
crypt32chain on new Windows install - spyware?


I just re-installed Windows, downloaded a few programs (iTunes, Firefox, Google Earth, Spybot, and Ad-Aware) and updated. I was looking through the processes to get rid of the usuals at start up, like QuickTime. I ran into an odd one: crypt32chain, so I googled it. Everyone says that it's spyware, on a brand new install?

iirc, crypt32.dll is something to do with NT encryption -- it's started by winlogon, and the registry key that starts it (under winlogon/notify) is called crypt32chain.

so... if you have a file, called crypt32.dll, that's referred to in the startup monitor as crypt32chain, it's fine

If you have an actual file called crypt32chain.dll, it's a trojan, trying to spoof the legitimate file.

Install Sysinternals Process Explorer. Run it to see what processes are running and what processes own them. Pausing your cursor over each process will show the complete path so that you can locate it. Crypt32chain.dll is a trojan. Kill it and the process that owns it. Delete it from the system at the path given.

 

If it's a trojan, it may be harder to delete than one might think. After deleting it, reboot your machine to see if it returns. Some trojan variants will store a copy of themselves somewhere else on the machine in order to restore themselves when you reboot. This is usually handled by some registry entry. If this happens, install a copy of Regmon, enable the boot logger and reboot. It will write a log file of all the registry processes executed during boot so you can track down what regkeys are restoring it.

 

HTH,

  • Author

It's loading from crypt32.dll not crypt32chain.dll - that mean I'm okay?

crypt32chain.dll is a file which is part of a trojan.

 

crypt32.dll is a Windows file and is fine.

 

Therefore you are ok. :)
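
The check discussed in the replies above (which DLL does the crypt32chain entry under Winlogon\Notify actually load?) can be scripted. This is an added example, not part of any post in the thread; the full registry path is the standard Winlogon Notify location (the thread only says "winlogon/notify"), and the function names `Resolve-NotifyDll` and `Get-NotifyPackage` are hypothetical.

```powershell
# Added example (not from the thread): list each Winlogon Notify entry and the DLL it loads.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Resolve-NotifyDll {
    param([string]$DllName)
    # DllName may contain %SystemRoot% or be a bare file name.
    $expanded = [Environment]::ExpandEnvironmentVariables($DllName)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # Assumption for this check: a bare name refers to the copy in System32.
    return (Join-Path $system32 $expanded)
}

function Get-NotifyPackage {
    if (-not (Test-Path $notifyKey)) { return }   # nothing to list if the key is absent
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dllName = (Get-ItemProperty -Path $sub.PSPath).DllName
        if (-not $dllName) { continue }           # entry without a DllName value
        $path    = Resolve-NotifyDll $dllName
        $leaf    = [IO.Path]::GetFileName($path)
        $exists  = Test-Path -LiteralPath $path
        $inSys32 = ([IO.Path]::GetDirectoryName($path) -ieq $system32)
        # Version-info strings can be forged; shown for orientation only.
        $company = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName } else { $null }

        if ($leaf -ieq 'crypt32chain.dll') {
            $note = 'file named crypt32chain.dll: the trojan case described in this thread'
        } elseif ($sub.PSChildName -ieq 'crypt32chain' -and $leaf -ieq 'crypt32.dll' -and $inSys32) {
            $note = 'entry crypt32chain -> crypt32.dll: the legitimate case described in this thread'
        } elseif (-not $exists -or -not $inSys32) {
            $note = 'missing or outside System32: review'
        } else {
            $note = ''
        }

        New-Object PSObject -Property @{
            Entry = $sub.PSChildName; DllName = $dllName; Path = $path
            Exists = $exists; Company = $company; Note = $note
        } | Select-Object Entry, DllName, Path, Exists, Company, Note
    }
}

Get-NotifyPackage | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt; a row whose Note is empty still only tells you the name and location look normal, not that the file's contents are clean.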

  • 3 years later...

After you posted the subject I was curious. And the file that runs is crypt32.dll. Just to be sure I checked the file with KIS 7. Nothing. So it must be a Windows file.

Edited by Pangloss
post approved by mod, site link appears to be legit

Archived

This topic is now archived and is closed to further replies.
