W2 blaster worm

[jyeh74]

Hi,

I am trying to get rid of this W32/Blaster Worm that seems to install some sort of "spyware protection" on my computer. I notice when I open new tabs in IE 8, it automatically opens tabs in http://www.searchqu.com/ also. Just noticed this today and I ran SuperAnti Spyware and Avast Free Anti Virus but didn't seem to catch this. Anyone heard of this?

When I try a system restore, it kills the program.

[johns0]

Most likely a pest program that runs on startup,bootup in safemode and look in your user name and all user/public folder for a folder with a exe that doesn't have a proper name and delete it.

[jyeh74]

I will reboot in safemode and run the Super Antispyware program to see if that will help. I didn't catch anything that looks iffy. Usually Super Anti Spyware will kill most spyware but it didn't this time around.

[freebird73717]

download and run rkill first. then run superantispyware. Also couldn't hurt to run malwarebytes

[jyeh74]

I never tried Rkill, usually superanti spyware takes care of it. Malwarebytes never finds anything. I guess its just a combination of different programs. Does it matter if I go into safemode to run these or if I run these programs in normal mode?

[freebird73717]

rkill doesn't need to be run in safemode.
It kills the malwares running processes so that your antimalware can clean it up.

Funny about mbam. I've actually had better luck with it than sas. But when cleaning up an infection I always run rkill, mbam, sas, and a virus scan (in that order).

[ranchhand]

Don't under-estimate Malwarebytes; I have seen it nuke more virii than Super, and I take a lot of them off computers at work. Did this get installed while you were surfing (usually through JAVA), or from a download?

[jyeh74]

Malwarebytes was installed from a download.
I tried using Symantec's removal tool of the W32 Blaster Worm - it did not find anything.

Question - does it matter if I switch users to "Administrator" then run Malwarebytes and then Super, vs running them in my normal user mode?

[jyeh74]

download and run rkill first. then run superantispyware. Also couldn't hurt to run malwarebytes

freebird - I cannot install rkill. This worm stops anything I try to install. I killed my system restore when I tried that too.

[freebird73717]

There is nothing to install. It's a self contained program.
Here's a link to the direct download and they named this one iExplore.exe to fool the malware into letting it run (the malware will think it's internet explorer).
http://download.bleepingcomputer.com/grinler/iExplore.exe

Read more about rkill here
http://www.bleepingcomputer.com/download/anti-virus/rkill

[budz]

go to trendmicro.com and use the free online virus/spyware scanner....btw one spyware program is not going to take care of all spyware.....i use spyware blaster, spybot search, malwarebytes & super antispyware.....IMHO best to run more than one spyware program....just my 2 cents!

[jyeh74]

There is nothing to install. It's a self contained program.
Here's a link to the direct download and they named this one iExplore.exe to fool the malware into letting it run (the malware will think it's internet explorer).
http://download.bleepingcomputer.com/grinler/iExplore.exe

Read more about rkill here
http://www.bleepingcomputer.com/download/anti-virus/rkill

freebird- I tried running it from that link. The W2 blaster worm somehow shuts it down so it doesn't allow it to run. I rebotted into safemode and then tried the link. It works and am running Super and Malwarebytes right now.

Budz- thanks, let me try these other ones too.

Running these in safe mode should be ok right?
What happens if I switch the user to "administrator" and run the spware programs?

I notice when I switch to
administrator" mode, the worm doesnt pop up like it does when I run in my normal user mode, for some reason.

[freebird73717]

Safe mode is actually a good way to get rid of this crap. A lot of it doesn't load in safe mode allowing for easier removal.

[jyeh74]

Safe mode is actually a good way to get rid of this crap. A lot of it doesn't load in safe mode allowing for easier removal.

So safe mode is essentially the same thing with limited applications loaded?
What does switching users (like to "administrator") do?

[jyeh74]

go to trendmicro.com and use the free online virus/spyware scanner....btw one spyware program is not going to take care of all spyware.....i use spyware blaster, spybot search, malwarebytes & super antispyware.....IMHO best to run more than one spyware program....just my 2 cents!

hey budz, i think the W2 worm is gone, but I have this www.searchqu.com that pops up everytime i open a new tab (IE 8 or Firefox) I've used Super and Malewarebytes and Spyware Blaster but cannot get rid of it. Trendmicro is all trial though. Titanium maximum security?

