
VBS/Runner.OBI !!!



The problem is on my home laptop, I'll put the log ASAP.
But if this helps, I opened it and read the log.
The destination mentioned is C:\ProgramData\Microsoft\IOBitUnlocker\loader.vbs

but I searched for it and didn't find it.
More info: I've just reinstalled Windows 10, after that I installed essential programs (Office, WinRAR, ...) and ESET is one of these programs.
After finishing and restarting, ESET didn't work as usual and refused to be uninstalled.
I searched and found a special tool from the ESET site that works only in Safe Mode. I used it and uninstalled ESET, then I installed it again and it worked properly, then I got this message.

I do not know if this concerns the problem.


  • Administrators

The VB script runs this PowerShell script:

C:\ProgramData\Microsoft\IObitUnlocker\Report.ps1

It's unlikely that a legit app would install its files in the Microsoft folder even if you had IOBit Unlocker app. We'll see if there's anything suspicious in the logs once you provide them. Are there any files in the C:\ProgramData\Microsoft\IObitUnlocker folder after ESET has cleaned the malware?


  • Most Valued Members
29 minutes ago, bmekhaled said:

Try to set ESET Realtime protection to everything aggressive and run a deep scan and see if it picks up a few other things, because I think something you downloaded had something malicious, or the Windows you installed is not a clean one.


  • Most Valued Members
5 minutes ago, bmekhaled said:

Would you please tell me the steps I should do?

https://help.eset.com/ees/10/en-US/?idh_config_scanner.html

Set all the settings to Aggressive

And then run a deep scan

https://support.eset.com/en/kb2909-advanced-scanning-options-in-eset-windows-home-products

Edited by Nightowl

As far as IoBit Unlocker goes, it is legit software: https://www.iobit.com/en/iobit-unlocker.php used to change file permissions in Windows. However, it has been used in malware attacks:

Quote

Also some ransomware (like Dharma variants) have also been employing Iobit Unlocker to make encryption and deletion easier for the malware.

https://www.wilderssecurity.com/threads/wisevector-stop-x.431502/page-8#post-2942745

Unless you intentionally installed IoBit Unlocker, assume it is being used on your device for malicious purposes.


  • Administrators

We'll add detection for Loader.vbs which attempts to load Report.ps1 that no longer exists on the disk. After detection, the file will be cleaned and removed from autostart locations as well.

There is also a benign image image.png in the IOBitUnlocker folder which was seen to have been dropped by an Agent trojan as well. I'd recommend deleting the whole folder C:\ProgramData\Microsoft\IObitUnlocker.

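The check below is an added example, not part of the original thread and not an ESET tool: a read-only PowerShell triage that lists what remains in the folder named above and looks for autostart entries still pointing at loader.vbs or Report.ps1. The Run keys, Startup folders and scheduled tasks it inspects are assumed common autostart locations; the thread does not say which one was used.

```powershell
# Added example: read-only triage, deletes nothing. Run from an elevated prompt
# so that HKLM keys and all scheduled tasks are visible.
$folder = 'C:\ProgramData\Microsoft\IObitUnlocker'      # path from the thread
$regex  = 'IObitUnlocker\\(loader\.vbs|Report\.ps1)'    # -match is case-insensitive

# 1. Files still present in the folder, with hashes for later lookup.
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -Force -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
} else { Write-Output "Folder not present: $folder" }

# 2. Run/RunOnce values (assumed locations) whose command references the scripts.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce') { "$hive\Software\Microsoft\Windows\CurrentVersion\$name" }
}
$hits = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ("$($p.Value)" -match $regex) {
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = "$($p.Value)" }
        }
    }
})

# 3. Scheduled task actions (assumed location).
$hits += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $regex) {
            [pscustomobject]@{ Location = 'Scheduled task'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
})

# 4. Shortcuts in the per-user and all-users Startup folders (assumed location).
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
$shell = New-Object -ComObject WScript.Shell
$hits += @(Get-ChildItem -LiteralPath $startup -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
    if ($cmd -match $regex) { [pscustomobject]@{ Location = 'Startup folder'; Name = $_.Name; Command = $cmd } }
})

if ($hits) { $hits | Format-List } else { 'No autostart entry references loader.vbs or Report.ps1 in the locations checked.' }
```

An empty result only covers the locations listed in the script; other persistence mechanisms are not inspected.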

Just note

I didn't install Iobitunlocker and I did not know it at all before.

But when I faced this problem, I looked it up and downloaded it and installed it. The reason is to get uninstall.exe for it, because before I didn't find it.

But nothing changed after installing and uninstalling.


  • Most Valued Members
3 minutes ago, bmekhaled said:

Just note

I didn't install Iobitunlocker and I did not know it at all before.

But when I faced this problem, I looked it up and downloaded it and installed it. The reason is to get uninstall.exe for it, because before I didn't find it.

But nothing changed after installing and uninstalling.

Is the Office cracked, or was any of the software you downloaded after the clean install pirated somehow? That could be where it came from.

Edited by Nightowl

This topic is now closed to further replies.