| Thread ID: 99576 | 2009-05-07 05:20:00 | Unable to remove Blaster worm | Renmoo (66) |
| Post ID | Timestamp | Content | User | ||
| 771922 | 2009-05-07 05:20:00 | Dear all, A friend's laptop has been infected with the classic worm (the machine shows the RPC message before automatically shutting down). After removing one nasty program via HijackThis (the log is clean otherwise), I scanned the computer using the removal tool from the Symantec website, but it did not pick up the worm. I then tried scanning the laptop using NOD32 that came installed on it, but it too did not detect the worm. MalwareBytes managed to pick up and remove 30 malware, but that did not solve the problem. Any suggestions? OS: Windows XP SP2. |
Renmoo (66) | ||
| 771923 | 2009-05-07 05:36:00 | See if trojan remover removes it, and select all options under utilities | Speedy Gonzales (78) | ||
| 771924 | 2009-05-07 05:39:00 | Blimey, been a while since that's raised its head - used to remove that in less than a minute :lol:

When the PC starts, do the following:

Click on Start, Run.
Type in CMD and press ENTER.
Type in the following command and press Enter: SHUTDOWN -A
This will stop the shut down.

Next: Terminate the running program.
Open the Windows Task Manager by either pressing CTRL+ALT+DEL, selecting the Processes tab or selecting Task Manager and then the process tab.
Locate one of the following programs (depending on variation), click on it and End Task or End Process:
MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE
Close Task Manager.

Download This here (www.microsoft.com) - run it.

Remove the Registry entries if there:
Click on Start, Run, Regedit.
In the left panel go to HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run
In the right panel, right-click and delete the following entry:
"windows auto update" = MSBLAST.EXE (variant A)
"windows auto update" = PENIS32.EXE (variant B)
"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus"=MSPATCH.EXE (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com"="enbiei.exe" (variant G)

MAKE SURE YOU TURN OFF SYSTEM RESTORE.

Open the search - do a complete system Search for msblast*.* Delete anything it finds.

Update your nod32 - run a full in-depth scan.

EDITED: it may not be Blaster - there are a couple of "copycat" bugs that do the same thing. |
wainuitech (129) | ||
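The Run-key check from the post above, as an added example that is not part of the thread: it parses saved `reg query` output for the Run key and flags values whose command points at one of the executable names listed in the post. The sample output and the `ExampleAV` entry are constructed, and the function names are hypothetical.

```python
import re

# Executable names and variant letters exactly as listed in the post above.
KNOWN_EXES = {
    "msblast.exe": "A", "penis32.exe": "B", "teekids.exe": "C",
    "mspatch.exe": "E", "mslaugh.exe": "F", "enbiei.exe": "G",
}

# A value line of `reg query` output: indented name, type, data,
# separated by a tab or by a run of two or more spaces.
VALUE_LINE = re.compile(
    r"^[ \t]+(?P<name>.+?)(?:\t| {2,})(?P<type>REG_\w+)(?:\t| {2,})(?P<data>.*)$"
)
# First file name ending in .exe inside a command line (quoted or not).
EXE_NAME = re.compile(r'[^\\/"]+?\.exe\b', re.IGNORECASE)

def scan(reg_output):
    """Return (value name, exe, variant) for every Run value whose command
    references a listed executable. Matching is by file name only, so a
    renamed copy is not reported."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        exe = EXE_NAME.search(m.group("data"))
        if exe and exe.group(0).lower() in KNOWN_EXES:
            name = exe.group(0).lower()
            hits.append((m.group("name"), name, KNOWN_EXES[name]))
    return hits

# Constructed sample of saved `reg query` output (not taken from the thread).
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r'    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\exampleav.exe" /start',
    r"    windows auto update    REG_SZ    msblast.exe",
    "    Windows Automation\tREG_SZ\tC:\\WINDOWS\\system32\\MSLAUGH.EXE",
])

if __name__ == "__main__":
    for value, exe, variant in scan(SAMPLE):
        print(f"Run value {value!r} -> {exe} (variant {variant})")
```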
| 771925 | 2009-05-07 05:49:00 | Cool, I will try it out. Thanks! |
Renmoo (66) | ||
| 771926 | 2009-05-07 06:54:00 | "Dear all, After removing one nasty program via HijackThis (the log is clean otherwise"

Removing the words from the log, for that is all you are doing, does not stop the malware from still running. I suggest you do this...

OK. We need to download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry.

Please download from one of these webpages:
download.bleepingcomputer.com
www.forospyware.com
subs.geekstogo.com

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts. If it will not run, rename Combofix to xxx.exe and run that.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

i254.photobucket.com

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

i254.photobucket.com

Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt and a new HJT log in your next reply. |
Pancake (6359) | ||