Jump to content

DarkComet dclogs folder found, what next?


Recommended Posts

I was browsing some sketchier websites (sorry for being stupid) while Malwarebytes was running scans in the background when a threat detection notification popped up saying it found something. I immediately looked at the report and it said it found the logs folder from a DarkComet RAT. That was the only thing detected, no actual log files sitting in the folder like most other people found when they detected the problem folder. After doing some initial research about the threat, I found some conflicting information on what to do next. I found this article saying to just nuke the drive and start over from complete scratch because of the nature of RATs, which I'd rather not do if I could continue using this computer with a reasonable amount of safety. I also found a more recent article about an issue with the same malware which seemed to have many more tests being done but didn't end up fully resolved. Not sure where to go next, but for now I'm leaving Malwarebytes running overnight doing a scan of both my drives with the maximum thoroughness settings (before messing with the advanced scan settings).

I haven't restarted my computer since the folder was detected, too worried something could happen. As soon as I make this post I'm going to disable the wireless card and just let it finish up running scans. On the bright side, the folder hasn't reappeared in the ~3 hours since it was removed, and I have wireshark installed which I'll be happy to turn on if anybody wants/needs some traffic logs.

Additional guidance would be highly appreciated. Hoping this is somehow just a fluke and I don't actually have to worry about anything.

P.S. I removed my account name from the attached logs and replaced it with just "username". You can call me Jayce.

Addition.txt FRST.txt original-malwarebytes-scan-log.txt

Link to post
Share on other sites

Hello Jayce and welcome to Malwarebytes,

Do not see any obvious Malware or Infection in logs from FRST, can you tell me if you recognise or are aware ofthe following entries:

Quote

Shortcut: C:\Users\username\Desktop\SnippingTool+OCR.lnk -> C:\Users\username\Downloads\SnippingTool+OCR\run me.bat ()
Shortcut: C:\Users\username\Desktop\thotpolice saltycup.lnk -> C:\Users\username\Documents\GitHub\ThotPolice\v3\saltycup.bat ()
Shortcut: C:\Users\username\Desktop\thotPolice.lnk -> C:\Users\username\Documents\GitHub\ThotPolice\v3\run.bat ()

Next,

user posted imageScan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

Thank you,

Kevin

Link to post
Share on other sites

My system has been working normally for the most part so far. 

My biggest concern is that there's still some kind of backdoor or other malware still present that is hiding itself, as this post seems to claim is possible.

If you guys can confirm that isn't possible, I'll be on my merry way and we can close up this thread. 

Many thanks.

Link to post
Share on other sites

I understand your concerns, the post you quoted was from 2012 and the folder in question had several entries. In your case the folder is empty, the question still requiring an answer is: how was the folder created, also why..

dclogs directory and its contents are produced by infostealer malware, usually that folder would have many entries with logged data. I believe in your case the original infection must have been stopped before it got the chance to do any damage. Lets run another indepth scan and see if anything is found...

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add -dontcryptsupportinfo Note the space between KVRT.exe and -dontcryptsupportinfo

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo should now show in the Run box.

user posted image

That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20200727_103821.klr Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply.

To start the scan select OK in the "Run" box.

user posted image

The Windows Protected your PC window will open, select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

user posted image

Attach the report information as previously instructed....
 
Thank you,
 
Kevin
Link to post
Share on other sites

Looks like we got a hit for a DarkComet backdoor.

image.png.d39c8060e25127c2b966b569dd28d87e.png

The other stuff was just detecting files from SecLists. I downloaded it a while ago for educational reasons and forgot about it, when it started showing up in this scan I just decided to delete the repo. I stopped the scan when I realized it was trying to scan through 42.zip, going to restart now and see if it finds anything else. 

I had the infected file on my computer for about a year but I never actually touched it... (kind of a stupid question but) could it really do a whole lot just sitting on my computer without ever actually being run by me? Is it time to go full damage control and reset all passwords? Finding the malware has been a huge weight off, but now I have to worry about how much damage - if any - was already done. Could it have been passively collecting data all this time without my knowledge or would the passive collection have to be consolidated in those log files like the other people saw? Was the dclogs folder only found recently because the backdoor was used recently? Is the folder just something the program generates when run, or was it detected because my copy of Malwarebytes forced me to accept the premium trial and a better scan found it, or did I find it out of sheer luck?

Any answers you can offer would be hugely appreciated but I understand some are rather specific to this piece of malware and you may not have the answers immediately available.

Your help so far has been superb. I don't expect to find anything else from the scan but I'll be sure to post it here if I do. 

Link to post
Share on other sites

Hello airplane1256,

I would definitely renew/change all passwords only when we are sure your system is clean, specifically any with a financial impact. If you could change them from a different PC or smart phone, eg banking, ebay, amazon, credit card services etc I would do it now..

If you have not seen any activity on any financially impacted apps I would worry a lot less. As you`ve iniated another scan lets wait and see what the log says this time...

Thank you,

Kevin...

Link to post
Share on other sites

It seemed like it ran into some sort of error scanning my boot drive, pictured below.image.thumb.png.a30318589a12688d86da427384342620.png

I scanned just my games drive and it seemed clear:

image.png.7c19ede3fd08b2352714d95561931211.png

 

I spent last night trying to let it run on my boot drive again but it ended with the same results message, but with a slightly smaller amount of objects processed. Going to scan individual folders this time.

Sorry for going silent, I just wanted to see if it would have the same error a second time, and these scans I leave running overnight.

 

Link to post
Share on other sites

Hiya airplane1256,

We still need an indepth scan to ensure your system is clean, try the following:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you,

Kevin

Link to post
Share on other sites

No threats found from virus removal, log file attached.

However in the mean time Malwarebytes logged some apparently suspicious traffic coming from my computer. Normally I don't worry about this sort of traffic as they're all coming from files that normally run updates on the games I have installed and I've had false alarms in the past on my other computers, but when I saw three of the four logs were trying to connect to the same IP all for different games by different companies I thought it was too suspicious to be ignored. I could just be extra paranoid because of recent events but I'll still attach the MB logs for those cases if you want to take a look.

SophosVirusRemovalTool.log log1.txt log2.txt log3.txt log4.txt

Link to post
Share on other sites

Hello airplane1256,

IP Address: 181.113.119.134 Seems to be legitimate, there is no evidence of spamming or hijacking. https://cleantalk.org/blacklists/181.113.119.134 One of several searches...

IP Information for 181.113.119.134
Quick Stats
IP Location     Ecuador Ecuador Santo Domingo De Los Colorados Corporacion Nacional De Telecomunicaciones - Cnt Ep
ASN     Ecuador AS28006 CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP, EC (registered Oct 06, 2008)
Whois Server     whois.lacnic.net
IP Address     181.113.119.134

IP Address: 188.169.20.90 Is known for spamming and suspicious activity. https://cleantalk.org/blacklists/188.169.20.90 One of several searches.

IP Information for 188.169.20.90
Quick Stats
IP Location     Georgia Georgia Tbilisi Jsc Silknet
ASN     Georgia AS35805 SILKNET-AS, GE (registered Oct 31, 2005)
Resolve Host     188-169-20-90.dsl.utg.ge
Whois Server     whois.ripe.net
IP Address     188.169.20.90

Malwarebytes is blocking both IP addresses so your system is quite safe. I suppose the only way to block such calls totally would be to uninstall the relevent software.

Thanks,

Kevin...

Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.