Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Recovering Whitesmoke Victim

  • Please log in to reply
1 reply to this topic

#1 fingerlakes


  • Members
  • 13 posts
  • Local time:03:29 PM

Posted 21 December 2010 - 05:07 PM

New to the forum. PC was infected with whitesmoke about 4 weeks ago. We were able to remove it with Norton Power Eraser, and then Malwarebytes. PC now shows clean when scanned with Malwarebytes. However, Malwarebytes shows an endless stream of "blocked" outgoing pings coming from somewhere. Any advice on how to fully clear this off our PC? Thanks! Gene

BC AdBot (Login to Remove)


#2 eastonch


  • Members
  • 110 posts
  • Gender:Male
  • Local time:09:29 PM

Posted 21 December 2010 - 06:39 PM

Hi, Gene..

I too had a small run in, tried to do one of them trialpay schemes for tokens on a game, luckily bit defender picked up the first of several viruses from it, an adware attack which is probs the cause of your ping blocks.

Theres a few steps im going to need you to take, som involving downloading some programs, if you already have these, ensure they are fully updated by using the update feature in them.
- why? because like alot of viruses, white smoke embeds itself into the core files like system restore, or when one is created it spreads around that folder. rendering your restore points, pointless.. (punless..)

So then lets get to work right?

After you have all these programs downloaded, installed and updated, you will want to continue with the removal process by following the next chappter!

Booting into safe mode;
why? Well with safe mode we can stop unncessacery start up programs starting, sometiems viruses can stillcome through but its unlikely, also we will be booting with NO network so there will be no ping blocks or requests.


Usually its F8 on POST.

Remember to select just "SAFE MODE" nothing with a command prompt or networking.

System Restore Point Deletion:
After booting into safe mode, follow this guide .
You will follow these steps again after the virus removal process to reactivate.
If you get an error, or a system crash (may lag depending on size) you might want to follow this later, after a virus scan.

Virus Scannning.

Simple right?

You'll wanna run ONE at a time, so when they are all fnished they dont conflict when they are deleting.
You will want to ensure you DELETE and not quarentine. As some of the AV's i suggested may scan vaults and qurentines.

Firstly i'd run MBRAM.
Remove Infections.
Reboot Into Safemode

Secondly i'd run SAS - trial 30days. dont worry you wont be using it for long. skip the setup crap about home page detection.
Remove infections.
Reboot into safemode.

thirdly i'd run Spybot Search & Destroy
remove infections
reboot into safemode

Lastly, but not least i'd give it a quick blast of ad-aware
remove infections
reboot into safemode

Once all have been scanned and remved, you will want a copy of the logs to post back here, for other people to asses or myself if you dont mind, and dont have any issues with me helping out .

Also while in safemode this time, either delte the safe mode stuff or turn it back on, id you are turning it off, reboot and continue to turn. Then you wil want to rebot into normal mode, this time you should be A-OK to look at MBAM's Ping Blocks, Zone Alarm's Ping Blocks or anything like that.
If your still haveing trouble this is probs a host file issue, you could of course try rebooting your router to assign you another dynamic Ip address, maybe it wil fool it.

Just an idea.

Awaiting your swift reply
~ Chris

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users