Friday, November 25, 2011

No, it isn't the Blaster Worm

There has been a rash of posts in help forums by people reporting their computer is infected with the Blaster Worm, w32blaster/worm.  It is not the Blaster Worm that has infected these computers but rather a fake/rogue antispyware program called "Spyware Protection".

Those who have attempted self-help fixes are reporting that they are unable to boot the computer in any mode.  If you are getting notices that your computer is infected with the w32blaster/worm, follow these steps:

1. Please restart the computer in Safe Mode with Networking. (To do this, turn your computer off and then back on.  Immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to log in as a user.)
Note:  If you are unable to connect to the Internet, it will be necessary to go to an uninfected computer and download both RKill and Malwarebytes and transport the files to the infected computer via CD/DVD or memory stick.
2. Please download RKill from one of the following links at Bleeping Computer and save to your Desktop:

One, Two, Three or Four

  • Double-click RKill to run.
  • A command window will open, then disappear upon completion. This is normal.
  • Please leave RKill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running RKill as the malware program(s) will start again.
Note: If you receive security warnings about RKill, please ignore and allow the download to continue.

3. Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, be sure Quick scan is selected, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

After completing the above steps, take the additional time to update the third-party software on your computer, particularly Adobe products and Java.  Also, double-check that any old, vulnerable versions of Java have been uninstalled.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

If you are still having problems with your computer after completing the above instructions, assistance is available from analysts trained in malware removal at the sites listed in Malware Removal Help Sites.  As each site has different requirements, please follow the instructions provided at the site.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
