Win-64:Bot-A

HI,
I’m getting warnings every 5 seconds from Avast saying that this file: C:\ProgramData\Microsoft\Crypto\RSA64\rsa64.dll (or these files: C:\ProgramData\Microsoft\Crypto\RSA64\temp* ) is infected by said trojan.
I’m running Win 8 64. I tried to follow the post on how to post logs, but I am unable to download Malwarebytes’ Anti-Malware.
Can somebody help / give a hint?
many thanks!

s.

What error do you get when downloading Malwarebytes? The removal experts have other tools that replace MBAM if that doesn't succeed.

The most important log is OTL.txt

I get a ‘not found’ error and I’m not able to download it.
Here are the otl logs

Try from here http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Removal experts are notified. It is soon midnight here in Europe, so you may not receive a reply today…

Hi slyv,

Where is the aswMBR.txt log? The posted OTL log doesn’t show activity. I would like to take one more look:

1. Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

2. Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type rsa64.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

Thanks for your replies.
Here are the logs for FRST and MBAM.

Hi slyv,

According to the logs you have disabled your antivirus. I just want you to be aware of that, so you can turn protection back on later.
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Disabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
Btw, I would remove Spybot S&D, as this software cannot keep up with the current security standard.


Your machine is infected with malware. MBAM has targeted the PUP leftovers but not the malware itself. We shall tell FRST to target this thing …


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll
C:\Users\sylvain\AppData\Local\Google\Chrome\User Data\Default\Extensions\hehijbfgiekmjfkfjpbkbammjbdenadd
C:\Users\sylvain\AppData\Roaming\CamLayout.ini
C:\Users\sylvain\AppData\Roaming\CamShapes.ini
HKLM-x32\...\Run: [] - [X]
AlternateDataStreams: C:\Users\Public\DRM:احتضان
AlternateDataStreams: C:\Users\sylvain\Cookies:uaSAfaumr6dUA3vw9aSG48Efm4sK
AlternateDataStreams: C:\Users\sylvain\Local Settings:TbSt28ZbZQSi0D45KWDcXdNa0zx
AlternateDataStreams: C:\Users\sylvain\AppData\Local:TbSt28ZbZQSi0D45KWDcXdNa0zx
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.


TempFileCleaner


Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.



Re-check


Re-run FRST64 . . .

[*]Double-click to run it.
[*]Under Optional Scan ensure “Addition.txt” is ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]Tool will create another log (Addition.txt). Please attach it to your reply as well.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type (Copy) CryptoProvider.dll;rsa64.dll;hehijbfgiekmjfkfjpbkbammjbdenadd into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

Hi Magna86
Thanks for taking care!
Here is fixlog.txt.

Here are the second run logs of FRST64…

… And here is the result of the search:

Don’t know if I’m clean yet, but I don’t get any warnings from Avast and my desktop is stable (it was constantly switching to the Windows 8 welcome screen).

Hi slyv,

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2014
Ran by sylvain at 2014-03-12 20:01:57 Run:2
Running from C:\Users\sylvain\Downloads
Boot Mode: Normal

You have run the FixList two times. The posted FixLog.txt doesn’t say whether the malware is removed or not; it only shows whether it could find the targeted files. I’ll need to see the first FixLog.

It is located in C:\FRST\Logs. Please post FixLog<date_time>.txt here.


Also, I will need some additional checking:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Folder: C:\ProgramData\Microsoft\Crypto

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.

Sorry.
Here is the last fixlog:

And here is the required fixlog.txt

Hi,

Just to tell you, you have a new malware variant. Therefore I want to collect as much info as I can get.

Please download SystemLook (64-bit) and save it to your desktop.
http://jpshortstuff.247fixes.com/SystemLook_x64.exe

Double-click on the SystemLook_x64.exe icon to run it.
Copy the content of the following quote into the main text field:

:regfind
CryptoProvider.dll
rsa64.dll
hehijbfgiekmjfkfjpbkbammjbdenadd

:filefind
CryptoProvider.dll
rsa64.dll
hehijbfgiekmjfkfjpbkbammjbdenadd

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please attach the log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Hi again!

sweet :slight_smile:

here is the log:


SystemLook 30.07.11 by jpshortstuff
Log created at 22:24 on 12/03/2014 by sylvain
Administrator - Elevation successful

========== regfind ==========

Searching for "CryptoProvider.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32]
@="C:\ProgramData\Microsoft\Crypto\RSA64\CryptoProvider.dll"

Searching for "rsa64.dll"
No data found.

Searching for "hehijbfgiekmjfkfjpbkbammjbdenadd "
No data found.

========== filefind ==========

Searching for "CryptoProvider.dll"
No files found.

Searching for "rsa64.dll"
No files found.

Searching for "hehijbfgiekmjfkfjpbkbammjbdenadd"
No files found.

-= EOF =-

Hahaha … ;D


Ok, according to the log the malware is neutralized. This FRST script shall target the remains:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
c:\programdata\Microsoft\Crypto\RSA64
REG: reg add "HKLM\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32" /v @ /t REG_SZ /d "" /f
AlternateDataStreams: C:\Users\sylvain\Cookies:uaSAfaumr6dUA3vw9aSG48Efm4sK
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.
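A defender-side check for the kind of finding above, as an added example that is not from the thread or from FRST/SystemLook: it lists CLSID InprocServer32 handlers whose DLL lives outside the system folders and whether the file still exists (the CryptoProvider.dll entry in the SystemLook log is exactly such an orphaned handler, registered in HKLM but with no file on disk), and it lists named alternate data streams on a path like the ones the fixlist removed. The hive list, trusted roots and sample path are my assumptions.

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell (3.0 or later).
# Assumption: COM DLLs under Windows or Program Files are treated as expected; anything
# else (ProgramData, user profile, temp) is reported for a human to review.
$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }   # drops the bare "\" left on 32-bit Windows

function Test-TrustedDllPath {
    param([string]$Path)
    # Registry values may be quoted or use %SystemRoot%-style variables
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($root in $TrustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousInprocServer {
    $hives = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
               'HKCU:\SOFTWARE\Classes\CLSID')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($clsid in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            $inproc = Join-Path $clsid.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { continue }
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll -or (Test-TrustedDllPath $dll)) { continue }
            $file = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
            [PSCustomObject]@{
                Hive   = $hive
                CLSID  = $clsid.PSChildName
                Dll    = $dll
                Exists = Test-Path -LiteralPath $file   # False = orphaned handler
            }
        }
    }
}

# Named alternate data streams on a file or folder; the unnamed :$DATA stream is the
# object's ordinary content and is filtered out.
function Get-NamedStream {
    param([string]$LiteralPath)
    Get-Item -LiteralPath $LiteralPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-SuspiciousInprocServer | Sort-Object Dll | Format-Table -AutoSize
Get-NamedStream -LiteralPath "$env:USERPROFILE\AppData\Local"   # path from the fixlist above
```

A handler reported with Exists=False is a leftover registration worth clearing, which is what the reg add line in the fixlist above does for the CLSID found in the SystemLook log.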

Hi again!
Here you go:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2014
Ran by sylvain at 2014-03-12 23:22:48 Run:4
Running from C:\Users\sylvain\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
c:\programdata\Microsoft\Crypto\RSA64
REG: reg add "HKLM\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32" /v @ /t REG_SZ /d "" /f
AlternateDataStreams: C:\Users\sylvain\Cookies:uaSAfaumr6dUA3vw9aSG48Efm4sK
End
*****************

C:\ProgramData\Microsoft\Crypto\RSA64 => Moved successfully.

========= reg add "HKLM\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32" /v @ /t REG_SZ /d "" /f =========

L'opération a réussi.



========= End of Reg: =========

"C:\Users\sylvain\Cookies" => ":uaSAfaumr6dUA3vw9aSG48Efm4sK" ADS not found.

==== End of Fixlog ====

Good. This now looks very good. I think we are done here. The malware and its configuration entries have been removed. But I would like you to perform the boot-time scan via avast! Antivirus at the very end.

It does not have to be done immediately, but at a time when you won’t need the PC, because the scanning time may be long (up to 4 hours), depending on the size of the disk.
Make sure that avast! removes all detected items. When avast! finishes the boot-time scan, it shall create the log report named aswBoot.txt, located here:
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt

Please attach the report here:

Hi!
Thanks. Scan running since 12h, reaching 50%. I’ll be back!

S.