White Smoke Translator has taken over

Got infected with AV8 initially...it seems I've gotten rid of that (with much effort), but then Whitesmoke Translator popped up, installing itself on my computer. I've tried to wipe it using malwarebytes and it will say it's gone, but then when I do a scan (first with AVG, then with AVAST) it pops up again. I'm constantly getting redirected on searches and a "Host Processes for Windows Services has stopped working" message (I've started using Google Chrome instead of IE8...I still get redirected, but my browser doesn't get shut down or locked up as often as with IE8). Also, can't get Windows Update to work at all (seems to have happened around the same time as when the AV8 virus took hold). Any help you can give me I would appreciate. This has been going on now for a couple of weeks. Thank you.


Thanks for replying to my plea for help, RPMMcMurphy. I ran the DDS.txt and Attach.txt (both included here). However, when I tried to run the Gmer, this is what happened: windows kept shutting down, crashing, and I'd have to reboot. It would start the scan, then stop. Incidentally, I followed the instructions for temporarily disabling security programs...the instructions for Avast are a little different from how one would disable it: you get a choice of disabling it for 10 min, 1 hr, until computer is restarted, or disable permanently, under the heading of "Avast Shields Control" when right clicking on icon (which is different from what is pictured in instructions). I chose "until restarted" as well as "1 hour" on the five tries to run gmer. I've included the DDS.txt after all this hoopla here. I do wonder if I've gotten any additional viruses or Trojans while everything was disabled. It seems like Avast blocks one or two per hour. I thank you in advance for anything you can do to help. Anyway, here's the message I got when it would stop:

message: vfkjxqn9.exe has stopped working...here are the details from that:

Problem signature:

Problem Event Name: APPCRASH

Application Name: vfkjxqn9.exe

Application Version: 1.0.15.15530

Application Timestamp: 4cd7c3b7

Fault Module Name: vfkjxqn9.exe

Fault Module Version: 1.0.15.15530

Fault Module Timestamp: 4cd7c3b7

Exception Code: c0000005

Exception Offset: 0000c551

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 1033

Additional Information 1: fd00

Additional Information 2: ea6f5fe8924aaa756324d57f87834160

Additional Information 3: fd00

Additional Information 4: ea6f5fe8924aaa756324d57f87834160

Once I would reboot, I would get this message:

Windows has recovered from an unexpected shutdown. (Then, the following details)

Problem signature:

Problem Event Name: BlueScreen

OS Version: 6.0.6002.2.2.0.768.3

Locale ID: 1033

Additional information about the problem:

BCCode: 1000008e

BCP1: C0000005

BCP2: 81E63D95

BCP3: 88DFCA54

BCP4: 00000000

OS Version: 6_0_6002

Service Pack: 2_0

Product: 768_1

Files that help describe the problem:

C:\Windows\Minidump\Mini122210-03.dmp

C:\Users\Lisa\AppData\Local\Temp\WER-65754-0.sysdata.xml

C:\Users\Lisa\AppData\Local\Temp\WER7EFE.tmp.version.txt

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

DDS (Ver_10-12-12.02) - NTFSx86

Run by Lisa at 23:10:52.67 on Tue 12/21/2010

Internet Explorer: 8.0.6001.18975


Dear RPMcMurphy:

I don't know if this would be helpful, but whenever gmer was about to "stop working" this is the file it would seem to stop/lag on. It's an approximation of the file gmer would seem to lag on right before crashing (I couldn't copy it exactly, sorry).

device\hardisk\volume\shadow\copy

Thanks again,

DaisyMae


DaisyMae:

P2P - I see you have P2P software (BitTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at MBAM are complete.

Download Combofix from either of the links below, and save it to your desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.


Please include the following in your next post:

  • ComboFix log


Hello RP,

I ran combofix with a few caveats: First, it didn't save to my desktop (I clicked on the link in Chrome, which gave me the choice to save, which I did...then I had a choice to open or "open folder." I could have moved the file to desktop, but didn't think to do it at that point). I hope this didn't affect results of log. Second, while combofix was doing its thing, I got a message stating that Windows had shut down unexpectedly...it seems that the testing continued after that, but have no idea the effects of this on the process itself. Third, combofix kept giving me the message that my Avast antivirus was enabled, though I had disabled it. I even went in and disabled updates, etc. I don't know what I could have done further, barring uninstalling Avast altogether. Last, when the process was complete and my system rebooted, WhiteSmoke Translator window showed up on my desktop, as usual, asking for registration. Throughout this time of trying to get rid of it (prior to coming to you) I had tried to remove it without using its own uninstaller. I figured that even the uninstaller was merely another (or further) infection. But when nothing seemed to work, I had tried using its own uninstaller, only to be told that there were, I believe it had said, files missing and therefore couldn't be used. So, WhiteSmoke is still there. I hope these notes are helping you. Thanks again for all your help. Here's the combofix log:

ComboFix 10-12-22.06 - Lisa 12/23/2010 8:19.1.2 - x86


DaisyMae:

Open Notepad: Go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
Driver::
Application Updater
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchSettings"=-
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:

  • ComboFix log
  • MBAM log

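An added example, not code from the thread or from ComboFix, that audits a CFScript before it is dragged onto ComboFix.exe: it lists what each section would do and rejects the mistakes the helper warned about (a blank line or space before File::, indented headers). The section meanings it uses (File:: deletes files, Driver:: removes a service/driver, Registry:: applies .reg-style edits where "name"=- deletes a value, RegLock:: locks a key) are assumptions from common CFScript usage, and the script text is a constructed copy of the one posted above.

```python
"""Audit a ComboFix CFScript before dragging it onto ComboFix.exe.
Added example, not from the thread or from ComboFix. Section meanings are
assumptions from common CFScript usage: File:: files to delete, Driver::
services/drivers to remove, Registry:: .reg-style edits ("name"=- deletes
a value), RegLock:: keys to lock."""
import re

# Constructed copy of the CFScript posted in the thread above.
CFSCRIPT = """File::
c:\\program files\\Application Updater\\ApplicationUpdater.exe
c:\\program files\\Common Files\\Spigot\\Search Settings\\SearchSettings.exe
Driver::
Application Updater
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SearchSettings"=-
RegLock::
[HKEY_USERS\\.Default\\Software\\Microsoft\\Internet Explorer\\User Preferences]
"""

SECTIONS = {"File::", "Driver::", "Registry::", "RegLock::"}

def parse_cfscript(text):
    """Split the script into {section: [lines]}.
    Rejects the mistakes the helper warned about: anything before File::
    (a blank line or whitespace) and indented section headers."""
    lines = text.splitlines()
    if not lines or lines[0] != "File::":
        raise ValueError("File:: must be the very first line, unindented")
    sections, current = {}, None
    for line in lines:
        if line.strip() in SECTIONS:
            if line != line.strip():
                raise ValueError(f"indented section header: {line!r}")
            current = line.strip()
            sections.setdefault(current, [])
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections

def registry_actions(entries):
    """Turn Registry:: lines into (key, value_name, action) tuples."""
    actions, key = [], None
    for line in entries:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # key that the following values belong to
            continue
        m = re.fullmatch(r'"([^"]*)"=(.*)', line)
        if m is None or key is None:
            raise ValueError(f"unrecognised registry line: {line!r}")
        name, data = m.groups()
        actions.append((key, name, "delete" if data == "-" else "set " + data))
    return actions

def summarize(text):
    """Return what the script would do, section by section."""
    s = parse_cfscript(text)
    return {
        "files_to_delete": s.get("File::", []),
        "drivers_to_remove": s.get("Driver::", []),
        "registry": registry_actions(s.get("Registry::", [])),
        "keys_to_lock": [k.strip("[]") for k in s.get("RegLock::", [])],
    }

if __name__ == "__main__":
    for section, items in summarize(CFSCRIPT).items():
        print(section, items)
```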

Okay, RP...ran the combofix the way you instructed. Ran malwarebytes the way you instructed. WhiteSmoke still shows up in my programs. Mbam, at the end of removal process, stated that there were some files that couldn't be disinfected...don't know if those are included in log, but I didn't see them. This forum won't let me post results from both in one reply; claims it's too long. So, here's the combofix results...I'll post the mbam log in a second reply immediately:

ComboFix 10-12-22.06 - Lisa 12/23/2010 20:07:17.2.2 - x86


Dear RP,

WhiteSmoke is still in my add/remove programs list, as well as on my "Start" menu. Since it's rebooted after mbam, I haven't seen the registration screen for whitesmoke pop up on my desktop. When I ran the mbam (previously, per my post) it rebooted, and I tried to open the log, and my "security center." For some reason, each time I got the message that these files couldn't be opened because they were marked for deletion. That worried me a bit, so I rebooted on my own, and then that message did not come up again. I don't know what that was, or if that will help you. Did you note that some files couldn't be disinfected after mbam? I will run mbam again, per your request, in safe mode, and reply again with that log. Let's cross our fingers! Thanks.

DaisyMae


Hi, RP. I ran mbam in safe mode "with networking" (so I could update mbam without any other problems). Still shows whitesmoke on programs list and startup menu. Here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5387

Windows 6.0.6002 Service Pack 2 (Safe Mode)

Internet Explorer 8.0.6001.18975

12/24/2010 1:17:16 AM

mbam-log-2010-12-24 (01-17-16).txt

Scan type: Quick scan

Objects scanned: 156456

Time elapsed: 4 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


DaisyMae:

Let's see if we can get rid of those with this:

Download and install the Revo Uninstaller

  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall (WhiteSmoke)
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.

Please include the following in your next post:

  • Let me know how that went


Hi, RP:

Ran Revo...got a message regarding whitesmoke files that were "registered or unregistered" ...not being able to be deleted? Not really sure. Couldn't record the exact message. Nonetheless, Whitesmoke did uninstall. I realized afterward when looking back at your instructions that I had not chosen "Advanced" as it was not a choice given on a different page, thus I completely missed it on the same page I had been on. I decided to delete another program I had been wanting to get rid of, this time choosing "advanced" and that one uninstalled without any messages or warnings? Revo does not show Whitesmoke anymore...any way we can find these files it referred to? Also, haven't tried to run windows update to see if it's working yet...have that disabled...haven't run an Avast scan, either...should I check those now? Or wait till we can hopefully get rid of the last of Whitesmoke? Thanks.


Hello, RP: Ran JavaRa (with Avast enabled)...didn't produce any sort of log. Searched for one, none existed. Began to download Eset (in google chrome) and got a message that since I wasn't using IE, I needed to do....I don't know...something. So, I decided to open IE and ran it. Now, for some reason, when I'm in IE in Gmail, I get a message that the "compatibility view" is on...I went thru the steps to disable that, and it doesn't show it's in that mode, though I keep getting the message. So, ran Eset (with Avast enabled) and at the end, there was no "click the details" option. The best I could do was copy the results into notepad, so I'm posting those here. I will run DDS again as you instructed (I figure I should run it with Avast disabled and no internet connection, as I don't want to reinfect my computer...though as you can see, Eset shows there are 4 infected files). If you want me to run DDS differently then let me know. Thanks.

C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.AJL trojan

C:\Qoobox\Quarantine\C\ProgramData\657AAqh1.exe_.vir a variant of Win32/Injector.DTR trojan

C:\Qoobox\Quarantine\C\Windows\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application

Good evening, RP!

Here is the DDS log, as promised. I await your reply. Happy holidays! BTW, I saved the attach.txt in case you decide you need it. Thanks!

DDS (Ver_10-12-12.02) - NTFSx86

Run by Lisa at 18:21:29.64 on Fri 12/24/2010

Internet Explorer: 8.0.6001.18975


DaisyMae:

Merry Christmas! This will take care of that ESET detection (the others are already in quarantine and will be removed when we uninstall ComboFix):

Open an elevated command window:

  • Click Start and type cmd in Start Search.
  • When cmd.exe populates above, right click it and select Run as Administrator to open an elevated command prompt.

Copy the contents of the following code box then right click in the command window, select paste and press "Enter"

rem the path contains spaces, so it must be quoted; unquoted, cmd splits it into several names and reports that the file cannot be found
del "C:\Program Files\Windows Live\Messenger\riched20.dll"

I don't see any remaining traces of WhiteSmoke in your log. How is your computer running now?


Hi, RP...performed elevated command...copied & pasted code...got message back that system cannot find file specified. Performed it twice just to be certain. In general, my computer is running better. Still haven't tried updating and installing windows updates, but you told me not to install anything new, so I haven't. I don't even know if Windows Update (or Defender, for that matter) will install since that became a problem once I got infected. No internet search redirects as of late though. I await your next instruction. Hope you're having a great X-Mas :D


Hi,

Look for this file manually through Windows Explorer and if it's there, right click on it and select "Delete":

C:\Program Files\Windows Live\Messenger\riched20.dll

Then try to run Windows Updates and let me know how it goes.

RP:

I found the file, and deleted it as instructed. I ran windows update & installed updates (though it seemed to freeze on installing Windows Live Essentials so I had to cancel that). I don't know why that is a problem...it's happened before. The following are the details on that. Was also wondering why I suddenly have "Blocked Startup Programs" in my system tray (it started about a week ago, actually). Thanks.

Windows Live Essentials 2011 (KB2434419)

Installation date: 12/25/2010 7:50 PM

Installation status: Failed

Error details: Code 800706BE

Update type: Recommended

Do more with Windows on your PC with free programs from Microsoft for photos, movies, instant messaging, email, social networking, and more. Get it all in one simple download.

Windows Live Essentials includes Messenger, Photo Gallery, Mail, Movie Maker, Writer, Family Safety, and Windows Live Mesh, plus Bing Bar, Messenger Companion, Microsoft Outlook Hotmail Connector, Microsoft Outlook Social Connector Provider for Windows Live Messenger, and Microsoft Silverlight.

Installing this update will replace your Windows Live Toolbar with Bing Bar.

More information:

http://explore.live.com/windows-live-essentials

http://explore.live.com/microsoft-service-agreement

http://privacy.microsoft.com/

http://explore.live.com/windows-live-2011-...em-requirements

Help and Support:

http://explore.live.com/windows-live-essentials-help-center


DaisyMae:

Your logs look good! That Windows Live Essentials update is giving many users trouble, but it's not related to malware. All I have left for you to do are another update and some very important cleanup:

Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:

  • DDS
  • GMER

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:

  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Avoid using P2P programs. Refer back to my earlier post for more information.
  • Please visit this General Computer Security Forum and review this post for some helpful information.

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
