
pup.whitesmoke removal help please


9 replies to this topic

#1 allehn


Posted 15 January 2011 - 10:21 PM

Please can someone help me determine whether I still have a pup.whitesmoke infection, or any part of it, or any rootkit behind it?
NIS is reporting that I have 200 threats with the status "remove failed" for all of these. I don't know why it didn't remove them, but I am working through them, removing them one at a time with NIS, which is very time consuming. I would use "apply all" and remove them at one stroke, but this would also remove my infected Thunderbird inbox. NIS unhelpfully offers only one course of action for this - deletion - which will remove the entire inbox file. There is no option to do nothing. I have run Malwarebytes Anti-Malware and it found 10 malwares, including pup.whitesmoke, all of which I removed with Malwarebytes. However, I was advised that I would need help removing it, hence this post.
Please can anyone advise? Thanks


#2 boopme

  • Global Moderator

Posted 15 January 2011 - 11:44 PM

Hello and welcome.
The WhiteSmoke web site indicates it makes English grammar correction software, translation software, and other specialized English writing tools. However, many users have reported they did not know how WhiteSmoke was downloaded or installed. From our investigation and dealings with this software we are also finding many cases of it accompanied by a TDSS rootkit infection. So the severity of the system infection will determine how the disinfection process goes.

The web site says the software can be removed through Add/Remove Programs or Programs and Features if using Vista/Windows 7 so check there first, highlight anything with the name "Whitesmoke", select Remove and restart the computer normally. This appears to work in most cases with the Whitesmoke Toolbar but not with the Translator. {Thanks quietman7}

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 allehn


Posted 16 January 2011 - 09:42 AM

Hi, thanks for your help.
I ran TDSSKiller and MBAM and both found nothing, so I guess the infection's gone. (I had previously uninstalled WhiteSmoke and run NIS and MBAM.) However, NIS is scanning now and has found 28 threats so far.

#4 boopme


Posted 16 January 2011 - 03:23 PM

What did NIS find and how is it running?

#5 allehn


Posted 18 January 2011 - 06:10 AM

NIS went on to find 101 threats, but only showed 2, which were both Thunderbird compressed inbox files. Each contained many threats, so it seemed to be counting these individually to make up the 101.
Now, without any action by me, it is showing 8 threats, including the 2 Thunderbird files. Each of these Tbird files still shows the same number of threats as before, but NIS seems to be counting the threats differently.

What it now shows is:
trojan.virantix (3 times)
downloader.misleadApp
packed.Mystic!gen1 (2 times)
and the 2 compressed Tbird inbox files

It says "not attempted" for the Tbird files, and "remove failed" for the rest. I don't know why the remove failed on these.
NIS is configured to exclude the 2 Tbird inbox files from scans, but they are still in the threat list.

#6 boopme


Posted 18 January 2011 - 11:59 AM

Hello. Without opening those emails, delete them from the inbox, then empty the trash.

Now run FakeAlert Stinger.

#7 allehn


Posted 19 January 2011 - 10:20 AM

Hello boopme,
unfortunately that is a lot of work.
The 2 compressed Tbird inboxes between them contain 209 infected emails. NIS does not give enough info to allow the infected ones to be easily identified, e.g. this is the entry for one infection:

report.exe
[contained in] report.exe
[contained in] unknown03b70b73.data
[contained in] c:\users\ ... \inbox
No fix attempted

report.exe is the name of the attachment, and Thunderbird does not find it.

With so many infected emails, most of which come into my catch-all inbox which I rarely look at, it's not really practical to delete the infected ones. I have set NIS to exclude these Tbird inbox files from scans, but they are still in the threat list. Any idea how to purge the list?

Also, I do not use one of the inboxes - it is kept merely as a backup and Tbird is not configured to access it, so I can't remove the infected emails in it anyway.
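The difficulty described in the post above is that the scanner names the attachment (report.exe) but not the message that carries it, so the flagged messages cannot easily be located in the mail client. The script below is an added example, not part of this thread and not code from NIS, Thunderbird or any tool mentioned here. It assumes the inbox is a plain mbox file as Thunderbird stores its folders (one "From - <date>" separator line per message); the sample messages, addresses and attachment payloads are constructed for the demo and the payload is a harmless placeholder string. It inventories the attachment names in every message of the file (which is also why a scanner reports one inbox file as many individual threats) and lists the messages carrying a given attachment name, so those messages can be deleted from the mail client instead of deleting the whole inbox file.

```python
import base64
import mailbox
import os
import tempfile

# Constructed placeholder payload: base64 of a plain string, not a real program.
# Only the attachment *name* matters for the search.
_PLACEHOLDER = base64.b64encode(b"placeholder bytes, not an executable").decode()


def _message(sender, subject, stamp, attachment=None):
    """Render one constructed message as mbox text (Thunderbird-style separator)."""
    head = (
        f"From - {stamp}\n"
        f"From: {sender}\n"
        "To: me@example.invalid\n"
        f"Subject: {subject}\n"
    )
    if attachment is None:
        return head + "\nNothing attached.\n\n"
    name, ctype = attachment
    return head + (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="sep"\n'
        "\n"
        "--sep\n"
        "Content-Type: text/plain\n"
        "\n"
        "See attached.\n"
        "--sep\n"
        f'Content-Type: {ctype}; name="{name}"\n'
        f'Content-Disposition: attachment; filename="{name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{_PLACEHOLDER}\n"
        "--sep--\n"
        "\n"
    )


# Constructed sample inbox: four messages, two of which carry "report.exe"
# (one with the name in upper case, to show the case-insensitive match).
SAMPLE_MBOX = (
    _message("colleague@example.invalid", "lunch", "Sat Jan 15 10:00:00 2011")
    + _message("unknown@example.invalid", "your report", "Sat Jan 15 10:05:00 2011",
               ("report.exe", "application/octet-stream"))
    + _message("friend@example.invalid", "photo", "Sat Jan 15 10:10:00 2011",
               ("beach.jpg", "image/jpeg"))
    + _message("unknown@example.invalid", "Re: your report", "Sat Jan 15 10:15:00 2011",
               ("REPORT.EXE", "application/octet-stream"))
)


def attachment_inventory(mbox_path):
    """Return [(index, subject, sender, [attachment names])] for every message.

    walk() descends into nested multiparts, so attachments inside forwarded
    messages are listed as well.  A scanner that counts each flagged part
    separately will report one inbox file as this many individual threats.
    """
    rows = []
    mb = mailbox.mbox(mbox_path, create=False)
    try:
        for key, msg in mb.iteritems():
            names = [part.get_filename() for part in msg.walk() if part.get_filename()]
            rows.append((key, msg.get("Subject", ""), msg.get("From", ""), names))
    finally:
        mb.close()
    return rows


def find_messages_with_attachment(mbox_path, wanted_name):
    """Index, subject and sender of each message carrying an attachment whose
    file name equals wanted_name (case-insensitive), e.g. the name a scanner shows."""
    wanted = wanted_name.lower()
    return [(key, subject, sender)
            for key, subject, sender, names in attachment_inventory(mbox_path)
            if any(n.lower() == wanted for n in names)]


def demo():
    """Write the constructed sample to a temporary file and search it for report.exe."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    try:
        return find_messages_with_attachment(path, "report.exe")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, subject, sender in demo():
        print(f"message #{key}: {subject!r} from {sender}")
```

To use it on a real profile, close the mail client first and point `find_messages_with_attachment` at a copy of the folder file (the `mailbox` module opens the file read-write when it can), then delete the listed messages from inside the client so its folder index stays consistent; the same inventory run against a backup folder the client is not configured to open shows which messages would have to be removed there.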

#8 boopme


Posted 19 January 2011 - 10:31 AM

OK, we can have it done for you; we'll probably need a script made. So we need to move you to a new topic.
We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#9 allehn


Posted 15 May 2011 - 03:34 AM

I did this and no malware was found.

#10 boopme


Posted 15 May 2011 - 11:44 AM

Hi allehn, I don't see your DDS log in the other forum. Malware takes more effort to remove than it did to let it in. Did you run the TDSSKiller from the earlier post? The prep guide will not find malware you can remove. I wasn't sure what this meant: "i did this and no malware was found".