so I stupidly deactivated my Avast! just in time to activate and spread this worm, now this thing is infecting my whole computer and I don’t know how can I stop it from infecting my PC.
I don’t know almost anything on how to remove this worm so any help is great.
Thanks in advance!
You need help with cleansing this spyware from your device from a qualified malware remover here.
Wait for someone to appear and in the meantime provide us with the scan logs,
as listed here: https://forum.avast.com/index.php?topic=194892.0
polonus
Thanks for answering!
here I have the logs:
(also I am sorry but the mbam file has some words in spanish so tell me if I need to send it again in english)
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
HKLM-x32\...\Winlogon: [Shell] C:\Windows\explorer.exe,Explorer.exe [ ] () <=== ATTENTION
IFEO\anydesk.exe: [Debugger] "C:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\leapcontrolpanel.exe: [Debugger] "C:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\leapmotionapphome.exe: [Debugger] "C:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
IFEO\vrvisualizer.exe: [Debugger] "C:\Program Files (x86)\AVAST Software\Avast Cleanup\autoreactivator.exe"
CHR NewTab: Profile 1 -> Not-active:"chrome-extension://ommbgnllpkjnidkcnginhlacffdcdijc/index.html"
VirusTotal: C:\Users\Usuario\AppData\Roaming\mrsys.exe;C:\Users\Usuario\AppData\Local\stsys.exe;C:\Windows\system\spoolsv.exe;C:\Users\Usuario\AppData\Local\icsys.icn.exe;C:\Users\Usuario\AppData\Roaming\Microsoft\1pdf1.pdf;C:\Users\Usuario\AppData\Roaming\Microsoft\1pdf2.pdf
C:\Users\Usuario\AppData\Roaming\mrsys.exe
C:\Users\Usuario\AppData\Local\stsys.exe
C:\Windows\system\spoolsv.exe
C:\Users\Usuario\AppData\Local\icsys.icn.exe
2017-03-25 21:40 - 2017-03-31 11:07 - 000040979 _____ () C:\Users\Usuario\AppData\Roaming\Microsoft\1pdf1.pdf
2017-03-31 12:25 - 2017-03-31 12:25 - 000040979 _____ () C:\Users\Usuario\AppData\Roaming\Microsoft\1pdf2.pdf
2018-01-01 15:45 - 2018-01-01 19:32 - 000003390 _____ () C:\Users\Usuario\AppData\Local\icsys.icn
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open again FRST and click on button Fix
- Wait until FRST finishes
- fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.
done!
What is system status now?
well, at first avast would pop up a lot showing a lot of infeted files (a lot of .exe files) now it doesn’t, but that might be because Avast! is infected.
I never noticed if this infection ever did a change in my PC so I don’t know if it is gone or not.
Is there any way to detect if this worm is still there?
It is not because Avast is infected. If Avast detections are now gone that means that we were able to remove malware from your PC.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
okay it is done, what’s the next step?
That was it. Your PC is clean now according to FRST logs.
okay!, Thank you so much for helping me clean this thing!!! 
you were really helpful!!!