Whitesmoke Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jennb, Dec 7, 2010.

  1. jennb

    jennb Private E-2

    Hello,

    It would appear that my husband's laptop has gotten this nasty virus. We have Malwarebytes and Spybot on the laptop as well as McAfee. Malwarebytes and Spybot both found something and corrected it. All was good.....
    I can't find a program to uninstall. But I was going to download and use AVAST instead. I cannot connect to the internet on that laptop...I get a red screen saying no virus detected. It does this for any site.

    So I came here and wanted to know the best way to go through the DO ME FIRST post when I can't get to where I need to be.
    I HATE MCAFEE!!!


    Thank you so much for any help you can give! I greatly appreciate it!

    Jenn
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You mean you are trying to uninstall Mcafee?

    Do not install Avast until McAfee is definitely gone.

    Well you can transfer the tools needed in the Read and Run me first to the sick computer using a flash drive or a disk.
     
  3. jennb

    jennb Private E-2

    I'm sorry I realize now looking back at my original post that some of it did not make much sense.

    When he first ran a scan and it popped up whitesmoke, I could click on start and it showed up on my list of programs. My first thought at that point would be to uninstall it. There was not anything there. I have since removed McAfee from that laptop.

    I will download everything to a flashdrive and try that. I just didn't know how that would work with not being able to update the definitions and all.

    I will go through all of that and come back and see what lovely things pop up. Thank you, I really appreciate you taking the time.

    Jenn
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If necessary, as stated in the R&R:

    Manual update files that you can transfer over if needed. You will need to transfer the installer and update files over, install the software and then run the update files.
    http://www.majorgeeks.com/SUPERAntiS...ons_d6303.html
    http://www.malwarebytes.org/mbam/dat...mbam-rules.exe

    You're most welcome. I will be here waiting.
     
  5. jennb

    jennb Private E-2

    Still working through it.....sorry it's taking so long....so far everything is popping up with nothing but I keep getting redirected to a particular site. I am not finished yet.....once I do I will upload the logs. Thank you again for your patience. :)
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't worry, just go at your own pace, and post again once you have got the logs. :)
     
  7. jennb

    jennb Private E-2

    Ok....after much arguing with my computer....the holidays....and a case of MRSA....I am back.....I finally got through the read and run thread. Right now I am not seeing further "whitesmoke" issues but I am still having problems....I am getting redirected about half the time on the internet regardless of the browser. I am also getting some error messages saying I am not authorized because I am not admin, but there is only one account.


    Anywho

    at your leisure.....I hope you all had an EXCELLENT CHRISTMAS!!!!!

    Also I am a 64 bit so I did not run RootRepeal....I think that is everything....

    Jennifer
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Jennifer.

    Let's continue on

    First of all the below needs to be done as it could interfere with the fix.

    How to disable Spybot's TeaTimer

    Java(TM) 6 Update 22 <--- Uninstall outdated Java

    Using Windows Explorer, delete this pair of folders:
    • c:\users\Household\AppData\Roaming\Gosy
    • c:\users\Household\AppData\Roaming\Syxee

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Now you must describe to me how things are running! :)
     
  9. jennb

    jennb Private E-2

    Ok....I turned off TeaTimer....and updated the Java per your instructions. After the TDSSKiller ran and I rebooted per instructions it popped up with another box, Windows Defender saying I had some bad mojo.....I would tell you specifically what that mojo is but the box disappeared after running the MGtools. Anywho....

    Here are the logs for the MGTools and the TDSSKiller

    I am looking and looking and I CANNOT FIND THE LOG for MGTools. I know where it's supposed to be; I found it before. But it's not there. I even did a search on the entire computer for it. I hate that.....It did all kinds of yummy goodness that it didn't do before. I am running it again......to try and get some kind of log but I can't find it.....GRRRRR......
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just attach the TDSSKiller log (as it did not attach) and then re-run C:\MGTools.exe. THEN there should be a C:\MGLogs.zip
     
  11. jennb

    jennb Private E-2

    ok I just finished running it again and I still can't find the zip file either by just freaking looking or by searching for the name.....should I uninstall MGtools and re-install and then run again? I will wait for further guidance....

    Jenn
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't forget to attach the TDSSKiller log!

    No, try this first.

    Please do this, click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands each followed by the enter key. Note there is a space after the cd

    cd \MGtools
    GetLogs.bat

    You got a C:\MGLogs.zip now? If not...

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The commands come first on each line; the text after <-- is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Got a C:\MGLogs.zip now?
     
  13. jennb

    jennb Private E-2

    ok here is the tdsskiller log and I will redo the MGTools as directed!
     

    Attached Files:

  14. jennb

    jennb Private E-2

    I am in the process of doing the instructions for the MGTools....I was able to run a scan which is what your instructions ultimately had me do.....getlogs.bat. What I can't find now like I did the FIRST time is, once the scan is complete...and it says to press any key to continue (once I press the key) I go to get the zip file....and it's not there.... that is the problem I am having...it runs the scan fine but the file isn't there....I will try both of your thoughts and see what's shaking when I'm done....

    THANKS FOR ALL YOUR HELP!
     
  15. jennb

    jennb Private E-2

    Ok I finally got one....but it put it in some really weird RANDOM place....the command prompt even says C:\MGtools.zip

    it put it in c:\Users\Household\AppData\Local\VirtualStore

    WTH?
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    :confused I don't know.

    Now before I review those logs, and while you are still online, please run TDSSKiller again for me and attach the log.

    (Getting late for me, almost 3am)
     
  17. jennb

    jennb Private E-2

    I am so sorry....I had gotten so irritated that I closed my pc's down for the night.... I did the scan I got one more log.. I changed it from cure to copy to quarantine as instructed on the page. Here is the log.

    Thank you again for all of your help! I really appreciate it.
    :)
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Was there an option to cure rather than quarantine? (Try that again) I am going to have you run it one more time and attach the log. That last log still shows a rootkit infection.
     
  19. jennb

    jennb Private E-2

    There was an option to cure but it said to copy to quarantine. I thought that odd myself. Anyway I did the scan again, left it at cure. Rebooted as instructed; here is the log, but now when the computer boots up I get an error message that says the following.

    RUN DLL

    There was a problem starting
    c:\Windows\System32\config\systemprofile\AppData\Local\ihekorilow.dll

    I have no idea what this means. I am on my way out the door to work. I will check in and do what I can while I am at work. I didn't realize there was such a significant difference in time.

    Thanks again.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It means there is still malware present, but we will find it!

    That last TDSSKiller log looks more promising. I will have you run it yet again after this next fix to see the new results.
    Yes, I'm in the UK. However I enjoy the peaceful hours of the early morning so I am often still about and posting at that time. Night owl. Okay, I'll post a fix in a moment.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    WhiteSmoke Toolbar <--- Is still installed according to your logs. Try to uninstall it if it lets you, otherwise, Try using Your Uninstaller

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Windows\system32\config\systemprofile\AppData\Local\qtulshnc.dll
    c:\Windows\System32\config\systemprofile\AppData\Local\ihekorilow.dll
    Registry::
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ulugiro"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Reboot the machine and run TDSSKiller again and attach the log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How're things running?
    :)
     
  22. jennb

    jennb Private E-2

    Ok....I have tried several times....ComboFix is not working....it is locking up....and throwing up an error message pev.cfxxe has stopped working. I have not tried MGtools.....Just let me know how you want me to proceed.

    Thanks.
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay then replace the combofix step with this one:

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Also run this.

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
    Last edited: Dec 29, 2010
  24. jennb

    jennb Private E-2

    Ok....I still got that one .dll error message that I mentioned previously.
    I ran the rest of the scans as instructed; attached are the logs for MGtools and MBR. I could not FIND the logs for the Avenger. It did not pop them up after it rebooted.
     

    Attached Files:

    Last edited: Dec 30, 2010
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Stubborn little beast.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code into the Paste List of Files/Folders to Move area. Do not include the word Code.
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Ghahositaduxo"=-
    
    :files
    C:\salijhwe.txt
    C:\Windows\SysWOW64\drivers\uvmwsmmo.sys
    C:\Windows\system32\config\systemprofile\AppData\Local\ihekorilow.dll
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    The MBRCheck log was not complete. Re run it and attach the log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
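The two removal scripts in this thread (the CFScript in post 21 and the OTM script in post 25) target the same persistence pattern: a Run value with a random-looking name under a machine-wide or .DEFAULT-profile hive, pointing at a DLL dropped under the service profile's AppData (C:\Windows\system32\config\systemprofile\AppData\Local), plus a driver parked under SysWOW64\drivers. The following triage routine is an added example written for this page; it is not part of the thread, MGtools, ComboFix or OTM. It assumes a reg-query-style text dump of Run keys (the SAMPLE_LISTING is constructed, with the two value names and DLL paths taken from the scripts above and one made-up benign entry for contrast), and the SysWOW64\drivers check reflects the usual rule that kernel drivers load from System32\drivers, stated here as the author's own heuristic.

```python
import re

# Run keys that execute at boot/logon without an interactive user having
# chosen the entry: the machine-wide hive and the .DEFAULT profile used by
# services. (Key names as they appear in the thread's removal scripts.)
SYSTEM_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
}

# The service profile's AppData tree. Installers do not place autostart DLLs
# here; both DLLs in the thread's scripts live under it. (Lower-cased prefix.)
SYSTEMPROFILE_APPDATA = "\\windows\\system32\\config\\systemprofile\\appdata\\"

# rundll32 loading a DLL, the shape behind the "RUN DLL ... There was a problem
# starting <dll>" error quoted in post 19.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

# Constructed sample in 'reg query' style (not a real export from the thread).
# ExampleUpdater is a made-up benign entry; the other two use the value names
# and DLL paths that the thread's CFScript and OTM script remove.
SAMPLE_LISTING = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Ghahositaduxo     REG_SZ    rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\ihekorilow.dll",Startup

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    Ulugiro    REG_SZ    rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\qtulshnc.dll",Startup
"""


def parse_run_listing(text):
    """Return (key, value_name, command) tuples from a reg-query style dump."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key header
            current_key = line.strip()
            continue
        m = re.match(r"\s+(\S+)\s+REG_[A-Z_]+\s+(.*?)\s*$", line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2)))
    return entries


def suspicious_file_path(path):
    """Reasons a path from a startup entry or removal list looks out of place."""
    p = path.lower()
    reasons = []
    if SYSTEMPROFILE_APPDATA in p:
        reasons.append("stored under the service profile's AppData")
    if p.endswith(".sys") and "\\syswow64\\drivers\\" in p:
        # Heuristic: kernel drivers load from System32\drivers; SysWOW64 is the
        # 32-bit user-mode subsystem, so a .sys there has no legitimate loader.
        reasons.append("kernel driver placed under SysWOW64\\drivers")
    return reasons


def suspicious_run_entries(text):
    """Flag Run values that autostart a DLL from a service-profile or AppData path."""
    findings = []
    for key, name, command in parse_run_listing(text):
        reasons = []
        m = RUNDLL_RE.search(command)
        if m:
            dll = m.group(1)
            reasons += suspicious_file_path(dll)
            if not reasons and "\\appdata\\" in dll.lower():
                reasons.append("rundll32 loading a DLL from an AppData path")
        if reasons and key.lower() in SYSTEM_RUN_KEYS:
            reasons.append("runs without an interactive user (machine-wide or .DEFAULT hive)")
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_run_entries(SAMPLE_LISTING):
        print(f["key"])
        print(f"  {f['name']}: {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the constructed listing, the routine flags Ghahositaduxo and Ulugiro (service-profile DLL loaded from a non-interactive hive) and passes over ExampleUpdater; the same suspicious_file_path check applied to the OTM file list would single out the SysWOW64\drivers entry. A real export can be produced with reg query on the two keys, but the parser here is written for the sample format only.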
     
  26. jennb

    jennb Private E-2

    Ok Here goes....all scans run fine with no hiccups
    ;)
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's looking better. How are things running for you?
     
  28. jennb

    jennb Private E-2

    So far everything looks fine.....:clap:hyper:strong

    I will have him play around and see if any more messages pop up.

    THANK YOU SO MUCH FOR YOUR HELP!!!!!

    I BOW DOWN TO YOUR GREATNESS!!!!
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well leave a message for me giving an update on the computer's status next time you log in. Then if all is well, you will be ready for final steps.
     
  30. jennb

    jennb Private E-2

    Well he has been on it this afternoon with no problems, error messages or anything like that. It is actually flying....my little ole laptop and our home computer are jealous now.....

    Thank you again for all of your help. I will be looking for the final instructions that you post when ever you get a chance.....


    THANK YOU!

    Jennifer
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
