
w32/blaster worm - help!



I have a W32/Blaster worm.  I am running Windows 7.  I try to run my nod32 and get a message about egui.exe being infected. I tried (in Safe Mode) Symantec's FixBlast (I couldn't find anything on Eset to fix it) but that software didn't find anything.  I downloaded Spybot S&D and it ran the first time in Safe Mode and it didn't find anything.  Restarted my laptop normally and immediately got messages that my laptop was infected.  I tried running Spybot again and now get the message that it (SD's executable) is corrupted. I rebooted in Safe Mode with Networking, tried Eset's Rogue Application finder but no luck.  Now I am running the Online scanner.  (I am currently using a 2nd laptop to write this message).

 

Help!!! I don't know what else to do.

Hi Janices,

Win32/Blaster Worm was wiped out years ago by a security update from Microsoft. I believe this may be a fake infection. If you can still access the internet on the machine, please try downloading the following anti-malware program: hxxp://www.malwarebytes.org/, which is free. Once installed, run a full scan on the machine and remove all infections found; this should remove all or part of the infection. Spybot doesn't remove the Blaster worm infection. Failing that, please call Eset on: 0845 838 0832


Thank you so much for responding.  I went to Malwarebytes.org which took me to a website "majorgeeks.com" with a couple of options to download.  Is that a safe site?


It looks like Majorgeeks was OK.  There were questions about it on the malwarebytes forum.  I'm still waiting for the ESET online scan to finish (1 hour into it but no threats detected yet).  There is definitely something on my laptop based on its behavior (My nod32 has been hijacked and won't run).


When you say nod32, the actual nod32 product was stopped several years ago and new products were brought out. I would suggest you find your ESET username and password and download the latest product from ESET's website. Also, you can run a malwarebytes scan whilst the ESET online scanner runs.


The product says ESET Nod32 Antivirus.  I may not be at the latest version, but I think I'm at least version 4 and maybe 5.  I can't get it to run right now on my infected laptop but the robot-looking guy displays when I could start it.  I'm up for renewal on July 20th too.  Step 3 (of 4) of the scan is getting pretty close to finishing so I may just wait until it finishes -- depending on what Step 4 looks like.  I've downloaded malwarebytes onto this laptop and will put it on a flash drive to get it to the infected laptop.


Sorry Janices, I work with the business versions and they are now called "endpoint antivirus / endpoint security"; the home software is still nod32, my apologies. Can I ask what software reported you had this infection? In your original post it stated ESET wouldn't open. Keep me updated; there are several different tools we can run to try and get rid of the infection.


I had gone on the internet to find out how to change the default page/screen that shows up when my Mom turns on her Samsung tablet.  I went to a Samsung product forum (don't remember the page).  I immediately got a pop up about my system being infected and compromised.  I got a few of these and it's hard to tell what is real and what is not.  The one that keeps popping up has the Windows "shield" icon.  I didn't trust any of them so I didn't click on any of the popups.  I got off the internet and then flipped the switch to cut the wireless connection to the laptop.  I went to run Nod32 and got the message that egui.exe would not run as it was infected.  I'm guessing that is the GUI interface executable so I don't know if there was a different non-GUI way to run Nod32.    

 

The online scan finished and found no threats.  I'll try malwarebytes now.


Well, malwarebytes found two threats - both were trojan files in a Temp file directory.  It deleted them, but that didn't solve the problem.  I tried to run malwarebytes in a non-safe mode and got a message that said the mbam.exe could not be run because it was infected.  I don't know what to do now.  Could the booting up process be "ruining" the anti-malware software?    If the process of booting up is causing the problems and destroying the malwarebytes program, would it help to boot up and then install malwarebytes and run it?


  • ESET Staff

Hello Janices,

What you are reporting appears to be a Fake Antivirus which prevents the launching of .exe files when in normal mode.  Please try running the ESET Rogue Application Remover (ERAR).  You will likely need to download it to a thumb drive from a non-infected machine.  You can find download links and instructions for ERAR here: hxxp://kb.eset.com/zap/SOLN3035


James & Matt,

 

Thank you both for your responses.

 

James, the first thing I ran was the ERAR but it didn't find anything.  The ESET online scan didn't find anything either.  I opened up a case with ESET but I couldn't get the log files requested because my Nod32 wasn't functioning. 

 

At the advice of coworkers, I did a system restore to a restore point of about a week ago. That appears to have solved the problem but I didn't get a lot of time to work with my laptop last night after the restore as it was time to make dinner.

 

Janice


This topic is now closed to further replies.