Need a virus expert!

I've just had the window pop up that says

"System is shutting down, please save work in progress and log off"

I googled it and have found out its the

"W32.Blaster.Worm"

I googled that, and found a Symantec removal tool for it, ran it, and it finished saying

"W32.Blaster.Worm has not been found on your computer"

I really dont want to have to reformatt, has anybody had this before and successfully removed it?

Please help!

format

no but seriously,

go into safe mode

go to start > run > msconfig

Go to startup tab, and untick everything. then rebooting into normal windows

See if its got rid of it.

call me captain obvious but its clearly different virus then

you really should have called the thread "W32.Blaster.Worm virus"

i think format is the only safe way

Has this happened repeatedly or just once ? If im right then teh worm would cause it to happen every time you log on to your machine.

Its jsut happened once, I managed to stop it with shutdown -a in run

I just want to get rid of it completely and it looks like format is the only way?

delete clientregistry.blob..... thats what i always do!

Have you tried turning it off and on again?

In all seriousness .. is it plugged in?

Erm, something like this went around ages ago, alot of googling found me a cure which i very quickly opened on boot, was like 30 seconds before it went into shutdown, so had to be quick :L

I turned the shutdown window off, thats not the problem, the problem now is that I want to remove it from my computer altogether, preferably without formatting. I'm running my 2nd removal tool now, if that doesnt work I'll try a restart and see if the problem persists.

Buy NOD32.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe download this, boot in safe mode, run it, see if it picks anything up..

Keith Chegwin posted this on another virus post to help westy try it worth a pop

Ok, so i did what you said, and the computer has rebooted, I havent got the window again, and the program successfully removed 5 files from the windows folder and said it was successful. I guess only time will tell now, whether the problem has been fixed?

Thankyou for your replies anyway

A further point - 3 of my friends on vent have also had the same thing, 1's was fine after the initial window came up, and the other 2 formatted just to be sure. We were discussing, and there's nothing that all of us have in common, in terms of downloads or anything like that. So I'm extremely puzzled as to why its happened :S

as above

nGen - get the logs from combofix, and put here, i wanna have a look make sure you got everything.. dont want your pc to explode or w/e

ComboFix 08-09-28.01 - DandeH 2008-09-29 16:51:06.1 - NTFSx86

Running from: C:\Documents and Settings\DandeH\Desktop\ComboFix.exe

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-29 14:17 . 2007-04-16 16:52 92,672 --a------ C:\WINDOWS\system32\mspush.dll
2008-09-22 15:41 . 2008-09-22 15:41 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-09-22 15:41 . 2008-09-22 15:41 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-09-22 15:41 . 2008-09-22 15:41 <DIR> d-------- C:\Program Files\MSBuild
2008-09-22 15:38 . 2008-09-22 15:38 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-09-22 15:36 . 2008-09-22 18:45 <DIR> d-------- C:\Program Files\compLexity Demo Player
2008-09-22 15:36 . 2008-09-22 15:36 <DIR> dr-h----- C:\AHCache
2008-09-17 23:42 . 2008-09-17 23:42 <DIR> d-------- C:\Program Files\MTA San Andreas
2008-09-17 23:29 . 2008-09-17 23:29 <DIR> d-------- C:\Program Files\Rockstar Games
2008-09-17 23:11 . 2008-09-17 23:12 <DIR> d-------- C:\Documents and Settings\DandeH\Application Data\DAEMON Tools Pro
2008-09-17 23:11 . 2008-09-17 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro
2008-09-17 23:10 . 2008-09-17 23:12 <DIR> d-------- C:\Program Files\DAEMON Tools Pro
2008-09-05 12:02 . 2008-09-28 22:17 <DIR> d-------- C:\Warhammer Online - Age of Reckoning
2008-09-02 17:26 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-09-02 14:53 . 2008-09-02 14:54 <DIR> d-------- C:\Program Files\iPod-Converter
2008-09-02 14:38 . 2008-09-02 14:38 <DIR> d-------- C:\ConverterOutput
2008-09-02 14:37 . 2008-09-02 14:52 <DIR> d-------- C:\Program Files\Cucusoft
2008-09-02 14:37 . 2004-10-12 14:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-09-02 14:37 . 2007-03-25 21:40 2,174,976 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-09-02 14:37 . 2003-03-18 22:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-09-02 14:37 . 2004-10-05 16:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-09-02 14:37 . 2003-03-30 20:08 372,736 --a------ C:\WINDOWS\system32\xvid.ax
2008-09-02 14:37 . 2004-10-12 14:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-09-02 14:37 . 2004-10-04 01:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-09-02 14:37 . 2004-09-10 13:50 34,820 --a------ C:\WINDOWS\system32\ffdshow.reg
2008-09-02 10:39 . 2008-09-02 10:39 <DIR> d-------- C:\Program Files\Voobys
2008-09-02 10:38 . 2008-09-02 10:38 <DIR> d-------- C:\WINDOWS\system32\URTTEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-29 15:27 --------- d-----w C:\Program Files\Steam
2008-09-29 14:54 --------- d-----w C:\Documents and Settings\DandeH\Application Data\AVG7
2008-09-29 14:52 --------- d-----w C:\Program Files\mIRC
2008-09-29 13:19 --------- d-----w C:\Program Files\Hitman Pro
2008-09-28 21:31 --------- d-----w C:\Program Files\FlashGet
2008-09-24 08:09 --------- d-----w C:\Program Files\Warcraft III
2008-09-22 20:44 --------- d-----w C:\Program Files\XAC
2008-09-17 22:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-17 21:43 --------- d-----w C:\Program Files\S2SaTstrat
2008-09-17 21:42 --------- d-----w C:\Program Files\PokerStars
2008-09-17 16:10 --------- d-----w C:\Program Files\HLSW
2008-08-30 14:00 --------- d-----w C:\Documents and Settings\DandeH\Application Data\Apple Computer
2008-08-30 13:58 --------- d-----w C:\Program Files\Apple Software Update
2008-07-29 20:10 73,720 ----a-w C:\WINDOWS\system32\dxva2.dll
2008-07-29 20:10 493,048 ----a-w C:\WINDOWS\system32\evr.dll
2008-07-29 20:10 26,112 ----a-w C:\WINDOWS\system32\TsWpfWrp.exe
2008-07-29 19:35 326,160 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2008-07-29 18:59 781,344 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2008-07-29 18:59 43,544 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2008-07-29 18:59 161,296 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2008-07-29 18:59 105,016 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2008-07-29 18:24 97,800 ----a-w C:\WINDOWS\system32\infocardapi.dll
2008-07-29 18:24 622,080 ----a-w C:\WINDOWS\system32\icardagt.exe
2008-07-29 18:24 11,264 ----a-w C:\WINDOWS\system32\icardres.dll
2008-07-27 15:16 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-25 10:16 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2008-07-25 10:16 83,968 ----a-w C:\WINDOWS\system32\mscories.dll
2008-07-25 10:16 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2008-07-25 10:16 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2008-07-06 12:06 575,488 ----a-w C:\WINDOWS\system32\xpsshhdr.dll
2008-07-06 12:06 117,760 ----a-w C:\WINDOWS\system32\prntvpt.dll
2008-07-06 12:06 1,676,288 ----a-w C:\WINDOWS\system32\xpssvcs.dll
2008-07-02 02:18 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-24 02:27 22,328 ----a-w C:\Documents and Settings\DandeH\Application Data\PnkBstrK.sys
.

