blaster worm terrorizing my comp!

[hitchhiker13]

Out of nowhere, my computer got the blaster worm. I can't open any programs, antivirus protectors, or removal tools unless I'm in safe mode. Apparantly, the most popular way to get rid of it is to use malwarebytes in safe mode (no network). I did this, but the problem persists. What now?

 

[Borg 386]

Give this tool a try. Read the entire article, save/print the instructions, then d/l the tool & run it.

W32.Blaster.Worm Removal Tool

W32.Blaster.Worm Removal Tool | Symantec

This tool is designed to remove the infections of:

W32.Blaster.Worm
W32.Blaster.B.Worm
W32.Blaster.C.Worm
W32.Blaster.D.Worm
W32.Blaster.E.Worm
W32.Blaster.F.Worm

Important:
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.

 

[Hopalong X]

Microsoft removal tool> Download Details - Microsoft Download Center - Windows Malicious Software Removal Tool x64

 

[hitchhiker13]

Give this tool a try. Read the entire article, save/print the instructions, then d/l the tool & run it.

W32.Blaster.Worm Removal Tool

W32.Blaster.Worm Removal Tool | Symantec

This tool is designed to remove the infections of:

W32.Blaster.Worm
W32.Blaster.B.Worm
W32.Blaster.C.Worm
W32.Blaster.D.Worm
W32.Blaster.E.Worm
W32.Blaster.F.Worm

Important:
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.

Didn't do me any good. It says i need network administrator permission. Even though i am the administrator. And the virus made it so there is no option of running it as administrator.

 

[hitchhiker13]

I also tried using R-Kill and SuperAntiSpyware in safe mode, but that didn't help either.

 

[Golden]

Hi,

Can you post the log of when you ran Malwarebytes in Safe Mode?

Regards,
Golden

 

[hitchhiker13]

Microsoft removal tool> Download Details - Microsoft Download Center - Windows Malicious Software Removal Tool x64

I just finished using the Microsoft removal tool (on safe mode) and it didn't detect anything.

 

[hitchhiker13]

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8090

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

11/5/2011 11:56:35 AM
mbam-log-2011-11-05 (11-56-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 29295
Time elapsed: 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{6AE00F2C-62F7-41B5-83A6-B0CC6959CBC4} (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{15C039C3-F230-4706-9CAA-DE476AAB02AC} (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{59D4DC90-68D2-4321-988D-625E118F7DE6} (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FCSB000063943.Shopping.1 (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\FCSB000063943.Shopping (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6AE00F2C-62F7-41B5-83A6-B0CC6959CBC4} (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{6AE00F2C-62F7-41B5-83A6-B0CC6959CBC4} (Adware.ShopToWin) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6AE00F2C-62F7-41B5-83A6-B0CC6959CBC4} (Adware.ShopToWin) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files (x86)\shop to win 21\shop to win 21.dll (Adware.ShopToWin) -> Quarantined and deleted successfully.
c:\Users\Sheil\AppData\LocalLow\fcsb000063943\Toolbar\shoppingbho.dll (Adware.ShopToWin) -> Quarantined and deleted successfully.

 

[hitchhiker13]

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8090

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

11/5/2011 1:22:17 PM
mbam-log-2011-11-05 (13-22-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 420707
Time elapsed: 38 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cd Tools updater (Trojan.Agent) -> Value: cd Tools updater -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msi system tune (Trojan.Agent) -> Value: msi system tune -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\default drivers checker (Trojan.Agent) -> Value: default drivers checker -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Sheil\AppData\Local\Temp\0.8942148782947734.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Sheil\AppData\Local\Temp\ikstun.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Sheil\AppData\Local\Temp\gnstvn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Sheil\AppData\Local\Temp\rhgpv.exe (Trojan.Agent) -> Quarantined and deleted successfully.

 

[Teerex]

This is not the blaster worm, it's a plain trojan/scareware/virus infestation.

 

[hitchhiker13]

but it says that it is a blaster worm. The fake privacy protection program pops up as soon as I log into my computer, and at the bottom on the tool bar, a constant stream of popups appear saying that ".....isn't working due to Win32_blaster worm."

 

[carwiz]

"Rogue programs like Trojan Agent are used to scare people into buying unneeded programs because they claim your computer is at risk, or give falsified scan results and put their own malware in your system, according to Malware Bytes."

 

[Jacee]

Please download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next, flush the DNS cache and restore MS's Hosts file

Copy and paste these lines in Note pad.

@Echo on
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
del %0

Save as flush.bat to your desktop. Right click on the flush.bat file to run it as Administrator. Your computer will reboot itself.

Update and run a full scan with MBam and post the results.