Jump to content
LuxHyperion

"All-Radio 4.27 Portable" malware is unremovable - LuxHyperion

Recommended Posts

Hi guys, just figured it out by looking at the fixlist file :)

It seems the malware is located on
C:\Users\"Your Name"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihiwijai.lnk   

**the .lnk file changes so just delete any .lnk in that path.

@Aura can you confirm if this is correct?

Share this post


Link to post
Share on other sites

Hi LuxHyperion :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt) and the Malwarebytes log. You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/
 

Share this post


Link to post
Share on other sites

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

fixlist.txt

Share this post


Link to post
Share on other sites

That's good :) Can you do me a favor? Can you .zip the C:\FRST\Quarantine folder and attach it here?

Share this post


Link to post
Share on other sites

I'm at work, will send it maybe 12 hours from now.  :) Thank you again for your awesome service mate!

Share this post


Link to post
Share on other sites

All good, I'll be waiting :) No problem!

Share this post


Link to post
Share on other sites

One more question: Is it normal for the install path of Malwarebytes to be "protected" (i.e. I can't even add,copy,cut files in the folder)? even though I'm the system admin?

 

image.png.a7e163969501116b495fc56f3ecd6b30.png

Share this post


Link to post
Share on other sites
1 hour ago, LuxHyperion said:

Also, I just noticed that every time I startup, malwarebytes detects an outbound connection to www.officialkmspico.com which I know is the source of the infection. How do I stop this? :(

See attached export.

malwarebytes website blocked.txt

just an update on this, I have updated Firefox and restarted. No outbound connections to the site are now detected. (chrome is also not affected)

Share this post


Link to post
Share on other sites

Sorry Lux, I'm at work right now so my response time is quite delayed.

And yes, it's normal for the Malwarebytes installation directory to be protected. If I were you, I would uninstall it and install it to its proper default location (C:\Program Files (x86)\Malwarebytes) to avoid these kind of issues, as you don't want to use that folder to store other files (such as FRST).

Share this post


Link to post
Share on other sites

If I could do that as a full time job, I would be happy :P 

How's your system behaving now?

Share this post


Link to post
Share on other sites

haha, all visible signs of the infection are now removed (including the accessing of the website when starting up firefox). Have you taken a look at the zip file and the malwarebytes website blocked.txt  and the zip C.7z ?

I've also sent the link of the specific virus I got. I was so foolish to trust that site, ugh

Share this post


Link to post
Share on other sites

I did, thank you. Me and my colleagues are analyzing everything related to that infection right now. I would like you to run a scan with MBAR, as we might have found a rootkit in that infection as well.

a6csRll.pngMalwarebytes Anti-Rootkit Beta

  • Download Malwarebytes Anti-Rootkit Beta and extract it to your desktop (MBAR will be launched shortly after the extraction)
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it completes its scan (this can take a while)
  • Once the scan is done, make sure that every item is checked, and click on the Cleanup button (a reboot might be required)
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt
  • Copy/paste the content of that log in your next reply

Share this post


Link to post
Share on other sites

Not quite yet! I just want to make absolutely sure that there's nothing left.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:

  • USB Flash Drive (size depend on if you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)

Preparing the USB Flash Drive

  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive

Boot in the Recovery Environment

  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note:If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note:If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note:If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

Once in the command prompt

  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

Share this post


Link to post
Share on other sites

Can you download a new copy of it, move it on the USB and try again?

Share this post


Link to post
Share on other sites

Alright, FRST doesn't report anything. Next we'll run a scan with GMER. A simple scan shouldn't make your system crash, but it COULD happen. Therefore, I would ask you to run the scan with GMER and leave it be. Do not use your computer until the scan is done. It shouldn't take too long anyway.

TvjiHbt.pngGMER
Note: Make sure that all your programs are closed and do not touch your computer while the GMER scan is running.

  • Download gmer.zip and extract it
  • Right-click on gmer.exe from the extracted .zip and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • On execution, a quick scan will be launched automatically. Give it time to complete.
  • If you receive a warning about rootkit activity being detected on your system, click on the No button to decline the full system scan
  • Once done, uncheck these two checkboxes, and leave the rest checked:
    • IAT/EAT
    • Show all
  • Once done, click on the Scan button
  • If you see a window about rootkit activity (again), click on the Ok button
  • After the scan, click on the Save... button to save the GMER log. Save it on your desktop, and name it gmer.txt
  • Now, attach or copy/paste the content of gmer.txt in your next reply

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.