Solved dclogs directory found may have something to do with wshom.exe

[andis59]

It started with that I found some processes that I didn't recognized
dmview.exe
wshom.exe

http://www.sevenforums.com/general-discussion/309725-programs-appdata-microsoft-windows.html

I ( Malwarebytes Anti-Malware) then found a directory and some files named dclogs
Folders Detected: 1
C:\Users\ame\AppData\Roaming\dclogs (Stolen.Data) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Users\ame\AppData\Roaming\dclogs\2013-10-26-7.dc (Stolen.Data) -> Quarantined and deleted successfully.
C:\Users\ame\AppData\Roaming\dclogs\2013-10-27-1.dc (Stolen.Data) -> Quarantined and deleted successfully.

So I have deleted the programs and the files and directory. What do I do next?

 

[Jacee]

Clean out all temporary folders. Download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

 

[andis59]

Ok, I have now run TCF and it removed 750 MB.

Should I do anything else?

PS! Sorry about the delay I've been into hospital for a operation, back almost like new...

 

[Jacee]

Hope you're doing a bit better after surgery

You didn't say if your computer was doing any better after using TFC, so if not, download DDS from one of these links:
DDS.com
DDS.pif

• Disable any script blocking protection
• Double click the dds icon to run the tool.
• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt <--- will be minimized in the task tray
• Save both reports to your desktop.

Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.

 

[andis59]

Just to be sure. Should I attach both logs or should I paste DDS.txt and attach Attach.txt or paste both?

 

[Jacee]

Yes, you can attach both logs.

 

[andis59]

OK, here they are.

 

[Jacee]

Download CKScanner by askey127 from HERE
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.

After a very short time, when the cursor hourglass disappears, click Save List To File. It will appear that CKS isn't doing anything...it is, so just be patient!

A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

 

[andis59]

Here is the result

================================
CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\jdownloader\jd\plugins\hoster\crackedcom.class
c:\program files\git\bin\ssh-keygen.exe
c:\program files\ik multimedia\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\all about crackle.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\crack down mama.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\ame\documents\abc notation\the abc music project\abcmidi\crack.c
c:\users\ame\documents\ableton\library\presets\audio effects\vinyl distortion\crack.adv
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng-help.cmd
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng.exe
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\crark34\crackme.def
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\sampletank_free_sounds\sampletank free sounds\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
scanner sequence 3.ZZ.11.FONAJZ
----- EOF -----

================================

 

[Jacee]

You have a Rootkit and no doubt it's due to downloading "cracks and keygens" ---> (Stolen.Data).

You can clean all this up by doing a 'wipe' and "clean install", providing your copy of Windows 7 is legit. http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

Good luck!

 

[andis59]

Hello Jacee and thank you for all the work you have put into this!

I'm not doubting you but if you have some more information so I can trace back my actions so I don't do the same thing again. (will find new ways of messing up TM)

I try not to download cracks or keygens but sometimes I want to try out a program before buying it and sometimes there isn't a trial...

This Rootkit seems (to me) like it appeared just a couple of weeks ago and I have no recollection of installing a crack at that time. Was actually rather a long time since I used this way of trial...

So if you could tell me what Rootkit I have and where you located it, so I may learn from this!

Thank you very much!

 

[Jacee]

Your DDS .txt log shows this information:

=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 6.1.7601 Disk: ST750LX003-1AC154 rev.SM12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x82E38000]<< >>UNKNOWN [0x8B5D5000]<< >>UNKNOWN [0x8B600000]<< >>UNKNOWN [0x8AFCA000]<< >>UNKNOWN [0x82E01000]<< >>UNKNOWN [0x8B1E8000]<< >>UNKNOWN [0x8B1DE000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Harddisk0\DR0[0x861D8030]
\Driver\Disk[0x85426398] -> IRP_MJ_CREATE -> 0x8B5D939F
3 [0x8B5D959E] -> ntkrnlpa!IofCallDriver[0x82E6EBBA] -> \Device\Ide\IdeDeviceP0T0L0-0[0x860B3908]
\Driver\atapi[0x860B1910] -> IRP_MJ_CREATE -> 0x8AFE48CE
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !


Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and double click on TDSSKiller.exe to run the application, then on Start Scan.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

 

[andis59]

Hello Jacee,

Since I can't paste the log (too long) I attach it and also a screendump of the program after running.

// Anders

 

[Jacee]

Okay, that came back clean.

Scan your machine with ESET OnlineScan

1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
   ESET OnlineScan
2. Click the
   
   button.
3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
   1. Click on
      
      to download the ESET Smart Installer. Save it to your desktop.
   2. Double click on the
      
      icon on your desktop.
4. Check
   
5. Click the
   
   button.
6. Accept any security warnings from your browser.
7. Check
   
8. Push the Start button.
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
10. When the scan completes, push
    
11. Push
    
    , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Push the
    
    button.
13. Push
    

 

[Jacee]

dmview.exe
wshom.exe

Also see this: ThreatExpert Report

 

[andis59]

Ok, Eset found two threats

C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\WinDownloadergen.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

By the looks of it Spybot has already found them but I haven't deleted the quarantined files.
I did delete the files this time.

I had a look at ThreatExpert Report and the files, which I have removed, was located where they say and the directory dclogs also. The Registry Keys and Values I can't find using RegEdit - Find, so maybe I found the threat before it activated (of maybe there is a new version that does things differently...)

Is there anything more I should do?

 

[Jacee]

Delete the quarantined files that Eset found. Also, delete all of these files and folders (folders are located in C:\Program files\) :

c:\jdownloader\jd\plugins\hoster\crackedcom.class
c:\program files\git\bin\ssh-keygen.exe
c:\program files\ik multimedia\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\all about crackle.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\crack down mama.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\drums\acoustic\smack crack.stip
c:\program files\ik multimedia\sampletank 2.5\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
c:\program files\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\ame\documents\abc notation\the abc music project\abcmidi\crack.c
c:\users\ame\documents\ableton\library\presets\audio effects\vinyl distortion\crack.adv
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng-help.cmd
c:\users\ame\documents\trusted\hashcatgui\cap2hccap\aircrack-ng.exe
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\documents\visual studio 2010\projects\private\music\midisheetmusic-2.3-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\crark34\crackme.def
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_reed_flutes.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_dance_of_the_sugar_plum_fairies.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_march_of_the_toy_soldiers.mid
c:\users\ame\downloads\midisheetmusic-2.4-win-src\midisheetmusic-2.4-win-src\songs\tchaikovsky__nutcracker_-_waltz_of_the_flowers.mid
c:\users\ame\downloads\sampletank_free_sounds\sampletank free sounds\instruments\sampletank 2 sounds\drums\acoustic\smack crack.stip
scanner sequence 3.ZZ.11.FONAJZ

Once you have done the above, download Security Check by screen317 from here http://screen317.spywareinfoforum.org/SecurityCheck.exe or here http://screen317.spywareinfoforum.org/
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

 

[andis59]

I removed all the files, although most of them are only on the list because of their name containing the word 'crack', e.g. tchaikovsky__nutcracker_.

here is the result:

Results of screen317's Security Check version 0.99.76
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Secunia PSI (3.0.0.2004)
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
JavaFX 2.1.1
Java 7 Update 45
Adobe Flash Player 11.9.900.117
Adobe Reader XI
Mozilla Firefox (Firefox,. Firefox out of Date!
Mozilla Thunderbird (24.1.0)
Google Chrome 30.0.1599.101
Google Chrome Plugins...
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

I have checked and I have the latest version of Firefox, so there is something wrong with the program...

 

[Jacee]

Tell me how your computer is now.

 

[andis59]

What I can see it's OK!

Thanks for all the work you have put into this!

Best Wishes