Author Topic: Win32:VBCrypt-CSL [Trj] found during scan (clean boot scan) in NTUSER.DAT  (Read 1821 times)

0 Members and 1 Guest are viewing this topic.

Offline WhatIsTheFussAbout

  • Newbie
  • *
  • Posts: 2
Avast just found  Win32:VBCrypt-CSL [Trj] during a full scan in NTUSER.DAT.  I then ran a boot time scan that came back clean.  I re-ran the full scan and it once again found the trojan.  However Avast cannot repair this file since it is in use - I believe it is part of the windows registry.  MalwareBytes Anti-Malware did not find this in a scan.

1) Why would the boot scan not find it and the standard scan find it?
2) How do I know if this is a false positive?
3) How do I go about backuping up and cleaning this file? 

I attached the report from the scans.

Thanks

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31309
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Upload the file to https://www.virustotal.com/ and post the report link here.
Also tell us where exactly the file is located.

Offline WhatIsTheFussAbout

  • Newbie
  • *
  • Posts: 2
Thank you for your help.

https://www.virustotal.com/en/file/c3f2e1e9a0e15fe36dc74c430b78f7b3dd72d175319c0da7cd02edfd5fdcc63c/analysis/1388739889/

When I copied this file I renamed the copy to infected-ntuser.dat which I uploaded here.

The original file is c:\users\home\ntuser.dat   My Windows 7 user name is home.

Thank you

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31309
  • Watching (over?) you
    • Malware removal, Biljart and other things.
It looks like a false positive.
Please report it using this form: http://www.avast.com/contact-form.php

jwoods301

  • Guest
Another user reported this yesterday in the "viruses and worms" forum.
« Last Edit: January 03, 2014, 08:08:33 PM by jwoods301 »