Help! Avast detects trojan but cannot delete it

Hello, I’m really hoping someone here can help me as I’ve been trying to remove a Trojan for several days with no luck. I have done extensive googling but can’t find a definitive method to remove it.

When I do a full scan with Avast, it detects a trojan in my System Volume Information. When I click to fix or delete it, Avast says that the action will be taken on reboot. It then asks me to do a boot-time scan.

The boot-time scan detects this same Trojan, called Win32:Crypt-RQA [Trj]. No matter which option I then select (fix, delete, move to chest, etc.) I get “Error 0xC0000043” saying it cannot be deleted because “share access flags are incompatible”.

I have also tried to clear out my system restore (per some other googled suggestions), which did not help. Also, Malwarebytes cannot detect the trojan at all (I made sure to include rootkits in the scan).

Please help! Is there no way to remove this virus from my machine? Thanks in advance to anyone with any ideas!

It is located in a restore point…
Turn off System Restore, reboot the computer and turn System Restore back on.

Did you use Norton before?
Is it uninstalled?
Did you run Norton removal tool?

Thank you for the quick response! I am at work currently but will try your solutions once I’m back home.

Also, to my memory I’ve never used Norton on my current laptop, but could you provide a link to the tool you referenced just in case? Thanks!

The reason I ask is that we have seen several of the exact same detections lately and it seems to be related to a Norton signature file.

You find removal tools here https://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle
or here https://singularlabs.com/uninstallers/security-software/

You may attach a diagnostic log, then Essexboy will take a look.
Go here https://forum.avast.com/index.php?topic=53253.0, scroll down to Farbar Recovery Scan Tool … run as instructed and attach the two diagnostic logs.

Ok, I followed all of your instructions:
Turned system restore off, rebooted, turned back on.
Ran Norton removal tool.
Ran Farbar, the two logs are attached.

Please let me know what to do now, and thanks again for the assistance!

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Trend Micro Titanium Internet Security 2012 (Disabled - Up to date) {7193B549-236F-55EE-9AEC-F65279E59A92}
AS: Trend Micro Titanium Internet Security 2012 (Disabled - Up to date) {CAF254AD-0555-5A60-A05C-CD200262D02F}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

You have avast and Trend Micro installed … Trend Micro seems updated but disabled.

Only run one AV so one must go … you know where to find removal tools :wink:

Essexboy is notified and will check your logs when online

Seems you may have had Panda in there also:

Panda Cloud Cleaner (HKLM-x32\...\{92B2B132-C7F0-43DC-921A-4493C04F78A4}_is1) (Version: 1.0.107 - Panda Security)
Panda Devices Agent (x32 Version: 1.05.00 - Panda Security) Hidden
Panda Free Antivirus (Version: 7.23.00.0000 - Panda Security) Hidden
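An added example, not from this thread: a PowerShell check that lists every antivirus product registered with Windows Security Center in the same "AV:" shape FRST prints, warns when more than one third-party product has real-time protection on, and flags products that are registered but disabled (the Trend Micro case above) or lingering after a partial uninstall (the Panda case). It assumes the commonly used community decoding of the productState value, which Microsoft does not document.

```powershell
# Added example, not part of the forum thread. Assumption: the productState bit layout
# below is the widely used community decoding; Microsoft does not document it.
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            # Middle byte: 0x10 means real-time protection is on; 0x00/0x01 means off or expired.
            $rtOn  = (($state -shr 8) -band 0x10) -ne 0
            # Low byte: 0x00 means definitions are current; 0x10 means out of date.
            $stale = ($state -band 0x10) -ne 0
            $rt  = if ($rtOn)  { 'Enabled' }     else { 'Disabled' }
            $upd = if ($stale) { 'Out of date' } else { 'Up to date' }
            [pscustomobject]@{
                Name     = $_.displayName
                Guid     = $_.instanceGuid
                RealTime = $rt
                Updated  = $upd
                Exe      = $_.pathToSignedProductExe
            }
        }
}

$products = @(Get-RegisteredAntivirus)

# Print in the same shape as the "AV:" line in the FRST log, so the two can be compared.
foreach ($p in $products) {
    'AV: {0} ({1} - {2}) {3}' -f $p.Name, $p.RealTime, $p.Updated, $p.Guid
}

# Windows Defender is built in and steps aside when a third-party product is active,
# so it is left out of the "one AV only" checks below.
$thirdParty = @($products | Where-Object { $_.Name -notmatch 'Windows Defender' })
$active     = @($thirdParty | Where-Object { $_.RealTime -eq 'Enabled' })
$dormant    = @($thirdParty | Where-Object { $_.RealTime -eq 'Disabled' })

if ($active.Count -gt 1) {
    Write-Warning ('{0} products have real-time protection on ({1}). Keep one; remove the rest with the vendor removal tool.' -f $active.Count, ($active.Name -join ', '))
}
foreach ($d in $dormant) {
    # A disabled product still leaves drivers and definition files on disk, and those
    # definition files are what another scanner can misread as malware.
    Write-Warning ('{0} is registered but disabled: {1}' -f $d.Name, $d.Exe)
}
```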

Hi, before you run the following fix please uninstall these programmes:

Panda Cloud Cleaner
Panda Devices Agent
Panda Free Antivirus
Trend Micro Titanium (Version: 5.00 - Trend Micro Inc.)
Trend Micro Titanium Internet Security 2012

Then download and run the following uninstall tools:

Panda http://www.pandasecurity.com/resources/sop/UNINSTALLER.exe
Trend Micro http://solutionfile.trendmicro.com/solutionfile/Titanium-2015/1104855/Ti_80_win_global_UninstallTool_hfb0001.exe

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\...\Run: [VizorHtmlDialog.exe] => C:\Program Files\Trend Micro\Titanium\UIFramework\VizorHtmlDialog.exe [1654992 2011-10-26] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [213824 2011-10-04] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\VizorShortCut.exe [416992 2011-08-02] (Trend Micro Inc.)
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe64.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll (Trend Micro Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{38783831-6098-4faa-A9C9-1EE1E343F4D2}] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\firefoxextension [2012-03-06]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2012-03-06]
FF HKLM-x32\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\DivXHTML5
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg.dll (Trend Micro Inc.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe64.dll (Trend Micro Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1072\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll (Trend Micro Inc.)
CHR HKLM-x32\...\Chrome\Extension: [fdhbkaahephniejapepaiggngjnedpci] - No Path
R2 TiMiniService; C:\Program Files\Trend Micro\Titanium\TiMiniService.exe [247072 2011-08-02] (Trend Micro Inc.)
S3 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [96800 2014-06-04] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [162336 2014-06-18] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [112160 2014-06-04] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [115232 2014-06-04] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [46336 2014-01-16] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [95776 2014-06-04] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [70176 2014-06-04] (Panda Security, S.L.)
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [125984 2014-06-04] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [306720 2014-06-04] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [169504 2014-06-04] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [115744 2014-06-04] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [261152 2014-06-04] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [109088 2014-06-04] (Panda Security, S.L.)
R3 panda_url_filteringd; C:\ProgramData\Panda Security URL Filtering\panda_url_filteringd.sys [51288 2014-03-19] (Visicom Media Inc.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163088 2014-10-13] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2014-10-13] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [195616 2014-07-24] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [122400 2014-07-24] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [132128 2014-07-24] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2014-10-13] (Panda Security, S.L.)
S3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [47632 2013-04-29] (Panda Security, S.L.)
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [91920 2011-08-11] (Trend Micro Inc.)
R1 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [167696 2011-08-11] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [70928 2011-08-11] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2011-09-29] (Trend Micro Inc.)
HKLM-x32\...\Run: [PSUAMain] => "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
HKLM-x32\...\Run: [Panda Security URL Filtering] => "C:\ProgramData\Panda Security URL Filtering\Panda_URL_Filtering.exe"
BHO: Panda Security Toolbar -> {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} -> C:\Program Files (x86)\pandasecuritytb\pandasecurityDx64.dll ()
Toolbar: HKLM-x32 - Panda Security Toolbar - {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} - No File
Toolbar: HKU\S-1-5-21-1019861180-2837227188-2845067024-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
2015-01-29 18:45 - 2015-01-29 18:45 - 03044736 _____ (Enigma Software Group USA, LLC.) C:\Users\Erin\Downloads\SpyHunter-Installer.exe
2015-01-29 18:08 - 2015-01-29 18:08 - 00000000 ____D () C:\NPE
2015-01-29 18:04 - 2015-01-29 18:40 - 00000000 ____D () C:\Users\Erin\AppData\Local\NPE
2015-01-29 18:04 - 2015-01-29 18:04 - 00000000 ____D () C:\ProgramData\Norton
2015-01-29 18:03 - 2015-01-29 18:03 - 03060320 ____N (Symantec Corporation) C:\Users\Erin\Downloads\NPE.exe
2015-01-20 22:54 - 2015-01-20 22:54 - 00001288 _____ () C:\Users\Public\Desktop\Panda Cloud Cleaner.lnk
2015-01-20 22:54 - 2015-01-20 22:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Security
2015-01-20 22:52 - 2015-01-20 22:53 - 32515240 _____ (Panda Security ) C:\Users\Erin\Downloads\PandaCloudCleaner.exe
2015-01-20 22:51 - 2015-01-20 22:52 - 58208296 _____ () C:\Users\Erin\Downloads\FREEAV (2).exe
2015-01-20 22:44 - 2015-01-20 22:46 - 00000000 ____D () C:\SMCLpav
2015-01-20 22:40 - 2015-01-20 22:40 - 58208296 _____ () C:\Users\Erin\Downloads\FREEAV.exe
2015-01-20 22:38 - 2015-01-20 22:38 - 58208296 _____ () C:\Users\Erin\Downloads\FREEAV (1).exe
2015-01-20 22:24 - 2015-01-20 22:44 - 00757656 _____ () C:\Users\Erin\Downloads\UNINSTALLER.exe
2015-01-30 17:01 - 2014-12-28 08:55 - 00000000 ____D () C:\ProgramData\panda_url_filtering
2015-01-28 23:44 - 2012-07-18 16:10 - 00000000 ____D () C:\ProgramData\P4G
2015-01-20 22:54 - 2014-12-28 08:51 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2015-01-20 22:50 - 2014-12-28 08:49 - 01630952 _____ () C:\Users\Erin\Downloads\PANDAFREEAV.exe
2015-01-20 22:29 - 2014-12-28 08:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Panda Free Antivirus
2015-01-20 22:27 - 2014-12-28 08:49 - 00000000 ____D () C:\ProgramData\Panda Security
2015-01-20 21:23 - 2014-12-28 08:53 - 00000000 ____D () C:\Program Files (x86)\pandasecuritytb
2015-01-20 17:55 - 2014-12-28 08:53 - 00000000 ____D () C:\Users\Erin\AppData\Roaming\Panda Security
Task: {D7182ECA-8D25-4516-B47C-27F1A2D5AB7C} - System32\Tasks\sepversion => Wscript.exe C:\VT-SEPVersion\SEPversion.vbs
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PSUAService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR430 => ""="Service"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

I followed these instructions but encountered a problem.

When I try to run FRST I get the following error: “C:\Users\Erin\Desktop\FRST64.exe is not a valid Win32 application.”

In addition, my browsers no longer allow downloads to complete, and some pages/images are appearing garbled or not loading. Something is very wrong…

Any suggestions? Please help!

Was this after Trend was removed?

Go to control panel > internet options > advanced tab
Click Reset
OK out

Then download a fresh copy of FRST and run the fix

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Yes, this problem occurred after trend was removed. I followed your instructions exactly in order.

However, I was able to run FRST after I re-downloaded it. My log is attached.

HOWEVER, none of my browsers (IE, Firefox, Chrome) allow me to download anymore, nor will they open your links (even after I followed your IE reset instructions above). I had to download FRST to a flash drive on a different comp., then move it to mine. These broken browsers are a new issue that did not occur before I made this help request, so I’m not sure what’s going on there.

Could you run a fresh FRST scan for me please? I would also like an Addition.txt as well.

OK here are the text files from the new scan. Thanks.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Save the attached fixlist.txt, to the USB then copy to the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

Then try the internet again

Thanks! Here is the new text file after running the fix. I think things are working now with my browsers, I was able to open sites that would not load before the scan, and downloading appears to be working again.

So, does this also mean the trojan is gone? Or are we still working on that?

Actually you were not infected; you were just alerting on one of the virus definition files from either Panda or Trend.

Trend sometimes breaks the network when you uninstall it. :slight_smile:

How is the computer behaving now?

Ah, I had no idea. That’s exactly what happened then, my network went all weird after deleting Trend.

I think things are fixed! I will continue to monitor for strange activity but as of this moment my computer is booting up faster, my last Avast scan came up clean, and the internet is working. I cannot thank you enough for your help! Thank you!

I guess you can now see that more than one antivirus is not good for you :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Great, I will follow your instructions to clean up. Thanks again.

A quick question about Delfix: when I run it, should I select the four boxes you have indicated in the screenshot you attached, or should I only “remove disinfection tools” (this is what the program defaults to when I open it)?

The other three are optional…

Purge restore points clears all restore points and then sets a new one
Reset system settings re-hides any system files that should be hidden
Thinking about it the registry backup is not really needed