Got scammed into installing a remote hijack and don't know how to properly remove it

Today someone added me and asked me to play together with them.

They wanted to chat and sent me this

Later he sent me this link: hXXp://raidcallsoft.com/download.html

It sent me some zip file with said program inside.

My Avast didn't detect anything, and after that I got hijacked: he found some way to use a remote desktop connection on me (even while I'm actually using the computer).

Can you help me identify and properly remove said program? I have a big internal hard drive and it would kill me to completely format it (at least not until I back up my data first; even then I'm afraid that said program also got copied).

Please help me, dude.

-- UPDATE --

Looking up https://www.virustotal.com/en/file/a8e09d39a95b399d6c386a8d1c884319c58734a63aad8ec51f70066082f8ffcb/analysis/

Said program goes undetected by most forms of AV protection.

How to receive help instructions: https://forum.avast.com/index.php?topic=53253.0
Attach requested logs

Sorry, didn't know about it before; will upload logs ASAP.

Log folder attached on the first post. For the Malwarebytes scan I accidentally scanned it for the second time, and can't export the first log files to txt, so I just converted the xml format from programdata/malwarebytes to txt.

Let me know if this stops it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe [3802448 2014-09-04] (LogMeIn Inc.)
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=G5L9HfOU_iEf45oSsf6wO0FKxUA?q={searchTerms}
SearchScopes: HKCU - {AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} URL = http://www.daemon-search.com/search?q={searchTerms}
Toolbar: HKCU - No Name - {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
FF Plugin: @raidcall.en/RCplugin -> C:\Users\Ayu\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF NetworkProxy: "backup.ftp", "118.97.95.174"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "118.97.95.174"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "118.97.95.174"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "120.203.215.11"
FF NetworkProxy: "ftp_port", 80
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "http", "120.203.215.11"
FF NetworkProxy: "http_port", 80
FF NetworkProxy: "no_proxies_on", "localhost, 127.0.0.1,youtube.com/*,facebook.com/*,"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "120.203.215.11"
FF NetworkProxy: "socks_port", 80
FF NetworkProxy: "ssl", "120.203.215.11"
FF NetworkProxy: "ssl_port", 80
FF NetworkProxy: "type", 0
2014-10-28 21:07 - 2014-10-28 06:33 - 00105521 _____ () C:\raidcall_v7.3.6.zip
C:\Users\MC\jdk-6u11-windows-i586-p.exe
C:\Users\MC\jre-6u11-windows-i586-p.exe
2014-10-28 06:27 - 2014-10-28 06:27 - 00000000 ____D () C:\Users\Ayu\AppData\Roaming\raidcall
2014-10-28 06:26 - 2014-10-28 06:26 - 00000989 _____ () C:\Users\Ayu\AppData\Roaming\Microsoft\Windows\Start Menu\RaidCall.lnk
2014-10-28 06:26 - 2014-10-28 06:26 - 00000965 _____ () C:\Users\Ayu\Desktop\RaidCall.lnk
2014-10-28 06:26 - 2014-10-28 06:26 - 00000965 _____ () C:\Users\Ayu\Desktop\RaidCall.lnk
2014-10-28 06:29 - 2012-12-01 11:26 - 00000000 ____D () C:\Program Files\RaidCall
C:\Users\MineCraft Full Version\MinecraftSP.bat
C:\Users\MineCraft Full Version\MinecraftSP.exe
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Ayu:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\ProgramData\Templates:gs5sys
AlternateDataStreams: C:\Users\Ayu\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\Application Data:gs5sys
AlternateDataStreams: C:\Users\Ayu\Cookies:gs5sys
AlternateDataStreams: C:\Users\Ayu\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Ayu\Templates:gs5sys
AlternateDataStreams: C:\Users\Ayu\Desktop\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF2.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF2.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Desktop\Surat Kerja Praktek.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\Surat Kerja Praktek.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Downloads\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Ayu\Documents\asdfghjk.txt.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Documents\asdfghjk.txt.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
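The "FF NetworkProxy" lines in the fixlist above are what FRST reads out of Firefox's prefs.js: every proxy scheme (http, ssl, ftp, socks, plus the backup.* copies) points at the same outside address, while "type", 0 means Firefox is not currently using them. The script below is an added example, not part of this thread or of FRST, and not the tool the helper used: it parses the user_pref() lines of a prefs.js directly, reports each proxy host that is not loopback, and says whether network.proxy.type actually makes that proxy active. The SAMPLE_PREFS text is constructed to mirror the values in the fixlist; pass a real profile path to audit_file() to check your own profile.

```python
# Added example: audit Firefox network.proxy.* prefs for non-local proxy hosts.
# Not FRST's code; the sample prefs.js below is constructed from the fixlist values.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Union

PrefValue = Union[str, int, bool]

# Matches one preference line, e.g. user_pref("network.proxy.http", "1.2.3.4");
PREF_RE = re.compile(r'^\s*user_pref\("(network\.proxy\.[^"]+)",\s*(.*?)\);\s*$')

# Documented meanings of network.proxy.type.
PROXY_TYPES = {0: "no proxy (direct)", 1: "manual", 2: "PAC script",
               4: "auto-detect (WPAD)", 5: "system"}

# Prefs that carry a proxy host. backup.* entries are stored copies of the
# per-protocol values; they are reported because the fixlist resets them too.
SCHEMES = ("http", "ssl", "ftp", "socks",
           "backup.http", "backup.ssl", "backup.ftp", "backup.socks")


@dataclass(frozen=True)
class ProxyFinding:
    scheme: str
    host: str
    port: int
    active: bool  # True only when network.proxy.type selects manual proxying


def _decode(raw: str) -> PrefValue:
    """Turn the literal after the comma into str, bool or int."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_proxy_prefs(text: str) -> Dict[str, PrefValue]:
    """Return network.proxy.* prefs keyed without the 'network.proxy.' prefix."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            key, raw = m.groups()
            prefs[key[len("network.proxy."):]] = _decode(raw)
    return prefs


def is_local_host(host: str) -> bool:
    """Empty, 'localhost' or a loopback IP address counts as local."""
    if not host or host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify is reported, not trusted


def audit(prefs: Dict[str, PrefValue]) -> List[ProxyFinding]:
    """List every proxy scheme whose host is not local, flagging active ones."""
    ptype = prefs.get("type", 0)
    findings: List[ProxyFinding] = []
    for scheme in SCHEMES:
        host = prefs.get(scheme)
        if not isinstance(host, str) or is_local_host(host):
            continue
        port = prefs.get(f"{scheme}_port", 0)
        active = ptype == 1 and not scheme.startswith("backup.")
        findings.append(ProxyFinding(scheme, host, port if isinstance(port, int) else 0, active))
    return findings


def audit_file(path: str) -> List[ProxyFinding]:
    """Audit a prefs.js on disk, e.g. <profile>\\prefs.js."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit(parse_proxy_prefs(fh.read()))


# Constructed prefs.js excerpt mirroring the FF NetworkProxy lines in the fixlist.
SAMPLE_PREFS = """\
user_pref("network.proxy.backup.ftp", "118.97.95.174");
user_pref("network.proxy.backup.ftp_port", 8080);
user_pref("network.proxy.backup.socks", "118.97.95.174");
user_pref("network.proxy.backup.socks_port", 8080);
user_pref("network.proxy.backup.ssl", "118.97.95.174");
user_pref("network.proxy.backup.ssl_port", 8080);
user_pref("network.proxy.ftp", "120.203.215.11");
user_pref("network.proxy.ftp_port", 80);
user_pref("network.proxy.http", "120.203.215.11");
user_pref("network.proxy.http_port", 80);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1,youtube.com/*,facebook.com/*,");
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.socks", "120.203.215.11");
user_pref("network.proxy.socks_port", 80);
user_pref("network.proxy.ssl", "120.203.215.11");
user_pref("network.proxy.ssl_port", 80);
user_pref("network.proxy.type", 0);
"""

if __name__ == "__main__":
    sample = parse_proxy_prefs(SAMPLE_PREFS)
    print("network.proxy.type =", sample.get("type"), PROXY_TYPES.get(sample.get("type"), "unknown"))
    for f in audit(sample):
        state = "ACTIVE" if f.active else "configured but inactive"
        print(f"{f.scheme:13} -> {f.host}:{f.port} ({state})")
```

A clean profile normally has no network.proxy.* hosts at all, so any non-loopback host is worth explaining even when type is 0; a one-line change to type would make every per-protocol entry live, which is why the fixlist clears them rather than only resetting the type.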

Fixlog attached here.

How is the computer behaving now?

Do us a favour and break your active links in the first post (namely the raidcall one).

(Edit > the http://www.facebook.com should be something like hXXp://wxw.facebook.c0m)

raidcallsoft.com/download.html
https://www.virustotal.com/en/url/c85a4cc6dba2d3a9508b3c2b72e5bbb9d29f816e59667e3ff20dc3cc7358483f/analysis/1414685977/

raidcall_v7.3.6.exe - First submission 2014-10-28 15:11:20 UTC ( 2 days, 1 hour ago )
https://www.virustotal.com/en/file/a8e09d39a95b399d6c386a8d1c884319c58734a63aad8ec51f70066082f8ffcb/analysis/1414686046/

Copyright: TeamViewer GmbH
Publisher: Elastas
Product: TeamViewer
Original name: TeamViewer.exe
Internal name: TeamViewer
File version: 9.0.32494.0
Description: TeamViewer 9
Signature verification: A certificate chain could not be built to a trusted root authority.

BlueCoat/Norman added detection as raidcall_v7.3.6.exe: Agent.BKNBD

Thanks for this. Truthfully, there doesn't seem to be any weird behaviour going on on my PC, but that was also the case at the time I was hijacked (I was playing some game when he hijacked my Steam account and transferred the item). I hope the solution provided here helps to remove the malicious software.

Hopefully I can safely back up my C: now and do a clean reinstall of Windows.

I've directed MBAM to this thread in case they need any info, so they can add it to their scanners or see what it does.

Once you are happy, let me know and I will tidy up.

You are late, that was done yesterday :wink: https://forums.malwarebytes.org/index.php?/topic/159933-suspicious-gen4hfbbp/

Malwarebytes - raidcall_v7.3.6.exe = Trojan.Pseudo.tvwr