Solved

Malware and WhiteSmoke problem?

Posted on 2011-03-07
1,263 Views
Last Modified: 2012-05-11
One of my PCs keeps getting infected with malware.
I had big problems getting rid of XP2011 and something called WhiteSmoke.
XP2011 seems to have gone after I ran RKill and then Malwarebytes. There were 765 infections.
In the last 24 hours WhiteSmoke has come back twice. Each time I have had to run Malwarebytes, which has found 555 or so infections.
I am running ESET as my antivirus.
The only clue is that I have been using Gmail on that machine.
What can I do now?
Help please.
19 Comments
 
LVL 4

Expert Comment

by:CHutchins
ID: 35062899
Use ComboFix and then install Avast and run a boot-time scan. This should clean it all up.
0
 
LVL 9

Expert Comment

by:discgman
ID: 35062985
Look for the WhiteSmoke application that is located on your PC. Most likely in your registry under the Run key in local machine/currentcontrolset/software/microsoft/windows/run. Also do the same under the current user HKEY. Also make sure you are deleting after Malwarebytes finds the spyware. I sometimes forget this and it sits in my quarantine.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35062993
Please do not run ComboFix against this. It is not recommended.

You should look in your Add/Remove programs window in Control Panel and remove anything that is "White Smoke" related.

I recommend that you start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.
You can then post the log to be analyzed.

Let us know the results and we can take the next steps.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35063033
@CHutchins,
There is almost never a situation where "ComboFix" is the first choice of a tool for removing malware - although many people will recommend that.

The whole set of "Virus & Spyware" Zones needs advice based on known effective solutions, and the "Expert" advice needs to be based on personal knowledge and experience. Poorly chosen advice here can have disastrous results for members trying to repair their computers.

Please focus on Zones where you can put your actual knowledge to work helping others.
0
 
LVL 9

Expert Comment

by:discgman
ID: 35063047
Well, I agree ComboFix is the last choice to fix any issues, especially if you can still get into Add/Remove Programs. But if you can't, and no other program will open, I would suggest this as a good resolution.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35063049
@digisel,
I am going to be off-line for a while, so I will go ahead and post the next steps that you MAY have to take.
I will try to get back in here later or first thing tomorrow.

Download, install, and run
CCleaner (www.ccleaner.com)
Doing this will clean out all of the Temp/Junk files from your browser.

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35063061
@discgman,
Please actually read my comments before responding.
ComboFix can be a fantastic tool - when needed.
At this point, it is not needed.

Beyond that, we need to post specific instructions when we recommend its use, not simply "run combofix".
0
 
LVL 9

Expert Comment

by:discgman
ID: 35063142
younghv

I read your comments...


That is true, "run combofix" is not a fix-all and I wouldn't suggest it without exhausting all other options. But in my years of cleaning spyware like WhiteSmoke, it's always hit and miss. One program cleans it one week, then it's another program. CCleaner, SpywareSweeper, Windows Defender. They always have a new and improved tool, but the only ones that really clean are Malwarebytes and ComboFix.
0
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35063254
Also, disable System Restore in Windows XP and System Protection in Windows Vista / 7. Malware, viruses, etc. can hide there and be very difficult to get removed.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35063366
Please DO NOT disable System Restore - it may be the only 'fall back' point you have if something goes wrong with the repairs.

All should carefully read this article:
Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1934.html
0
 
LVL 3

Expert Comment

by:lloydclinton
ID: 35063447
If your files are backed up, and the system is this messed up, then disabling System Restore is the least of your problems. At some point you will have to evaluate how much time you are spending on the problem vs. making sure critical files are backed up and starting over from a fresh install. Also, if your user is running as a local administrator you will probably continue to have problems.
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 150 total points
ID: 35066741
"...There were 765 infections..."  "...Each time I have had to run Malwarebytes which has found 555 or so infections..."

That is a huge total of infected files. Can you post a scan log? It would be good to see what MBAM is detecting.

"...I am running ESET as my antivirus..."  Could you update and run that, and post a scan log please.

If you have a problem running it, try an online ESET scan:

http://www.eset.com/us/online-scanner/run

If malware scanners consistently return high totals "...Each time...555 or so infections..." it suggests you may have a file infector. We need to know what is being detected. Did TDSSKiller find anything?

 
0
 
LVL 9

Expert Comment

by:discgman
ID: 35073571
I remember how I removed WhiteSmoke; it's been a year or so since it was a problem. I ran all the cleaners that are standard, including Malwarebytes. The thing that finally prevented it from coming back was to locate where the file was and delete it. For me, I followed the path it showed in the registry under the Run key, rebooted the PC and booted into Safe Mode (F8), found the file under Program Files, deleted the entire folder, and it never came back. Ran a couple of scans after that and it cleaned the program.
0
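The two comments above (IDs 35062985 and 35073571) describe the same manual hunt: enumerate the autostart entries in the Run keys, find the command that launches the unwanted program, and remove it. The standard locations are HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce) and the same path under HKCU. The script below is an added example, not code from the thread or from any of the tools mentioned in it; it assumes an elevated PowerShell session on the affected machine and that the program name fragment to look for is "whitesmoke". It backs up each key with `reg export` before touching anything, then lists every entry and flags ones that match the name, point into a user-writable directory, or point at a file that no longer exists. Nothing is deleted until you uncomment the final line.

```powershell
# Added example (not from the thread): enumerate autorun entries in the
# standard Run/RunOnce keys and flag suspicious ones before removing them.
# Run in an elevated PowerShell. Written for PowerShell 2.0 compatibility
# (no [pscustomobject] accelerator) so it also works on Windows XP SP3.

$pattern = 'whitesmoke'   # assumption: name fragment to hunt for

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Back up every key we may edit (the "backup the registry first" step).
$backupDir = Join-Path $env:USERPROFILE 'Desktop\run-key-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $file = Join-Path $backupDir (($regPath -replace '[\\:]', '_') + '.reg')
    reg export $regPath $file /y | Out-Null
}

# 2. Enumerate entries and attach flags.
function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Pull the executable path out of a quoted or unquoted command line.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split ' ')[0] }

            $flags = @()
            if ($p.Name -match $pattern -or $cmd -match $pattern) { $flags += 'name-match' }
            if ($exe -match '\\(AppData|Local Settings|Temp|Application Data)\\') { $flags += 'user-writable-dir' }
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += 'missing-file' }

            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exe     = $exe
                Flags   = ($flags -join ',')
            }
        }
    }
}

$entries = Get-SuspiciousRunEntries
$entries | Format-Table Name, Flags, Command -AutoSize

# 3. Remove only what matched the name; review the table first.
$hits = $entries | Where-Object { $_.Flags -match 'name-match' }
foreach ($h in $hits) {
    Write-Host "Would remove value '$($h.Name)' from $($h.Key) -> $($h.Exe)"
    # Remove-ItemProperty -Path $h.Key -Name $h.Name   # uncomment to actually delete
}
```

The flags are deliberately loose: a legitimate updater living under AppData will show up as `user-writable-dir`, and a stale entry for an uninstalled program shows as `missing-file`. Treat the output as a worklist, not a verdict, and delete the executable the entry points at (from Safe Mode if the file is locked) after removing the value, otherwise the program can re-register itself on the next run.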
 
LVL 38

Accepted Solution

by:younghv
younghv earned 200 total points
ID: 35073748
I have seen several references to TDSSKiller automatically finding and removing this infection.

It just never seems to be a good idea to tell someone to go mucking around in the registry, ever, unless you are highly confident that they have the technical skills.
0
 
LVL 9

Assisted Solution

by:discgman
discgman earned 150 total points
ID: 35073801
Well, yes, if TDSSKiller can find this file and unlock the folder to delete it, that would be great. If not, then manual instructions will need to be created.

If Microsoft can post millions of fixes that include mucking into the registry with the caption "make sure to back up the registry before making changes or it will do permanent harm to your PC," I think we can do that here with the same warnings.
0
 

Author Comment

by:digisel
ID: 35073867
@phototropic: more than 95% of the listed infections were duplicates of whitesmoke.pub.
@discgman: I ran TDSSKiller. It cleaned WhiteSmoke immediately. I did run a clean version of Malwarebytes, though this appeared to be unnecessary.
@younghv: see above.

PC is running fine now, and much faster. I think all is in the clear.
This has been a very informative thread.
Thanks to all for their interesting contributions in time and expertise. It is much appreciated.


0
 

Author Closing Comment

by:digisel
ID: 35073888
Thanks to all.   Wish I had more points available.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35074197
@digisel,
If my suggestion worked, then why in the world did you award 150 points to this comment:
http:#a35073801 ?

When you reward worthless comments with "Expert" points, you are giving credibility to people who don't know what they are talking about - and the entire site suffers.

We have a virtual plethora of people posting their garbage advice around these Zones and awarding them points only encourages more of the same.
**************

My question above is rhetorical and needs no response, but you might keep in mind that all of us are volunteers and we only work on questions that we choose.

/unsubscribed
0
 

Author Comment

by:digisel
ID: 35074659
@younghv: On reflection I think I owe you an apology and an explanation, as you put in a lot of time, thought and effort and came up with the solution as well as a lot of important points for everyone else.
Not being an expert myself, I set out to be fair with regard to the time and effort that three of the responders, including yourself, had put in.
I think that, having re-read the posts, I should have awarded you 400 and the other two 50 each because of your high quality. I will remember and apply your comments more diligently in the future, and I shall look out for you in future so that, should the opportunity arise, I will be able to make recompense.
Anyway, you have earned my gratitude and I hope you accept my apology.
Regards
0
