WIN 32: VB CRYPT - CSL - please help

Hi,
This may be similar to an issue that’s already been reported on here.

I moved the VB Crypt-CSL detection to the chest then ran another boot scan which came back ‘clean’. I uploaded the file from the chest to virustotal.com, which is saying 0/47.

But a couple of odd things have happened on my machine after this detection. I tried a search in Google but got a message “unusual traffic from your computer network”, and asking me to type a code to prove that it was me making the request. Never seen this before from Google.

I shut down my laptop after that and only restarted last night to run MBAM, OTL and aswMBR, which I had downloaded to a USB stick on another machine. I wanted to update MBAM on the “infected” machine through an Orange USB dongle but it kept telling me “disconnected”. Impossible to get a connection even after apparently successfully re-installing the dongle. Never had this before, and the Orange stick is working fine on another machine.

So is my machine infected? I would be grateful for any help with this.

Cheers
Paul


01/16/2014 20:56
Scan of all local drives

File D:\PAUL-PC\Backup Set 2013-07-21 205926\Backup Files 2013-08-25 234939\Backup files 1.zip|>C\Users\Paul\AppData\Local\Microsoft\Windows\WebCache\V010004D.log is infected by Win32:VBCrypt-CSL [Trj], Moved to chest
Number of searched folders: 24623
Number of tested files: 352636
Number of infected files: 1


01/16/2014 23:57
Scan of all local drives

Number of searched folders: 24625
Number of tested files: 352545
Number of infected files: 0

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.14.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
Paul :: PAUL-PC [administrator]

17/01/2014 16:42:17
mbam-log-2014-01-17 (16-42-17).txt

Scan type: Custom scan (F:|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra
Objects scanned: 251
Time elapsed: 1 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-01-18 01:27:53

01:27:53.736 OS Version: Windows x64 6.1.7601 Service Pack 1
01:27:53.736 Number of processors: 2 586 0x200
01:27:53.752 ComputerName: PAUL-PC UserName: Paul
01:27:54.937 Initialize success
01:27:58.697 AVAST engine defs: 14011600
01:29:49.145 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
01:29:49.145 Disk 0 Vendor: ST9320325AS 0003SDM1 Size: 305245MB BusType: 11
01:29:49.223 Disk 0 MBR read successfully
01:29:49.223 Disk 0 MBR scan
01:29:49.239 Disk 0 Windows 7 default MBR code
01:29:49.255 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 102400 MB offset 2048
01:29:49.286 Disk 0 Partition 2 00 1B Hidd FAT32 MSDOS5.0 15360 MB offset 209717248
01:29:49.317 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 187468 MB offset 241174528
01:29:49.348 Disk 0 Partition 4 00 EF EFI FAT 16 MB offset 625108992
01:29:49.426 Disk 0 scanning C:\windows\system32\drivers
01:30:03.310 Service scanning
01:30:32.139 Modules scanning
01:30:32.155 Disk 0 trace - called modules:
01:30:32.233 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa8003c762c0]<<sptd.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
01:30:32.248 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004be9060]
01:30:32.264 3 CLASSPNP.SYS[fffff88000dba43f] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046a8680]
01:30:32.280 \Driver\atapi[0xfffffa80046711a0] → IRP_MJ_CREATE → 0xfffffa8003c762c0
01:30:32.982 AVAST engine scan C:\windows
01:30:34.900 AVAST engine scan C:\windows\system32
01:33:52.787 AVAST engine scan C:\windows\system32\drivers
01:34:10.259 AVAST engine scan C:\Users\Paul
01:37:41.093 AVAST engine scan C:\ProgramData
01:39:25.395 Scan finished successfully
01:40:06.822 Disk 0 MBR has been saved successfully to “C:\Users\Paul\Desktop\MBR.dat”
01:40:06.837 The log file has been saved successfully to “C:\Users\Paul\Desktop\aswMBR.txt”

Hi,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

==================================================

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Hi,

Thanks for helping with this.

Please find Farbar reports attached. I have also attached the TDSS log - I can’t actually paste it in the reply because I am getting an error for pasting more than 10K characters in a message.

PC seems clean…are you still having alerts?

No more alerts. There was only one alert for VB Crypt - CSL. After it was moved to the chest the boot scans have come back clean. Also the problems with the USB stick internet connection and the message from Google have “gone away”.

I think I didn’t re-install the USB stick correctly the first time I tried, but that message from Google is still a mystery as far as I am concerned.

I think I didn’t re-install the USB stick correctly the first time I tried
Recommended if you use a USB stick: MCShield www.mcshield.net

Thank you for your quick response and help on this - and also for the advice on MC shield.

Cheers

Paul