Crypto malware?

[Richard William Posner]

avast! has suddenly started grabbing executables from K:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA64\temp (see attachment)

This began after I restarted the "Automatic Updates" service, which had been disabled for a very long time. That seems like too much of a "coincidence" to ignore. I've disabled Automatic Updates again but these executable files seem to be created in the RSA64\temp folder each time I turn on my computer. I've been thinking of getting a graphics tablet and the system requirements include SP3. That's why I turned the auto update service on. I really wish I hadn't done that.

I'm running XP Professional, SP2 and I don't want to "upgrade" to any newer platform. I would have stayed with Windows 98 but, years ago, I wanted to upgrade a couple of my apps and they updates wouldn't run under 98. I'd now rather stick with the versions of the apps I've got than go to any of the newer versions of Windows.

So, bottom line, does anyone know what these executables are, how I can get rid of them and stop them from regenerating? Can I get rid of the whole "Crypto" folder or the RSA64 folder? I have no idea what their function is so I won't delete them until I know doing so won't crash my system.

Once upon a time, the internet was a really great thing. It opened up a whole world of possibilities. Unfortunately a lot of those possibilities turn out to be extremely negative.

[Michael (alan1998)]

Just 2 questions and 1 request.

1st Question: Is wscript.exe running inside your Task Manager?
2nd Question: Windows XP 32Bit SP2 is very vulnerable. I understand you have Apps you want to keep, but do some investigating. They should work with SP3

Request: go to http://forum.avast.com/index.php?topic=53253.0 and attach MBAM, OTL & aswMBR

Edit: 1 more request. Find that folder/file. Upload all 3 to www.virustotal.com and attach all three scan repots.

[seeker15]

Well, Hello! Same here. Today it detected out of nowhere the following files as Trojans. I am not sure either as to what their functions are but looking at the names of folders and files, it seems that they are somehow associated with the security/encryption. Does that mean we are at risk of browsing secure sites, possible because the files had just been deleted? (I am not seeing any effect so far). There is another file however, named rsa64.dll which is not detected to be any kind of threat.

what is going on? If they are false positive, then we might encounter problem in the future when those files would be needed.

[Michael (alan1998)]

Add them to the exclusions list. It is a FP. After that, restore them to thefile locations

[seeker15]

Avast should make sure that they are false positive because we don't know whether it had been infected somehow. Excluding some system file is not a good idea, IMO. I would have excluded if I had known what it does and where it came from. For now, its best I keep it in v.chest!

[Secondmineboy]

Right click the files and choose submit to virus lab. Select suspected false positive and fill
the form for all files. They will be sent for investigation on next update.

[magna86]

Hi Richard William Posner,

This isn't FP. This is a live malware. If you wanna get rid of it (and analysis) please run the following:


---     ---     ---     ---     ---
Primary Scan

Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

• Type CryptoProvider.dll;rsa64.dll into the Search: field in FRST then click the Search File(s) button.
  
• FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  
• Please attach it to your reply.

---     ---     ---     ---     ---
RootKit Scan




Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

• Wait for initial scan to finish - if there is any query, click No;
  
• Click [ Scan ] button and wait until the full scan is complete;
  
• Click [ Save ... ]- save the report to the Desktop (named ARK );
  
  
• Then click the >>> button and select Autostart card;
  
• Click [ Scan ] button;
  
• After quick scan, click Copy button;
  
• Open notepad and Paste text. Save report to the Desktop (named autostart )

> Attach here both Gmer logreports. (ARK.txt and autostart.txt)