Windows 7 Forums


Windows 7: dclogs directory found may have something to do with wshom.exe

02 Nov 2013   #11
andis59

Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
 
 

Hello Jacee and thank you for all the work you have put into this!

I'm not doubting you but if you have some more information so I can trace back my actions so I don't do the same thing again. (will find new ways of messing up TM)

I try not to download cracks or keygens but sometimes I want to try out a program before buying it and sometimes there isn't a trial...

This Rootkit seems (to me) like it appeared just a couple of weeks ago and I have no recollection of installing a crack at that time. Was actually rather a long time since I used this way of trial...

So if you could tell me what Rootkit I have and where you located it, so I may learn from this!

Thank you very much!


02 Nov 2013   #12
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Your DDS .txt log shows this information:

=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.1.7601 Disk: ST750LX003-1AC154 rev.SM12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E38000]<< >>UNKNOWN [0x8B5D5000]<< >>UNKNOWN [0x8B600000]<< >>UNKNOWN [0x8AFCA000]<< >>UNKNOWN [0x82E01000]<< >>UNKNOWN [0x8B1E8000]<< >>UNKNOWN [0x8B1DE000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Harddisk0\DR0[0x861D8030]
\Driver\Disk[0x85426398] -> IRP_MJ_CREATE -> 0x8B5D939F
3 [0x8B5D959E] -> ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Ide\IdeDeviceP0T0L0-0[0x860B3908]
\Driver\atapi[0x860B1910] -> IRP_MJ_CREATE -> 0x8AFE48CE
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
04 Nov 2013   #13
andis59

Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
 
 

Hello Jacee,

Since I can't paste the log (too long) I attach it and also a screendump of the program after running.

// Anders


Attached Images
dclogs directory found may have something to do with wshom.exe-tdsskiller.gif 
Attached Files
File Type: txt TDSSKiller.3.0.0.16_04.11.2013_16.53.47_log.txt (218.5 KB, 1 views)

04 Nov 2013   #14
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Okay, that came back clean.

Scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
04 Nov 2013   #15
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

dmview.exe
wshom.exe


Also see this: ThreatExpert Report
05 Nov 2013   #16
andis59

Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
 
 

Ok, Eset found two threats

Quote:
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
By the looks of it Spybot has already found them but I haven't deleted the quarantined files.
I did delete the files this time.

I had a look at ThreatExpert Report and the files, which I have removed, were located where they say, and the directory dclogs also. The Registry Keys and Values I can't find using RegEdit - Find, so maybe I found the threat before it activated (or maybe there is a new version that does things differently...)

Is there anything more I should do?
05 Nov 2013   #17
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Delete the quarantined files that Eset found. Also, delete all of these files and folders (folders are located in C:\Program files\) :

c:\jdownloader\jd\plugins\hoster\crackedcom.class
c:\program files\git\bin\ssh-keygen.exe
c:\program files\ik multimedia\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\all about crackle.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\crack down mama.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\ame\documents\abc notation\the abc music project\abcmidi\crack.c
c:\users\ame\documents\ableton\library\presets\audio effects\vinyl distortion\crack.adv
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng-help.cmd
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng.exe
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\crark34\crackme.def
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\sampletank_free_sounds\sampletank free sounds\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
scanner sequence 3.ZZ.11.FONAJZ

Once you have done the above, download Security Check by screen317 from here http://screen317.spywareinfoforum.org/SecurityCheck.exe or here http://screen317.spywareinfoforum.org/
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
06 Nov 2013   #18
andis59

Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
 
 

I removed all the files, although most of them are only on the list because of their name containing the word 'crack', e.g. tchaikovsky__nutcracker_.

Here is the result:

Results of screen317's Security Check version 0.99.76
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.2004)
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
JavaFX 2.1.1
Java 7 Update 45
Adobe Flash Player 11.9.900.117
Adobe Reader XI
Mozilla Firefox (Firefox,. Firefox out of Date!
Mozilla Thunderbird (24.1.0)
Google Chrome 30.0.1599.101
Google Chrome Plugins...
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

I have checked and I have the latest version of Firefox, so there is something wrong with the program...
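Post #18 above makes the point that most of the files on the list were flagged only because their name contains the word "crack" (nutcracker MIDI files, numpy's crackfortran.py, Git's ssh-keygen.exe). The script below is an added example, not code from the forum, from DDS or from ESET: it ranks a keyword-generated file list so that file names that are exactly the keyword are reviewed first and names that merely contain it inside another word come last, and it marks hits that live under an installed-software directory. The keyword list, the three-tier ranking and the directory flag are assumptions of this example, and the sample paths are a constructed, shortened selection modelled on the thread's list.

```python
"""Rank a keyword-generated 'suspicious file' list for manual review.

Added example, not code from the forum, from DDS or from ESET. The ranking
rule is an assumption: a file-name token that is exactly the keyword ranks
above a token that merely starts with it ('crackfortran'), which ranks above
a token that contains it inside another word ('nutcracker'). The ranking
orders review; it does not decide whether a file is malicious.
"""
import re
from collections import Counter

KEYWORDS = ("crack", "keygen")

# Directories where a hit is usually a component of installed software (assumption).
PROGRAM_DIRS = ("\\program files\\", "\\program files (x86)\\", "\\site-packages\\")

# Constructed sample: a shortened selection modelled on the paths in the thread.
SAMPLE_PATHS = [
    r"c:\program files\git\bin\ssh-keygen.exe",
    r"c:\program files\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py",
    r"c:\users\ame\documents\music\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid",
    r"c:\users\ame\documents\abc notation\the abc music project\abcmidi\crack.c",
    r"c:\users\ame\downloads\crark34\crackme.def",
    r"c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng.exe",
]

RANK = {"exact": 0, "prefix": 1, "embedded": 2}


def basename_tokens(path):
    """Split the file name (extension removed) into lowercase alphanumeric tokens."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return [t for t in re.split(r"[^a-z0-9]+", stem) if t]


def match_kind(path, keywords=KEYWORDS):
    """Return (kind, keyword) for the strongest keyword hit in the file name.

    kind is 'exact', 'prefix' or 'embedded'; (None, None) when no keyword
    occurs in the file name at all.
    """
    best = None
    for kw in keywords:
        for tok in basename_tokens(path):
            if tok == kw:
                kind = "exact"
            elif tok.startswith(kw):
                kind = "prefix"
            elif kw in tok:
                kind = "embedded"
            else:
                continue
            if best is None or RANK[kind] < RANK[best[0]]:
                best = (kind, kw)
    return best if best else (None, None)


def triage(paths, keywords=KEYWORDS):
    """One record per path that actually matches, strongest hits first.

    Within a tier, hits outside installed-software directories sort first,
    since those are the ones the user put there.
    """
    records = []
    for p in paths:
        kind, kw = match_kind(p, keywords)
        if kind is None:
            continue  # keyword not in the file name (e.g. the hit was on a directory)
        records.append({
            "path": p,
            "kind": kind,
            "keyword": kw,
            "in_program_dir": any(d in p.lower() for d in PROGRAM_DIRS),
        })
    records.sort(key=lambda r: (RANK[r["kind"]], r["in_program_dir"]))
    return records


def summarize(records):
    """Count how many hits fall into each tier."""
    return Counter(r["kind"] for r in records)


if __name__ == "__main__":
    ranked = triage(SAMPLE_PATHS)
    for r in ranked:
        flag = "installed-software path" if r["in_program_dir"] else ""
        print(f"{r['kind']:<8} {r['keyword']:<6} {flag:<24} {r['path']}")
    print(dict(summarize(ranked)))
```

On the constructed sample the two exact-token hits (crack.c and ssh-keygen.exe) come out first, the prefix hits (crackme.def, crackfortran.py) next, and the nutcracker and aircrack-ng names last; the installed-software flag on ssh-keygen.exe and crackfortran.py is the cue to check the owning package before deleting anything.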
06 Nov 2013   #19
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Tell me how your computer is now.
08 Nov 2013   #20
andis59

Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
 
 

From what I can see it's OK!

Thanks for all the work you have put into this!

Best Wishes