Avast will not delete file as read only!

I have Avast Pro, and it is stopping me logging on to the internet, if I disable it I can access the internet no problem.

The infected file is Win32:Patched-AWQTPJ Every time I try to delete or move it to the virus chest I cannot because it comes up with Read Only (6009)
The file seems to be in C:\windows\systemWOW64\dnsapidii if that helps.

Please could someone help as I need to use the internet but not keen on doing so with no virus protection.

Thanks

C:\\windows\systemWOW64\[b]dnsapidii[/b]
Are you sure this is correct? or should it be dnsapi.dll ?

Follow instructions here and attach requested logs (the two first pictures) >> https://forum.avast.com/index.php?topic=53253.0

Sounds like a dns/lsp hijack.
Here is a example of it > https://blog.malwarebytes.com/cybercrime/2015/09/shopperz-alters-dnsapi-dll/

Follow the instructions in the link Pondus provided.

Files as requested

Since the malware analyst is located in Canada he may not be online for many hours, check back tomorrow

Ok, thanks for that, UK time here!

Sorry about the delay in replying; the bad news is that you posted the same file twice; once as FRST.txt and then as Addition.txt. Because of that, this may not be a complete fix right now but it should fix the DNS hijacking.

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[b] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/b]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on 

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

HI,
Many thanks for your reply.
Have done what you asked, but still unable to log onto the internet without avast being disabled.

Just curious but what other AntiVirus have you had installed on this machine before Avast?

We need to get a fresh scan from FRST.

[*]If you still have the Addition.txt file on your desktop, please delete it now.
[*]Right click the FRST file on your desktop and select “Run as Administrator…” (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]If an update is available, the program will inform you and download the update. Allow it do this please. Otherwise, just wait for the “The tool is ready to use.” message.
[*]Please check the Addition.txt in the Option Scan section of FRST.
[*]Press the Scan button.
[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please copy and paste log back here.
[*]The tool will generate will another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Always used avast, have done for a long time over numerous computers.

Here are the files you have asked for, thanks again!

Just wondering about the other AVs as there appeared to be some McAfee files on the system.


Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Google Slides) - C:\Users\Williams PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-27]
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
Task: {BF37869C-9632-4488-8A68-DEE072729C24} - \Cawlez -> No File <==== ATTENTION
FirewallRules: [TCP Query User{578B0195-2AD0-4A5D-9447-06508A3814FB}C:\program files (x86)\google\chrome\application\chrome.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{77535AEA-B45E-4FB8-BAD2-3BC4D255CD6A}C:\program files (x86)\google\chrome\application\chrome.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome.exe
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.

The McAfee came with the Sony laptop but I have never used it.

Will try later when I get home.

Thanks again!

I have just logged on the internet again with avast still running, you sir are a genius!

Please could you tell me what the infected file was and is there anything I can do to stop it happening again?

Log enclosed as requested.

Thank you!!!

You find removal tool / instructions for McAfee here > https://www.avast.com/faq.php?article=AVKB11#artTitle

Many thanks, McAfee now removed!

The error was in the fake DNSapi.dll files that the hijacking malware placed on your system. You can prevent much of this type of hijacking by hardening your browser settings to make your online experience more secure. Check the following for some tips: https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/

Also, please consider emptying your temporary files more often; you had 44+ Gigabytes of data removed on the first FRST fixlist run. That’s a lot of old browser data to keep around; it could include bad files and routines just waiting for the proper commands to activate the malware on your system.


One more check for safety sake …

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

- [b]Vista/7/8 users:[/b] Right click the [b]AdwCleaner[/b] icon on the desktop, click [b]Run as administrator[/b] and accept the UAC prompt to run AdwCleaner.

You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v5016_zpsf8ln0fea.png

- Click the [b]Scan[/b] button and wait for the scan to finish.
- After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: [b]Waiting for action. Please uncheck elements you don't want to remove.[/b]
- Click the [b]Clean[/b] button.
- [b]Everything checked[/b] will be deleted.
- When the program has finished cleaning a report appears.
- Once done it will ask to reboot, allow this

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

- On reboot a log will be produced; please attach that in your next reply. This report is also saved to [b]C:\AdwCleaner\AdwCleaner[C#].txt[/b]

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

Many thanks for your help again. I will certainly work through and change my browser settings and clear my temporary internet files more regularly!!

I will make a donation to you later tonight in appreciation for what you have done for me.

Thanks again!

Have scanned with AdwCleaner and it found more files to be deleted!
File copy enclosed.

That is to be expected as the fight against malware is an on-going one and the findings change to keep up with new malware.

How is your system running now?

Very well, internet side seems to be running quicker than before.

Did you receive the donation?