Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake Voice-Comms installed malware


  • This topic is locked This topic is locked
3 replies to this topic

#1 orowles

orowles

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:56 AM

Posted 18 August 2015 - 09:18 AM

Yesterday I joined a pre-game lobby of Counter-Strike Global Offensive and they asked me to download a voice comms called "razer Comms." Razer Comms is actually a voice comms but the link they provided me wasn't the legit "Razer Comms" but a ghosts site which looked identical to Razers download site (even the url was razer-comms.com). So when downloading it I had no thoughts that it would be a malware/virus because normally I am quite careful and smart with catching people trying to make me download viruses. But once I downloaded the installer I open the installer and it closed automatically and then obviously downloaded some malware onto my pc. 
 
I am now unable to open any .exe like Malware bytes and Spybot wont even install. I have tried Microsofts one time scanner software and it came back clean. I am also unable to open Norton as I need administrator privileges even though I have them and I have also tried installing/opening all these programs in safe mode and had no luck. 
 
When the malware installed I think I know where it is located because in my task manager there are files which appear like this: hxxttps://gyazo.com/98b5d61e6f4019ed9d1b095bf8368d26
 
The green logo is the Razer Comms logo and "Gyazo" is a screenshot tool in which I have used for years and when I try to kill the programs it loads up around 4 more of them. When I try to browse the location the file it sends me to a temp folder where there are many numbered text files and a file called helper.exe which also has the green Razer Comms logo, which are impossible to delete or move around due to needed administrator privileges. 
 
Is there a way anyone can help me? 
 
EDIT: Apparently this is a known malware which is used to trick people into thinking they are downloading a well known voice comms but getting malware instead. Here is a article about it: http://www.pcworld.com/article/2879985/warning-bogus-razer-comms-game-chat-app-comes-loaded-with-malware.html

Edited by nasdaq, 19 August 2015 - 08:24 AM.
Bad link obfuscated.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:56 AM

Posted 19 August 2015 - 08:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish,so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===


How is the computer running now?
Wait for further instructions.

#3 orowles

orowles
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:56 AM

Posted 19 August 2015 - 10:24 AM

Could someone close this or remove this post from the forum as I cant find a way to do it myself. 

 

Thanks



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,523 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:56 AM

Posted 19 August 2015 - 12:59 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users