How to remove a read only Trojan horse? Help!

Viruses and worms
1

Hello, GiGi here.
I have avast free as my anti virus. I installed it right during a malware attack since it was the first thing i thought about doing that would help the situation. Avast has helped me to delete/fix/repair/move to chest most of the malware that was coming and had on my computer. However, anytime i run full system scans or a boot time scan it will leave me with one infectious file (avast actually registers it as two files, although i think its one as both have the same file location), file name (really the location): C:\Windows\SysWOW64\dnsapi.dll with high severity registered by avast and the threat is called: Win32:Patched-AWK[Trj] and avast will not repair/delete or move the file to chest because its a read only file with error code 6009. When it tries to fix it says that it is open in another program. I know how to get to the file but i can’t delete it because it says it is open in avast.
This Trojan will limit my connection to the internet. For example, it will not let me go on Minecraft servers at times, it won’t let me go to certain webpages at certain times, when i try to move a window across my screen it will go real slowly and you can see the pointer (mouse) on the screen moving it with another pointer which i can move freely but can preform no actions, it won’t let me view photos on the internet (i was in avast and it would let me view photos on some threads), it will not let me send photos on skype, it will not let me connect to the internet on Spotify, and finally it will not let me open at all Mozillia Firefox (it “crashes” as soon as i try to open it). Also, curiously enough, it installed something called MPC cleaner with some other stuff on my computer branded by MPC and it sets my search engine to asearch.com whenever i change it to google.com.

Help anyone?

2

Follow instructions and attach requested logs >> https://forum.avast.com/index.php?topic=53253.0

C:\Windows\SysWOW64\dnsapi.dll
also upload and test the file at www.virustotal.com if tested before, click rescan for a fresh result and post link to scan result here
3

It will not let me test the file. Rather windows won’t let me open the file as it says it contains a “potentially unwanted virus or malware”. I also tried putting the whole SysWOW64 folder in there… But that doesnt seem to work. Lol
Also, when i try to open it i get a popup stating the following, "There was a problem starting C:\Program files\AVAST Software\Avast\defs\16080700\bcuengine.dll

Also at the moment i am running a command (sfc /scannow) in command propt (admin)

4

Please follow the instructions in the link Pondus gave you.

5

Yeah but i can’t open the page which leads me to install malwarebytes. Google chrome says “www.malwarebytes.org’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN”

6

Wait no. Manage to install but connecting and disconnecting my ethernet

7

So i can’t install Malwarebytes because it says: Runtime error at 110:137, could not call proc

8

Get and use Farbar and attach the requested log files.

9

Here are the logs from Farbar
(Attachments below)

10

Now you wait for one of the malware experts listed in the guide to arrive, it may take hours

11

I will examine the logs closer later but run this to fix the DNSapi.dll issue:

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[b] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/b]
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.

12

Done. Here is the file!
What do you need me to do now?

13

I have finished examining your FRST logs and am ready to proceed.

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Body Text Feathering
CleanBrowser
DailyWiki - DailyWiki for Desktop
QuickTime 7
Window Rules Manager

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[b] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/b]Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

14

Hello sorry I took a while.
When my PC booted it seemed pretty normal. Like it used to be. However, at one moment (like after 3 minutes of rebooting) massive lag spikes occurred. I could barely move the mouse. And Google Chrome nor files wouldn’t open. But when starting my PC, Steam was updating its self. After that i got a notification from Windows asking me to check my network connection. This was my first red flag.
I open the file location of dnsapi, and scan it with avast. It tells be the same thing it would before. “Threat detected…” and so on. I attached some screenshots. The fixlog is also below.

View the fix log.

15

Today when booting up my pc…

16

Please start a Administrator Level Command Prompt window.
To do so, click on Start, type cmd in the Search bar and then wait for the search list to populate.
Right click on cmd.exe and select Run as Administrator.

In the window, type in the following

sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll

then press enter. Does this produce a error or a command completed / fixed result?

17

This error occurred. :\

18

We will need to repair the Windows Image Store if possible to fix your system.

Open a Administrator Level CMD prompt again (same as you did before) and run the following commands one at a time:

Dism /Online /Cleanup-Image /CheckHealth

Dism /Online /Cleanup-Image /ScanHealth

Dism /Online /Cleanup-Image /RestoreHealth

A article on using these commands can be found here if you need any details on the process. If there are any errors produced, please attach the DISM log found at C:\Windows\Logs\DISM\dism.log

19

No errors at all…

20

Please try the sfc scan for the 64 bit DNS file again.

Open a Administrator Level Command window.

Copy and past the following command and run it by pressing enter.

sfc /scanfile=C:\WINDOWS\SysWOW64\dnsapi.dll

Does it complete now or do you still get an error?