Hi guys, got a problem with this worm, it's spreading in my files, please help me with it.
Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892
Hello, thanks for the fast reply, here it is.
Since this is a worm, it is also recommended to run MCShield.
See the last step in the guide; this log you Copy Paste here.
It may take hours before a malware expert is online.
I don’t know how to take these results…
CopyPaste
MCShield AllScans.txt <<<
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/29/2018 6:57:41 AM > Drive C: - scan started (no label ~146 GB, NTFS HDD )…
=> The drive is clean.
10/29/2018 6:57:42 AM > Drive D: - scan started (no label ~298 GB, NTFS HDD )…
=> The drive is clean.
10/29/2018 6:57:42 AM > Drive F: - scan started (no label ~785 GB, NTFS HDD )…
=> The drive is clean.
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
HKLM-x32\...\Run: [SVCHOST] => c:\windows\system\svchost.exe [211801 2018-06-23] () <==== ATTENTION
2018-10-27 16:55 - 2018-10-27 16:55 - 000211924 _____ (Microsoft) C:\Users\Kilbert\AppData\Roaming\mrsys.exe
2018-06-23 07:46 - 2018-10-20 10:20 - 000003390 _____ () C:\Users\Kilbert\AppData\Local\icsys.icn
2018-10-27 16:55 - 2018-10-27 16:55 - 000211857 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\icsys.icn.exe
2018-10-27 16:55 - 2018-10-27 16:55 - 000211875 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\stsys.exe
HKU\S-1-5-21-935070100-2946189954-2999311673-1001\...\ChromeHTML: -> <==== ATTENTION
VirusTotal: c:\windows\system\svchost.exe
c:\windows\system
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open FRST again and click the Fix button
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
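Added example (not part of the thread and not FRST's own code): a small Python check for the pattern the fixlist above removes, a Run entry named after a Windows binary but stored outside its normal directory. The line format is inferred from the entry quoted above; the expected-directory table and the two extra sample lines are assumptions.

```python
import ntpath
import re

# Directories where these Windows binaries normally live (assumed default C:\Windows layout).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# FRST autorun line shape: <hive>\...\Run: [Name] => <path> [size date] (publisher)
RUN_RE = re.compile(
    r"^(?P<key>HK\S+\\\.\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] => "
    r"(?P<path>.+?\.exe)\s+\[[^\]]*\] \((?P<publisher>[^)]*)\)",
    re.IGNORECASE,
)

# First line is the entry quoted in the thread; the other two are constructed samples.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [SVCHOST] => c:\windows\system\svchost.exe [211801 2018-06-23] () <==== ATTENTION
HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe [10240 2018-01-01] (Example Corp)
HKLM\...\Run: [Host] => C:\Windows\System32\svchost.exe [50000 2018-01-01] (Microsoft Corporation)
"""


def audit_run_lines(log_text):
    """Return one finding per Run entry whose file name imitates a Windows binary."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").lower()
        directory, exe = ntpath.split(path)
        expected = EXPECTED_DIRS.get(exe)
        if expected is None or directory in expected:
            continue  # not a watched name, or it sits where Windows installs it
        findings.append({
            "value": m.group("name"),
            "path": path,
            "no_publisher": not m.group("publisher").strip(),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_run_lines(SAMPLE_LOG):
        print(finding)
```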
DONE
What is system status now?
Well, it seems there are fewer infected files, but there are still too many according to the Avast full virus scan and the second MBAM scan.
Maybe I did something wrong…?
Maybe did something wrong..?
Your Malwarebytes log says "No Action By User". Did you let Malwarebytes remove what it found?
Well, I did several scans with MBAM and sent the malware and suspicious files to quarantine and deleted them; it still gives me 2 or 3 “potentially unwanted programs” but no malware. Anyway, the Avast FVS still shows a bunch of .exe’s with Win32:VB-OJQ. What's the next step?
Well, i did several scans with mbam and take de malwares and suspicius files to quarantine and [b]delete[/b],
If you delete from quarantine, you don't have the option to restore if the detection was wrong ...
Anyway, Avast FVS still show a bunch of .exe's with Win32:VB-OJQ. Whats the next step?
Post the log from Avast so that @Sass Drake can see what and where.
And post new FRST.txt and Addition.txt logs.
Done
Uninstall PSafe AV.
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
HKLM-x32\...\Winlogon: [Shell] C:\Windows\explorer.exe,Explorer.exe [ ] () <=== ATTENTION
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open FRST again and click the Fix button
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
DONE
Status now?
Still the same… I guess I missed something…
Have you changed avast default scan settings?