Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected by the W/32 Blaster worm - Vista laptop please advise on how to remove

  • Please log in to reply
1 reply to this topic

#1 Dangermurph


  • Members
  • 1 posts
  • Local time:05:01 AM

Posted 26 January 2011 - 12:29 PM


I have recently got the W/32 blaster worm on my laptop (Vista operating systeM) and don;t seem to be able to get rid of it. I keep getting the following error messages:

TCrdMain.exe cannot srart - File TCrdMain.exe is infected with the W/32 Balster Form Pelase Activate Spyware protection to protect your computer.

I have tried the following to resovle the issue:

Created an Ubuntu Install disk and booted up the infected laptop from that. Used the Ubuntu anti-virus software to scan the laptop. It found no viruses! I also tried to logon to the Internet from Ubuntu. This was successful and I could download Dr spyware but when I ran the executable file I got the following message: "End-of-central-directory signature not found. either this is not a zipfile or its constitutes one disk or a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk of the archive".

I have also tried to run numerous pieces of software from the net (Kaspersky AVG etc)but my laptop shuts them down as soon as they start to run.

Fianlly I tried to run Spyware Dr and AVG from a USB stick when the laptop was in safe mode - but to no avail. the laptop wnated to access the internet, which of course it couldn't as the laptop was in safe mode.

Any advice on how to get rid of this worm, would be most gratefully received! Thank you.

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:01 AM

Posted 26 January 2011 - 01:50 PM

W32.Blaster.Worm (Win32/Msblast) is an older infection that targeted a security issue related to the Remote Procedure Call (RPC) function. Symptoms of infection included the computer restarting every few minutes without user input or receiving a System Shutdown dialog box with the message: "This system is shutting down. Please save all work...This shutdown was initiated by NT Authority\System...Windows must now restart because because the Remote Procedure Call [RPC] service terminated unexpectanly."

Microsoft addressed this vulnerability with a security update several years ago. Blaster targets computers with out-of-date software, and those computers remain at risk of infection until the update is installed. However, if your machine has been kept updated with all service packs and critical patches and you do not have these symptoms, I doubt you actually have this infection.

You are most likely receiving a bogus warning message or fake alert from a Rogue security program indicating that your computer is infected. These rogue programs are one of the most common sources of malware infection encountered today.

Please reboot in "safe mode with networking", then download Malwarebytes' Anti-Malware (v1.50.1) and RKill by Grinler, saving them to your desktop.RKill.exe Download Link
RKill.com Download Link
RKill.scr Download LinkRenamed versions if the above do not work:
iExplore.exe Download Link
eXplorer.exe Download Link <- this renamed copy may trigger an alert from MBAM...just ignore it.
WiNlOgOn.exe Download Link
uSeRiNiT.exe Download LinkRKill is available in several versions to include renamed versions in case one does not work, you can try another. As such, you may want to download and save more than one before proceeding.

Reboot normally, then proceed as follows:
  • Double-click on the Rkill desktop icon to run the tool.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it still does not work, repeat the process and attempt to use one of the remaining versions until the tool runs.
  • Note: You may have to make repeated attempts to use Rkill several times before it will run as some malware variants try to block it.
  • A log file will be created and saved to the root directory, C:\rkill.log
  • Copy and paste the contents of rkill.log in your next reply.
-- If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software which attempts to terminate tools that try to remove it. If you see such a warning, leave the warning on the screen and then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself so that Rkill can perform its routine.

Important: Do not reboot your computer until after performing a scan with Malwarebyes'. A scan must be completed immediately after running RKill.

Perform a Quick Scan in normal mode with Malwarebytes' Anti-Malware and follow these instructions. Check all items found for removal. Don't forgot to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users