just got another W32/Blaster.worm notice. Again, I have followed the instructions here for removal by updating the MS patch, running Sophos Blaster
is an older infection that targeted a security issue related to the Remote Procedure Call (RPC) function. Symptoms of infection included the computer restarting every few minutes without user input or receiving a System Shutdown dialog box with the message: "This system is shutting down. Please save all work...This shutdown was initiated by NT Authority\System...Windows must now restart because because the Remote Procedure Call [RPC] service terminated unexpectanly.
Microsoft addressed this vulnerability with a security update several years ago. Blaster targets computers with out-of-date software, and those computers remain at risk of infection until the update is installed. However, if your machine has been kept updated with all service packs and critical patches and you do not have these symptoms, I doubt you actually have this infection so earlier fix tools for Blaster will not work.
You are most likely receiving a bogus warning message or fake alert from a Rogue security program
indicating that your computer is infected.
Before doing anything further, if you have not already done so, you should back up
all your important documents, personal data files and photos to a CD or DVD drive as some infections may render your computer unbootable during or before the disinfection process
. If that occurs there may be no option but to reformat
and reinstall the OS or perform a full system recovery. The safest practice is not to backup
any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.
Please post the complete results of your last MBAM scan for review (even if nothing was found).
To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
Logs are saved to the following locations:
- Click the Logs Tab at the top.
- The log will be named by the date of scan in the following format: mbam-log-date(time).txt
-- If you have previously used MBAM, there may be several logs showing in the list.
- Click on the log name to highlight it.
- Go to the bottom and click on Open.
- The log should automatically open in notepad as a text file.
- Go to Edit and choose Select all.
- Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
- Come back to this thread, click Add Reply, then right-click and choose Paste.
- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
Please download Kaspersky's TDSSKiller
and save it to your Desktop. <-Important!!!Be sure to print out and follow the instructions for performing a scan. Alternate instructions can be found here.
- Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
- Alternatively, you can download TDSSKiller.exe and use that instead.
- Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer or to perform the scan in "safe mode".-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.Important Note
- When the program opens, click the Start Scan button.
- Do not use the computer during the scan
- If the scan completes with nothing found, click Close to exit.
- Any objects found, will show in the Scan results - Select action for found objects and offer three options.
- If an infected file is detected, the default action will be Cure...do not change it.
- Click Continue > Reboot now to finish the cleaning process.<- Important!!
- If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
- A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
- Copy and paste the contents of that file in your next reply.
: Some infections will alter the Proxy settings
in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. If you are experiencing such a problem, check those settings. To do that, please refer to Steps 4-7
under the section Automated Removal Instructions
in this guide
Alternatively, you can press the WINKEY + R
keys on your keyboard or click
, and in the Open dialog box, type: inetcpl.cpl
or press Enter
. Click the Connections
tab and continue following the instructions in the above guide.
If using FireFox, refer to these instructions
to check and configure Proxy Settings under the Connection Settings Dialog