Donna Freeman Posted February 4, 2011 ID:384236 Share Posted February 4, 2011 I have this stupid White Smoke toolbar virus/malware crap on my work computer. I ran a full Malwarebytes scan in safe mode, and White Smoke is still on here. Can someone please walk me through how to get rid of it?Thank you SO much! Link to post Share on other sites More sharing options...
LDTate Posted February 4, 2011 ID:384237 Share Posted February 4, 2011 DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.Vista and Windows 7 users:1. These tools MUST be run from the executable. (.exe) every time you run them 2. With Admin Rights (Right click, choose "Run as Administrator")Stay with this topic until I give you the all clean post.You might want to print these instructions out.I suggest you do this:XP UsersDouble-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab.Uncheck "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Uncheck "Hide protected operating system files." Click Apply, and then click OK.Vista UsersTo enable the viewing of hidden and protected system files in Windows Vista please follow these steps:Close all programs so that you are at your desktop.Click on the Start button. This is the small round button with the Windows flag in the lower left corner.Click on the Control Panel menu option.When the control panel opens you can either be in Classic View or Control Panel Home view: If you are in the Classic View do the following: Double-click on the Folder Options icon.Click on the View tab.If you are in the Control Panel Home view do the following: Click on the Appearance and Personalization link.Click on Show Hidden Files or Folders.Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.Remove the checkmark from the checkbox labeled Hide extensions for known file types.Remove the checkmark from the checkbox labeled Hide protected operating system files.Please do not delete anything unless instructed to. We've been seeing some Java infections lately.Go here and follow the instructions to clear your Java Cache Next:Please download ATF Cleaner by Atribune.Download - ATF Cleaner Link to post Share on other sites More sharing options...
LDTate Posted February 7, 2011 ID:385588 Share Posted February 7, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
LDTate Posted February 10, 2011 ID:387358 Share Posted February 10, 2011 Topic re-opened.Post tthe results from the Combofix scan and tell me how it's running now. Link to post Share on other sites More sharing options...
Donna Freeman Posted February 11, 2011 Author ID:387707 Share Posted February 11, 2011 Thank you for your help! Below is the Combofix log. Please let me know what I need to do now!ComboFix 11-02-09.05 - donna 02/10/2011 16:21:20.1.2 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1632 [GMT -5:00]Running from: c:\documents and settings\Donna.HDG\Desktop\ComboFix.exeAV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\twunk_32.exe.\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_6TO4((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 ))))))))))))))))))))))))))))))).2011-02-04 19:51 . 2011-02-04 19:51 -------- d-----w- C:\Rfwin2011-01-29 08:02 . 2011-01-29 08:03 -------- d-----w- C:\ff041216644b580ddca1ca6e34b319fc2011-01-26 22:22 . 2011-01-26 22:22 -------- d-----w- C:\TEMP2011-01-26 22:22 . 2009-12-11 16:40 74441941 ----a-w- c:\temp\Clt-Inst\Setup.exe2011-01-26 22:22 . 2008-07-27 14:28 140216 ----a-w- c:\temp\Clt-Inst\vpremote.exe2011-01-26 15:28 . 2011-01-26 15:38 -------- d-----w- C:\YardiGenesis2011-01-26 14:14 . 2011-01-26 14:14 -------- d-----r- C:\MSOCache2011-01-25 13:00 . 2011-01-25 13:00 -------- d-----w- C:\Intel2011-01-25 13:00 . 2011-01-25 13:00 -------- d-----w- C:\dell.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-01-08 1044480]"TrueImageMonitor.exe"="c:\program files\SonicWALL\SonicWALL Bare Metal Recovery and Local Archiving\TrueImageMonitor.exe" [2007-05-03 1165304]"AcronisTimounterMonitor"="c:\program files\SonicWALL\SonicWALL Bare Metal Recovery and Local Archiving\TimounterMonitor.exe" [2007-05-03 1945416]"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-05-03 149024]"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]"QuickBooksDB18"="c:\program files\Intuit\QuickBooks 2008\QBDBMgrN.exe" [2006-09-13 128536]c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2011-1-26 295606]Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]"NoWelcomeScreen"= 1 (0x1)[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]@="Service"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB18 [?].Contents of the 'Scheduled Tasks' folder2011-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]2011-02-10 c:\windows\Tasks\MP Scheduled Scan.job- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]..------- Supplementary Scan -------.IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlIE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlIE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlIE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-02-10 16:27Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]@Denied: (A 2) (Everyone)@="FlashBroker""LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]"Enabled"=dword:00000001[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]@Denied: (A 2) (Everyone)@="IFlashBroker4"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]@="{00020424-0000-0000-C000-000000000046}"[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}""Version"="1.0".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'explorer.exe'(3196)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\webcheck.dllc:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllc:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll.------------------------ Other Running Processes ------------------------.c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exec:\program files\Common Files\Acronis\Schedule2\schedul2.exec:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exec:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exec:\program files\iPod\bin\iPodService.exec:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe.**************************************************************************.Completion time: 2011-02-10 16:31:50 - machine was rebootedComboFix-quarantined-files.txt 2011-02-10 21:31Pre-Run: 105,292,439,552 bytes freePost-Run: 105,264,824,320 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect- - End Of File - - 1F0661AD8D1F4F981027513D122C4274 Link to post Share on other sites More sharing options...
LDTate Posted February 11, 2011 ID:387709 Share Posted February 11, 2011 I'll assume it's running good now.Good job The following will implement some cleanup procedures as well as reset System Restore points:For XP: Click START run Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.For Vista / Windows 7 Click START Search Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.If you used DeFoggerTo re-enable your Emulation drivers, double click DeFogger to run the tool. The application window will appear Click the Re-enable button to re-enable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OKIMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.Your Emulation drivers are now re-enabled.Here's my usual all clean postTo be on the safe side, I would also change all my passwords. This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.Log looks good Make your Internet Explorer more secure - This can be done by following these simple instructions:From within Internet Explorer click on the Tools menu and then click on Options.Click once on the Security tabClick once on the Internet icon so it becomes highlighted.Click once on the Custom Level button.Change the Download signed ActiveX controls to PromptChange the Download unsigned ActiveX controls to DisableChange the Initialize and script ActiveX controls not marked as safe to DisableChange the Installation of desktop items to PromptChange the Launching programs and files in an IFRAME to PromptChange the Navigate sub-frames across different domains to PromptWhen all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.Next press the Apply button and then the OK to exit the Internet Properties page.[*]Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.[*]Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.Without a firewall your computer is succeptible to being hacked and taken over.I am very serious about this and see it happen almost every day with my clients.Simply using a Firewall in its default configuration can lower your risk greatly.[*] WOT , Web of Trust, As 'Googling' is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE.[*]Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.This will ensure your computer has always the latest security updates available installed on your computer.If there are new updates to install, install them immediately, reboot your computer, and revisit the siteuntil there are no more critical updates.Only run one Anti-Virus and Firewall program.I would suggest you read:PC Safety and Security--What Do I Need?.How to Prevent Malware: Link to post Share on other sites More sharing options...
LDTate Posted February 14, 2011 ID:389283 Share Posted February 14, 2011 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts