Missing File in Windows


8 replies to this topic

#1 kg7

kg7

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:14 AM

Posted 15 November 2017 - 12:52 PM

Hello!

AVG Anti-virus recently flagged the following file on my Win 7 32-bit PC.

c:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-19\7e22207fe9846926e18c29d3e675240e_c9e67637-32f8-4f30-9eee-e046f29469ef

Please note that this is in the Windows directory. I am not asking about the User directory.

I have quarantined the file, and at the moment, my computer appears to be operating normally.

I have also checked on some of our other PCs, and they have a file in the exact same place -- just a slightly different file name.

So my question is: do I need to somehow replace this file on my computer in order for my computer to continue to run correctly? Will the fact that this file is now deleted from my system (it is saved in AVG's virus vault) cause any problems? And also, what is this missing file supposed to do? What program does it belong to?

Thanks for your help!


Edited by hamluis, 15 November 2017 - 01:14 PM.
Moved from Win 7 to Gen Security - Hamluis.




#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:14 PM

Posted 15 November 2017 - 03:23 PM

The C:\Windows\ServiceProfiles folder is like the C:\Users folder, but for system profiles: LocalService and NetworkService.

 

The RSA folder contains files for cryptographic operations, like keys and certificates.

 

It's unusual to get an AV alert on these files.

 

What was the signature reported by AVG?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
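
Added example, not part of the original posts: a Python parser for the path reported in post #1, splitting it into the pieces described in post #2 (service profile, RSA key folder) plus the owner SID and the two halves of the file name. The SID table and the reading of the file-name suffix as the machine GUID (which is why other PCs show a slightly different name) are facts about Windows and CryptoAPI added here; `classify_key_file` is a hypothetical helper name.

```python
import re
from pathlib import PureWindowsPath

# Well-known SIDs of the Windows service accounts (added here, not from the thread).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

# CryptoAPI key file name: <32 hex chars from the container name>_<machine GUID>.
KEY_FILE_RE = re.compile(
    r"^(?P<container>[0-9a-f]{32})_"
    r"(?P<guid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$",
    re.IGNORECASE,
)


def classify_key_file(path, machine_guid=None):
    """Describe a ...\\Microsoft\\Crypto\\<type>\\<SID>\\<file> path, or return None.

    machine_guid is optional: the value of
    HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid on the PC being checked.
    """
    parts = PureWindowsPath(path).parts
    lower = [p.lower() for p in parts]
    if "crypto" not in lower:
        return None
    i = lower.index("crypto")
    # Exactly three components must follow "Crypto": key type, owner SID, file.
    if i == 0 or lower[i - 1] != "microsoft" or len(parts) != i + 4:
        return None
    key_type, sid, name = parts[i + 1], parts[i + 2].upper(), parts[i + 3]
    match = KEY_FILE_RE.match(name)
    if match is None or not sid.startswith("S-1-"):
        return None
    # The profile folder is the component right after ServiceProfiles or Users.
    profile = None
    for root in ("serviceprofiles", "users"):
        if root in lower[:i]:
            profile = parts[lower.index(root) + 1]
    account = WELL_KNOWN_SIDS.get(sid)
    guid = match.group("guid").lower()
    return {
        "key_type": key_type, "sid": sid, "account": account, "profile": profile,
        "sid_matches_profile": account is not None and account == profile,
        "container": match.group("container").lower(), "machine_guid": guid,
        "guid_is_local": None if machine_guid is None else guid == machine_guid.lower(),
    }
```

A path whose SID does not belong to the profile folder it sits in, or whose GUID suffix differs from the PC's own `MachineGuid`, is worth a closer look before restoring anything from quarantine.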


#3 kg7

kg7
  • Topic Starter


Posted 15 November 2017 - 03:34 PM

Thanks. Here's a screenshot from AVG

 

avg1.gif


Edited by kg7, 15 November 2017 - 04:22 PM.


#4 kg7

kg7
  • Topic Starter


Posted 15 November 2017 - 04:23 PM

Screenshot didn't work the first time. I have re-uploaded. Thanks.



#5 Didier Stevens

Didier Stevens


Posted 15 November 2017 - 04:30 PM

It's a detection for "unknown virus". That doesn't help much. This could be a false positive.

 

If you want I can take a look at the file. You will need to get it out of quarantine, and submit it to virustotal.com, and then report the link to the virustotal report back here.




#6 kg7

kg7
  • Topic Starter


Posted 15 November 2017 - 04:58 PM

Thank you. I will consider that.

 

In the meantime, can you tell me if my computer needs that file for normal operation? Will my computer still boot up and operate normally without it? Any insight is appreciated.

 

Thanks again!



#7 Didier Stevens

Didier Stevens


Posted 15 November 2017 - 05:10 PM

No, these files contain certificates and keys created for the services when they need them; they are not essential components of the operating system.

New certificates and keys will be created when required.

 

It could even be that this is an older file, that has not been used for quite some time.




#8 kg7

kg7
  • Topic Starter


Posted 15 November 2017 - 06:26 PM

Thank you so much!



#9 Didier Stevens

Didier Stevens


Posted 16 November 2017 - 04:31 AM

You're welcome!






