Win32:VBCrypt-CSL [Trj] and lost NTUSER.DAT

As follow up to This Post, please find attached the required files (hoping I did it right).

I doubt there’s any way to restore NTUSER.DAT (lacking a recent backup), but would welcome any suggestions.

Thanks in advance.

Hi,

Posted logs do not show the presence of any form of malware.

Let’s see what avast found and flagged in its boot-time scan. Post me the aswBoot.txt log report.

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\aswBoot.txt

Hint to myself: http://forum.avast.com/index.php?topic=143653.msg1042015#msg1042015

Hi magna86,

Boot scan immediately after infection found (as recommended):

12/29/2013 15:52
Scan of all local drives

File C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db|>data Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Colin\My Documents\Downloads\w_E_20120615.mp3.zip|>w_E_20120615_01.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s2tc.c|>$TEMP$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s3l8.c|>$TEMP$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 8137
Number of tested files: 430596
Number of infected files: 0

I did a new one today, but the results are practically no different.
12/31/2013 08:32
Scan of C:

File C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db|>data Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Colin\My Documents\Downloads\w_E_20120615.mp3.zip|>w_E_20120615_01.mp3 Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s2tc.c|>$TEMP$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
File C:\Program Files\McAfee\SiteAdvisor\Download\s3l8.c|>$TEMP$[32]\MSADMLKit.cab|>sares.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 9735
Number of tested files: 438588
Number of infected files: 0

What worries me is there are some unusually named folders on my machine, all containing copies of NTUSER.DAT which do show as infected with the same thing, when I scan the files individually.
My user name folder is C:\Documents and Settings\Colin
There are three others now, which I haven’t seen before, and they have ‘.Computer Name.and some numbers.’ added to their names. Like so:
C:\Documents and Settings\Colin.COLIN-130824
C:\Documents and Settings\Colin.COLIN-130824.0000
C:\Documents and Settings\Colin.COLIN-130824.0001

All three are being missed by Boot Scan, it would seem. That is a concern, because it looks like malicious behavior to me - replicating and hiding! (Plus, I’m still hooked into one of those ntuser.dat’s anyway - since there isn’t one in my own user folder.)

On the other hand, here is the result from Virustotal. Could it be a false positive?

I read elsewhere on this forum that the “VB” part stands for Visual Basic. It happens I was prompted to update Silverlight a few days ago, and I gather Visual Basic is part of the Silverlight setup, so I would guess that is where the problem came from.

Additional point, in case it might be helpful:

I ran a normal full system scan (just to check) and it does find the same ‘infection’.
In C:\Documents and Settings\Colin.COLIN-130824; NTUSER.DAT and ntuser.dat - one is a text file, I think.
That is my currently active NTUSER.DAT.

Hi,

Detected files are not malware. They were caught by a heuristic scan, but they are not malware-related.

The detected file is an FP; you may report this as an FP detection.

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

OK, thank you.
I have emailed one of the files as “False Positive” to virus AT avast DOT com.
I’m still not clear on why there are three copies of it (in the three oddly named folders), but it might be a good thing there are. First off, I couldn’t copy the one “in use” but could send one of the others. Secondly, (I’m hoping) it ought to be easy enough to restore my system by copying NTUSER.DAT back into my username folder.

EDIT: Nope, that didn’t work. But, afterwards, System Restore does. (Went back one week to be sure. I’m not sure if more recent restore points will work now - with NTUSER.DAT replaced - they didn’t before.)

I can now confirm the source of this problem. It was not the Silverlight update.
It comes about from installing Comodo Firewall.

I also now understand, seeing that the avast! Internet Security suite incorporates its own firewall, that my using Comodo is neither necessary nor advisable.
I installed it again only as a test to see if I could replicate the problem.

Assuming it is still a false positive, but open to further advice.

Thanks.