Avast WEBforum

Other => Viruses and worms => Topic started by: thekochs on December 26, 2013, 04:11:13 PM

Title: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 26, 2013, 04:11:13 PM
Ok, I have several W7 64-bit SP1 machines and I'm a techy.
I use MBAM Pro for realtime scan and scanner runs at night.
I also have Avast V8 (waiting for V9/2014 to stabilize) with scan every night.
I also ran the CryptoPrevent util.
The machines are basically MS Office machines with IE11 use.
I also have CCleaner installed and run it daily to clean the temp files out.

From time to time on machines I'll get a memory block "virus" result but usually a reboot and CCleaner run and re-scan shows nothing.
Today I woke up and one machine had server memory block items.....of course you cannot "apply" these into the Virus Chest.
I rebooted and CCleaned and ran again......got one left Threat: Win32:VBCrypt-CSL (Trj).
Process 1972 (taskhost.exe), memory block (0x0000000008828000, block size 32768 (WebcacheV01.dat)
Of course all Viruses and Malware scare me but with CryptoLock out there I am really scared.
I have no idea if the word "crypt" in the Trojan means it is this.
I ran MBAM memory scan and it found nothing.
I also did a search within the registry for the HKLM\......\CurrentVersion\Run "CryptoLocker" and also
HKEY_CLASSES_ROOT for keyword "Myjiaabodehhltd" and the search found nothing.
I CCLeaned and rebooted again and ran Avast Memory scan and this time clean......puzzling or good ?
I ran a full MBAM scan....everything shows clean.

Thoughts ?
 
 
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: magna86 on December 26, 2013, 06:08:08 PM
Hi,

Uh ... this can be very bad. Do you have access to all your personal files like pictures, music or documents? If so, do a backup immediately on some non-system drive/space!

If you have active CryptoLocker this may be very bad for your system and for your personal files.

We're still low with the utility that can do the decryption of files.

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: Pondus on December 26, 2013, 06:58:51 PM
Quote
Ok, I have several W7 64-bit SP1 machines and I'm a techy.
I use MBAM Pro for realtime scan and scanner runs at night.
I also have Avast V8 (waiting for V9/2014 to stabilize) with scan every night.
well ...then i guess you know that both avast and mbam PRO have realtime protection .... so scanning this frequent is not necessary



Quote
Today I woke up and one machine had server memory block items.....of course you cannot "apply" these into the Virus Chest.
nope .....bc it is not a file, but a process run in memory .... you can't move a process


Quote
I rebooted and CCleaned and ran again......got one left Threat: Win32:VBCrypt-CSL (Trj).
Process 1972 (taskhost.exe), memory block (0x0000000008828000, block size 32768 (WebcacheV01.dat)
Have you changed the default scan settings?
have you selected scan memory ?

Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 26, 2013, 07:03:11 PM
Quote
Hi,

Uh ... this can be very bad. Do you have access to all your personal files like pictures, music or documents? If so, do a backup immediately on some non-system drive/space!

If you have active CryptoLocker this may be very bad for your system and for your personal files.

We're still low with the utility that can do the decryption of files.

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "Driver MD5" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I've downloaded the 64-bit version.....attached are the logs.
All my personal (eg, doc, xls, jpg, pdf, pst) launch/run fine.
I also can run Outlook no problem.
I've done another reboot and run both Avast FULL & MBAM Full and nothing shows.
I also went into the registry and looked for the cryptolock keywords.....not there.
I'm not sure just because this Trojan has the word "crypt" in it that this is Cryptolock but I'm by far no expert.
My files are backed up....offline.
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 26, 2013, 07:03:47 PM
....other FarBar attachment
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 26, 2013, 07:06:13 PM
Pondus, I run a custom scan which does have scan memory included.

I also do realize that I have realtime on Avast & MBAM but these scans run at night while asleep and I'm paranoid. :)
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: Pondus on December 26, 2013, 07:12:23 PM
Quote
Pondus, I run a custom scan which does have scan memory included.
and i am 99% sure this is your problem...

the scan memory setting will give some weird scan results ....posted many times in here, it is the second most frequently asked question in the forum
files that can not be scanned is number 1 .... so lots of info if you forum search

anyway, short story DO NOT USE the scan memory setting   ;)
unless you know what you are doing, and the result of doing it, i recommend using default scan setting for a problem free avast operation



Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: Pondus on December 26, 2013, 07:18:49 PM
Quote
Win32:VBCrypt-CSL (Trj)
and i think VBCrypt means visual basic crypt ...... and is not the new dangerous one
Quote
Trojan:VBS/Crypter.A is a Trojan that spreads as a malevolent Visual Basic script (VBS

http://www.pcworld.com/article/246499/trojan_cons_victims_with_fake_trial.html

Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 26, 2013, 07:27:45 PM
Pondus, thx !!!!!!!!!!!!!!!....points/advice noted.

Magna86, let me know what you think of the FarBar attachments ?
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: Pondus on December 26, 2013, 07:32:43 PM
you're welcome...

check back later for magna86 verdict on those logs   ;)

Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: magna86 on December 27, 2013, 01:34:26 AM
Hi,

Yes, Pondus is right. You have run CryptoPrevent, and this tool performs some prohibitions using group policy which prevent CryptoLocker from being installed.

In other words you are malware free. You may remove FRST by drag & drop into Recycle.

C:\FRST <= folder you may delete, but subfolder \Hivs\ contains your healthy hivs (registry) backup so you may keep this just in case or you may delete if you wish.
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: thekochs on December 27, 2013, 02:47:00 AM
Guys, thx.
Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: tr3mix on December 27, 2013, 04:35:42 PM
Hi, I have the same problem (Win32: VBCrypt-CSL). What sited in the NTUSER.DAT file, format the primary disk and reinstall Windows and appeared again today, I think that is stored on my other drive. Avast deletes it, but then it reappears. Help. thanks

Title: Re: Win32: VBCrypt-CSL (trj) ????
Post by: Pondus on December 27, 2013, 04:54:15 PM
Quote
Hi, I have the same problem (Win32: VBCrypt-CSL). What sited in the NTUSER.DAT file, format the primary disk and reinstall Windows and appeared again today, I think that is stored on my other drive. Avast deletes it, but then it reappears. Help. thanks
for help, start Your own topic and follow guide  http://forum.avast.com/index.php?topic=53253.0