked back in and I can run exe. files again. AVG keeps saying I have the following

win32 - trojan gen
ZHPDIAG2.TMP

jonboy2011 · Answer

AVG has picked up and quarenteened about 30 things so far. Is there something I should run now to make sure everything has really gone. It feels too good to be true ! Combofix did the trick I think thanks mate for all your help glad I didnt give up lol

Ambucias · Answer

Just to make sure that you are clean

I must make a diagnostic and to do so, I require a log.

Open this link and download ZHPDiag : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 


Register the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop.  

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

jonboy2011 · Answer

https://authentification.site/files/27809980/ZHPDiag.txt

Its already in the post mate ;) Ill post you a cucumber sandwich aswell hehe

Ambucias · Answer

Stand by for the analysis

Ambucias · Answer

Okay, the system is clean as whistle but there is a lot of junk and if I were you, I would stay away from sweetim a perfect place to get a virus, as matter of a fact I would get rid of it.

You can now delete the logs and empty the AVG quarantine folder

To get rid of the junk download, install and run the following:

https://ccm.net/downloads/security-and-maintenance/4555-ccleaner/

For the registry:

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

After the clean-up, I strongly recommend that you create a brand new restore point, a place you will know it's safe to go back to in case of trouble.  You can name it Ambucias if you wish.

See you in Tipperary and God save the Queen

jonboy2011 · Answer

Thanks mate appreciate all your help.

One last question what is sweetim ? Just so I know to keep away

Ambucias · Answer

It's a site you have been on which can hyjack your browser.  It may also have been in an e-mail.

I forgot after you create the restore point, defragment your hard disk, after all this, things need to be put back where they belong.

jonboy2011 · Answer

Hmm dont know when I went on that site. I save alot off pictures from google images maybe it was a link in there.

Thanks once again

Will defo be thinking of u when they get married lol, Ambucias the guy who saved my ass

ComputerIlliterate · Answer

Hi I have the exact same virus! I don't have pen drive or AVG (I don't actually know what AVG is, I'm an idiot when it comes to computers). What will ComboFix do to my computer? Will it delete everything off of it?

Irina · Answer

Kind Mr. Ambucias,
I have stumbled upon this thread after having become quite desperate in finding a solution to fix/cure my PC. The following in a lengthy description of all the steps I have gone through in an attempt to rescue my PC (Windows 7 Home Premium, Service Pack1 x64 Dell Inc Inspiron One) .
Yesterday I had noticed that an automated scan from my antivirus (COMODO) had started, but the automated scan which should have started at the same time from Malwarebytes Anti-Malware had not.
I checked and it wasn't showing minimized in the tray either. Thinking it odd  I tried to open it by double clicking its desktop icon  and then by doubleclicking its exe file in its source folder. Each time it said "C:\...cannot be run in Win32 mode."
Almost every application/program I tried to open said "... cannot be run in Win32 mode". (In the meantime Comodo had finished the scan and found nothing and shut down by itself). I panicked and tried disinfecting by any means that I could
think of by aid of my laptop and USB memory stick.
From my Usb memory stick I had managed to install on my evidently infected PC (in Safe Mode - it was the only way it let me): SuperAntiSpyware Professional, a Professional version of Malwarebytes, Spybot Search & Destroy, Webroot SecureAnywhere, Trojan Killer and CCleaner. 
I ran each of them in Safe Mode, in that order. Clicked the fix/delete command depending on each one, and got rid of the files they had found as suspicious or infected. Then I ran all the scans a second time for verification and they no longer found anything/ any other results to display.
Even so, when starting windows Normally, neither one of these security/cleanup programs would not run and that "... cannot be run in Win32 mode" message would always appear (despite having selected for each the option to launch at system startup in hopes to bypass the damned virus that wouldn't let me open/run exe files). After some time only Webroot Secure Anywhere started and after finishing its scan found nothing; to my great dismay.
I had also noticed that the virus blocked my Administrator privileges. It wouldn't let me force run anything in administrator mode. Nor alter user settings in control panel nor uninstall programs. In SafeMode I managed to regive myself Administrator status and set a password.
After much searching, I had found your thread "Win32/worm blaster" and the instructions you gave jonboy2011. I did run rkill (in Safe mode - it wouldn't let me otherwise) and it said it found no malware. I ran a Malwarebyte scan again and it didn't have any results to display.
The first time I ran FixBlast.exe it died on me and dissappeared halfway through the scan.
Then I downloaded ComboFix and when I tried to run it, it told me to disable Comodo Antivirus. I disabled it then clicked OK, but ComboFix still said Comodo Antivirus was running and had to be closed. I closed ComboFix and uninstalled Comodo. Even after uninstalling it, when I tried to run ComboFix again it still said that Comodo Antivirus is running and needs to be disabled. I manually searched for and deleted any stray files I could find that had anything to do with Comodo, and tried again. Same message.
Becoming quite concerned and desperate that I couldn't use the only thing that had helped jonboy2011, I tried as final attempts a scan with Avast antivirus and then a scan with Kaspersky via its RescueDisk 10 which I had saved and made work onto a bootable USB stick. Both Avast and Kaspersky had found a (different) file with a long name string of letters and numbers which were in a Comodo Quarantine folder apparently and I deleted them upon instruction and warning of high risk from Kaspersky and Avast.
It was 4.30 AM at that time, my memory was rather clouded around that time. Anyway, even after all that, when starting window in Normal Mode the situation remained the same "cannot be run in Win32 mode".
So ultimately, in Safe Mode again, I ran ComboFix without being able to disable anything and saved the log.txt on my USB stick and now I have uploaded it here in hopes that you would please help me and read it and make sense of it and save my PC with your knowledge.
I also ran FixBlast.exe after. This time it did not crash midway - it completed and said "W32.Blaster.Worm has not been found on your computer."
As of the moment of this writing, when starting windows Normally (after typing in the new password) the only programs that start automatically are DriverReviver, Avast, SuperAntiSpyware and Webroot SecureAnywhere. A message saying "The C:\Program Files\CCleaner\CCleaner64.exe application cannot be run in Win32 mode" appears. No Malwarebytes in sight. When I try to run it, it says "The C:\Program Files(x86)\Malwarebytes Anti-Malware\mbam.exe application cannot be run in Win32 mode". Trojan Killer gets the same "cannot run in Win32 mode" message. ComboFix the same. And trying to run FixBlaster.exe it tells me "You do not have Administrator rights to run the tool". I am stumped. I am at a loss. I am desperate. Please help me, sir, because I don't know what else to do to fix/cure my PC.

I apologize for my very long post, but I hoped that maybe by seeing all the steps I had gone through would help find out who the culprit/what kind of damned virus it is and what course of action can be taken.

Thank you very much for taking the time to read my message. I will be eternally grateful if you can help me with this difficult situation.

Kindest Regards,
Irina

P.S. I could only send the rkill and ComboFix logs I got after scanning in Safe Mode.
I tried to run ZHPDiag2.exe and it said "ShellExecuteEx a echoue ; code 129. the %1 application cannot be run in Win32 mode". Tried again in Safe Mode, installed it, opened it - it gave some sort of error message that dissappeared in a second and then it started and I could run the scan. Maybe there is hope after all.

http://www.speedyshare.com/uuvSF/log.txt
http://www.speedyshare.com/zzDRq/Rkill.txt
http://speedy.sh/99Hnf/ZHPDiag.txt

Win32/worm blaster

38 responses

Similar discussions

Subscribe To Our Newsletter!