I hope someone can help me.
“provacy Protection” program has invaded my laptop and has disabled Avast and MalwareBytes.When trying to open those programs it says the file is infected with a WIN32 Blaster Worm. It got rid of my Avast shortcut and replaced it with one of its own (masquerading as a windows icon) and won’t even let me open the virus programs from the start menu. It has a fake firewall warning with “block” and “allow” buttons that I’m afraid to close in case I activate something. It does not show up in the programs list (though I found it interesting that, while experimenting, it would have let me remove Quicktime, but not Paretologic) and will not let me use the tskmgr either.

I tried looking it up, but the only removal advice seems hopelessly involved, and I don’t trust it anyway! Is there a reasonable, reliable fix for this? Or should I take it to the Geek Squad? I have work on it quite sensitive and need to be able to safely use it as quickly as possible. My OS is Win XP Pro 64 v2003, service pack 2.

I read somewhere that, on start up, all hell breaks loose, so I’m afraid to turn my computer off. I hope you can help (Avast senior member please!) Thank you!!

Hichoirgirl1,

Since it’s an XP 64bit system the tools we will be able use may be limited. Let’s a look at what’s going on.

Download OTL to your desktop.

[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]Check the boxes beside LOP Check and Purity Check.
[*]In the window under Custom Scans/Fixes copy and paste the following

[B]
netsvcs
%SYSTEMDRIVE%*.*
%systemroot%\Fonts*.com
%systemroot%\Fonts*.dll
%systemroot%\Fonts*.ini
%systemroot%\Fonts*.ini2
%systemroot%\Fonts*.exe
%systemroot%\system32\spool\prtprocs\w32x86*.*
%systemroot%\REPAIR*.bak1
%systemroot%\REPAIR*.ini
%systemroot%\system32*.jpg
%systemroot%*.jpg
%systemroot%*.png
%systemroot%*.scr
%systemroot%*._sy
%APPDATA%\Adobe\Update*.*
%ALLUSERSPROFILE%\Favorites*.*
%APPDATA%\Microsoft*.*
%PROGRAMFILES%*.*
%APPDATA%\Update*.*
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu*.lîk /x
%systemroot%\system32\config\systemprofile*.dat /x
%systemroot%*.config
%systemroot%\system32*.db
%PROGRAMFILES%\Internet Explorer*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch*.lnk /x
%USERPROFILE%\Deskuop*.exe
%PROGRAMFILES%\Common Files*.*
%systemroot%*.src
%systemroot%\install*.*
%systemroot%\system32\DLL*.*
%systemroot%\system32\HelpFiles*.*
%systemroot%\system32\rundll*.*
%systemroot%\winn32*.*
%systemroot%\Java*.*
%systemroot%\system32\test*.*
%systemroot%\system32\Rundll32*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%..|smtmp;true;true;true /FP
%temp%\smtmp*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop

[/B]
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

If the post seem to long you can attach them.

Thank you for your response oldman.

I’m a little confused though - you say to download the OTL to my desktop - which is the computer I’m using now to talk to you. My laptop is the infected computer and I ended up turning it off as the viral program wouldn’t allow the screensaver to run. Do I download the OTL to my laptop? And should I start it in SAFE mode? If so, can I save the OTL to a travel drive and download it in safe mode on my laptop? (I’m not familiar with using safe mode)

Thanks so much for your help!

you must of course download and run OTL on the infected computer :

Definition
desktop: http://searchwinit.techtarget.com/definition/desktop

Definition
desktop computer: http://searchenterprisedesktop.techtarget.com/definition/desktop-computer

Okay…now I feel silly. :-[ But should I go ahead and start up like normal? Or Safe mode? This program seems to debilitate everything before it gets started.

try Normal, if no success try safe mode

Oldman and/or Essexboy will be back in here and help you tomorrow…
well tomorrow is already 2 hours old over here ;D

Thanks so much. I’ll try it right now

The Program is not allowinig the OTL to open or run (says it also has the worm) :-\

you mean avast…right click avast tray icon and disable for 10min

I’ve been trying to follow oldman’s instructions with his OTL download. And one of the first things the malicious thing did was get rid of all Avast icons and won’t let the program open from anywhere…

*By “malicious thing” I mean the invading program, not OTL!

I think choirgirl1 is talking about Privacy Protection, Pondus.

OK i guess you need to kill the running malware process before you can run it…and we have a program that can do that…but i suggest you wait until Oldman or Essexboy is back here to do that…

Thanks Pondus - do you know about what time GMT he comes on? We’re 8 hours ahead. I’ll try to stay near the computer as late as I can. And thank you Donovansrb10 for your clarification…it’s getting a bit confusing!

No Problem.

Essexboy (UK time) is usually in here around 08:00pm - 11:59pm in weekdays…
so sunday tomorrow (now ;D ) around miday…maybe

Oldman i dont know

Thank you so much. I’ll check back periodically

Hi choirgirl1,

You can do a couple of things to try to get OTL to run.

First ignore the messages from the rogue that OTL is infected. That is don’t acknowledge or close the popup.

If that doesn’t work, right click OTL and click rename. On the keyboard type explorer.exe and hit enter.

Try running it again by double clicking the renamed file.

Lastly you can try safe mode. To start your computer in Safe Mode :
[]Restart your computer
[]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[]Instead of Windows loading as normal, a menu with options should appear;
[]Select the first option, to run Windows in Safe Mode, then press “Enter”.
[*]Choose your usual account.

Hi Oldman
PP (“Privacy Protection”) allowed me to rename the OTL program, but wouldn’t let me open the text. I tried to rename it too, but it wasn’t fooled I guess So I manually typed in the code and ran the scan. I’m savimg it to travel drive now and will proceed to post it here…I hope you’re still there!

The text files are VERY long and I’m not really comfortable “posting” them in public. How do I attach them? Is there a securer way to send them to you?