system
October 28, 2014, 3:05pm
1
Today someone added me and asked me to play together with them.
They wanted to chat and sent me this.
Later he sent me this link: hXXp://raidcallsoft.com/download.html
It sent me some zip file with said program inside.
My Avast didn’t detect anything, and after that
I got hijacked, and he found some way to use a remote desktop connection on me (even while I was actually using the computer).
Can you help me identify and properly remove said program? I have a big internal hard drive and it would kill me to completely format it (at least not until I back up my data first; even then I’m afraid that said program also got copied).
Please help me, dude.
–UPDATE–
Looking up https://www.virustotal.com/en/file/a8e09d39a95b399d6c386a8d1c884319c58734a63aad8ec51f70066082f8ffcb/analysis/
said program goes undetected by most forms of AV protection.
Pondus
October 28, 2014, 3:20pm
2
“How to receive help” instructions: https://forum.avast.com/index.php?topic=53253.0
Attach requested logs
system
October 28, 2014, 3:39pm
3
Sorry, didn’t know about it before, will upload logs ASAP.
system
October 29, 2014, 12:05am
4
Log folder attached on the first post. For the Malwarebytes scan I accidentally scanned it a second time and can’t export the first log files to txt, so I just converted the xml format from programdata/malwarebytes to txt.
Let me know if this stops it.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
HKLM\...\Run: [LogMeIn Hamachi Ui] => C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe [3802448 2014-09-04] (LogMeIn Inc.)
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=G5L9HfOU_iEf45oSsf6wO0FKxUA?q={searchTerms}
SearchScopes: HKCU - {AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} URL = http://www.daemon-search.com/search?q={searchTerms}
Toolbar: HKCU - No Name - {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
FF Plugin: @raidcall.en/RCplugin -> C:\Users\Ayu\AppData\Roaming\raidcall\plugins\nprcplugin.dll (Raidcall)
FF NetworkProxy: "backup.ftp", "118.97.95.174"
FF NetworkProxy: "backup.ftp_port", 8080
FF NetworkProxy: "backup.socks", "118.97.95.174"
FF NetworkProxy: "backup.socks_port", 8080
FF NetworkProxy: "backup.ssl", "118.97.95.174"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "ftp", "120.203.215.11"
FF NetworkProxy: "ftp_port", 80
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "gopher_port", 0
FF NetworkProxy: "http", "120.203.215.11"
FF NetworkProxy: "http_port", 80
FF NetworkProxy: "no_proxies_on", "localhost, 127.0.0.1,youtube.com/*,facebook.com/*,"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "120.203.215.11"
FF NetworkProxy: "socks_port", 80
FF NetworkProxy: "ssl", "120.203.215.11"
FF NetworkProxy: "ssl_port", 80
FF NetworkProxy: "type", 0
2014-10-28 21:07 - 2014-10-28 06:33 - 00105521 _____ () C:\raidcall_v7.3.6.zip
C:\Users\MC\jdk-6u11-windows-i586-p.exe
C:\Users\MC\jre-6u11-windows-i586-p.exe
2014-10-28 06:27 - 2014-10-28 06:27 - 00000000 ____D () C:\Users\Ayu\AppData\Roaming\raidcall
2014-10-28 06:26 - 2014-10-28 06:26 - 00000989 _____ () C:\Users\Ayu\AppData\Roaming\Microsoft\Windows\Start Menu\RaidCall.lnk
2014-10-28 06:26 - 2014-10-28 06:26 - 00000965 _____ () C:\Users\Ayu\Desktop\RaidCall.lnk
2014-10-28 06:26 - 2014-10-28 06:26 - 00000965 _____ () C:\Users\Ayu\Desktop\RaidCall.lnk
2014-10-28 06:29 - 2012-12-01 11:26 - 00000000 ____D () C:\Program Files\RaidCall
C:\Users\MineCraft Full Version\MinecraftSP.bat
C:\Users\MineCraft Full Version\MinecraftSP.exe
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Ayu:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\ProgramData\Templates:gs5sys
AlternateDataStreams: C:\Users\Ayu\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\Application Data:gs5sys
AlternateDataStreams: C:\Users\Ayu\Cookies:gs5sys
AlternateDataStreams: C:\Users\Ayu\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Ayu\Templates:gs5sys
AlternateDataStreams: C:\Users\Ayu\Desktop\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF2.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\ARIF2.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Desktop\Surat Kerja Praktek.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Desktop\Surat Kerja Praktek.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Downloads\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\Ayu\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Ayu\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Ayu\Documents\asdfghjk.txt.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Ayu\Documents\asdfghjk.txt.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\Ayu\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
How is the computer behaving now?
Do us a favour and break your active links in the first post (namely the raidcall one).
(Edit > the http://www.facebook.com should be something like hXXp://wxw.facebook.c0m)
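As an added example (not from the thread, and not part of FRST), a small Python triage script that reads the “FF NetworkProxy” lines of an FRST report, flags proxy hosts that are not loopback, and reports whether the proxy is actually selected: Firefox’s network.proxy.type 0 means direct connection, so the injected hosts in the fixlist above were configured but not active. The sample lines are constructed from the fixlist quoted in this thread.

```python
"""Triage FRST 'FF NetworkProxy' lines for injected proxy settings.

Added example, not from the forum thread or from FRST. The sample below is
constructed from the fixlist quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: a subset of the FRST lines quoted above.
SAMPLE_LINES = """\
FF NetworkProxy: "backup.ssl", "118.97.95.174"
FF NetworkProxy: "backup.ssl_port", 8080
FF NetworkProxy: "http", "120.203.215.11"
FF NetworkProxy: "http_port", 80
FF NetworkProxy: "gopher", ""
FF NetworkProxy: "no_proxies_on", "localhost, 127.0.0.1,youtube.com/*,facebook.com/*,"
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "type", 0
""".splitlines()

LINE_RE = re.compile(r'^FF NetworkProxy: "([^"]+)", (.*)$')
NON_HOST_PREFS = {"no_proxies_on", "share_proxy_settings", "type"}


def parse_ff_proxy(lines):
    """Return {pref: value}; strings are unquoted, ints and booleans converted."""
    prefs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def is_local(host):
    """Empty host, 'localhost' or a loopback IP is treated as benign."""
    if host in ("", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def proxy_findings(prefs):
    """List (pref, host) for every proxy host pref that is not loopback."""
    return [(k, v) for k, v in prefs.items()
            if not k.endswith("_port") and k not in NON_HOST_PREFS
            and isinstance(v, str) and not is_local(v)]


def proxy_active(prefs):
    """True only when network.proxy.type is 1 (manual proxy selected)."""
    return prefs.get("type") == 1
```

Flagged hosts with type 0 still indicate tampering with the profile; the fixlist removes them regardless.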
Pondus
October 30, 2014, 4:24pm
9
raidcallsoft.com/download.html
https://www.virustotal.com/en/url/c85a4cc6dba2d3a9508b3c2b72e5bbb9d29f816e59667e3ff20dc3cc7358483f/analysis/1414685977/
raidcall_v7.3.6.exe - First submission 2014-10-28 15:11:20 UTC ( 2 days, 1 hour ago )
https://www.virustotal.com/en/file/a8e09d39a95b399d6c386a8d1c884319c58734a63aad8ec51f70066082f8ffcb/analysis/1414686046/
Copyright TeamViewer GmbH
Publisher Elastas
Product TeamViewer
Original name TeamViewer.exe
Internal name TeamViewer
File version 9.0.32494.0
Description TeamViewer 9
Signature verification A certificate chain could not be built to a trusted root authority.
BlueCoat/Norman added detection as raidcall_v7.3.6.exe: Agent.BKNBD
system
October 31, 2014, 3:07pm
10
Thanks for this. Truthfully, there doesn’t seem to be any weird behaviour going on on my PC, but neither was there at the time I was hijacked (I was playing some game when he hijacked my Steam account and transferred the items). I hope that the solution provided here helps to remove the malicious software.
Hopefully I can safely back up my C: now and do a clean reinstall of Windows.
I’ve directed MBAM to this thread in case they need any info, so they can add it to their scanners or see what it does.
Once you are happy, let me know and I will tidy up.
Pondus
October 31, 2014, 5:42pm
13
Michael (alan1998) post:11:
I’ve directed MBAM to this thread in case they need any info, so they can add it to their scanners or see what it does.
You are late, that was done yesterday: https://forums.malwarebytes.org/index.php?/topic/159933-suspicious-gen4hfbbp/
Malwarebytes - raidcall_v7.3.6.exe = Trojan.Pseudo.tvwr