Solved

Malware and white smoke problem?

Posted on 2011-03-07
19
1,237 Views
Last Modified: 2012-05-11
One of my PCs keeps getting infected with malware.
I had big problems getting rid of the xp2011 and something called whitesmoke.
The xp2011 seems to have gone after I ran rkill and then Malwarebytes. There were 765 infections.
In the last 24 hours whitesmoke has come back twice. Each time I have had to run Malwarebytes, which has found 555 or so infections.
I am running ESET as my anti-virus.
The only clue is that I have been using gmail on that machine.
What can I do now?
Help please.
Question by:digisel
19 Comments
 
LVL 4

Expert Comment

by:CHutchins
Use Combofix and then install avast and run a boot time scan. This should clean it all up.
0
 
LVL 9

Expert Comment

by:discgman
Look for the whitesmoke application that is located on your pc. Most likely in your registry under the run key in local machine/currentcontrolset/software/microsoft/windows/run. Also do the same under the current user hkey. Also make sure you are deleting after malwarebytes finds the spyware. I sometimes forget this and it sits in my quarantine.
0
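The comment above suggests checking the Run key by hand. The script below is an added example, not something posted in the thread: it enumerates the autostart entries under the Run and RunOnce keys for the machine and the current user, resolves each command to its executable, and flags entries whose target is missing, unsigned, or sitting in a temp or profile folder, so a suspicious entry can be reviewed before anything is deleted. It is read-only. Note that the Run key actually lives under `...\Windows\CurrentVersion\Run`, not under `CurrentControlSet` as written in the comment; the paths in the script are the correct ones. The "Suspicious" heuristics are my own and are only a triage aid.

```powershell
# Added example (not from the thread): list autostart entries under the common
# Run / RunOnce keys so a suspicious entry can be reviewed. Read-only: deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Commands look like  "C:\Program Files\X\x.exe" /flag  or  C:\dir\x.exe -s
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds
            if ($p.Name -like 'PS*') { continue }
            $exe    = Get-ExePathFromCommand -Command ([string]$p.Value)
            $exists = Test-Path -LiteralPath $exe
            $sig    = 'n/a'
            if ($exists) {
                $sig = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            # Heuristic (my own, not a rule from the thread): a missing target, an unsigned
            # binary, or a binary living in a temp/profile folder deserves a closer look.
            $suspicious = (-not $exists) -or ($sig -ne 'Valid') -or
                          ($exe -match '\\(Temp|AppData|Local Settings|Application Data)\\')
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Target     = $exe
                Exists     = $exists
                Signature  = $sig
                Suspicious = $suspicious
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Suspicious -Descending |
    Format-Table Name, Target, Exists, Signature, Suspicious -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. Anything flagged is a candidate for the Add/Remove Programs check and the scanner runs recommended elsewhere in the thread, not for immediate deletion.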
 
LVL 38

Expert Comment

by:younghv
Please do not run ComboFix against this. It is not recommended.

You should look in your Add/Remove programs window in Control Panel and remove anything that is "White Smoke" related.

I recommend that you start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete",  you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
0
 
LVL 38

Expert Comment

by:younghv
@CHutchins,
There is almost never a situation where "ComboFix" is the first choice of a tool for removing malware - although many people will recommend that.

The whole set of "Virus & Spyware" Zones need advice based on known effective solutions and the "Expert" advice needs to be based on personal knowledge and experience. Poorly chosen advice here can have disastrous results for members trying to repair their computers.

Please focus on Zones where you can put your actual knowledge to work helping others.
0
 
LVL 9

Expert Comment

by:discgman
Well I agree combofix is the last choice to fix any issues, especially if you can still get into the add and remove programs. But if you can't and any other program will not open I would suggest this to be a good resolution.
0
 
LVL 38

Expert Comment

by:younghv
@digisel,
I am going to be off-line for a while, so I will go ahead and post the next steps that you MAY have to take.
I will try to get back in here later or first thing tomorrow.

Download, install, and run
CCleaner (www.ccleaner.com)
Doing this will clean out all of the Temp/Junk files from your browser.

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 38

Expert Comment

by:younghv
@discgman,
Please actually read my comments before responding.
ComboFix can be a fantastic tool - when needed.
At this point, it is not needed.

Beyond that, we need to post specific instructions when we recommend its use, not simply "run combofix".
0
 
LVL 9

Expert Comment

by:discgman
younghv

I read your comments...

That is true, the "run combofix" is not a fix all and I wouldn't suggest it without exhausting all other options. But in my years of cleaning spyware like whitesmoke, it's always hit and miss. One program cleans it one week, then it's another program. CCleaner, spywaresweeper, windowsdefender. They always have a new and improved tool, but the only ones that really clean are malwarebytes and combofix.
0
 
LVL 3

Expert Comment

by:lloydclinton
Also, disable System Restore in Windows XP and System Protection in Windows Vista / 7. Malware, virus, etc. can hide there and be very difficult to get removed.
0
 
LVL 38

Expert Comment

by:younghv
Please DO NOT disable System Restore - it may be the only 'fall back' point you have if something goes wrong with the repairs.

All should carefully read this article:
Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1934.html
0
 
LVL 3

Expert Comment

by:lloydclinton
If your files are backed up, and the system is this messed up then disabling System Restore is the least of your problems. At some point you will have to evaluate how much time you are spending on the problem vs making sure critical files are backed up and starting over from a fresh install. Also, if your user is running as a local administrator you will probably continue to have problems.
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 150 total points
"...There were 765 infections..."  "... Each time I have had to run malabytes which has found 555 or so infections..."

That is a huge total of infected files.  Can you post a scan log?  It would be good to see what Mbam is detecting.

"...I am running eset as my antiq virus..."  Could you update and run that, and post a scan log please.

If you have a problem running it, try an online eSet scan:

http://www.eset.com/us/online-scanner/run

If malware scanners consistently return high totals "...Each time...555 or so infections..." it suggests you may have a file-infector.  We need to know what is being detected. Did TDSSKiller find anything?

 
0
 
LVL 9

Expert Comment

by:discgman
I remember how I removed white smoke, it's been a year or so since it was a problem. I ran all the cleaners that are standard including malwarebytes. The thing that finally prevented it from coming back was to locate where the file was and delete it. For me I followed the path it showed in the registry under the run command, rebooted the pc and booted into safe mode (f8), found the file under program files, deleted the entire file and it never came back. Ran a couple of scans after that and it cleaned the program.
0
 
LVL 38

Accepted Solution

by:younghv
younghv earned 200 total points
I have seen several references to TDSSKiller automatically finding and removing this infection.

It just never seems to be a good idea to tell someone to go mucking around in the registry - ever - unless you are highly confident that they have the technical skills.
0
 
LVL 9

Assisted Solution

by:discgman
discgman earned 150 total points
Well yes, if TDSSKiller can find this file and unlock the folder to delete it that would be great. If not, then manual instructions will need to be created.

If Microsoft can post millions of fixes that include mucking into the registry with the caption "make sure to backup the registry before making changes or it will do permanent harm to your pc" I think we can do that here with the same warnings.
0
 

Author Comment

by:digisel
@phototropic: more than 95% of the listed infections were duplicates of whitesmoke.pub.
@discgman: I ran TDSSKiller. It cleaned whitesmoke immediately. I did run a clean version of malwarebytes though this appeared to be unnecessary.
@younghv: see above.

pc is running fine now, and much faster. I think all is in the clear.
This has been a very informative string.
Thanks to all for their interesting contributions in time and expertise. It is much appreciated.


0
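phototropic asked for the scan log because a count of "555 or so infections" means little until it is broken down by detection name, and the author later reported that over 95% of the entries were duplicates of one file. The script below is an added example, not part of the thread: it parses scan-log lines in the shape a Malwarebytes log of that era used (`<path> (<detection name>) -> <action>`), groups them by detection name, and separates completed actions from ones still pending a reboot. The log lines are constructed sample data that imitate that format; the detection names in them are placeholders, not real signatures.

```powershell
# Added example (not from the thread). The lines below are constructed sample data
# in the shape of a 2011-era Malwarebytes log; detection names are placeholders.
$sampleLog = @'
Files Infected:
c:\program files\whitesmoketranslator\WhiteSmoke.exe (Adware.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\whitesmoke.pub (Adware.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\whitesmoke.pub (Adware.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\user\local settings\temp\whitesmoke.pub (Adware.WhiteSmoke) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\example.sys (Rootkit.Example) -> Delete on reboot.
c:\WINDOWS\system32\example2.dll (Trojan.Example) -> Quarantined and deleted successfully.
'@

function Get-DetectionSummary {
    param([string[]]$Lines)
    # One regex for the "<path> (<name>) -> <action>" line shape; header lines do not match
    $pattern = '^(?<path>.+?) \((?<name>[^)]+)\) -> (?<action>.+)$'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Path   = $Matches['path']
                File   = [System.IO.Path]::GetFileName($Matches['path'])
                Name   = $Matches['name']
                Action = $Matches['action']
            }
        }
    }
    $total = @($hits).Count

    # Group by detection name: one family repeated many times is a very different
    # picture from many distinct families, which is what a file-infector tends to produce.
    $byName = $hits | Group-Object Name | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Detection     = $_.Name
            Count         = $_.Count
            SharePercent  = [math]::Round(100 * $_.Count / $total, 1)
            DistinctFiles = @($_.Group | Select-Object -ExpandProperty Path -Unique).Count
        }
    }

    # Actions that did not complete (e.g. "Delete on reboot") need a follow-up scan after restart
    $pending = @($hits | Where-Object { $_.Action -notmatch 'successfully' })

    [pscustomobject]@{
        Total    = $total
        Families = $byName
        Pending  = $pending
    }
}

$summary = Get-DetectionSummary -Lines ($sampleLog -split "`r?`n")
"Total detections: $($summary.Total)"
$summary.Families | Format-Table -AutoSize
"Actions still pending a reboot:"
$summary.Pending | Format-Table File, Action -AutoSize
```

To use it on a real log, replace `$sampleLog` with `Get-Content` of the saved log file. A table dominated by a single detection name with few distinct paths points at one stubborn program coming back, while many distinct names across system files is the picture that would justify the file-infector concern raised above.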
 

Author Closing Comment

by:digisel
Thanks to all.   Wish I had more points available.
0
 
LVL 38

Expert Comment

by:younghv
@digisel,
If my suggestion worked, then why in the world did you award 150 points to this comment:
http:#a35073801 ?

When you reward worthless comments with "Expert" points, you are giving credibility to people who don't know what they are talking about - and the entire site suffers.

We have a virtual plethora of people posting their garbage advice around these Zones and awarding them points only encourages more of the same.
**************

My question above is rhetorical and needs no response, but you might keep in mind that all of us are volunteers and we only work on questions that we choose.

/unsubscribed
0
 

Author Comment

by:digisel
@younghv: On reflection I think I owe you an apology and an explanation as you put in a lot of time, thought and effort and came up with the solution as well as a lot of important points for everyone else.
Not being an expert myself I set out to be fair with regard to the time and effort that three of the responders, including yourself, had put in.
I think that having re-read the posts I should have awarded you 400 and the other two 50 each because of your high quality. I will remember and apply your comments more diligently in the future - and I shall look out for you in future so should the opportunity arise I will be able to make recompense.
Anyway you have earned my gratitude and I hope you accept my apology.
Regards
0
