Assistance please - RSA64.dll - Win64:Bot-A[Trj] - Cannot remove virus

[schwack]

Same result.  Attached.

[argus]

Remove it from the desktop, right click delete.

Restart PC.

-------------

Do you still warning?

[schwack]

Yes.  Same result.
Screen capture attached.

[argus]

Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions how MBAR works, read this article


> Doubleclick on the MBAR file () and allow it to run.
•  Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
•  mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
•  After reading the Introduction, click Next if you agree.

•  On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
•  Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:
-  'Could not load protection driver'. Click 'OK'.
-  'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>>  If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>>  If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
•  The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.


>>  Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution ...
- When you see "press any key to exit" fix is completed, press any key to close the window. Reboot the system.




> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.

[schwack]

Nothing detected.  Files you requested attached.  This virus is a real pain.  And a stealthy one.

[argus]

• Please download ComboFix by sUBs and save it to your Desktop.
  You may read how Combofix works here.
  
  
• Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
  If you are unsure how to do this please read this or this Instruction.
  
  
• Run ComboFix. Click on I Agree! & follow the prompts.
  Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
  
  
• When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
  (typical log location: C:\ComboFix.txt )

[schwack]

Completed and attached.
Note:  After reboot, virus still remains.  Not sure if this tool was an identifier or a cleaner.

[argus]

Will continue tomorrow, here is a late evening.

[schwack]

OK Thank you.

[argus]

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]


Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1CryptoProviderIcons]
[-HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}]

Folder::
c:\programdata\Microsoft\Crypto\RSA64


Save this as CFScript.txt



Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

[schwack]

I think the problem is finally fixed.  After running with the script, it took the actions you specified.  After reboot, the pop-up is gone.
Combofix.txt attached.

[argus]

It is necessary to uninstall ComboFix :

• Click Start (or ) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.

.








=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.



Greeting!

[schwack]

Done and done.  I think I'm good!  It even fixed the explorer error when logging into a different profile.

Thanks so much for your help with this!

Cheers!