Removing Whitesmoke Translator virus


(OP)
This morning I discovered Whitesmoke Translator on my computer, along with several new desktop icons. It appears my AVG software caught it, but I noticed the window is labeled "Resident Shield" so I am suspicious...

I ran Malwarebytes and, true to form, had to rename it to coax it to run, and it found a lot of shit but crashed when I told it to clean things up.

Help! curse

RE: Removing Whitesmoke Translator virus

Try running MBAM in safe mode first AFTER running RKILL to snuff out some of the malware processes.  Note if RKILL killed any processes off.

See if you can clean things with MBAM and then reboot to normal mode.

Run RKILL again (note if it killed any processes off)
Run MBAM again.  Clean what it finds and reboot.

If still suspicious or things aren't getting cleaned up, download COMBOFIX and run it from safe mode.  See bleeping computer site for download link.

RE: Removing Whitesmoke Translator virus

(OP)
I'm still having trouble with it. I also noticed the @#$*! trojan removed my ability to use regedit and restore to a previous state. curse

RE: Removing Whitesmoke Translator virus

Can you tell me whether you followed my instructions and at which point things broke down for you???

You can use this to undo the administrative lockouts.  Save this as a batch file (.bat) after pasting into notepad.  Double click it and allow it to run.  It's safe for XP.


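@ECHO OFF
REM Sets the Add/Remove Programs, Control Panel, Registry Editor, Task Manager
REM and Windows Update policy values to 0 for the current user (HKCU) and machine (HKLM).
ECHO Working ..........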

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddRemovePrograms /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddRemovePrograms /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoRemovePage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoRemovePage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddPage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddPage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoWindowsSetupPage /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoWindowsSetupPage /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromCDorFloppy /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromCDorFloppy /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromInternet /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromInternet /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromNetwork /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoAddFromNetwork /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoServices /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoServices /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoSupportInfo /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall /v NoSupportInfo /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\explorer /v NoControlPanel /t REG_DWORD /d 0 /f >NUL
    
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t REG_DWORD /d 0 /f >NUL

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoWindowsUpdate /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegistryTools /t REG_DWORD /d 0 /f >NUL

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f >NUL

REM Delete the per-user Internet Explorer policy keys.
REG Delete "HKCU\Software\Policies\Microsoft\internet explorer\control panel" /f >NUL

REG Delete "HKCU\Software\Policies\Microsoft\internet explorer\restrictions" /f >NUL

Exit
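
A read-only check to run before a reset like the one in the post above, added here as an example and not part of the thread or written by its posters: it queries the same policy values and lists only those currently set to a non-zero value, so the lockouts can be recorded before they are cleared. It assumes reg.exe prints each value as a name / type / data line; the labels and messages are this example's own.

```batch
@ECHO OFF
REM Added example, not from the thread: audit only, changes nothing.
SETLOCAL
SET BASE=Software\Microsoft\Windows\CurrentVersion\Policies
SET FOUND=0

FOR %%H IN (HKCU HKLM) DO (
    FOR %%V IN (DisableRegistryTools DisableTaskMgr) DO CALL :CHECK %%H\%BASE%\System %%V
    FOR %%V IN (NoControlPanel NoWindowsUpdate) DO CALL :CHECK %%H\%BASE%\Explorer %%V
    FOR %%V IN (NoAddRemovePrograms NoRemovePage NoAddPage NoWindowsSetupPage NoAddFromCDorFloppy NoAddFromInternet NoAddFromNetwork NoServices NoSupportInfo) DO CALL :CHECK %%H\%BASE%\Uninstall %%V
)

REM The two Internet Explorer policy keys: REG DELETE returns an error
REM when a key does not exist, so report presence before deleting anything.
FOR %%K IN ("control panel" restrictions) DO (
    REG QUERY "HKCU\Software\Policies\Microsoft\internet explorer\%%~K" >NUL 2>&1
    IF ERRORLEVEL 1 (
        ECHO ABSENT:  HKCU\Software\Policies\Microsoft\internet explorer\%%~K
    ) ELSE (
        ECHO PRESENT: HKCU\Software\Policies\Microsoft\internet explorer\%%~K
    )
)

ECHO.
ECHO Policy values set to non-zero: %FOUND%
ENDLOCAL
GOTO :EOF

:CHECK
REM %1 = registry key, %2 = value name.
REM REG QUERY exits non-zero when the key or the value is missing.
REG QUERY %1 /v %2 >NUL 2>&1
IF ERRORLEVEL 1 GOTO :EOF
REM The third token of the matching line is the data, e.g. 0x1.
FOR /F "tokens=3" %%D IN ('REG QUERY %1 /v %2 ^| FINDSTR /I "REG_DWORD"') DO (
    IF /I NOT "%%D"=="0x0" (
        ECHO SET:     %1\%2 = %%D
        SET /A FOUND+=1
    )
)
GOTO :EOF
```

Redirect the output to a file on removable media to keep a record of which restrictions were in place before any cleanup.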





 

RE: Removing Whitesmoke Translator virus

(OP)
Yes, I followed your instructions and logged in as Admin in Safe Mode and ran rkill and MB to completion, then rebooted and repeated (my PC had to reboot to remove some of the stuff). Upon rebooting, it complained about a missing file (qltyey.dll) and rkill seemed to turn off my task bar (I noticed a message about C:\Windows\Explorer.EXE (sic) failing and was suspicious about the funny case and noticed that file extensions are hidden and could not find the tools option to make them visible).

RE: Removing Whitesmoke Translator virus

(OP)

Quote (goombawaho):

You can use this to undo the administrative lockouts.  Save this as a batch file (.bat) after pasting into notepad.  Double click it and allow it to run.  It's safe for XP.

I forgot to ask. Do I run this in Safe Mode as Admin?

RE: Removing Whitesmoke Translator virus

Doesn't matter - safe or regular, but run as ADMIN equivalent user.

Try combofix next.  Allow it to finish - don't interrupt it.

Then run an SFC /scannow after the last reboot that it does.

RE: Removing Whitesmoke Translator virus

(OP)
I ran the batch file and it complained about the last two commands (not found).

I attempted to run ComboFix but it complained about AVG on my PC during the install and told me to uninstall it, but my PC didn't let me uninstall AVG.

At this point I gave up and took it to a computer shop to see what they could do, but it sounds like they're going to have to wipe the drive and reinstall XP. I've been thinking about upgrading my PC. Perhaps the computer gawds are telling me it's time.

Thanks for your help, though.

RE: Removing Whitesmoke Translator virus

Yeah, it can get to the point of giving up for time or $$$$ reasons.  Wish I could have gotten my hands on it.

RE: Removing Whitesmoke Translator virus

weberm,

I'm sure it could still be fixed... more than likely anyway, but a clean install will give you the best peace of mind.  Plus, if you didn't have anything on the machine (I'm assuming this one) of any importance, then it's likely the quickest answer to a mean infection anyhow.

Besides getting rid of the virus, if your install was older than a few months, and had any decent amount of usage, you'll get a little bit of performance benefit out of the format and reinstall anyway.  smile

If you want to talk about upgrading hardware (since you mentioned an upgrade), try tossing around some ideas, asking questions over in forum602: PC hardware - General discussion

I was going to say more, but I'm starting to wander off into the weeds. wink

RE: Removing Whitesmoke Translator virus

(OP)
Luckily I am pretty good about making backups and have partially moved my data to a secondary drive. smarty

I also noticed a LOT less directories on files on my hard drive after it was reloaded. lol
