  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1272
  • Last Modified:

Malware and white smoke problem?

One of my PCs keeps getting infected with malware.
I had big problems getting rid of the xp2011 and something called whitesmoke.
The xp2011 seems to have gone after I ran rkill and then malwarebytes. There were 765 infections.
In the last 24 hours whitesmoke has come back twice. Each time I have had to run malwarebytes which has found 555 or so infections.
I am running eset as my anti virus.
The only clue is that I have been using gmail on that machine.
What can I do now?
Help please.
0
Asked by: digisel
3 Solutions
 
CHutchinsCommented:
Use Combofix and then install avast and run a  boot time scan.  This should clean it all up.
0
 
discgmanCommented:
Look for the whitesmoke application that is located on your pc. Most likely in your registry under the run key in local machine/currentcontrolset/software/microsoft/windows/run. Also do the same under the current user hkey. Also make sure you are deleting after malwarebytes finds the spyware. I sometimes forget this and it sits in my quarantine.
0
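The comment above points at the per-machine and per-user Run keys as the place an autostart entry for something like whitesmoke would live. The PowerShell script below is an added example (it is not code from this thread or from any of the tools mentioned in it) that lists every entry in those keys and marks the ones worth a second look. It assumes the standard key locations HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the HKCU equivalent (plus RunOnce), an elevated session on the machine being checked, and "whitesmoke" as the only name fragment to flag; any other fragments you add are your own.

```powershell
# Added example, not part of the original thread.
# Report-only: lists autostart entries in the Run/RunOnce keys and flags
# entries that match a suspect name fragment, point at a missing file, or
# launch from a user-writable location. It deletes nothing.
# Assumption: run from an elevated PowerShell session on the PC being checked.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Name fragment taken from the thread; extend the list with your own suspects.
$SuspectNames = @('whitesmoke')

# Locations where a legitimate installer rarely puts an autostart executable.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE + '\Downloads')

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell adds to every registry object
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

            $cmd = [string]$p.Value
            # Pull the executable path out of the command line: either the quoted
            # first token or everything up to the first whitespace.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = $false
            if (-not [string]::IsNullOrWhiteSpace($exe)) {
                $exists = Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue
            }

            $reasons = @()
            foreach ($s in $SuspectNames) {
                if ($p.Name -like "*$s*" -or $cmd -like "*$s*") { $reasons += "matches '$s'" }
            }
            if (-not $exists) { $reasons += 'file not found' }
            foreach ($dir in $UserWritable) {
                if ($dir -and $exe -like "$dir*") { $reasons += 'user-writable location' }
            }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                ExePath    = $exe
                FileExists = $exists
                Review     = ($reasons.Count -gt 0)
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

# Flagged entries first, so the ones that need attention are at the top of the table.
Get-AutorunEntry | Sort-Object Review -Descending | Format-Table Key, Name, ExePath, FileExists, Reason -AutoSize
```

The script only reports, which keeps it safe to run before deciding anything; a flagged entry is a lead to check against the Malwarebytes or TDSSKiller log, not a verdict. If a manual change does turn out to be needed, export the key first (reg export of the Run key to a .reg file) so it can be put back, which is the same precaution the later comments in this thread ask for.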
 
younghvCommented:
Please do not run ComboFix against this. It is not recommended.

You should look in your Add/Remove programs window in Control Panel and remove anything that is "White Smoke" related.

I recommend that you start with TDSSKILLER found here:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete", you can also just hit "Enter" without typing in and the scan will continue...
The user can then post the log to be analyzed.

Let us know the results and we can take the next steps.
0
 
younghvCommented:
@CHutchins,
There is almost never a situation where "ComboFix" is the first choice of a tool for removing malware - although many people will recommend that.

The whole set of "Virus & Spyware" Zones need advice based on known effective solutions and the "Expert" advice needs to be based on personal knowledge and experience. Poorly chosen advice here can have disastrous results for members trying to repair their computers.

Please focus on Zones where you can put your actual knowledge to work helping others.
0
 
discgmanCommented:
Well I agree combofix is the last choice to fix any issues, especially if you can still get into the add and remove programs. But if you can't and any other program will not open I would suggest this to be a good resolution.
0
 
younghvCommented:
@digisel,
I am going to be off-line for a while, so I will go ahead and post the next steps that you MAY have to take.
I will try to get back in here later or first thing tomorrow.

Download, install, and run
CCleaner (www.ccleaner.com)
Doing this will clean out all of the Temp/Junk files from your browser.

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
younghvCommented:
@discgman,
Please actually read my comments before responding.
ComboFix can be a fantastic tool - when needed.
At this point, it is not needed.

Beyond that, we need to post specific instructions when we recommend its use, not simply "run combofix".
0
 
discgmanCommented:
younghv

I read your comments...


That is true, the "run combofix" is not a fix all and I wouldn't suggest it without exhausting all other options. But in my years of cleaning spyware like whitesmoke, it's always hit and miss. One program cleans it one week, then it's another program. CCleaner, spywaresweeper, windowsdefender. They always have a new and improved tool, but the only ones that really clean are malwarebytes and combofix.
0
 
lloydclintonCommented:
Also, disable System Restore in Windows XP and System Protection in Windows Vista / 7.  Malware, virus, etc. can hide there and be very difficult to get removed.
0
 
younghvCommented:
Please DO NOT disable System Restore - it may be the only 'fall back' point you have if something goes wrong with the repairs.

All should carefully read this article:
Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1934.html
0
 
lloydclintonCommented:
If your files are backed up, and the system is this messed up then disabling System Restore is the least of your problems.  At some point you will have to evaluate how much time you are spending on the problem vs making sure critical files are backed up and starting over from a fresh install.  Also, if your user is running as a local administrator you will probably continue to have problems.
0
 
phototropicCommented:
"...There were 765 infections..."  "... Each time I have had to run malabytes which has found 555 or so infections..."

That is a huge total of infected files.  Can you post a scan log?  It would be good to see what Mbam is detecting.

"...I am running eset as my antiq virus..."  Could you update and run that, and post a scan log please.

If you have a problem running it, try an online eSet scan:

http://www.eset.com/us/online-scanner/run

If malware scanners consistently return high totals "...Each time...555 or so infections..." it suggests you may have a file-infector.  We need to know what is being detected. Did TDSSKiller find anything?

 
0
 
discgmanCommented:
I remember how I removed white smoke, it's been a year or so since it was a problem. I ran all the cleaners that are standard including malwarebytes. The thing that finally prevented it from coming back was to locate where the file was and delete it. For me I followed the path it showed in the registry under the run command, rebooted the pc and booted into safe mode (f8), found the file under program files, deleted the entire file and it never came back. Ran a couple of scans after that and it cleaned the program.
0
 
younghvCommented:
I have seen several references to TDSSKiller automatically finding and removing this infection.

It just never seems to be a good idea to tell someone to go mucking around in the registry - ever - unless you are highly confident that they have the technical skills.
0
 
discgmanCommented:
Well yes, if TDSSKiller can find this file and unlock the folder to delete it that would be great. If not, then manual instructions will need to be created.

If Microsoft can post millions of fixes that include mucking into the registry with the caption "make sure to backup the registry before making changes or it will do permanent harm to your pc" I think we can do that here with the same warnings.
0
 
digiselAuthor Commented:
@phototropic: more than 95% of the listed infections were duplicates of whitesmoke.pub.
@discgman: I ran TDSSKiller. It cleaned whitesmoke immediately. I did run a clean version of malwarebytes though this appeared to be unnecessary.
@younghv: see above.

pc is running fine now, and much faster. I think all is in the clear.
This has been a very informative string.
Thanks to all for their interesting contributions in time and expertise. It is much appreciated.


0
 
digiselAuthor Commented:
Thanks to all.   Wish I had more points available.
0
 
younghvCommented:
@digisel,
If my suggestion worked, then why in the world did you award 150 points to this comment:
http:#a35073801 ?

When you reward worthless comments with "Expert" points, you are giving credibility to people who don't know what they are talking about - and the entire site suffers.

We have a virtual plethora of people posting their garbage advice around these Zones and awarding them points only encourages more of the same.
**************

My question above is rhetorical and needs no response, but you might keep in mind that all of us are volunteers and we only work on questions that we choose.

/unsubscribed
0
 
digiselAuthor Commented:
@younghv: On reflection I think I owe you an apology and an explanation as you put in a lot of time, thought and effort and came up with the solution as well as a lot of important points for everyone else.
Not being an expert myself I set out to be fair with regard to the time and effort that three of the responders, including yourself, had put in.
I think that having re-read the posts I should have awarded you 400 and the other two 50 each because of your high quality. I will remember and apply your comments more diligently in the future - and I shall look out for you in future so should the opportunity arise I will be able to make recompense.
Anyway you have earned my gratitude and I hope you accept my apology.
Regards
0