[johns0]

Its not a worm,its an exe that you need to get rid of,its in a folder where i already you told you,goto microsoft.com and do a online scan from them.

[jyeh74]

Its not a worm,its an exe that you need to get rid of,its in a folder where i already you told you,goto microsoft.com and do a online scan from them.

This is what I found
http://answers.microsoft.com/en-us/ie/forum/ie8-windows_7/searchqu/d0b18d31-097d-4a85-...3-9f7a6c7c619a

What folder under program files?

[budz]

go to trendmicro.com and use the free online virus/spyware scanner....btw one spyware program is not going to take care of all spyware.....i use spyware blaster, spybot search, malwarebytes & super antispyware.....IMHO best to run more than one spyware program....just my 2 cents!

hey budz, i think the W2 worm is gone, but I have this www.searchqu.com that pops up everytime i open a new tab (IE 8 or Firefox) I've used Super and Malewarebytes and Spyware Blaster but cannot get rid of it. Trendmicro is all trial though. Titanium maximum security?

You gotta look good at the trendmicro website for the free online virus scanner. Here's the link for it......good luck!

http://housecall.trendmicro.com/

[redwudz]

From what I've read, searchqu is classified by many as rootkit malware and seems particularly difficult to remove. Quite a few posts on the net about it. Most of the regular anti-malware programs seem to have no affect on it.

If all else fails, you can look here, though I have no idea if it will work: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

[ranchhand]

Udates Malwarebytes to latest indexes and run it. After that run Comobfix. Remember, combofix is a serious utility, once it starts do not press any keys, move the mouse or stop it! It will post a black screen on your computer-that is normal, there is nothing wrong; part of Combofix auto-runs from a command prompt, that is why it is so powerful. It will post a log when finished.
If nothing else helps, go here: http://www.suggestafix.com/index.php?showforum=15 and read the pinned topic on "Read This First" at that top of the page, follow the instructions. If that doesn't help, register-in and someone will be along to help.

[aedipuss]

you might give gmer a try.

[freebird73717]

Another option is to take the drive out of this computer and put it into another computer to clean it.

or

Use a bootcd with AV tools. Dr Web cure it is one that I know of. I also think there is one from bitdefender

I threw together an Ubuntu distro with Avast antivirus installed. It works well in these situations.
http://ubuntu-antivirus-livecd.awardspace.info/

edit
I've just updated the distro. Size is 854mb so it will need a dvd. Couldn't get it any smaller due to program dependencies

[angiesapp]

ok so I have downloaded these suggestions from everyone, tried starting in safemode and changing to administrator and this stupid thing will not allow me to do anything. can some PLEASE help. I am ready to throw this stupid desktop out the window. I have even tried running it from my laptop into the network but that won't work either.

[angiesapp]

nevermind, I got around it. thanks for all the posts that helped get rid of this.

[ranchhand]

Glad you got it fixed! but..... April -------->August?? You are a very patient person!

[powerguy]

nevermind, I got around it. thanks for all the posts that helped get rid of this.

Finally you got it fixed, I'm pleased to get more insight on this issue following the thread

[Nelson37]

Do you think you could perhaps shine some light on what exactly you did to remove the infection?

[angiesapp]

Glad you got it fixed! but..... April -------->August?? You are a very patient person!

not really just have a laptop that I used instead. lol

[angiesapp]

Do you think you could perhaps shine some light on what exactly you did to remove the infection?

everything that was in this thread, it was about a 10 hour ordeal because my desktop needs some updating and is really slow but just do what everyone suggests and it will clear it up.

[Nelson37]

There were roughly 37 different things suggested.

It would be nice if you would spend a mere fraction of the time that people here expended trying to help YOU, and explain exactly what you did to remove the virus.

Your last post indicted you had tried everything suggested to no avail. Without additional information from YOU, this entire post is pretty much reduced to a total waste of time. I, for one, will remember that, and your user name, till hell freezes over and will make it my mission in life to make sure everyone else knows it as well, next time you have a problem.