Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

Malware removal (SmokeLoader)

Locked

Tags: Security, Security

Hi all,

first of all thanks for offering your help in these forums, this is great!

Over Christmas, my Laptop got infected with a Smoke Loader Trojan and I can’t get rid of it. Hence I am thankful for any advice!

Ok, I try to get it sorted and provide the history:
In order to burn an mp4 video file to DVD, I plugged my external WD hard drive into my mothers Laptop (a quite old Acer Aspire notebook). As the DVD failed to be played on her player I aimed to convert the file into a suitable format on my laptop using the VLC player. My system is a Lenovo Yoga Thinkpad P40 (no dvd player, hence the HDD) with Windows10 Pro.
After converting the video file, my Laptop showed symptoms like fully occupied CPU and a lot of jumping windows services in the task manager, symptoms that I afterwards also detected on the spreader laptop. I took both laptops from the net and tried to get rid of the malware that was identified as SmokeLoader by 2 antimalware softwares (

What I tried so far did not help:

1) Checking the system with Avira AntiVir, McAfee and Malwarebytes (in windows normal and safe mode)
–> I could quarantine the malware, but upon clearing the laptop crashed during restart (guess an escape mechanism of the trojan)

2) Restore the laptop using a restoration time point before infection –> failed

3) Restoring the laptop with and without deleting personal data
–> Malware still there on the restored Windows system

Is there another thing to consider before formatting the hard drive and running a clean install? I don’t have the key of my windows distribution and don’t want to reconnect the laptop to the internet or USB sources, so a readout from the laptop is no option (or is it?).

Regarding the HDD, is there a way to remove the malware? Can professional IT services provide a guaranteed removal of such malware in order to prevent reinfection or should it be trash-binned? As there is some non-backupped data on it I would prefer a professional rescue.

Sorry for the long post and many thanks in advance! Please let me know if more information is required!

Best wishes,
Chris

Topic

I think….

In reply to Malware removal (SmokeLoader)

….that the only guarantee to remove all elements of the malware would be a reformat of your HDD and reinstall of the OS and programs. Unless you had a physical backup prior to the infection, it will be a lengthy process. The biggest problem is that malware can get into multiple programs/applications and deleting it in one location won’t remove it in all locations. They usually worm their way into multiple files.

Thanks!

In reply to I think….

Thanks for your fast response!
I expected this would be the only safe way to remove it.

Do you have a suggestion regarding the external hard drive thar transferred the malware? Can this be rescued by IT services?

Best wishes,
Chris

Re: external hard drive

In reply to Thanks!

Connect that drive to a PC running Linux (it’s free to make bootable DVD with Linux) and use that to copy the files you don’t yet have a backup of to a USB-stick (check the date last change of those files, if that’s before you used it on your mothers PC they should be safe). Then – after copying the files from the stick to your running and clean laptop and it’s backup) format the hard disk from Linux.

Re: malware removal

In reply to Malware removal (SmokeLoader)

If you can’t remove it, a clean install of Windows 10 seems a good solution. On another Windows device, make a bootable USB stick from https://www.microsoft.com//software-download/windows10 and boot from that in your laptop.
You don’t need a license key. Microsoft already has in their database and the setup program knows how to find it.

If you want to try again.

In reply to Malware removal (SmokeLoader)

My nod is to Bleepingcomputer.com forums as they use different tools and methods. I know folk that like them and others that yell “Hey, it’s so complicated.” But if it can be cleaned up without a clean install (format as some call it) that would be the place.

Thanks for the hint!

In reply to If you want to try again.

Will try it there and if it doesn’t work out I’ll go with the bootable USB stick as Kees_B suggested.
Thanks for the help 🙂

Malware removal working

In reply to Malware removal (SmokeLoader)

did the malware removal work for you?
I’d check your systems are fully safe if you did manage to remove it. Check to see how it may have got there in the first place. Is there a chance it can be added back in if there is no protection on your system? Hope you managed to get it sorted.

Updated: Have you had a look at things like eliminating malware at its delivery mechanism? Because phishing attacks are on the rise and expecting to be this year as mentioned on TitanHQ’s site it may be worth revisiting your devices. Have a look at this info too https://www.titanhq.com/blog/eliminating-malware-at-its-delivery-mechanism/

Malware removal

In reply to Malware removal working

Hi and sorry for not giving an update!

In the end I set up a clean system as I did not manage to get rid of it. I gave the HDD to an IT service to clean it and installed a professional antimalware software. Since then I didn’t have any problems.
Nevertheless, I’d like to thank everyone for the fast response and the help!
Best wishes,
Chris

[Author]

Replies