Desperate Help. Win32:Crypt-RQA [trj] IP From Russia Taking over

Ok so I got a serious trojan on my laptop I need help with. This is what Avast comes up with and it can't do anything about it.

C:\System Volume Information\Efa Data\SYMEFA.DB The threat is Win32:Crypt-RQA [trj]

It has a hold of my laptop using IP 192.230.59.249 and makes everything slow on the net.

I read this kind of trojan will take over. I am a dummy when it comes to codes and things, so can anyone please help walk me through this. Treat me like a baby and guide me step by step on what I need to do to remove this.

PLEASE!!!

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

It has a hold of my laptop using IP 192.230.59.249 and makes everything slow on the net.
C:\System Volume Information\Efa Data\SYMEFA.DB
Well, it can be this one; this is inside a restore point and not a file running actively.

SYMEFA.DB file belongs to Norton … do you have Norton/Symantec installed?

I do have Norton installed but turned everything off… do I need to completely uninstall it?

Why Using Multiple Antivirus Programs is a Bad Idea http://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

General: Uninstalling a third-party antivirus software https://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle

then turn off System Restore, reboot the computer, turn on System Restore

Ok, after I uninstall Norton, then I will turn off System Restore. When I reboot and it fully boots I will turn on System Restore. Then do I do a full system scan again?

yes, and detection should be gone

if you want a check, see the link Asyn posted above, follow instructions and attach the requested logs
a malware expert will then check the logs for any infections/leftover files that need to be removed

Is the System Restore off on ALL DRIVES or just Disk D, C?

Ok so I did the other scan and it was still there after restore was off. So I did the steps here → https://forum.avast.com/index.php?topic=53253.0

Attached are my logs. PLEASE help me get rid of this crap. The IP is still on my computer and it is making it super slow and losing connection since the IP is from Russia.

Thank you so much

log experts are in bed now, check back tomorrow

Hi first thing to do is uninstall McAfee. Download and run this tool http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

The 192 IP address is your router :slight_smile:

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2640408 2014-08-31] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.)
CHR HKU\S-1-5-21-391708627-4280249806-3753823356-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-391708627-4280249806-3753823356-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-391708627-4280249806-3753823356-1000] => 192.230.59.249:15500
BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
Toolbar: HKU\S-1-5-21-391708627-4280249806-3753823356-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF HKU\S-1-5-21-391708627-4280249806-3753823356-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - No Path
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-11] (AVG Secure Search)
2015-01-31 15:17 - 2013-06-06 07:46 - 00000350 _____ () C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2015-01-31 15:17 - 2013-06-03 07:03 - 00000350 _____ () C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
Task: {4D5F648B-2E6A-4078-B8A4-24A9B04A9281} - System32\Tasks\0814tbUpdateInfo => C:\ProgramData\Avg_Update_0814tb\0814tb_{E0F633AA-46EE-4281-A635-41F0BE91F433}.exe [2014-08-27] ()
Task: {65B9342C-1114-4752-84BC-61A5DA1C6A11} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\windows\TEMP\{B6ACEF1B-DAA3-4311-81F8-E385F8B73A27}.exe
Task: C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job => C:\windows\TEMP\{3B1D6E8D-7B76-4BE5-8A8C-B6CF6F63F1AC}.exe
Task: C:\windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\windows\TEMP\{B6ACEF1B-DAA3-4311-81F8-E385F8B73A27}.exe
C:\Users\ricky\captcha_breaker (15).exe
C:\Users\ricky\captcha_breaker.exe
C:\Users\ricky\GoogleVoiceAndVideoSetup.exe
C:\Users\ricky\ibp 12.0.4 a..(2).exe
C:\Users\ricky\IBP-Installer.exe
C:\Users\ricky\install_flashplayer11x32_mssd_au_aih.exe
C:\Users\ricky\install_flashplayer13x32au_ltr5x64d_awc_aih.exe
C:\Users\ricky\search_engine_ranker.exe
C:\Users\ricky\SEOLinkRobotPro_Setup.exe
C:\Users\ricky\TeamViewer_Setup_en.exe
C:\Users\ricky\Uninstall.exe
C:\Program Files (x86)\AVG Secure Search
C:\Program Files\McAfee Security Scan
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
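The "ProxyServer => 192.230.59.249:15500" line in the fix above is the setting that routed the user's browsing through a remote host; it lives in each user's WinINET "Internet Settings" registry key. The following read-only check is an added example, not part of the thread or of FRST, and lists that key for every loaded user profile so a proxy pointing outside the LAN can be spotted before any fix is run. It assumes an elevated PowerShell session and that the HKU: drive may need to be mapped.

```powershell
# Added example: report WinINET proxy settings for every loaded user hive.
# Read-only; it changes nothing. Run from an elevated PowerShell prompt.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    # HKEY_USERS is not mapped as a drive by default
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918 ranges, loopback and plain host names count as "local";
    # a bare public IP like 192.230.59.249 does not.
    if ($Address -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $true }
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'
}

function Get-UserProxyReport {
    # Only real user SIDs (S-1-5-21-...), not .DEFAULT or _Classes hives
    Get-ChildItem HKU: | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } | ForEach-Object {
        $sid = $_.PSChildName
        $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $p) { return }

        $enabled = ($p.ProxyEnable -eq 1)
        $server  = $p.ProxyServer
        $pac     = $p.AutoConfigURL   # a PAC URL can redirect traffic just as a fixed proxy can

        if (-not $enabled -and -not $pac) {
            Write-Output "$sid : no proxy configured"
            return
        }

        # ProxyServer may be "host:port" or "http=host:port;https=host:port";
        # take the last entry and strip the port to get the host.
        $hostPart = ($server -split '[=;]')[-1] -replace ':\d+$', ''
        $verdict = if ($hostPart -and -not (Test-PrivateAddress $hostPart)) {
            'REMOTE PROXY - investigate'
        } else {
            'local/LAN proxy'
        }
        Write-Output "$sid : ProxyEnable=$enabled ProxyServer=$server AutoConfigURL=$pac => $verdict"
    }
}

Get-UserProxyReport
```

A LAN proxy is normal on managed networks; the signal in this thread is a public address on an unusual port in a home user's profile. Removing the entry, as the FRST fix does, restores direct connections, so the "slow" and "losing connection" symptoms should clear with it.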

Ok, I did not see a report for the FRST64 run with the fixit .txt, but I did do it… here is the report from the ADWCleaner

Also, the IP is not of my router, as I have a different computer on my network and it pulls the IP of the router and it is different. This IP is based out of Russia and is also known for spam.

If you enter that IP in your address bar and hit enter you get this: http://192.230.59.249/ Apache 2 Test Page
If you check that IP here, you end up in Atlanta / Georgia, USA: http://www.ip-adress.com/whois/192.230.59.249

192.230.59.0 - 192.230.59.255 is an IP address range owned by Micfo and located in United States

Nonetheless, I got it to work and we are ok… Thank you everyone, I can not stress enough the help here!!! Thank you

What did you do to get it to work ?

@essexboy… nothing but follow step by step what you told me :slight_smile:

Ah I thought you found another trick or it had returned :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: