Moved from “avast! Free/Pro/Suite” according to directions from Para-Noid.

I’ve noticed a couple of previous queries concerning Win32:VBCrypt-CSL[Trj] on the board, and that they’ve usually been dismissed as false positives. I am however a bit concerned about my detection of Win32:VBCrypt-CSL[Trj] in the file ntuser.dat.log2 since I’ve noticed other files reported as infected over time (Avast! has however been able to deal with those but concistently fails to repair or delete ntuser.dat.log2 - on occasion the infected file is log1 instead of log2 though - or on occasion both .log1 and .log2 show up as infected).

The file/s can’t be removed, copied or read in any other known way known to me, which makes it impossible to submit it for analysis. Not as a user nor an administrator. During startup scan the flags are reported as “incompatible” which also is the reason given for Avast! being unable to access the file.

Malwarebyte’s AntiMalware does not report any detections. I have no log available at the time of writing this. Should anyone find it useful, I can provide one though.

I do, however, attach the logs from OTL in accordance with the general instructions. As for aswMBR it is said not to be compatible with Windows 8.x, so I refrain from running that program for now.

I also submit a screenshot of Avast!'s scan report (in Swedish, but the essentials should be obvious regardless of language) for your consideration. Any feedback would be appreciated. If at all possible, I would like to avoid a re-install.

Operating system affected: Windows 8.1

Bump…? :-X

Hi sorry for the delay, the two files concerned are windows system files and track changes made to the user registry, so initially I would treat them as false positives. Are you experiencing any problems ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O3 - HKU\S-1-5-21-1504314721-59211910-2708283320-1001\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
O8:64bit: - Extra context menu item: Free YouTube Download - C:\Users\iz\AppData\Roaming\DVDVideoSoftIEHelpers\freeytvdownloader.htm File not found
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\iz\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm File not found
[2014-04-02 19:49:21 | 000,035,904 | ---- | M] (VirusBlokAda Ltd.) -- C:\WINDOWS\SysWow64\drivers\jzxjsk8z.sys
[2013-10-11 15:02:50 | 000,000,000 | ---D | M] -- C:\Users\iz\AppData\Roaming\0F1F1C2Y1H1P1C0I0T
[2013-12-31 17:07:36 | 000,000,000 | ---D | M] -- C:\Users\iz\AppData\Roaming\0W1L1G1Q1F2W1Bzz0D1F2W1G1I1F1T1Q1B

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Not much of a delay really - it’s just me being anxious.

I did experience some anomalies a while back (the system not shutting down properly, software refusing to start or being generally sluggish and so on and so forth) which made me run a complete scan during which Avast! turned up this suspected false positive (Win32:VBCrypt-CSL[Trj]). It may, or may not be related. I’m not experiencing those problems anymore though.

I’ve attached the requested log. I did however manage to run OTL twice with the fix you provided before I did the quick scan. I can’t see how this would affect the result, but I thought I should at least mention it. The Win32:VBCrypt-CSL[Trj] is still reported by Avast! regardless.

And thanks for bothering with an anxious ignoramus such as myself

Not a problem, I am absolutely rubbish at plumbing

Does Avast only detect this on a full scan as opposed to a quick scan

No detection using “quick scan”.

Detection is reported on “Full scan” and “startup scan” only.

I am currently of the opinion that it is a false positive, but lets confirm that

Go to Virustotal
Click Choose File and navigate to c:\users\iz\ntuser.dat.log2 and select it
Then press scan it

Once it has completed could you copy the link and post it here

“NtUser.dat.LOG2 the file is in use. Choose another name or close the file which is in use by another program”, is the message I’m getting when trying to upload it to Virus Total.

OK I will create a copy and move it to the root C: drive so that you can upload it to VT from there it from there

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:Files
c:\users\iz\ntuser.dat.log2|c:\ntuser.dat.log2 /replace 

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I decided to run another full scan before using your script, for a number of reasons. The most prominent being that the positive has been known alternate between NTuser.dat.LOG2 and NTuser.dat.LOG1 (mostly NTuser.dat.LOG2 though) from scan to scan. This time, however, Avast! reported no hits at all. I ran another scan after a reboot; still no hit.

I don’t know what’s happened, if it’s an update that’s eliminated a false positive, an actual infestation finally being eliminated, or some of the scripts you supplied that seemingly caused the problem to go away. I’ll keep a watchful eye open during the near future, but for now I see no reason to submit any of those files for analysis. Should the positive, false or otherwise, turn up again I will report back to this thread.

And finally I’d like to thank you very much for your kind assistance in this matter, without which I’d probably been utterly lost. Thank you!

My feeling is that it was a false positive now corrected. Once you are happy let me know and I will tidy up

Well, what do you know… Turns out the positive is back - with a proverbial vengeance. NtUser.dat.LOG1 and NtUser.dat.LOG2 are both reported as infected. :

I ran the script you provided, but it was unable to copy the file NtUser.dat.LOG2 to root or anywhere else, so the file has not been analyzed by VT. I also ran a quick scan immediatly after the reboot as suggested, and I’ve attached the log file.

OK I will remove them both but I will create a restore point first. Once the fix has run then reboot the computer several times to regenerate the logs

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:Files
c:\users\iz\ntuser.dat.log2
c:\users\iz\ntuser.dat.log1

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

This time around it worked. According to Virus Total Avast! alone reports a positive on these files. So either Avast! is reporting false positives, or all other antivirus software known by Virus Total fail to recognize this particular brand of - malware(?).

I would concur with the false positive, has Avast put it in the chest ?

Only the copies created by your script has been moved to the chest by Avast!

They are good enough could you right click them in the virus chest and select send to virus labs. On the form select false positive

Done, done and - done. The files will be reported to Avast! as false positives during the next update.

OK lets clear my rubbish

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

I’ve been running “Avast! Antivirus”, “Malwarebyte’s AntiMalware” and “Comodo Firewall” for the last couple of years, and found them to be a quite effecient combination. I will add, according to your recommendation, “CryptoPrevent” to improve even further on that constellation.

Once again; many thanks for your kind assistance.