
Whitesmoke Virus


keggerz

anyone know anything about this thing? My LT was acting weird and then the next thing I know I have this Whitesmoke software and toolbar downloaded on my LT....I didn't initiate it or allow it....did a quick google search and can't really find anything...doing a scan now...part that sucks is that for the most part the only sites I have been on today is here, MFL, cbssportsline.com


this dirty MF'r...ran hijackthis and when I try to put the log into a reader it kills the connection...try to email myself the log it kills the connection....try to PM myself the log it kills the connection (PM myself the word test it works)

 

now need to try and run the log file from another PC(why I posted it here)

Edited by keggerz

All I can find out about Whitesmoke is it is a translation toolbar/reader. I have a feeling the virus/malware is spoofing Whitesmoke.

Boot into safe mode and do a scan.

Better yet try and do a restore, but go into safe mode first.


All I can find out about Whitesmoke is it is a translation toolbar/reader. I have a feeling the virus/malware is spoofing Whitesmoke.

Boot into safe mode and do a scan.

Better yet try and do a restore, but go into safe mode first.

I am in the middle of a full system scan right now....Fn thing is doing re-directs now too and FF won't even open up...IE is all that is working now


I am in the middle of a full system scan right now....Fn thing is doing re-directs now too and FF won't even open up...IE is all that is working now

 

I did find a few other people w/ a similar problem, but no resolve. Sorry.

Did you try the 'restore' yet? Prolly won't work as this seems like a smart one that's flying under the radar.


I did find a few other people w/ a similar problem, but no resolve. Sorry.

Did you try the 'restore' yet? Prolly won't work as this seems like a smart one that's flying under the radar.

I basically went thru the hijack this line by line to see what wasn't letting it parse for the log analyzer...found this as the culprit but I don't know what it is.

 

http://w w w.Xupdate.Xmicrosoft.Xcom/XwindowsXupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194652676296

 

I had to put in the spaces between the www and added all the RED X's to be able to post the link but that is what was keeping HJT from being able to parse...actually if you take out the spaces and the red X's and cut and paste it into the google search it will most likely give you a response like it is not connected to the internet

 

this is what the entire string looks like in HJT (of course still take out the Red Xs and the spaces between www)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://w w w.Xupdate.Xmicrosoft.Xcom/XwindowsXupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194652676296

Edited by keggerz
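
The manual obfuscation described in the post above (spaces and X's added so the O16 line could be posted) can be done mechanically. This is an added example, not part of the original thread: it parses lines in the `O16 - DPF` layout quoted above and rewrites each URL in the common `hxxp`/`[.]` defanged form. The sample log, its `example.test` hosts and the function names are constructed for illustration.

```python
import re

# Constructed sample in the "O16 - DPF" layout quoted in the post.
# The CLSIDs and example.test hosts are placeholders, not values from the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\example\\sample.dll
O16 - DPF: {11111111-2222-3333-4444-555555555555} (Sample Control Class) - http://downloads.example.test/controls/sample.cab?1234567890
O16 - DPF: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - https://cdn.example.test/a/b.cab
"""

# O16 - DPF: {CLSID} (optional display name) - codebase URL
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[^}]+\})"
    r"(?: \((?P<name>.*?)\))? - (?P<url>\S+)\s*$"
)


def defang(url):
    """Make a URL non-clickable: http -> hxxp, dots in the host -> [.]"""
    scheme, sep, rest = url.partition("://")
    if not sep:  # no scheme present, treat the whole value as a host
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp")  # https becomes hxxps
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def parse_o16(log_text):
    """Return clsid/name/url for every O16 - DPF line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = O16_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def sanitize_log(log_text):
    """Return the log with O16 URLs defanged and all other lines untouched."""
    out = []
    for line in log_text.splitlines():
        match = O16_RE.match(line.strip())
        if match:
            line = line.replace(match["url"], defang(match["url"]))
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(sanitize_log(SAMPLE_LOG))
```
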

I basically went thru the hijack this line by line to see what wasn't letting it parse for the log analyzer...found this as the culprit but I don't know what it is.

 

http://w w w.Xupdate.Xmicrosoft.Xcom/XwindowsXupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194652676296

 

I had to put in the spaces between the www and added all the RED X's to be able to post the link but that is what was keeping HJT from being able to parse...actually if you take out the spaces and the red X's and cut and paste it into the google search it will most likely give you a response like it is not connected to the internet

 

this is what the entire string looks like in HJT (of course still take out the Red Xs and the spaces between www)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://w w w.Xupdate.Xmicrosoft.Xcom/XwindowsXupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194652676296

So where are you?


So where are you?

did a system restore in safe mode....can now open firefox...initially didn't get any redirects but have now gotten some...also did full system scan with MS Security Essentials and it didn't find anything...but I know it is still there in some capacity anyway

 

at this point I am not even sure what to try next...actually going to run malwarebytes next and go from there

Edited by keggerz

did a system restore in safe mode....can now open firefox...initially didn't get any redirects but have now gotten some...also did full system scan with MS Security Essentials and it didn't find anything...but I know it is still there in some capacity anyway

 

at this point I am not even sure what to try next...actually going to run malwarebytes next and go from there

 

Can't hurt, but this sounds like a new one. If you can, give it a few days and re-google. Sorry i couldn't help more.

C'mon Redrum...................where are you?


Can't hurt, but this sounds like a new one. If you can, give it a few days and re-google. Sorry i couldn't help more.

C'mon Redrum...................where are you?

would like to give it a few days but not sure that I can...I use Contribute to write my weekly huddle article on and I only have it on that laptop...I am not sure if it will affect my being able to use it since it does access the huddle thru the net and that is how I download my weekly template and then re-upload it to the site...fingers crossed because I normally only have to have 2 teams written by Wed. if there is a Thurs game...but this week there are 3 Thurs games so I wanted to have all 6 teams written up by Tues nite so they would be accessible for Wed. AM...again fingers crossed.


Make sure your proxy wasn't enabled, it's pretty basic, google it.

just checked FF and it is set like this "use system proxy settings"

 

In IE the "use a proxy server for your LAN" box is NOT checked and the auto detect and auto configure boxes aren't checked either

 

:wacko: now what?

Edited by keggerz

In IE the "use a proxy server for your LAN" box is NOT checked and the auto detect and auto configure boxes aren't checked either

 

Check that one, leave the other two unchecked.

 

You need to download these on another machine, copy to flash drive or cd, then boot your other machine into safe WITH NETWORKING, run in this order:

 

Disable system restore

 

CCleaner, remove all temp files http://download.cnet.com/ccleaner/

 

Copy to desktop, run Combo fix, let it update and do whatever it suggests: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Malwarebytes, update, then full scan

 

Where are you now?


Check that one, leave the other two unchecked.

 

You need to download these on another machine, copy to flash drive or cd, then boot your other machine into safe WITH NETWORKING, run in this order:

 

Disable system restore

 

CCleaner, remove all temp files http://download.cnet.com/ccleaner/

 

Copy to desktop, run Combo fix, let it update and do whatever it suggests: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Malwarebytes, update, then full scan

 

Where are you now?

almost 3 hours into another malware bytes scan (updated it this time)...forgot my flash drive at home so won't be able to do anything else until I get home around 5.

 

as for checking AUTO DETECT in IE what do I do for FireFox? I assume that I check "Auto-Detect proxy settings for this network" other options are:

No Proxy

Use System proxy settings (which is currently checked)

Manual proxy configurations

Automatic proxy configuration URL:

 

Thanks!


C'mon Redrum...................where are you?

 

He is busy trying to prove that Barack Obama created the computer virus to destroy the world . . . . and then show a link that says the anti-virus manufacturers all donate to his campaign, creating a sinister synergy that is designed to generate support for the New World Order and an all-world currency under the control of the Un . . . aww forget it . . . .


He is busy trying to prove that Barack Obama created the computer :wacko: virus to destroy the world . . . . and then show a link that says the anti-virus manufacturers all donate to his campaign, creating a sinister synergy that :tup: is designed to generate support for the New World Order and an all-world currency under the control of the Un . . . aww forget it . . . . :tup::lol:

 

fixed.
