rsa64.dll Win64:Bot-A

Having the same issue as http://forum.avast.com/index.php?topic=147437.0

mbam didn’t find anything

posting logs in a minute

OTL and Extras txt

aswMBR log

- Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )

Can you get this RSA64.dll file and upload it to Wikisend and send me that file? I’m going to report it to MBAM to be added to the Blacklist.

combofix log

and the dll as requested:
http://wikisend.com/download/498198/rsa64.dll

Open notepad and copy/paste the text present inside the code box below:



Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1CryptoProviderIcons]
[-HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}]

Folder::
c:\programdata\Microsoft\Crypto\RSA64

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Do you have Comodo firewall?

combofix log after using it with specified text file

nope, don’t have comodo firewall, although i do remember having it at one point and that i had problems with it

Open notepad and copy/paste the text present inside the code box below:



File::
c:\windows\system32\DRIVERS\cmderd.sys
c:\windows\system32\DRIVERS\cmdguard.sys
c:\windows\system32\DRIVERS\cmdhlp.sys

Folder::
c:\programdata\Microsoft\Crypto\RSA64

Driver::
cmderd
cmdGuard
cmdHlp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1CryptoProviderIcons]
[-HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}]


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
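
A read-only way to confirm that the items the CFScript above targets are gone after the re-run, as an added example that is not part of the original thread or of ComboFix. The paths, CLSID and driver names are copied from the script; the function name Test-Rsa64Remnant is hypothetical, and the driver lookup assumes the standard HKLM\SYSTEM\CurrentControlSet\Services location.

```powershell
# Added example: read-only check for the artifacts named in the CFScript.
# Nothing is modified or deleted. Run from an elevated 64-bit PowerShell so
# that system32 and the CLSID key are not redirected to their 32-bit views.
function Test-Rsa64Remnant {
    $hklm = 'Registry::HKEY_LOCAL_MACHINE'
    $targets = @(
        @{ Kind = 'RegistryKey'; Path = "$hklm\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1CryptoProviderIcons" }
        @{ Kind = 'RegistryKey'; Path = 'Registry::HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}' }
        @{ Kind = 'Folder';      Path = 'c:\programdata\Microsoft\Crypto\RSA64' }
        @{ Kind = 'File';        Path = 'c:\windows\system32\DRIVERS\cmderd.sys' }
        @{ Kind = 'File';        Path = 'c:\windows\system32\DRIVERS\cmdguard.sys' }
        @{ Kind = 'File';        Path = 'c:\windows\system32\DRIVERS\cmdhlp.sys' }
    )
    # Each Driver:: entry is a service name; a leftover registration would
    # still have a key under the Services branch.
    foreach ($name in 'cmderd', 'cmdGuard', 'cmdHlp') {
        $targets += @{ Kind = 'DriverService'; Path = "$hklm\SYSTEM\CurrentControlSet\Services\$name" }
    }
    foreach ($t in $targets) {
        [pscustomobject]@{
            Kind    = $t.Kind
            Present = Test-Path -LiteralPath $t.Path
            Path    = $t.Path
        }
    }
}

$results = Test-Rsa64Remnant
$results | Format-Table -AutoSize -Wrap

# If the RSA64 folder survived, record SHA-256 hashes of its files so the
# exact samples can be referenced when reporting them to a vendor.
$folder = 'c:\programdata\Microsoft\Crypto\RSA64'
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -File -Recurse -Force |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
}

if ($results.Present -contains $true) {
    Write-Warning 'At least one item from the CFScript is still present.'
} else {
    Write-Output 'None of the items listed in the CFScript were found.'
}
```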

3rd combofix log

Do you still have a problem?

Restarted the laptop and everything seems fine, thank you for your help :), it’s great to see such level of professional support offered to avast users.

I do wish to ask tho: Was this a serious threat to my pc, and what would have happened if this virus, or whatever it is, wouldn’t have been stopped by an antivirus?

Thanks again,

D. Attila

OK :wink:

It is necessary to uninstall ComboFix:

- Click Start (or the Vista Start button) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

- In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

- Then click OK (or press Enter).

Wait until the uninstall process is complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt)

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.

It is not a virus but it is malware, and every malware is a threat.
A virus is just one kind of malware.

Thanks for the advice, I just installed MCShield, looking forward to seeing it in action.

Was it actually some kind of cryptolocker?

It’s an antimalware (worms) program. Read the explanation here.

http://forum.avast.com/index.php?topic=147582.msg1073843#msg1073843

I’m having the same problem.
Can I follow the same procedure? or do I need a specific one for my pc?

Please start your own topic and attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0