Problem with RSA 64

HI! THIS IS MY FIRST TOPIC;

HOPE YOU CAN HELP ME:

I'VE GOT THIS ISSUE WITH THESE 2 FILES, WHICH ARE IN A FOLDER CALLED “CRYPTO”

1- RSA64.DLL (MY ESET AND MBAM FIND IT EVERY TIME I RESTART MY COMPUTER; THEY CLEAN IT, BUT IT APPEARS AGAIN AND AGAIN)

THIS IS WHAT ESET SHOWS ON THE LOG : C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll - una variante de Win64/Sathurbot.A troyano - desinfectado por eliminación (tras el próximo reinicio) - puesto en cuarentena

2- CryptoProvider.DLL (THIS ONE I CAN'T GET RID OF EITHER; THE DIFFERENCE? WELL, IT TELLS ME THAT IT IS BEING USED BY MICROSOFT, SO THERE'S NO CHANCE FOR THE ANTIVIRUS/ANTI-SPYWARE TO OPEN IT, NOR FOR ME TO ERASE IT MANUALLY.)

NOW, I'VE READ THAT YOU CAN SOLVE IT USING THIS PROGRAM: COMBOFIX; BUT I ALSO KNOW THAT SOMEONE HAS TO HELP ME WITH THE LOGS… HOPE SOMEONE HERE CAN.

THANKS ANYWAY… HAVE A GREAT DAY

JUAN.

No need for ComboFix, as that is a bit of overkill.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select Addition.txt at the bottom.
[*]Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated (FRST.txt and Addition.txt).

[b]I ran the 64-bit version, which matches my system. Got the results, but

I don't know how to attach them. I looked it up in the forum but could not understand it well; waiting for an answer.

Thanks. :smiley:
[/b]

If you reply here you'll find the option below the text box → “Attachments and other options”.

Click the attachments link, then browse to the logs and select them.

Attached. Thanks again! :wink:

Let me know how the computer is behaving after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

ShellIconOverlayIdentifiers: 1CryptoProviderIcons -> {24808826-C2BF-4269-B3BA-89D1D5F431A4} => C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll ()
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKCU - No Name - {DB131C55-60C8-4ADC-84DC-9E76AB06E2DC} - No File
Task: {0699F15A-C941-4AD1-8663-A8F33E77A543} - \ITECIR Filter Application for RCMM No Task File <==== ATTENTION
Task: {1262E9A0-50CD-4448-ABA2-F9F84D713438} - \Adobe Flash Player Updater No Task File <==== ATTENTION
Task: {3246C76F-AA54-4131-860F-9AFFCA508011} - \Adobe Reader Speed Launcher No Task File <==== ATTENTION
Task: {49F10D19-3053-42AC-ACB0-E4487C88C90D} - \Adobe ARM No Task File <==== ATTENTION
Task: {5E10A301-709C-4441-827C-3BA18313E11D} - \NBAgent No Task File <==== ATTENTION
Task: {9EFEA96C-CD46-4FF8-96B7-FD6CD1AA10D4} - \CCleanerSkipUAC No Task File <==== ATTENTION
Task: {D2EA2056-E424-4FA7-BB1D-559E4CEF1602} - \{0031401E-0857-44D7-9F32-A59CEB475613} No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Microsoft:0Nr6YKxHk4bMG1A75CclSgMiJtkKT
AlternateDataStreams: C:\ProgramData\Microsoft:0oeqdNThHcmwnAjawAx1NPnna
AlternateDataStreams: C:\ProgramData\Microsoft:cXioX7YUNxCDTxw0lwnmEA
AlternateDataStreams: C:\ProgramData\Microsoft:d9Cpg6AhHoOSuLA4DaXHfk
AlternateDataStreams: C:\ProgramData\Microsoft:nPr4VWmIEh10VVOaBhvAaNIctB
AlternateDataStreams: C:\ProgramData\Microsoft:QeeXtw5oTbXgLI7IyKKrAzZl
AlternateDataStreams: C:\ProgramData\Microsoft:ZH0AbYAgvPzTHADjHYH
AlternateDataStreams: C:\ProgramData\Temp:1AAB2E68
AlternateDataStreams: C:\ProgramData\Temp:1CE11B51
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Juan Fran\Cookies:a6PwG0F5LWknVyoZ4cC
AlternateDataStreams: C:\Users\Juan Fran\Cookies:xRRIbGuF2Uc1fp2mXCBTa
AlternateDataStreams: C:\Users\Juan Fran\AppData\Local\Archivos temporales de Internet:Nf5XByHMZjq5rhOABup0ls
AlternateDataStreams: C:\Users\Juan Fran\AppData\Local\gFTTboucLw:lLCpFfB6RDUPodfPTaweImFxc
AlternateDataStreams: C:\Users\Juan Fran\AppData\Local\Temp:2LMDDLMEhdBGXVcyPQzrMItx2T2b
AlternateDataStreams: C:\Users\Juan Fran\AppData\Local\Temp:wNiusi21CtOogNdSmelv4
C:\ProgramData\Microsoft\Crypto
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
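As an added illustration that is not part of the thread (and not FRST's or any vendor's own code), the PowerShell below enumerates the ShellIconOverlayIdentifiers handlers that the first fixlist line removes one of, resolves each CLSID to the DLL Explorer will load, and flags handlers whose DLL is missing or sits outside Program Files / Windows, as CryptoProvider.dll under C:\ProgramData did here. The list of "normal" roots is an assumption of this example.

```powershell
# Added example, not from the thread: audit shell icon overlay handlers, a
# persistence location that Explorer loads at every logon.
function Get-ShellIconOverlayReport {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
    )
    # Assumption: legitimate handlers live under Program Files or Windows;
    # anything else (e.g. C:\ProgramData, as in this thread) is reported as unusual.
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            # The (Default) value of each subkey is the handler's CLSID
            $clsid = (Get-ItemProperty -Path $sub.PSPath).'(default)'
            if (-not $clsid) { continue }
            # CLSID -> InprocServer32 (Default) is the DLL path; HKCR merges HKLM and HKCU classes
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path -Path $server) {
                $raw = (Get-ItemProperty -Path $server).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
            }
            $status = 'OK'
            if (-not $dll) { $status = 'NO SERVER' }
            elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'MISSING FILE' }
            elseif (-not ($trusted | Where-Object { $dll -like "$_\*" })) { $status = 'UNUSUAL PATH' }
            [PSCustomObject]@{ Name = $sub.PSChildName; CLSID = $clsid; Dll = $dll; Status = $status }
        }
    }
}

Get-ShellIconOverlayReport | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that HKLM and the DLL paths are all readable; a handler reported as UNUSUAL PATH is a candidate for the kind of FRST line shown above, not proof of infection on its own.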

Attached. WAIT FOR AN ANSWER.

THANKS AGAIN MATE! :wink:

I think you will find that the miscreant is now gone; could you check with MBAM please?

IT'S GONE!

THANKS!

WHAT CAN I DO TO PREVENT FURTHER INFECTIONS?

THANKS AGAIN! HAVE A NICE DAY! ;D

Unfortunately automated tools only take out the offending file and leave the rest to have more babies. :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run some important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

If I can make a suggestion, WinPatrol is another product that informs you of changes being made to your system. WinPatrol also monitors quite a few of the registry entries often attacked by malware.

Out of curiosity, Bob, does it monitor this key?

ShellIconOverlayIdentifiers:

Thanks! That is some good news.

Last issue: when I try to install CryptoPrevent it comes out with the following text:

“unable to execute file in the temporary directory. setup aborted. Error 5: acces denied” (I'm sure it's the 64-bit version, and I moved it to the desktop, but it still appears)

Thanks a lot for what you are doing to help!

I don't know, Martin, but I've requested information directly from the horse's mouth and will let you know as soon as I know. :slight_smile:

Thanks Bob :slight_smile:

Juan8, could you run CryptoPrevent as administrator?

Same issue! >:(

Could you try the following:

The problem is with the security permissions on your profile temp folder. To fix it, navigate to %temp% or C:\Users\[Username]\AppData\Local, right click on the Temp folder and choose Properties, then click the Security tab and click Advanced.

On the Permissions tab you should see the permissions that are there. There should be 3, which are:

‘SYSTEM’ with Full control which applies to ‘This folder, subfolders and files’

‘Administrators’ with Full control which applies to ‘This folder, subfolders and files’

‘Your Username’ with Full control which applies to ‘This folder, subfolders and files’
and all 3 should be inherited from the C:\Users\[Username]\ folder.

If you don't have the ‘Include inheritable permissions from this object's parent’ option ticked, then tick it, click Continue if there are any problems, then remove the permissions that aren't inherited.

Once you click ‘Apply’ and then ‘OK’ you should have the permissions to write to the directory, and you won't get those error messages any more.
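To see the state of those permissions before touching anything in the Security tab, here is an added read-only PowerShell check (not from the thread): it lists whether inheritance on the profile Temp folder is blocked, which entries are not inherited, whether each of the three expected identities has an Allow Full control entry, and whether a temporary file can actually be created there, which is what the installer's "Error 5" is about. The expected identity names (NT AUTHORITY\SYSTEM, BUILTIN\Administrators and the current user) are this example's assumption.

```powershell
# Added example, not from the thread: inspect the %TEMP% ACL described above
# without modifying it, and reproduce the temp-file write an installer needs.
function Test-ProfileTempAcl {
    $temp = Join-Path $env:LOCALAPPDATA 'Temp'
    $acl  = Get-Acl -Path $temp
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Assumed expected identities: SYSTEM, Administrators and the logged-on user
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $me)
    $findings = @()

    # Protected rules == the "Include inheritable permissions" box is unticked
    if ($acl.AreAccessRulesProtected) { $findings += 'Inheritance from parent is BLOCKED' }

    # Entries not inherited from C:\Users\<user> are the ones the post says to remove
    foreach ($rule in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $findings += "Non-inherited entry: $($rule.AccessControlType) $($rule.FileSystemRights) for $($rule.IdentityReference.Value)"
    }

    # Each expected identity should hold an Allow entry that includes Full control
    foreach ($id in $expected) {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if (-not $ok) { $findings += "No Allow Full control entry for $id" }
    }

    # What an installer does: create and delete a file in %TEMP%
    try {
        $probe = [System.IO.Path]::GetTempFileName()
        Remove-Item -LiteralPath $probe -Force
        $writable = $true
    } catch {
        $writable = $false
        $findings += "Cannot create a file in ${env:TEMP}: $($_.Exception.Message)"
    }

    [PSCustomObject]@{ Folder = $temp; Writable = $writable; Findings = $findings }
}

Test-ProfileTempAcl | Format-List
```

An empty Findings list with Writable = True means the folder already matches what the post describes and the installer error has another cause.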

I'm afraid I can't do that :( : the last time I tried to change the account permissions my computer started having lots of problems…

Any other way?

Thanks again! ;D

OK, this is a little more long-winded but safer. :slight_smile:

Download Windows All In One Repair from Tweaking.com to your desktop.
Install the programme and run it.
Select Step 5: Back up your registry and create a system restore point.

https://dl.dropboxusercontent.com/u/73555776/waiobackup.JPG

Then select the Start Repairs tab and click Start.

https://dl.dropboxusercontent.com/u/73555776/waiorepair.JPG

Select the following repair number item:

2

Once it has completed, reboot the system.