Assistance please - RSA64.dll - Win64:Bot-A[Trj] - Cannot remove virus

Viruses and worms
1

Hello,

This is my first post as a long time Avast user. I have long been a supporter and fan of Avast for over 5 years, and it has never failed me, until now.

I have a new virus that keeps popping up every time I reboot and login. I have been unable to get rid of it with Avast full and boot time scan, coupled with MBAM.
Operating system: Windows 7, SP1. I’ve read through some previous posts on here from people experiencing the same problem, and I am following the guidance previously provided up to this point:
I have downloaded and ran the Farbar Scan and Recovery Tool, and attached are the FRST.TXT, Addition.txt, and the Search.txt file based on a search of rsa64.dll.
The Search did not return any results. I can only assume this is because every time I log in the virus is detected, the file is quarantined.
Also attached is the mbam log, which also came back clean.

This may be completely unrelated to the virus, but I am unable to create other profiles on the operating system. When I do, and the profile loads, it crashes and gives me an explorer.exe error. Again, this could have nothing to do with it. I’m primarily concerned with how to get rid of this virus. Can someone please help?

Many thanks in advance

2

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKU\S-1-5-21-139485654-749325832-2014894534-1000\...\Run: [Oqics] - regsvr32.exe C:\Users\Tim\AppData\Local\Oqics\KoanBox.dll <===== ATTENTION
HKU\S-1-5-21-139485654-749325832-2014894534-1000\...\MountPoints2: {c4244e9f-b952-11e1-bb25-8c89a5c14714} - F:\SISetup.exe
HKU\S-1-5-21-139485654-749325832-2014894534-1000\...\MountPoints2: {f5d15c89-9e76-11e2-ad5f-8c89a5c14714} - F:\eTflash.exe
SearchScopes: HKLM-x32 - DefaultScope {1AA6DD69-6BAA-42E7-8C65-9F0CB60A709B} URL = 
SearchScopes: HKCU - DefaultScope {1AA6DD69-6BAA-42E7-8C65-9F0CB60A709B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN18386346551155520&UM=2
SearchScopes: HKCU - {1AA6DD69-6BAA-42E7-8C65-9F0CB60A709B} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3306061&CUI=UN18386346551155520&UM=2
SearchScopes: HKCU - {300B388D-E8D1-4ACC-9A2E-4284699287D6} URL = http://search.findwide.com/serp?guid={42ECBAB5-39E3-46C8-A6D7-A8BDBB43079E}&action=default_search&serpv=22&k={searchTerms}
CHR HKLM-x32\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\Tim\AppData\Local\Torch\Plugins\TorchPlugin.crx [2013-03-01]
R2 TorchCrashHandler; C:\Users\Tim\AppData\Local\Torch\Update\TorchCrashHandler.exe [1216520 2014-02-28] (TorchMedia Inc.)
2014-03-04 10:28 - 2014-01-01 20:33 - 00000000 ____D () C:\Users\Tim\AppData\Local\Torch
C:\Users\Tim\AppData\Local\Temp\Execute2App.exe
C:\Users\Tim\AppData\Local\Temp\msvcp90.dll
C:\Users\Tim\AppData\Local\Temp\msvcr90.dll
CHR HKLM-x32\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Users\Tim\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [2014-01-02]
Torch (HKCU\...\Torch) (Version: 29.0.0.6058 - Torch Media, Inc) <==== ATTENTION
HKLM-x32\...\Run: [] - [X]
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

3

Thank you for responding so quickly. The fixlog is attached.

4

Ok, do you still have a problem?

5

Yes.
Attached is the screenshot of the message I receive after reboot and logging in.
FRST re-ran, FRST.TXT attached.
Please let me know how else I can help or what else I can provide.

Thank you so much for your assistance with this.

Tim

6

You did not copy the entire script. Do the same with this script.

HKU\S-1-5-21-139485654-749325832-2014894534-1000\...\Run: [Oqics] - regsvr32.exe C:\Users\Tim\AppData\Local\Oqics\KoanBox.dll <===== ATTENTION
7

Created a new fixlist.txt with this code:
HKU\S-1-5-21-139485654-749325832-2014894534-1000.…\Run: [Oqics] - regsvr32.exe C:\Users\Tim\AppData\Local\Oqics\KoanBox.dll <===== ATTENTION

Saved to the desktop (same location as FRST) - reran FRST /fix.
Fixlog attached. Rebooted, problem remains. Error the same as previous screenshot. Re-ran FRST, FRST.TXT attached.

8

Please upload detected files on Virustotal.

https://www.virustotal.com/

9

I’ve done this and it provides an analysis, along with some other data.
What can I provide you with as a result of the virustotal scan?

10

Just Copy/paste the link from the adress bar here.

11
What can I provide you with as a result of the virustotal scan?

Yes, please URL link.

12

https://www.virustotal.com/en/file/51e580a54db96d38bf8d8a48f4839119ab05c2f2830442a86772b6e9fbdf624f/analysis/

Thank you so much Argus for helping me with this. I hope we can find a solution.

13

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type rsa64.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

14

Attached. Please note: I had to move the file out of quarantine to the desktop so I could submit it to virustotal.

15

Please download SystemLook from one of the links below and save it to your desktop.

http://jpshortstuff.247fixes.com/SystemLook.exe
http://images.malwareremoval.com/jpshortstuff/SystemLook.exe

Temporarily disable your antivirus and any antispyware real time protection before performing a scan.

Double-click [b]SystemLook.exe[/b] to run it.
Copy the contents of the following codebox into the main textfield.

:filefind
rsa64.dll

Click the [b]Look [/b]button to start the scan.
[b]Note[/b]: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled [b]SystemLook.txt[/b]
16

Same result. Attached.

17

Remove it from the desktop, right click delete.

Restart PC.

Do you still warning?

18

Yes. Same result.
Screen capture attached.

19

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.

• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:

  • ‘Could not load protection driver’. Click ‘OK’.
  • ‘Could not load DDA driver’. Click ‘Yes’ to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe

  • Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution …
  • When you see “press any key to exit” fix is completed, press any key to close the window. Reboot the system.

> The following reports will be created in mbar folder:

  1. mbar-log-year-month-day (hour-minute-second).txt
  2. system-log.txt

Please post both logs in your next reply.

20

Nothing detected. Files you requested attached. This virus is a real pain. And a stealthy one.