Author Topic: Win32:VB-OJQ (Read 7361 times)

REDACTED · « **on:** October 29, 2018, 08:21:31 AM »

Hi guys, got a problem with this worm, its spreading in my filles, please help me with.

Asyn · « **Reply #1 on:** October 29, 2018, 08:24:40 AM »

Attach your basic diagnostic logs. (MBAM and FRST)
Instructions: https://forum.avast.com/index.php?topic=194892

REDACTED · « **Reply #2 on:** October 29, 2018, 08:44:06 AM »

Hello, thanks for reply so fast, there is it.

Pondus · « **Reply #3 on:** October 29, 2018, 11:15:07 AM »

Since this is a worm it is also recomended to run MCShield
See last step in guide, this log you Copy Paste here

It may take hours before malware expert is online

REDACTED · « **Reply #4 on:** October 29, 2018, 01:50:39 PM »

i don't know how take this results...

Pondus · « **Reply #5 on:** October 29, 2018, 05:50:13 PM »

CopyPaste

>>> MCShield AllScans.txt <<<

-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/29/2018 6:57:41 AM > Drive C: - scan started (no label ~146 GB, NTFS HDD )...

=> The drive is clean.

10/29/2018 6:57:42 AM > Drive D: - scan started (no label ~298 GB, NTFS HDD )...

=> The drive is clean.

10/29/2018 6:57:42 AM > Drive F: - scan started (no label ~785 GB, NTFS HDD )...

=> The drive is clean.

Sass Drake · « **Reply #6 on:** October 29, 2018, 10:12:24 PM »

Open Notepad (click Start button -> type notepad.exe -> press Enter)
Copy text from code block below and paste it into Notepad

Code: [Select]

HKLM-x32\...\Run: [SVCHOST] => c:\windows\system\svchost.exe [211801 2018-06-23] () <==== ATTENTION
2018-10-27 16:55 - 2018-10-27 16:55 - 000211924 _____ (Microsoft) C:\Users\Kilbert\AppData\Roaming\mrsys.exe
2018-06-23 07:46 - 2018-10-20 10:20 - 000003390 _____ () C:\Users\Kilbert\AppData\Local\icsys.icn
2018-10-27 16:55 - 2018-10-27 16:55 - 000211857 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\icsys.icn.exe
2018-10-27 16:55 - 2018-10-27 16:55 - 000211875 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\stsys.exe
HKU\S-1-5-21-935070100-2946189954-2999311673-1001\...\ChromeHTML: ->  <==== ATTENTION
VirusTotal: c:\windows\system\svchost.exe
c:\windows\system

Go to File -> Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

REDACTED · « **Reply #7 on:** October 29, 2018, 10:41:43 PM »

Quote from: Sass Drake on October 29, 2018, 10:12:24 PM

Open Notepad (click Start button -> type notepad.exe -> press Enter)
Copy text from code block below and paste it into Notepad
Code: [Select]
HKLM-x32\...\Run: [SVCHOST] => c:\windows\system\svchost.exe [211801 2018-06-23] () <==== ATTENTION 2018-10-27 16:55 - 2018-10-27 16:55 - 000211924 _____ (Microsoft) C:\Users\Kilbert\AppData\Roaming\mrsys.exe 2018-06-23 07:46 - 2018-10-20 10:20 - 000003390 _____ () C:\Users\Kilbert\AppData\Local\icsys.icn 2018-10-27 16:55 - 2018-10-27 16:55 - 000211857 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\icsys.icn.exe 2018-10-27 16:55 - 2018-10-27 16:55 - 000211875 _____ (Microsoft) C:\Users\Kilbert\AppData\Local\stsys.exe HKU\S-1-5-21-935070100-2946189954-2999311673-1001\...\ChromeHTML: -> <==== ATTENTION VirusTotal: c:\windows\system\svchost.exe c:\windows\system
Go to File -> Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

DONE

Sass Drake · « **Reply #8 on:** October 29, 2018, 11:15:47 PM »

What is system status now?

REDACTED · « **Reply #9 on:** October 30, 2018, 06:30:45 AM »

Quote from: Sass Drake on October 29, 2018, 11:15:47 PM

What is system status now?

Well, its seems are less infected files but there still too many according with avast full virus scan and second mbam scan.
Maybe did something wrong..?

Pondus · « **Reply #10 on:** October 30, 2018, 07:39:37 AM »

Quote

Maybe did something wrong..?

Your Malwarebytes log say " No Action By User" do you let malwarebytes remove what it find?

REDACTED · « **Reply #11 on:** October 30, 2018, 02:53:47 PM »

Quote from: Pondus on October 30, 2018, 07:39:37 AM

Quote
Maybe did something wrong..?
Your Malwarebytes log say " No Action By User" do you let malwarebytes remove what it find?

Well, i did several scans with mbam and take de malwares and suspicius files to quarantine and delete, theres still give me 2 or 3 "potentially unwanted programs" but no malwares. Anyway, Avast FVS still show a bunch of .exe's with Win32:VB-OJQ. Whats the next step?

Pondus · « **Reply #12 on:** October 30, 2018, 05:04:03 PM »

Quote

Well, i did several scans with mbam and take de malwares and suspicius files to quarantine and delete,

If you delete from quarantine you dont have the option to restore if detection was wrong ...

Quote

Anyway, Avast FVS still show a bunch of .exe's with Win32:VB-OJQ. Whats the next step?

Post log from avast so that @Sass Drake can see what and where

Sass Drake · « **Reply #13 on:** October 30, 2018, 08:37:56 PM »

And post new FRST.txt and Addition.txt logs.

REDACTED · « **Reply #14 on:** November 01, 2018, 10:23:17 AM »

Quote from: Sass Drake on October 30, 2018, 08:37:56 PM

And post new FRST.txt and Addition.txt logs.

Done

Author Topic: Win32:VB-OJQ (Read 7361 times)

REDACTED

Win32:VB-OJQ

Asyn

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ

Pondus

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ

Pondus

Re: Win32:VB-OJQ

Sass Drake

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ

Sass Drake

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ

Pondus

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ

Pondus

Re: Win32:VB-OJQ

Sass Drake

Re: Win32:VB-OJQ

REDACTED

Re: Win32:VB-OJQ