Win32:Crypt-RQA[Trj] - How to resolve???

Hello,

I was doing an Avast scan, and it found this infected file “Win32:Crypt-RQA[Trj]” associated with C:\System Value Information\EfaData\SYMEFA.DB). I am unable to delete the file, repair it, or quarantine it, even after doing full system scans and boot scans.

I do not know what to do now. Are there any ways to resolve this?

PS: I have attached the 2x scan log files from FRST.

Thanks.

C:\System Value Information\EfaData\SYMEFA.DB).
You mean C:\System Volume Information\EfaData\SYMEFA.DB).

It is located in a restore point … turn off system restore, reboot … turn on system restore

You also seem to have some leftover crap files … come back later and essexboy will remove them with a fix for you
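The reset Pondus describes (System Restore off, reboot, System Restore back on), as an added PowerShell example that is not from the thread. It assumes an elevated Windows PowerShell 5.1 session, since the *-ComputerRestore cmdlets are not available in PowerShell 7, and the restore point description is my own.

```powershell
# Added example, not from the thread: reset System Restore on C: so that a file
# held inside \System Volume Information\ is discarded with the old restore points.
# Assumes an elevated Windows PowerShell 5.1 session (the *-ComputerRestore
# cmdlets are not in PowerShell 7).
$drive = 'C:\'

# Step 0: record what exists now, so before and after can be compared.
Get-ComputerRestorePoint |
    Format-Table SequenceNumber, CreationTime, Description, RestorePointType -AutoSize
vssadmin list shadows /for=C:

# Step 1: turn System Restore off for the drive. This deletes its restore points.
Disable-ComputerRestore -Drive $drive

# Step 2: remove any shadow copies that still back those points.
vssadmin delete shadows /for=C: /all /quiet

# Step 3: reboot as the thread advises, then continue in a fresh elevated session.
# Restart-Computer

# Step 4: turn System Restore back on and take a clean baseline point.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after cleanup' `
                    -RestorePointType MODIFY_SETTINGS

# Step 5: verify; only the new baseline should be listed.
$remaining = @(Get-ComputerRestorePoint)
if ($remaining.Count -ne 1) {
    Write-Warning "Expected one restore point, found $($remaining.Count)"
}
$remaining | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

On Windows 8 and later, Checkpoint-Computer will not create a second restore point within 24 hours of the previous one, so run step 4 only once.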

Ah yes. Sorry for the typo.

Will try your advice.

Thanks

The file above seems to be related to Norton Endpoint … is or has Norton Endpoint been installed?

Hi,

I have never used Norton products. The PC did come with Norton AV, but I never used it and uninstalled all its associated products. I checked the Programs and Features list and cannot find any associated software.

Is there another way to check to make sure?

Thanks,

I see essexboy is online now, he will remove any Norton/Symantec leftovers with a fix

Next time you find removal tools here https://singularlabs.com/uninstallers/security-software/

Did you reset your restore points ?
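For the question of how to check for leftovers yourself, here is an added PowerShell example that is not from the thread or from either helper: it looks in the uninstall registry, the service and driver list, and the two folders that later show up in the FRST log. The function name Find-SymantecLeftovers is my own, and it assumes an elevated session on 64-bit Windows.

```powershell
# Added example, not from the thread: look for Norton/Symantec remnants after an
# uninstall. The folder names come from this thread's FRST log; the function name
# is my own. Assumes an elevated Windows PowerShell session on 64-bit Windows.
function Find-SymantecLeftovers {
    $pattern = 'Norton|Symantec'
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Installed-program entries, from both the 64-bit and 32-bit uninstall hives.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object { $hits.Add("Program entry: $($_.DisplayName)") }

    # 2. Services and kernel drivers still registered, even if their files are gone.
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class |
            Where-Object { $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
            ForEach-Object { $hits.Add("${class}: $($_.Name) -> $($_.PathName)") }
    }

    # 3. Leftover folders, as seen in the thread's FRST log.
    $folders = @(
        "$env:ProgramData\Norton",
        "$env:ProgramFiles\Common Files\Symantec Shared",
        "${env:ProgramFiles(x86)}\Common Files\Symantec Shared"
    )
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) { $hits.Add("Folder: $f") }
    }

    return $hits
}

$found = Find-SymantecLeftovers
if ($found.Count -eq 0) {
    'No Norton/Symantec leftovers found.'
} else {
    $found
}
```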

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
URLSearchHook: HKU\S-1-5-21-437563094-1486141438-3885727711-1000 - (No Name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No File
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-437563094-1486141438-3885727711-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-437563094-1486141438-3885727711-1000 -> No Name - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
CHR Extension: (No Name) - C:\Users\Daniel AU\AppData\Local\Google\Chrome\User Data\Default\Extensions\mhfdcmehmjcclgopdodkjdicohagipid [2012-05-18]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
2015-01-18 15:51 - 2015-01-18 15:51 - 00896048 _____ () C:\Users\Daniel AU\Downloads\Norton_Removal_Tool.exe
2015-01-18 15:21 - 2015-01-18 15:21 - 00000000 __SHD () C:\Users\Daniel AU\AppData\Local\EmieBrowserModeList
2015-01-18 06:51 - 2015-01-18 06:54 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{F852AA19-D07C-49E3-A674-FC47DDB8076A}
2015-01-17 06:54 - 2015-01-17 06:54 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{0348B29C-3065-4DBC-A9F5-B40549E8EA83}
2015-01-16 18:13 - 2015-01-16 18:14 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{563499DE-D7BF-467E-83F3-F69AB814736A}
2015-01-15 18:20 - 2015-01-15 18:21 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{A9A54B29-BD01-4218-9C7D-B4C63A78B745}
2015-01-14 17:17 - 2015-01-14 17:17 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{B5C8D963-5C19-49F1-A5D4-E5F93F9E027A}
2015-01-13 19:28 - 2015-01-14 18:29 - 00000000 ____D () C:\Users\Daniel AU\Downloads\John.Wick.2014.HDRip.XViD-juggs[ETRG]
2015-01-13 18:17 - 2015-01-13 18:17 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{B0B2CBDA-88FB-40D0-A49A-DAF74FC9F379}
2015-01-12 20:12 - 2015-01-12 20:15 - 00000000 ____D () C:\Users\Daniel AU\Downloads\The.Hobbit.2014.Battle.Of.The.Five.Armies.2014.DVDScr.XVID.AC3.HQ.Hive-CM8
2015-01-12 20:12 - 2015-01-12 20:13 - 00000000 ____D () C:\Users\Daniel AU\Downloads\The.Interview.2014.WEB-DL.XviD.MP3-RARBG
2015-01-12 18:15 - 2015-01-12 18:15 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{C5EEB361-D627-43F1-B289-E55F5BEFA98A}
2015-01-11 08:04 - 2015-01-11 08:05 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{3842A833-14C0-4C09-A600-9E8A68AB5BCF}
2015-01-10 06:59 - 2015-01-10 06:59 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{4D7C4203-E873-4FE1-8848-8CD66FD2D084}
2015-01-09 06:39 - 2015-01-09 06:39 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{6AAFA749-C485-4639-A104-975A0EA0BDBA}
2015-01-08 17:04 - 2015-01-08 17:04 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{74DF576A-7EE2-40DA-A7C4-54E9A13E91C8}
2015-01-07 18:13 - 2015-01-07 18:13 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{4B8C72B8-84F0-4E8D-B768-B47D6C1133F2}
2015-01-06 17:08 - 2015-01-06 17:08 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{64D50923-DAC8-4907-845D-47AD691544C5}
2015-01-05 18:14 - 2015-01-05 18:14 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{43AC8663-B574-47E8-824F-2172E9260407}
2015-01-04 07:59 - 2015-01-04 07:59 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{CAFE6C1D-F97F-4778-BA2F-179AEEC2AFD5}
2015-01-03 07:15 - 2015-01-03 07:15 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{84BB05A0-5EA2-4517-8D12-A236B973EE5C}
2015-01-02 17:47 - 2015-01-02 17:49 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{33415C80-051D-4859-9D78-64B45954FC21}
2015-01-01 08:15 - 2015-01-01 08:15 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{E8598C77-ADA9-4312-BC93-1830A49F9713}
2014-12-31 16:51 - 2014-12-31 16:51 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{CA69BBB5-4448-466B-A69F-BC335F0470D8}
2014-12-30 18:17 - 2014-12-30 18:17 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{FA8B3C6E-2BE2-42B0-8167-7324ADFE2DBC}
2014-12-29 16:09 - 2014-12-29 16:09 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{EF7E575E-B091-4E10-A6C1-7E56F5DDC995}
2014-12-28 16:51 - 2014-12-29 16:56 - 00000000 ____D () C:\Users\Daniel AU\Downloads\Top_Gear.2014_Special.Patagonia.HDTV_x264-FoV[ettv]
2014-12-27 07:40 - 2014-12-27 07:42 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{99366AB1-566D-47F3-A3BD-0D54CE6485C8}
2014-12-26 06:38 - 2014-12-26 06:38 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{11C48EC3-ABCA-4067-918C-742C6BD8B192}
2014-12-25 05:49 - 2014-12-25 05:49 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{60A66CAD-AC55-4355-ABD5-D7349BBDAE10}
2014-12-24 17:43 - 2014-12-24 17:43 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{755073B7-E329-45BB-964B-70B40A3627D7}
2014-12-23 18:09 - 2014-12-23 18:09 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{093D61BC-D570-4055-84D8-4141DDDB4634}
2014-12-22 18:12 - 2014-12-22 18:12 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{463943F1-500F-4D32-B961-66CD71311265}
2014-12-21 14:33 - 2014-12-21 14:33 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{7DDB026C-73F3-4701-8742-84FE81ABDF2B}
2014-12-21 06:20 - 2014-12-21 06:20 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{AA481425-DAE7-4874-A124-E77B44EDE2C5}
2014-12-20 20:07 - 2014-12-20 20:08 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{549030F7-5BCE-4B1D-A165-FA008802BD67}
2014-12-20 05:55 - 2014-12-20 05:55 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{FADE0999-F1D2-4B88-9179-8FDF15BBA069}
2014-12-19 17:00 - 2014-12-19 17:00 - 00000000 ____D () C:\Users\Daniel AU\AppData\Local\{7DDD4564-5368-4124-ABC7-8BD9A633B164}
2015-01-18 15:56 - 2011-10-20 20:44 - 00000000 ____D () C:\ProgramData\Norton
2015-01-18 15:54 - 2011-10-20 20:44 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
Task: {2BA4BC33-022E-4CBE-A1F4-62285320A9A6} - System32\Tasks\Hybrid => C:\IORRT\IORRT.bat [2014-07-23] ()
Task: {3F039701-9E0F-4AFF-A4AC-530EE3ECB2F9} - System32\Tasks\Ad-Aware Antivirus Scheduled Scan => C:\PROGRA~2\AD-AWA~1\AdAwareLauncher.exe
Task: {D6ED21B8-DA56-453D-8EFD-04922658B5F0} - System32\Tasks\IORRT => C:\IORRT\IORRT.bat [2014-07-23] ()
Task: {E298A76E-B06C-481F-96C1-4F5BDE5C2024} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks for the advice both Pondus and Essexboy.

I have attached the following logs.

I will re-scan with avast full system scan to confirm.
However, for me this usually takes a minimum of 3 hours to complete. Is this normal?

Thanks.

However, for me this usually takes a minimum of 3 hours to complete. Is this normal?
Depends on how full your HD is ..... have you changed avast's default scan settings?

My hard drive (579 GB) is just over 50% full and I have not changed any settings.

Thanks.

As the miscreant was in system restore, did you reset them?

Also, how is the computer behaving now?

I did turn the restore point for the C: drive off, rebooted the PC, then turned it on. However, the recovery drive was already off.

I’m doing a full system scan now but that will take ages. On the other hand, PC works much quicker now.

Thanks.

Hi Essexboy,

After scanning using Avast Full System scan, the scan problem still persists.

Thanks.

OK, let's use an automated tool to clear the restore points and tidy up. The alert is not a problem as it is a Norton definition file.

I will remove my tools now and give some recommendations, but I would like you to run it for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on the Unchecky_setup and choose to Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you for your time and effort. Will do as told.

Greatly Appreciated.

Hi,

After completing that last step using Delfix, I re-scanned and the problem persisted. However, this time I was able to move it into quarantine, with further scans not alerting anymore. So I guess it's resolved.

Thanks.