Pop up from avast that there is a trojan!

Hello,
1st time poster, my husband’s laptop runs Windows 7, avast free antivirus. So kept getting a pop up that dnsapi.dll in systemWOW64 has a trojan! Tried a boot scan, and others, it says it can’t deal with it, error when trying to fix it. So we followed some advice on other forums to deal with it. Tried to run software to clean it up such as SpyHunter 4. Kept saying that the laptop wasn’t on the net, when we could get to web pages. Tried to reinstall Windows 7, and have found that now the laptop will not connect to the net at all! We are so frustrated. Please help us to deal with this. Thank you in advance.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

OK, I know what this is… Are you experiencing pop-up ads?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Thank you for the replies, but his laptop cannot connect to the net, so how do I get this software? Thanks

Download the software and use a floppy, USB stick, CD/DVD or external drive to transfer it to the laptop.

I would not recommend SpyHunter.

I did as you asked and downloaded Farbar, here are the two logs:

Hi again, once you have completed the FRST and AdwCleaner runs, could you please run a fresh FRST scan so that I can confirm that the altered files have been replaced.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
URLSearchHook: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 - (No Name) - {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No File
BHO-x32: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 -> No Name - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - No File
FF Plugin-x32: @funwebproducts.com/Plugin -> C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFunWeb.dll [No File]
2016-03-03 22:57 - 2016-03-03 23:04 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\staples\Downloads\SpyHunter-Installer (1).exe
2016-03-03 22:54 - 2016-03-03 22:54 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\staples\Downloads\SpyHunter-Installer.exe
2016-03-03 21:50 - 2016-03-03 21:54 - 00772016 _____ (Reimage®) C:\Users\staples\Downloads\ReimageRepair.exe
2016-03-04 13:06 - 2015-11-11 16:06 - 00000278 _____ C:\Windows\Tasks\UpdateTask.job
2016-03-04 13:01 - 2015-11-11 16:08 - 00000266 _____ C:\Windows\Tasks\HeavCoppe7.job
Task: {0E168C2D-58DC-4080-9291-64A1AD352B45} - \Cawlez -> No File <==== ATTENTION
Task: {152B2ED0-C918-4556-BDF3-DE62FDA39835} - System32\Tasks\4945 => C:\Windows\system32\wscript.exe [2013-10-12] (Microsoft Corporation) <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {5CC4AB60-A7FD-42C0-B9EC-F611570F3CFE} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {60453F6C-A9FC-452E-B245-F282657175C3} - System32\Tasks\Regwork => C:\Program Files (x86)\RegWork\RegWork.exe
Task: {626C1C30-4BD0-4176-8606-504C4D45314A} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CC8FEC67-B81B-4D55-88CD-963102BCFCE1} - System32\Tasks\FierGrai9 => C:\Users\staples\AppData\Local\CRAIMP~1\Crpromote.exe
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {D5A8F417-195D-441D-B51B-0CFEDB0EAEAE} - System32\Tasks\HeavCoppe7 => C:\Users\staples\AppData\Local\CraImpul5\Crsettle.exe
Task: {E23884A4-03A0-4D19-A05E-5E894DFEF4DD} - System32\Tasks\UpdateTask => C:\Users\staples\AppData\Local\{4AB67~1\UNINST~1.EXE
Task: {E5E74DAD-7C41-4D17-A8EB-356FA017C915} - System32\Tasks\0 => Iexplore.exe <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
Task: C:\Windows\Tasks\FierGrai9.job => C:\Users\staples\AppData\Local\CRAIMP~1\Crpromote.exe
Task: C:\Windows\Tasks\HeavCoppe7.job => C:\Users\staples\AppData\Local\CraImpul5\Crsettle.exe
Task: C:\Windows\Tasks\Regwork.job => C:\Program Files (x86)\RegWork\RegWork.exe-shed C:\Program Files (x86)\RegWork\RegWork.exe
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\staples\AppData\Local\{4AB67~1\UNINST~1.EXE
C:\Users\staples\AppData\Local\CraImpul5
C:\Program Files (x86)\FunWebProducts
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

Thanks for your reply, Avast on my PC won’t let me download AdwCleaner.exe as it says it’s a threat! Do I run it on my husband’s laptop after the copy and paste of your notepad list?

Right click the avast tray icon and pause shields.

Once you have killed the initial infection I will then look at reinstating your network connection.

Or you could use this fixlist (attached) which has the necessary commands in it.

So I ran them as advised. The AdwCleaner didn’t give a text window. So when I went to where you directed, it wasn’t there either! I hope that I’ve copied the correct one.

Yep, that is right. How is the computer at the moment? When you try to connect to the net, what error do you get?

Run this fix and then try to connect.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

No joy for the net! It’s still saying connected to wifi and is stuck at identifying! I think we’re going to leave it here today. It’s consumed our whole weekend. We are both very grateful for all your help. If you can think of anything else it would be so appreciated. Thank you for all your time.

Can you connect using an ethernet cable?

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.