------- Sigcheck -------

2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2001-08-23 13:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2004-08-04 08:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-11 00:53 57856 f53b930c971a22ddf529a379ee14b0d3 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\DandeH\OctoshapeClient.exe" [2006-02-13 214648]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 8491008]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Wireless Manager"="C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" [2007-10-16 585728]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]

C:\Documents and Settings\DandeH\Start Menu\Programs\Startup\
Voobys.lnk - C:\Documents and Settings\DandeH\Application Data\Microsoft\Installer\{B72257D6-189D-4CB0-9CDC-26A93536C34B}\_16496df1.exe [2008-09-02 3774]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2007-12-21 13:36 579072 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2007-02-06 00:52 849280 C:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-09-17 01:07 8491008 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-09-17 01:07 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-18 18:39 1271032 c:\Program Files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
-r------- 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-09-17 01:07 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-12-19 04:12 16062464 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Steam\\steamapps\\aceman54\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Steam\\steamapps\\aceman54\\counter-strike source\\hl2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\HLSW\\hlsw.exe"=
"C:\\Program Files\\Steam\\steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\aceman54\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\ace54\\counter-strike\\hl.exe"=
"C:\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\call of duty 4\\iw3mp.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\Program Files\\Steam\\steamapps\\aceman54\\condition zero\\hl.exe"=
"C:\\Program Files\\Steam\\steamapps\\aceman54\\day of defeat\\hl.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\DandeH\\OctoshapeClient.exe"=
"C:\\Program Files\\FlashGet\\FlashGet.exe"=
"C:\\Program Files\\Steam\\steamapps\\d4nd3h\\counter-strike\\hl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 AffinegyService;AffinegyService;C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe [2007-10-16 143360]
R2 NinjaVideo Helper.exe;NinjaVideo Helper;C:\Program Files\NinjaVideo\NinjaVideo Helper\NinjaVideo Helper.exe [2008-04-10 110592]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\AFGMp50.sys [ ]
S3 AFGSp50;AFGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\AFGSp50.sys [2007-05-22 27072]
S3 ALLOW-IO;ALLOW-IO;D:\ALLOW-IO.sys [ ]
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-12 19020]
S3 uisp;Freescale USB JW32 driver;C:\WINDOWS\system32\Drivers\usbicp.sys [2001-01-04 162900]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9055bd4d-84ca-11dd-b8ec-00508d9dcae7}]
\Shell\AutoRun\command - F:\Install.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Free Upload Manager - C:\Program Files\Free Download Manager\fum\fum.exe
MSConfigStartUp-Free Uploader Oe Integration - C:\Program Files\Free Download Manager\FUM\fumoei.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\DandeH\Application Data\Mozilla\Firefox\Profiles\dfupjv7y.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - C:\Documents and Settings\DandeH\Application Data\Mozilla\plugins\npoctoshape.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Octoshape Streaming Services\DandeH\octoprogram-L03-NMS0806091_SUA_000\npoctoshape.dll
FF -: plugin - C:\Program Files\Octoshape Streaming Services\DandeH\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 16:54:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-29 16:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-29 15:58:14

Pre-Run: 66,191,667,200 bytes free
Post-Run: 66,409,926,656 bytes free

246 --- E O F --- 2008-02-22 01:02:13

You all using the same cheats?