
PUP.WhiteSmoke removal help



#1 aSillySurfer

aSillySurfer

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:41 PM

Posted 24 December 2010 - 02:21 AM

I recently acquired spyware which I think I got rid of, but when I went to the Norton help website to clear some things up, a helper discovered I still have PUP.WhiteSmoke (whatever that is) files in my system, and they felt they did not have the knowledge to deal with this and directed me to this site. I'm here to get help on removing these, and then re-instating my Norton service that is giving me trouble re-downloading the AntiVirus that I purchased a month ago. The subscription for that purchase is one year, but one month later it is not letting me get it back.

So, I'm here, as directed, to get some help removing PUP.WhiteSmoke. Can anyone help me?

EDIT: The attached file is the Malwarebytes scan results I got.



Edited by hamluis, 24 December 2010 - 07:59 AM.
Moved from Win 7 to Am I Infected ~ Hamluis.



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,386 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:41 PM

Posted 24 December 2010 - 08:40 AM

The WhiteSmoke web site indicates it makes English grammar correction software, translation software, and other specialized English writing tools. However, many users have reported they did not know how WhiteSmoke was downloaded or installed. From our investigation and dealings with this software we are also finding many cases of it with a TDSS rootkit infection. So the severity of the system infection will determine how the disinfection process goes.

The web site says the software can be removed through Add/Remove Programs or Programs and Features if using Vista/Windows 7 so check there first, highlight anything with the name "Whitesmoke", select Remove and restart the computer normally. This appears to work in most cases with the Whitesmoke Toolbar but not with the Translator.

Rescan again with Malwarebytes Anti-Malware (Full Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 aSillySurfer


Posted 24 December 2010 - 01:13 PM

I just woke up, sorry for the delay. The helper at the Norton site had me run the Malwarebytes scan already, and when I removed the PUP.WhiteSmoke files, it seems they are really gone. I looked in Add/Remove Programs and I don't see anything related to White Smoke, but I've been told a rootkit can easily just show me what I want to see and still be infecting my computer. I'm running another Malwarebytes scan now and then I'll post that log when it is finished, and proceed with the next steps you outlined. Thanks!

EDIT: I ran the Malwarebytes scan and the TDSSKiller scan and neither of them found any dangerous files.

Edited by aSillySurfer, 24 December 2010 - 02:31 PM.


#4 aSillySurfer


Posted 24 December 2010 - 02:25 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5386

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/24/2010 10:57:53 AM
mbam-log-2010-12-24 (10-57-53).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 371315
Time elapsed: 50 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
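
An added example, not part of the post above and not a BleepingComputer or Malwarebytes tool: a small parser for a log in this layout that reports why a helper would not accept it as a clean full-scan result. The sample log is constructed, and the detection line format and path in it are assumptions.

```python
import re
# Constructed sample in the posted log's layout; the detection line and path are assumed.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 5386
Scan type: Quick scan

Folders Infected: 1
Files Infected: 0

Folders Infected:
c:\example\folder (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
FIELD_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")

def parse_mbam_log(text):
    """Return (header fields, summary counts, detection lines per section)."""
    fields, counts, items, current = {}, {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT_RE.match(line):
            counts[m[1]] = int(m[2])
        elif m := FIELD_RE.match(line):
            fields[m[1]] = m[2]
        elif m := SECTION_RE.match(line):
            current = m[1]
            items[current] = []
        elif not line:
            current = None                      # blank line closes a section
        elif current and line != "(No malicious items detected)":
            items[current].append(line)
    return fields, counts, items

def triage(text):
    """Reasons this log should not be accepted as a clean full-scan result."""
    fields, counts, items = parse_mbam_log(text)
    reasons = []
    if not fields.get("Scan type", "").startswith("Full scan"):
        reasons.append("not a full scan")
    for section, n in counts.items():
        if n:
            reasons.append(f"{section}: {n}")
        if n != len(items.get(section, [])):
            reasons.append(f"{section}: count does not match listed items")
    return reasons
```

An empty list from `triage` only means the log itself reports a full scan with zero detections; it says nothing about what a rootkit may be hiding from the scanner.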

#5 quietman7


Posted 24 December 2010 - 02:44 PM

The TDSS Rootkit is the most common malware we have seen with Whitesmoke. If TDSSKiller did not find anything and MBAM removed the files (it's effective at finding them), that's a good sign the infection may not have been as severe as other cases. Infections will vary and some will cause more harm to a system than others.

How is your computer running now? Are there any more signs of infection, strange audio ads, unwanted pop-ups, security alerts, or browser redirects?

#6 aSillySurfer


Posted 24 December 2010 - 03:23 PM

After I used System Restore (I did not restore to a backup I had), I haven't had any symptoms of the malware; my computer runs just as it did before - minus the Norton AntiVirus program. The only problem I'm having is redownloading the NAV I had before I restored, and now it's uninstalled and it's not letting me download it again for free - even though I have about 330 days of subscription left until my renewal date.

#7 quietman7


Posted 24 December 2010 - 04:20 PM

Usually when installing trial versions, software vendors incorporate safeguards to prevent continued use of their product after the expiration date. Safeguards include measures to ensure hackers cannot modify the trial period date by adding data files to hidden folders and creating registry entries in obscure locations so they cannot be easily found. If something goes wrong with the anti-virus program during the trial or a major infection occurs which prompts drastic measures, it is not unusual to experience a problem attempting to reinstall the software. I suggest you check with Symantec/Norton Product Support and advise them what happened. They should be able to assist or instruct what you need to do in this situation.

It may take some time for support to get back to you or you may want to consider using an alternative free anti-virus rather than leaving your computer unprotected.

#8 aSillySurfer


Posted 24 December 2010 - 04:52 PM

Alright. I did pay for this product, a 1 year subscription. After it stopped working I downloaded a different Trial Version just to be protected while I got the problem sorted out. I went to the Norton Community site to get help re-downloading it and after some dialogue they sent me here to make sure the Malware is completely gone before they help me get my program back. Thanks for all of your help!

#9 quietman7


Posted 24 December 2010 - 05:11 PM

You're welcome.

Keep in mind that there are no guarantees or shortcuts when it comes to malware removal, especially when dealing with rootkits. I can only go by what the scan logs show (what was detected/removed) and your description of whatever signs or symptoms of infection you are experiencing.

If you want a more detailed look at your system, then more advanced tools are needed to investigate. Before that can be done you will need to follow the instructions in the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and post a DDS log for further investigation in the Virus, Trojan, Spyware, and Malware Removal Logs forum.

#10 Ecto1

Ecto1

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:41 PM

Posted 01 January 2011 - 09:23 AM

Hello, I Googled this issue...Malwarebytes got rid of some of the files, but after a couple of times of running Malwarebytes, it detects the Pup.Whitesmoke "folder" (it's not a file)

So, it keeps finding it (yes, even after I reboot), and I command it to REMOVE it, it SHOWS it was removed, but whenever I run a scan again...it finds it again. (it did, however, get rid of the 3 other files though without a problem)

Being a writer of sorts, I downloaded this program for Grammar Checking....to be honest, you think it'll really be THAT much of a problem if it's a legitimate company?

Otherwise Download.com wouldn't have it on their site....that's the site I go to to download LEGIT software. But do you honestly think it'll compromise the SECURITY of my computer or no? (Allowing hackers access to my hard drive, keylogger issues, etc?)

Because I think some companies have this method of letting people download trials, only to install software to "nag" you to buy their product, and make it hard for you to remove it (not unlike calling customer service to cancel a subscription, making you jump through hoops HOPING you cave to buying their product)

Spyware = "Maybe they'll give, get annoyed, and cave and buy our software", essentially this is an "advertising" method on their part. Someone in my writing group recommended it. <shrug>

Essentially, it's detected as a "false positive"?

Funny, this post is rather recent, the holiday season 2010.

So your feedback on this is appreciated.

Edited by Ecto1, 01 January 2011 - 09:40 AM.


#11 Ecto1


Posted 01 January 2011 - 09:46 AM

Hm, ran the TDSS killer at Kaspersky, it said "No threats found"....so there ya go? lol

#12 quietman7


Posted 01 January 2011 - 10:03 AM

Welcome to BC Ecto1

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff



