Got threat warning for Win32:VBCrypt-CSL [trj]

When I try to let avast fix it, it says it will finish with restart. When I restart everything is gone. I have to restore my whole system to get everything back. It starts with a temporary profile with no files until I restore. Can you tell me a safe way to remove this, please?

EDIT:
I forgot to mention a very important piece. I was first alerted there was a problem by a different program. I have 'Scotty' that alerts me of any change to my start menu and gets approval before it allows the change. When I first came on, it started going off saying program after program that was set to start was no longer going to start.

My knee-jerk reaction was to shut down. That was the first time I restarted to basically a new system with almost everything gone and all files gone. That is when I did the first restore and had to try a couple, maybe 3 restore points to get to one that worked. The first ones said they were corrupted and did not work, so I would try one a bit older until one worked. Then I got the threat detected by Avast.

Follow instructions and attach logs http://forum.avast.com/index.php?topic=53253.0

We need Malwarebytes / OTL / aswMBR logs

I will run as instructed, but I have tried to have both Avast and Malwarebytes fix it, and when it has to restart it goes to a cleaned-out version of Windows with no files or folders. It even had to make a tmp profile. I had to do multiple restores to get to a restore point that was not corrupted. I have started the Malwarebytes scan as you instructed. Do you want me to continue with the instructions, or will this info change things?

I do appreciate your help and will follow your directions.

I also tried to run FRST and did not finish with the instruction for that last night and now I have an additional alert from Avast overnight scan that there are now 2 files the second being in Frst\Hives\Users\0000001\ntuser.dat.

The malware experts need all logs to see the problem…

OK, thanks for your response. I am attaching the Malwarebytes log and the OTL text documents. As for aswMBR, I believe it is hung up. I will wait to see how you want me to proceed on that one. It is “scanning” putty.exe on the desktop, but it hasn’t moved in a while and there are no other lines flashing like I saw before as it scanned the previous locations. It also has “exe” to the far right of the line that has not changed either.

Again, thanks for your help.

Hi,

Removers notified. Sorry for stepping on your toes, Pondus.

Note: Most removers are in the UK. So it will be several hours until someone answers.

Thanks for your response.
I will just leave the aswMBR alone and wait until they tell me what they want me to do with it. If it somehow restarts or continues, I will add that log.

Edit:
Just FYI: all I had to do was give up on it, and after 2 hours it moved to another file, so hopefully it will finish the scan.

If you’re trying to run aswMBR and it isn’t working try safe mode.

I will try that because it is not running right. It started fine and has just ground to a halt. It is frustrating because it got so far, yet it would probably be much faster to just start it over in safe mode, so I will do that now. My only worry is that when I restart, I go to a cleaned-out version and have to do a restore, but hopefully I can get it to run and be of some use. I hope this one will save a log of what it did scan if stopped? Thanks.

If you are trying to say it didn’t make a log, you should do something.

See picture attached below

Note: My system was built for Windows 8, so my partitions and techie stuff are different. My scan and your scan CAN be different.

OK, I ran it in safe mode. It took a long time, as you will see but it did finish and I got the log. I will attach it here.

Remover has been notified.

Thanks for the log. Seems something is wrong. “18:55:17.003 Service WINIO D:\WINIO.sys LOCKED 21”

I’ll let the experts tell you the verdict though

Thanks, and yes, something is definitely wrong. My Avast has the threat warning at severe and shows the Win32:VBCrypt-CSL trojan virus. I am definitely infected with a nasty virus and need help to safely move it as soon as possible. I am going to move files to a separate computer as a backup, but can’t even do that until I get this removed or I will infect my backup location as well.

I personally wouldn’t run the risk until a remover gets here. It’d be very risky.

Agreed, I am waiting to do anything with it and to do any backup until I get help from the remover. Too risky and just plain stupid in my eyes… haha

Hi,

Win32:VBCrypt-CSL [trj]
We found from earlier cases that this avast detection is an FP. No one from the avast team has sounded off yet; I guess they are busy.

Posted logs do not show evidence of active malware. OTL shows traces of some remains … we shall use the tool known as Zoek to clean that …

Please download [b]zoek.zip[/b] or [b]zoek.rar[/b] by [b]smeenk[/b] from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers
[*] Temporarily disable your [b]AntiVirus[/b] program. ([i]If necessary[/i])
 If you are unsure how to do this please read [url=http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html][b][i]this[/i][/b][/url] or [url=http://www.bleepingcomputer.com/forums/topic114351.html][i][b]this[/b][/i][/url] Instruction.

[*]Double-click on [b]zoek.exe[/b] to run the tool.
[i]Please wait until the tool starts...[/i]

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:
[code]
CHRDefaults;
koegeopamaoljbmhnfjbclbocehhgmkm;CHR
EmptyCLSID;
{FB16E5C3-A9E2-47A2-8EFC-319E775E62CC};C
{2318C2B1-4965-11d4-9B18-009027A5CD4F};C
C:\Program Files\AdTrustMedia\PrivDog;FS
C:\Windows\SysNative\*.tmp;F
C:\Windows\SysNative\drivers\*.tmp;F
C:\Windows\*.tmp;F
AutoClean;
[/code]

[*]Click on the [b]Run script[/b] button.
Please wait until a log report opens (this can be after reboot).

[*]Save the notepad file to your Desktop and attach [b]zoek-results.log[/b] here.
[i][b]Note:[/b] It will also create a log in the [b]C:\ [/b]directory named "[b]zoek-results.log[/b]"[/i]

Next …

Re-check …

[2013/12/30 14:53:49 | 001,931,302 | ---- | C] (Farbar) -- C:\Users\Tracy\Desktop\FRST64.exe

[*]Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*]Press the Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Thank you, I will try your suggestions and post results. You are aware that the latest scan from Avast still shows the Win32:VBCrypt-CSL [trj], correct? It actually shows twice now, as one instance is in FRST.

Thanks again for your input. I will proceed now, and I do appreciate the help, as the Avast team must be busy and I really want this gone!

Both finished, and I will attach the logs as requested. I had an error when restarting that said notepad could not be found, and it did not save the Zoek results log to the desktop, but I believe I found the file you wanted. Also, Chrome will not load properly. Will you let me know if I can restore my preferences safely? I will include the error message; my saved settings are not loading. I opened Chrome a few times to check and always get the error, of which I am attaching the screenshot.

Thanks

Run this fix and tell me how things are now.

Download FixList.txt from attachments …

FixList.txt must be in the same location where FRST.exe tool is!

Re-run FRST.exe as you did before …

[*]Press the Fix button once and wait.
[*]FRST will process fixlist.txt.
[*]When finished, it will produce a log, fixlog.txt, and will keep that log in the same folder where FRST.exe is.

Attach the fixlog.txt log report here.

I am sorry, my mistake. I had already run it once and thought the FRST.txt on the Desktop, where it was saved, was the first one. Would you like me to run it over? I will attach the one from the desktop (the same place the FRST program is saved). One other thing, though, is that now my Chrome browser will not open. I apologize for not getting back to you yesterday, but I was in a serious car accident and unable to respond. Actually having a hard time seeing now, so my apologies if there are typos I am missing.

I attached the one that was run when asked the first time. Am I to understand you would like a fresh run?