Jump to content

DClogs Backdoor.DarkComet - Help


Go to solution Solved by kevinf80,

Recommended Posts

Hi everybody!

Long story short, I did a scan with Malwarebytes today and it found 106 threats and some logs that seem to be logging whatever I typed, whatever I opened up. I searched on the forum and on other sites, and several people seem to have been hit by the same thing but most users stop responding and the whole situation stays unresolved. I'd like to get this resolved and possibly help others  in the same situation when they search for it in the future. I'm not great at security, I know the basics but  unfortunately lacked of when it comes to security for some time now. That's my bad and I've learned my lesson. My PC was not behaving differently in the time where this has been going on. After I used MB I used Windows Defender and it found nothing, I've used ESET Online Scanner that I found here and it found nothing as either. I'm pretty sure I'm going to use the wrong nomenclature from time to time and I apologize.

Logs.txt

 

I attached the logs of Malwarebytes.

 

1) The folder where the logs of the keylogger have been has been quarantined. I don't see any logs anymore and there are no new ones coming up (it's only been 3 hours though). Am I safe now or should I suspect it's still going on somewhere in the background?

2) Assuming I use 2FA for my bank accounts (fingerprint scanner on mobile phone, SMS,...) and assuming the trojans/keyloggers have been quarantined. 

3) I assume the only way to be completely safe is to do a complete wipe of the computer, right? How unsafe is it to use the PC without doing that? The only other person who uses it and who has data on it is away for at least 2 weeks and I'd rather she safe her files herself before I reinstall everything.

4) How can I prevent this in the future other than doing regular searches?

 

Link to post
Share on other sites

I'm sorry I realize I haven't finished my second question:

 

4 hours ago, rollerstroller said:

2) Assuming I use 2FA for my bank accounts (fingerprint scanner on mobile phone, SMS,...) and assuming the trojans/keyloggers have been quarantined. 

Is it safe to keep using my accounts with those keywords (I use a password manager and those passwords are very secure)? I have never had suspicious activity so far. 

Link to post
Share on other sites
Hello rollerstroller and welcome to Malwarebytes,

Run the following scan, lets see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English if English is not your primary language
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Thank you,

Kevin
Link to post
Share on other sites
Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Program Files (x86)\Tautulli\Tautulli.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
Link to post
Share on other sites

https://www.virustotal.com/gui/file/8b22fae1c6741d578948ce657f4d4d9555d0221959a73557f4a79725fa2d04f4/detection

Tautulli does show up on Virus total. It's weird, but apparently that does happen. It's a nifty monitoring tool for Plex that I'd like to keep. Would you get rid of it? There's several posts on reddit about how it shows up for other people too. 

Link to post
Share on other sites
  • Solution

Hiya rollerstroller,

I got mixed reviews when doing a Google search, hence I asked you to upload to ViruTotal. Although there are 5 hits at VT i`m still not sure Tautulli  is malicious. If you know of and trust this software then its really your choice whether to keep or remove...

Continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin



Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,


Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin..

fixlist.txt

Link to post
Share on other sites

Hello Kevin

 

Ok, so I did what you told me. I ran the Farbar Recovery Scan Tool with the Fixlist you attached. I ran MWB and the AdwCleaner (both clean) and I ran the Microsoft Safety Cleaner. On the last one I accidentally used the full scan. 

 

And here is msert.log:

Microsoft Safety Scanner v1.333, (build 1.333.730.0)
Started On Thu Mar 18 20:53:57 2021

Engine: 1.1.17900.7
Signatures: 1.333.730.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Mar 18 20:56:45 2021


Return code: 0 (0x0)
 

AdwCleaner[C02].txt MWB after Fixlog.txt Fixlog.txt

Link to post
Share on other sites

Hello rollerstroller,

Yes your system is clean, all we need to do now is clean up:

Right click on FRST here: C:\Users\Goran\Desktop\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Condsider the following:

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.