Author Topic: at a loss to find the virus -- SOLVED!!!  (Read 48627 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33913
  • malware fighter
Re: at a loss to find the virus
« Reply #45 on: July 17, 2010, 07:11:08 PM »
Hi theladyupstairs,

With essexboy's expert help you are in the best of hands really. The man is a qualified, certified malware eliminator trained at geek2go online academies, and that is as heavy a bootcamp as they come; these folks are only let loose on victims of malware as they have proven beyond any doubt they can do so and handle the malcode (take this as a recommendation). He is one of the top malware eliminators we have here in our forums (there are some more) and I know what I am talking about. DavidR is a good general help and confident, but to cleanse malware from your computer in a certified way you need the help of our specialist essexboy.

Good you found essexboy here,

polonus
« Last Edit: July 17, 2010, 07:13:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

theladyupstairs

  • Guest
Re: at a loss to find the virus - Att: essexboy
« Reply #46 on: July 17, 2010, 07:21:51 PM »
essexboy:  thanks for being on board.  you are highly recommended!

so, i started following your directions: i downloaded tdsskiller, extracted the file & ran it.  then i got a black & white screen with the following text, which i have copied by hand because i'm not sure about looking in the root directory, or what i should do next.  it wants me to shut down so it can cure my problem.  it says:

"file "C:\Windows\system32\drivers\mouclass.sys" infected by tdss rootkit.  will be cured on next reboot.
Registry objects infected 0/0/0
File object infected (cured) cured on reboot 1/0/1
to finalize removal of infection & avoid losing data program will reboot your pc now.  close all programs & choose Y to restart or N."

can i look in the root directory for this log before rebooting?  should i reboot?

what should i do?

theladyupstairs

  • Guest
Re: at a loss to find the virus - Att: essexboy
« Reply #47 on: July 17, 2010, 07:31:32 PM »
i have not yet rebooted but i did find that log in the root directory.  sorry i didn't look first.  i tried to copy it into this post but because it exceeded the maximum allowed length for a message, i've attached it instead.

now i will do nothing until i hear from you, except downloading combofix & saving it to my desktop.  i will stop there & await your instructions.  i have not rebooted yet.  waiting for you.

thank you!


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: at a loss to find the virus
« Reply #48 on: July 17, 2010, 07:40:52 PM »
Quote
i thank you also, essex boy.

david - i assume you agree & have nothing to add to essex boy's directions????  i just printed them out & will start work now, but if there's anything you wish to add (considering my lack of tech savvy) please tell me now.  thanks!

In fact I asked him if he had time to pop along ;D

You only need to check the viruses and worms forum and you will see he is the most experienced malware specialist in the forums.

So my advice is to follow his suggestions.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

theladyupstairs

  • Guest
Re: at a loss to find the virus
« Reply #49 on: July 17, 2010, 08:09:39 PM »
thank you, david.  had i known i wouldn't have embarrassed myself by doubting.  please blame my inexperience.

will essex carry on now?

meanwhile, i'm in trouble.  while waiting for word about the log from tdsskiller that i sent as an attachment, i clicked on link 2  and downloaded the combofix file.  i then clicked run, but didn't get a screen that asked where the file should go.  instead, i got some beeps with a "disclaimer" stating that "hrrp://wxw.combofixdownload.biz, hrrp://wxw.combofix.org, and hrrp://wxw.combofixdownload.com are not affiliated to combofix.  and if i was asked to buy something, i should not do it.  and there was more warning info.  so i said "no" and closed the screen.  i am afraid it could be the virus.  i don't know what to do.  i don't know if combofix is downloaded or installed.  please help.

also, while i was opening link 2 i got a screen that i am certain was fake, about downloading a virus scan.  

waiting for further advice.  i'm so eager to get this thing going, so please tell me the little details that i might not know along the way of following the directions.

what's next?

thank you.
« Last Edit: July 17, 2010, 09:10:44 PM by theladyupstairs »

theladyupstairs

  • Guest
Re: at a loss to find the virus
« Reply #50 on: July 17, 2010, 08:28:48 PM »
i am impatient.  i reopened combofix from my downloads folder & this time i clicked "yes" to the disclaimer, and the file started running.  i got a message to disable antivirus & antispyware and that it would continue to run anyway.  i closed it down while it was running.  i don't know how to get combofix to my desktop, which i am told is IMPORTANT!!!  i have failed here.  i don't want to disable my anti stuff until i do it right.

please tell me what to do now.  i'm going to lie down & wait for your reply to all my latest frantic posts.  sorry for all that.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: at a loss to find the virus
« Reply #51 on: July 17, 2010, 08:32:22 PM »
Well it looks to have cleaned one of the two that GMER found suspicious mouclass.sys.

File "C:\WINDOWS\system32\DRIVERS\mouclass.sys" infected by TDSS rootkit ... 10:07:34:573 3776   Backup copy found, using it..

But not the atapi.sys, however the tdsskiller is a specialist tool in the tdss rootkit regard so my guess on what essexboy would say is to proceed to the next step and run combofix as per his instructions. I take it that you have rebooted since running tdsskiller ?

I think that may be a general warning as there are other sites/leeches/pond scum (and you should modify the links you posted so they aren't active, change http to hXXp) that are trying to prey on users looking for combofix to download. The installation is just making you aware of such sites.

I guess you would get the same general warning if you used Link 1, so you could download combofix from that one and try it and see if you get the same warning, a malicious combofix clone/look alike is hardly likely to give such a warning.

What do you mean by "while i was opening link 2 i got a screen that i am certain was fake, about downloading a virus scan. " ?
That is a direct link to the executable file and all you need do is right click on the link and select Save As, Save Link As or Save File As depending on your browser. I think in directly clicking on an executable link your browser is warning; what browser are you using ?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: at a loss to find the virus
« Reply #52 on: July 17, 2010, 08:40:03 PM »
Quote
i am impatient.  i reopened combofix from my downloads folder & this time i clicked "yes" to the disclaimer, and the file started running.  i got a message to disable antivirus & antispyware and that it would continue to run anyway.  i closed it down while it was running.  i don't know how to get combofix to my desktop, which i am told is IMPORTANT!!!  i have failed here.  i don't want to disable my anti stuff until i do it right.

please tell me what to do now.  i'm going to lie down & wait for your reply to all my latest frantic posts.  sorry for all that.

Right click on the file in the download folder and select Copy, now right click on an empty part of the desktop and select Paste, that should send a complete copy to the desktop.

theladyupstairs

  • Guest
Re: at a loss to find the virus
« Reply #53 on: July 17, 2010, 08:48:02 PM »
no!  i did not reboot yet.  according to essex instructions i was only to run tdsskiller, save it to my desktop, run it & send him the contents of the log, which i did in an attachment.  i believe i'm to wait for further instructions.  is that correct?

so i don't know who cleaned one of the two suspicious things.  (i don't really understand the reports)  i don't understand your second sentence, about mouclass.sys.  or the beginning of your third paragraph about atapi.

then, i am unable to proceed to the next step in essex instructions & run combofix because he stresses the IMPORTANCE of saving combofix to the desktop, which i can't seem to do.  i'm not asked where to save it.  it's in my downloads folder & when i click it, it just starts working & tells me to disable my anti stuff.

link 1 was in spanish, and that's why i used link 2 instead.  and yes, i proceeded with it but cannot put it on my desktop.  can you tell me how to do that?

i don't believe that screen was legit.  maybe i am wrong, but it sure looked fake to me. not like any other program i've ever downloaded.  i'm using mozilla firefox browser.

how can i start all over again with combofix?  it's not in program files so i can't uninstall.  should i delete it from my download folder & then download it again?

and should i reboot first?


theladyupstairs

  • Guest
Re: at a loss to find the virus
« Reply #54 on: July 17, 2010, 08:53:13 PM »
yes, but doesn't that mean it's also in my computer, where essex doesn't want it?  i think the reason he wanted it on the desktop is because it shouldn't be on my computer (my documents) when i run it.

i really don't know what i'm talking about, but haven't i made a mistake by not placing it on the desktop in the first place?  will it not be effective now?  doesn't placing a copy on the desktop defeat the purpose?

and should i reboot before doing anything else so the tdsskiller can do its work?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: at a loss to find the virus
« Reply #55 on: July 17, 2010, 09:04:39 PM »
No problem - Reboot after running TDSSKiller and it will do the necessary cleaning, once done then run combofix, agree to the disclaimer and if you are not sure how to turn off Avast then let combofix run - it will do no harm

Quote
But not the atapi.sys, however the tdsskiller is a specialist tool in the tdss rootkit regard so my guess on what essexboy would say is to proceed to the next step and run combofix as per his instructions. I take it that you have rebooted since running tdsskiller ?
Atapi.sys is not actually infected, it has been hooked by the other file to give the appearance of being infected

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: at a loss to find the virus
« Reply #56 on: July 17, 2010, 09:06:55 PM »
The URLs/links you have posted in Reply #49 that combofix warned about are potentially malicious so they need to be edited so they aren't active, avoiding accidental exposure to the curious, e.g. hXXp://wXw.combofixdownload.biz, notice how it isn't active, can't be clicked. So click the Modify button in Reply #49 above and change the URLs in the same way as my example.

To my way of thinking, if tdsskiller has this, then in order to be sure it is completely removed it would need a reboot, and this appears to be confirmed at the bottom of the report (bold text):

Quote
10:07:44:738 3776   Cure on reboot scheduled successfully
10:07:44:738 3776   Completed
10:07:44:738 3776   Results:
10:07:44:738 3776   File objects infected / cured / cured on reboot:   1 / 0 / 1
10:07:44:748 3776   KLMD(ARK) unloaded successfully

Now given that, either tdsskiller would have rebooted the system (?) or you would need to have done it manually. So yes, you should reboot first.

Have you not done as I suggested Copy and Paste in my last reply or haven't you caught up with that yet ?
« Last Edit: July 17, 2010, 09:10:07 PM by DavidR »
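DavidR's reading of the log tail (a "cured on reboot" count of 1 plus the "Cure on reboot scheduled" line means the cleanup is not applied until restart) can be automated. The following is an added example, not code from this thread or from the TDSSKiller tool; it parses lines in the format quoted above and reports whether a reboot is still pending. The sample log is constructed from the lines quoted in the thread, and the function names are my own.

```python
import re

# Constructed sample modelled on the TDSSKiller lines quoted in this thread
# (not the poster's actual attached log).
SAMPLE_LOG = """\
10:07:34:573 3776   File "C:\\WINDOWS\\system32\\DRIVERS\\mouclass.sys" infected by TDSS rootkit ... 10:07:34:573 3776   Backup copy found, using it..
10:07:44:738 3776   Cure on reboot scheduled successfully
10:07:44:738 3776   Completed
10:07:44:738 3776   Results:
10:07:44:738 3776   File objects infected / cured / cured on reboot:   1 / 0 / 1
10:07:44:748 3776   KLMD(ARK) unloaded successfully
"""

# "HH:MM:SS:mmm <pid>   <message>" prefix, as seen in the quoted lines
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")
INFECTED_RE = re.compile(r'File "([^"]+)" infected by (.+?)(?:\s*\.\.\.|$)')
RESULTS_RE = re.compile(
    r"^(File|Registry) objects infected / cured / cured on reboot:\s*(\d+) / (\d+) / (\d+)$"
)


def parse_tdsskiller_log(text):
    """Extract infected files, the Results counters and the reboot flag."""
    report = {"infected_files": [], "results": {}, "cure_on_reboot_scheduled": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        msg = m.group(1) if m else raw.strip()  # tolerate hand-copied lines with no prefix
        hit = INFECTED_RE.search(msg)
        if hit:
            report["infected_files"].append((hit.group(1), hit.group(2)))
        res = RESULTS_RE.match(msg)
        if res:
            report["results"][res.group(1).lower()] = {
                "infected": int(res.group(2)),
                "cured": int(res.group(3)),
                "cured_on_reboot": int(res.group(4)),
            }
        if msg.startswith("Cure on reboot scheduled"):
            report["cure_on_reboot_scheduled"] = True
    return report


def reboot_required(report):
    """True while any object is only 'cured on reboot': nothing is fixed until restart."""
    pending = sum(r["cured_on_reboot"] for r in report["results"].values())
    return report["cure_on_reboot_scheduled"] or pending > 0


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for path, what in rep["infected_files"]:
        print(f"{path}: {what}")
    print("reboot required:", reboot_required(rep))
```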

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89116
  • No support PMs thanks
Re: at a loss to find the virus
« Reply #57 on: July 17, 2010, 09:09:40 PM »
Quote
No problem - Reboot after running TDSSKiller and it will do the necessary cleaning, once done then run combofix, agree to the disclaimer and if you are not sure how to turn off Avast then let combofix run - it will do no harm

So does it matter if it isn't on the desktop or does theladyupstairs have to copy it there as I showed ?

Quote
But not the atapi.sys, however the tdsskiller is a specialist tool in the tdss rootkit regard so my guess on what essexboy would say is to proceed to the next step and run combofix as per his instructions. I take it that you have rebooted since running tdsskiller ?
Atapi.sys is not actually infected, it has been hooked by the other file to give the appearance of being infected

Thanks for that, I understood that it wasn't infected, not that it would be sneaky, making it look infected.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: at a loss to find the virus
« Reply #58 on: July 17, 2010, 09:11:20 PM »
That is combofix stating that you should not download from the links stated - which in this case makes your copy genuine

It should be on the desktop as that is where it expects to be located

theladyupstairs

  • Guest
Re: at a loss to find the virus
« Reply #59 on: July 17, 2010, 09:20:39 PM »
essex: did you receive the contents of the log of tdsskiller that i sent in an attachment?  i thought i needed to wait for further instruction after sending it.

now, is it okay that i do as david suggested - make a copy of combofix from my download folder & place it on my desktop?

i believe i'm able to disable anti virus & spyware so they don't interfere with combofix work, but first i need to know if it's okay to make a copy for the desktop.  i'm sorry i'm so ignorant about these things.  i'm afraid i need to have step by step instructions.

i will first restart my computer because i'm sure tdsskiller wants to cure the bad files.  and that will surely change the job of combofix.  is that correct?  (i didn't do that because you didn't tell me to.)

sorry about the links, which i have modified as david explained.

thank you.