Win32:Crypt-RQA Potential Infection?

Hello!

Last night, I was going through a weekly scheduled Avast scan when I decided to go through the scan logs and realized Avast had found a Win32:Crypt-RQA[Trj] in C:\System Volume Information\EfaData\SYMEFA.DB on January 25. The file could not be quarantined (Error message: Access is Denied(5)). I started to worry and completed a full system scan last night and a boot-time scan this morning. Both scans (and all scans since January 25) have revealed nothing. I searched your forums for some answers and came across /u/jjessen who seemed to have similar problems [link to post here: https://forum.avast.com/index.php?topic=164373.0].

I haven’t noticed my computer running any differently and, unlike /u/jjessen, the Win32:Crypt-RQA hasn’t revealed itself again. I am worried, however, that it may be dormant somewhere in my system files. I have run the Farbar Recovery Scan Tool and have attached both logs (as suggested in the /u/jjessen post). I hope you are able to help.

Thank you!

Did you previously use Norton/Symantec on this computer?

Drivers and tasks

S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1400000.088\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NISx64\1400000.088\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
Task: {0C4135B9-1CC2-45C5-8D71-6CC30E104F26} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\SymErr.exe

Thanks for getting back to me so fast.

I used Norton Power Eraser last night to see if that would get rid of the trojan. It didn’t seem to find anything, and since it didn’t seem to install on my computer, I left it. Do I need to get rid of it? And if so, how do I do that? (It’s nowhere on my uninstall list.)

I can remove it for you if you wish. The file that Avast is alerting on is an unencrypted virus signature in your System Restore, so clearing the restore points will remove it.

Okay, it sounds like that might work. Let me know what I need to do. Thank you.

This will remove it.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1400000.088\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NISx64\1400000.088\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
C:\Windows\system32\drivers\NISx64
2015-02-02 02:07 - 2015-02-02 02:08 - 00000000 ____D () C:\NPE
2015-02-02 02:06 - 2015-02-02 02:26 - 00000000 ____D () C:\Users\Kimberly\AppData\Local\NPE
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\Exts\Chrome.crx [Not Found]
C:\Program Files (x86)\Norton Internet Security
Task: {0C4135B9-1CC2-45C5-8D71-6CC30E104F26} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\SymErr.exe
Task: {6A323748-BE06-4B3B-95BE-530277481925} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\SymErr.exe
Task: {B73C550E-FF6A-4694-AA8E-A9AAF94AFC46} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.0.0.136\WSCStub.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR430 => ""="Service"
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

To clear the restore points and remove the tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Okay, I’ve attached the fixlog, and I’ve run Delfix as instructed.

Norton should now be history, and fingers crossed Avast will no longer alert on System Restore.

Okay, thank you so much for your time and help. I’m going to run another scan now and if there are any more problems, I’ll post. But I doubt there will be :)

:)