Removing Whitesmoke Translator virus

[weberm]

This morning I discovered Whitesmoke Translator on my computer, along with several new desktop icons. It appears my AVG software caught it but noticed the window is labeled "Resident Shield" so I am suspicious...

I ran MalewareBytes and true to form, had to rename it to coax it to run and it found a lot of shit but crashed when I told it to clean things up.

Help!

 

[goombawaho]

Try running MBAM in safe mode first AFTER running RKILL to snuff out some of the malware processes. Note if RKILL killed any processes off.

See if you can clean things with MBAM and then reboot to normal mode.

Run RKILL again (note if it killed any processes off)
Run MBAM again. Clean what it finds and reboot.

If still suspicious or things aren't getting cleaned up, download COMBOFIX and run it from safe mode. See bleeping computer site for download link.

 

[weberm]

I'm still having trouble with it. I also noticed the @#$*! trojan removed my ability to use regedit and restore to a previous state.

 

[goombawaho]

Can you tell me whether you followed my instructions and at which point things broke down for you???

You can use this to undo the administrative lockouts. Save this as a batch file (.bat) after pasting into notepad. Double click it and allow it run. It's safe for XP.


@ECHO OFF
ECHO Working ..........

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddRemovePrograms /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddRemovePrograms /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoRemovePage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoRemovePage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddPage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddPage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoWindowsSetupPage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoWindowsSetupPage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromCDorFloppy /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromCDorFloppy /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromInternet /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromInternet /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromNetwork /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromNetwork /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoServices /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoServices /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoSupportInfo /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoSupportInfo /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\explorer /v NoControlPanel /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f >NUL

REG Delete "HKCU\Software\Policies\Microsoft\internet explorer\control panel" /f >NUL

REG Delete "HKCU\Software\Policies\Microsoft\internet explorer\restrictions" /f >NUL

Exit

 

[weberm]

Yes, I followed your instructions and logged in as Admin in Safe Mode and ran rkill and MB to completion, then rebooted and repeated (my PC had to reboot to remove some of the stuff). Upon rebooting, it complained abut a missing file (qltyey.dll) and rkill seemed to turn off my taask bar (I noticed a message about C:\Windows\Explorer.EXE (sic) failing and was suspicious about the funny case and noticed that file extensions are hidden and could not find the tools option to make them visible.

 

[weberm]

You can use this to undo the administrative lockouts. Save this as a batch file (.bat) after pasting into notepad. Double click it and allow it run. It's safe for XP.

I forgot to ask. Do I run this in Safe Mode as Admin?

 

[goombawaho]

Doesn't matter - safe or regular, but run as ADMIN equivalent user.

Try combofix next. Allow it to finish - don't interrupt it.

Then run an SFC /scannow after the last reboot that it does.

 

[weberm]

I ran the batch file and it complained about the last two commands (not found).

I attempted to run ComboFix but it complained about AVG on my PC during the install and told me to uninstall it, but my PC didn't let me uninstall AVG.

At this point I gave up and took it to a computer shop to see what they could do, but it sounds like they're going to have to wipe the drive and reinstall XP. I've been thinking about upgrading my PC. Perhaps the computer gawds are telling me it's time.

Thanks for your help, though.

 

[goombawaho]

Yeah, it can get to the point of giving up for time or $$$$ reasons. Wish I could have gotten my hands on it.

 

[kjv1611]

weberm,

I'm sure it could still be fixed... more than likely anyway, but a clean install will give you the best piece of mind. Plus, if you didn't have anything on the machine (I'm assuming this one) of any importance, then it's likely the quickest answer to a mean infection anyhow.

Besides getting rid of the virus, if your install was older than a few months, and had any decent amount of usage, you'll get a little bit of performance benefit out of the format and reinstall anyway.

If you want to talk about upgrading hardware (since you mentioned an upgrade), try tossing around some ideas, asking questions over in forum602

I was going to say more, but I'm starting to wander off into the weeds.

 

[weberm]

Luckily I am pretty good about making backups and have partially moved my data to a secondary drive.

I also noticed a LOT less directories on files on my hard drive after it was reloaded.