dclogs directory found may have something to do with wshom.exe

Page 2 of 3 FirstFirst 123 LastLast

  1. Posts : 77
    Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter

    Hello Jacee and thank you for all the work you have put into this!

    I'm not doubting you but if you have some more information so I can trace back my actions so I don't do the same thing again. (will find new ways of messing up TM)

    I try not to download cracks or keygens but sometimes I want to try out a program before buying it and sometimes there isn't a trial...

    This Rootkit seems (to me) like it appeared just a couple of weeks ago and I have no recollection of installing a crack at that time. Was actually rather a long time since I used this way of trial...

    So if you could tell me what Rootkit I have and where you located it, so I may learn from this!

    Thank you very much!
      My Computer

  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1

    Your DDS .txt log shows this information:

    =================== ROOTKIT ====================
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
    Windows 6.1.7601 Disk: ST750LX003-1AC154 rev.SM12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: >>UNKNOWN [0x82E38000]<< >>UNKNOWN [0x8B5D5000]<< >>UNKNOWN [0x8B600000]<< >>UNKNOWN [0x8AFCA000]<< >>UNKNOWN [0x82E01000]<< >>UNKNOWN [0x8B1E8000]<< >>UNKNOWN [0x8B1DE000]<<
    _asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
    1 ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Harddisk0\DR0[0x861D8030]
    \Driver\Disk[0x85426398] -> IRP_MJ_CREATE -> 0x8B5D939F
    3 [0x8B5D959E] -> ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Ide\IdeDeviceP0T0L0-0[0x860B3908]
    \Driver\atapi[0x860B1910] -> IRP_MJ_CREATE -> 0x8AFE48CE
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    Please read carefully and follow these steps.

    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
      My Computer

  3. Posts : 77
    Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter

    Hello Jacee,

    Since I can't paste the log (too long) I attach it and also a screendump of the program after running.

    // Anders
    Attached Thumbnails Attached Thumbnails dclogs directory found may have something to do with wshom.exe-tdsskiller.gif  
    dclogs directory found may have something to do with wshom.exe Attached Files
      My Computer

  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1

    Okay, that came back clean.

    Scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push
      My Computer

  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1


    Also see this: ThreatExpert Report
      My Computer

  6. Posts : 77
    Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter

    Ok, Eset found two threats

    C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm
    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
    By the looks of it Spybot has already found them but I haven't deleted the quarantined files.
    I did delete the files this time.

    I had a look at ThreatExpert Report and the files, which I have removed, was located where they say and the directory dclogs also. The Registry Keys and Values I can't find using RegEdit - Find, so maybe I found the threat before it activated (of maybe there is a new version that does things differently...)

    Is there anything more I should do?
      My Computer

  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1

    Delete the quarantined files that Eset found. Also, delete all of these files and folders (folders are located in C:\Program files\) :

    c:\program files\git\bin\ssh-keygen.exe
    c:\program files\ik multimedia\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
    c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\all about crackle.stip
    c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\crack down mama.stip
    c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\smack crack.stip
    c:\program files\ik multimedia\sampletank 2.5\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
    c:\program files\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
    c:\users\ame\documents\abc notation\the abc music project\abcmidi\crack.c
    c:\users\ame\documents\ableton\library\presets\audio effects\vinyl distortion\crack.adv
    c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
    c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
    c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
    c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
    c:\users\ame\downloads\sampletank_free_sounds\sampletank free sounds\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
    scanner sequence 3.ZZ.11.FONAJZ

    Once you have done the above, download Security Check by screen317 from here http://screen317.spywareinfoforum.org/SecurityCheck.exe or here http://screen317.spywareinfoforum.org/
    Save it to your Desktop.
    Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    A Notepad document should open automatically called checkup.txt.
    Please post the contents of that document.
      My Computer

  8. Posts : 77
    Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter

    I removed all the files, although most of them are only on the list because of their name containing the word 'crack', e.g. tchaikovsky__nutcracker_.

    here is the result:

    Results of screen317's Security Check version 0.99.76
    Windows 7 Service Pack 1 x86 (UAC is enabled)
    Internet Explorer 10
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (
    Malwarebytes Anti-Malware version
    JavaFX 2.1.1
    Java 7 Update 45
    Adobe Flash Player 11.9.900.117
    Adobe Reader XI
    Mozilla Firefox (Firefox,. Firefox out of Date!
    Mozilla Thunderbird (24.1.0)
    Google Chrome 30.0.1599.101
    Google Chrome Plugins...
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````

    I have checked and I have the latest version of Firefox, so there is something wrong with the program...
      My Computer

  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1

    Tell me how your computer is now.
      My Computer

  10. Posts : 77
    Microsoft Windows 7 Ultimate 32-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter

    What I can see it's OK!

    Thanks for all the work you have put into this!

    Best Wishes
      My Computer

Page 2 of 3 FirstFirst 123 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 15:45.
Find Us