BleepingComputer.com: whitesmoke translator viruis

i woke up this morning and saw that my computer had loaded WhiteSmoke translator. I used the uninstall program command after I unplugged the network cable. Then when I tried to restart my machine it just sat on the windows opening screen. I tried to load in safe mode with networking but it keeps locking up at C:\WINDOWS\system32\drivers\Mup.sys... anyone know of a way I can get the machine to fully start up in safe mode? Help please....

Hello and welcome.
The WhiteSmoke web site indicates it makes English grammar correction software, translation software, and other specialized English writing tools. However, many users have reported they did not know how WhiteSmoke was downloaded or installed. From our investigation and dealings with this software we are also finding many cases of it with a TDSS rootkit infection. So depending on the severity of system infection will determine how the disinfection process goes.

The web site says the software can be removed through Add/Remove Programs or Programs and Features if using Vista/Windows 7 so check there first, highlight anything with the name "Whitesmoke", select Remove and restart the computer normally. This appears to work in most cases with the Whitesmoke Toolbar but not with the Translator.

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
  
• The log will be named by the date of scan in the following format: mbam-log-date(time).txt
  -- If you have previously used MBAM, there may be several logs showing in the list.
  
• Click on the log name to highlight it.
  
• Go to the bottom and click on Open.
  
• The log should automatically open in notepad as a text file.
  
• Go to Edit and choose Select all.
  
• Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  
• Come back to this thread, click Add Reply, then right-click and choose Paste.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

• Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  
• If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  
• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.

• When the program opens, click the Start Scan button.
  
• Do not use the computer during the scan
  
• If the scan completes with nothing found, click Close to exit.
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  
• Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
  Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  
• A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  
• Copy and paste the contents of that file in your next reply.

-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. {Credit quietman7}

Sorry - I forgot to mention that I am running Windows XP. Since my machine locks up on booting up, I have removed the hard drive and am running it as a secondary drive on another computer of mine to diagnose it. I will post the MBAM results once i run it. I cannot run TDSSKiller as it will not run on a secondary drive, only the C: drive.

I have run a Sophos scan and it found: http://www.sophos.com/security/analyses/viruses-and-spyware/trojtdlmbra.html in the Master Boot Record, drive PHYSICALDRIVE1. And states that no actions can be taken manual cleanup is required.

To check for and confirm the MBR rootkit,can you run this.


Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).

• Go to Start > Run and type: cmd.exe
  
• press Ok.
  
• At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  
• press Enter.
  
• The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  
• A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  
• Copy and paste the results of the mbr.log in your next reply.

If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.

As I mentioned before I removed the HD from the affected computer and am running it slave to another computer so it is showing up as D:\. I loaded the mbr.exe in the root D:\ and ran the cmd.exe, typed in d: to get it to root D:\ and ran the command. This is from the log file:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160812AS rev.3.AHH -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

I am a little confused at the "Device\Ide\IdeDeviceP2T0L0-e" because the affected drive is a SATA drive.

The MBAM scan is still running. Will post the results when complete.

Thank you for your help! It is greatly appreciated.

here are the results of the MBM scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

1/8/2011 12:02:49 PM
mbam-log-2011-01-08 (12-02-49).txt

Scan type: Quick scan
Objects scanned: 349086
Time elapsed: 3 hour(s), 22 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


here is a screen capture from the sophos scan that I ran overnight:

MBRCheck scans all the available drives, so

Make a backup of MBR of the the drive 1 with mbr.exe and send it to Jottiscan or VirusTotal. The syntax in this case will be:

Quote

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

I was able to get the affected HD back in the computer and booted up. I ran several sophos scans they found nothing.

I ran the MBR scan again as you requested and these are the results:

[ArcaVir]
2010-11-15 Found nothing
[F-Secure Anti-Virus]
2010-11-15 Found nothing
[Avast! antivirus]
2010-11-14 Found nothing
[Ikarus]
2010-11-15 Found nothing
[Grisoft AVG Anti-Virus]
2010-11-14 Found nothing
[Kaspersky Anti-Virus]
2010-11-15 Found nothing
[Avira AntiVir]
2010-11-15 Found nothing
[ESET NOD32]
2010-11-14 Found nothing
[Softwin BitDefender]
2010-11-15 Found nothing
[Panda Antivirus]
2010-11-14 Found nothing
[ClamAV]
2010-11-15 Found nothing
[Quick Heal]
2010-11-15 Found nothing
[CPsecure]
2010-11-15 Found nothing
[Sophos]
2010-11-15 Found nothing
[Dr.Web]
2010-11-15 Found nothing
[VirusBlokAda VBA32]
2010-11-14 Found nothing
[Frisk F-Prot Antivirus]
2010-11-14 Found nothing
[VirusBuster]
2010-11-14 Found nothing

This lloks good now. Are there any other signs of infection here?

I don't see any other signs of infection. The machine has been able to shutdown and start up correctly and things appear to be operating normally. Thank you for your help.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
  
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

• Then use Disk Cleanup to remove all but the most recently created Restore Point.
  
• Go to Start > Run and type: Cleanmgr
  
• Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  
• Click the "More Options" tab, then click the "Clean up" button under System Restore.
  
• Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  
• Click Yes, then click Ok.
  
• Click Yes again when prompted with "Are you sure you want to perform these actions?"
  
• Disk Cleanup will remove the files and close automatically.

Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

• Simple and easy ways to keep your computer safe.
  
• How did I get infected?, With steps so it does not happen again!.
  
• Hardening Windows Security - Part 1 & Part 2.
  
• Configuring Internet Explorer for Practical Security and Privacy - How to Secure Your Web Browser.
  
• Your Guide To Staying Safe Online.
  
• Use Task Manager to close pop-up messages to safely exit malware attacks.

• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

• Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

• USB-Based Malware Attacks.
  
• When is AUTORUN.INF really an AUTORUN.INF?.
  
• Please disable Autorun asap!.

You're welcome.