A suspicious directory and file keep reappearing after I've deleted them

1 reply to this topic

#1 Zelithe


  • Members
  • 6 posts
  • Local time:04:36 PM

Posted 31 October 2009 - 05:42 PM

This is the directory name:

C:\Documents and Settings\User\Application Data\Microsoft\Crypto\RSA\S-1-5-21-(random numbers, SID from what I've read after this point)

The filename after the above folder is another series of random numbers and letters also separated with hyphens, and I've submitted it to VirusTotal and nothing shows up for a virus. VirusTotal says it has been scanned before and says it is clean, but is there any way I can be even more sure?

All the Googling I've done has pointed to it being one. My scans show nothing, though. I've deleted the directory and locked it down with a program so that no changes can be made to it. The thing that makes me suspicious is that the file reappeared after I deleted both that folder and the files in it that were made a while ago when I mistakenly downloaded a virus.

What is this file? I can't seem to find a clear explanation for what its purpose even is. I don't trust it.



#2 stevansky


  • Members
  • 41 posts
  • Gender:Male
  • Local time:04:36 PM

Posted 31 October 2009 - 07:27 PM

Sounds like it might be associated with RSA encryption that is used when you access or use a secure website. If so then this is probably legit. Have you run any other anti-virus / spy removal programs? Malwarebytes and Spybot S&D (www.safer-networking.org) are a couple of good ones. Another feature in Spybot that I like is a program called TeaTimer. It runs in the background and prevents changes to critical system settings without your approval. Both are free but they do appreciate donations.
