Author Topic: Win32: VBCrypt-CSL (trj) ????  (Read 8687 times)


thekochs

  • Guest
Win32: VBCrypt-CSL (trj) ????
« on: December 26, 2013, 04:11:13 PM »
Ok, I have several W7 64-bit SP1 machines and I'm a techy.
I use MBAM Pro for realtime scan and scanner runs at night.
I also have Avast V8 (waiting for V9/2014 to stabilize) with scan every night.
I also ran the CryptoPrevent util.
The machines are basically MS Office machines with IE11 use.
I also have CCleaner installed and run it daily to clean the temp files out.

From time to time on machines I'll get a memory block "virus" result but usually a reboot and CCleaner run and re-scan shows nothing.
Today I woke up and one machine had server memory block items.....of course you cannot "apply" these into the Virus Chest.
I rebooted and CCleaned and ran again......got one left Threat: Win32:VBCrypt-CSL (Trj).
Process 1972 (taskhost.exe), memory block (0x0000000008828000, block size 32768 (WebcacheV01.dat)
Of course all Viruses and Malware scare me but with CryptoLock out there I am really scared.
I have no idea if the word "crypt" in the Trojan means it is this.
I ran MBAM memory scan and it found nothing.
I also did a search within the registry for the HKLM\......\CurrentVersion\Run "CryptoLocker" and also
HKEY_CLASSES_ROOT for keyword "Myjiaabodehhltd" and the search found nothing.
I CCLeaned and rebooted again and ran Avast Memory scan and this time clean......puzzling or good ?
I ran a full MBAM scan....everything shows clean.

Thoughts ?
 
 
« Last Edit: December 26, 2013, 05:01:57 PM by thekochs »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #1 on: December 26, 2013, 06:08:08 PM »
Hi,

Uh ... this can be very bad. Do you have access to all your personal files like pictures, music or documents? If so, do a backup immediately on some non-system drive/space!

If you have active CryptoLocker this may be very bad for your system and for your personal files.

We're still low with the utility that can do the decryption of files.







Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "Driver MD5" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #2 on: December 26, 2013, 06:58:51 PM »
Quote
Ok, I have several W7 64-bit SP1 machines and I'm a techy.
I use MBAM Pro for realtime scan and scanner runs at night.
I also have Avast V8 (waiting for V9/2014 to stabilize) with scan every night.
well ...then i guess you know that both avast and mbam PRO have realtime protection .... so scanning this frequently is not necessary



Quote
Today I woke up and one machine had server memory block items.....of course you cannot "apply" these into the Virus Chest.
nope .....bc it is not a file, but a process run in memory .... you can't move a process


Quote
I rebooted and CCleaned and ran again......got one left Threat: Win32:VBCrypt-CSL (Trj).
Process 1972 (taskhost.exe), memory block (0x0000000008828000, block size 32768 (WebcacheV01.dat)
Have you changed the default scan settings?
have you selected scan memory ?


thekochs

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #3 on: December 26, 2013, 07:03:11 PM »
Quote
Hi,

Uh ... this can be very bad. Do you have access to all your personal files like pictures, music or documents? If so, do a backup immediately on some non-system drive/space!

If you have active CryptoLocker this may be very bad for your system and for your personal files.

We're still low with the utility that can do the decryption of files.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "Driver MD5" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

I've downloaded the 64-bit version.....attached are the logs.
All my personal (eg, doc, xls, jpg, pdf, pst) launch/run fine.
I also can run Outlook no problem.
I've done another reboot and run both Avast FULL & MBAM Full and nothing shows.
I also went into the registry and looked for the cryptolock keywords.....not there.
I'm not sure just because this Trojan has the word "crypt" in it that this is Cryptolock but I'm by far no expert.
My files are backed up....offline.

thekochs

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #4 on: December 26, 2013, 07:03:47 PM »
....other FarBar attachment

thekochs

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #5 on: December 26, 2013, 07:06:13 PM »
Pondus, I run a custom scan which does have scan memory included.

I also do realize that I have realtime on Avast & MBAM but these scans run at night while asleep and I'm paranoid. :)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #6 on: December 26, 2013, 07:12:23 PM »
Quote
Pondus, I run a custom scan which does have scan memory included.
and i am 99% sure this is your problem...

the scan memory setting will give some weird scan results ....posted many times in here, it is the second most frequently asked question in the forum
files that can not be scanned is number 1 .... so lots of info if you forum search

anyway, short story DO NOT USE the scan memory setting   ;)
unless you know what you are doing, and the result of doing it i recommend using default scan setting for a problem free avast operation



« Last Edit: December 26, 2013, 07:19:34 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #7 on: December 26, 2013, 07:18:49 PM »
Quote
Win32:VBCrypt-CSL (Trj)
and i think VBCrypt means visual basic crypt ...... and is not the new dangerous one
Quote
Trojan:VBS/Crypter.A is a Trojan that spreads as a malevolent Visual Basic script (VBS

http://www.pcworld.com/article/246499/trojan_cons_victims_with_fake_trial.html


thekochs

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #8 on: December 26, 2013, 07:27:45 PM »
Pondus, thx !!!!!!!!!!!!!!!....points/advice noted.

Magna86, let me know what you think of the FarBar attachments ?
« Last Edit: December 26, 2013, 07:32:41 PM by thekochs »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #9 on: December 26, 2013, 07:32:43 PM »
you're welcome...

check back later for magna86 verdict on those logs   ;)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #10 on: December 27, 2013, 01:34:26 AM »
Hi,

Yes, Pondus is right. You have run CryptoPrevent, and this tool performs some prohibitions using group policy which prevent CryptoLocker from being installed.

In other words you are malware free. You may remove FRST by drag & drop into Recycle.

C:\FRST <= folder you may delete, but subfolder \Hivs\ contains your healthy hivs (registry) backup so you may keep this just in case or you may delete if you wish.

thekochs

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #11 on: December 27, 2013, 02:47:00 AM »
Guys, thx.

tr3mix

  • Guest
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #12 on: December 27, 2013, 04:35:42 PM »
Hi, I have the same problem (Win32: VBCrypt-CSL). What sited in the NTUSER.DAT file, format the primary disk and reinstall Windows and appeared again today, I think that is stored on my other drive. Avast delete it, but then reappears. Help. thanks


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37524
  • Not a avast user
Re: Win32: VBCrypt-CSL (trj) ????
« Reply #13 on: December 27, 2013, 04:54:15 PM »
Quote
Hi, I have the same problem (Win32: VBCrypt-CSL). What sited in the NTUSER.DAT file, format the primary disk and reinstall Windows and appeared again today, I think that is stored on my other drive. Avast delete it, but then reappears. Help. thanks
for help, start your own topic and follow guide  http://forum.avast.com/index.php?topic=53253.0