I have a problem Avast threat patch-AWQ. Can only connect to the internet in Safe Mode with either IE or Chrome and Malwarebytes will not run in normal mode Win 7 SP1 64 bit. Problem seems to be dnsapi.dll
uploaded dnsapi.dll to totalvirus this is the link
https://www.virustotal.com/en/file/102c09040f6994fa8d298e802da618e4d09cf0401352934a316bbd2cbe98aabf/analysis/1480335803/
Hope you can help
You where asked to follow the instructions for help and provide the log files.
Not sure if they attached last time, so try again
Finally managed to do a Boot Scan, file attached
System is infected.
Wait for one of the listed malware removers to guide you.
Please do the following in order. Thanks.
FIRST >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
Coupon Printer
To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.
Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.
SECOND >>>>
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
C:\Program Files (x86)\Coupon Printer
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-21-3813172360-2210423691-3603406528-1000\...\Policies\system: [DisableLockWorkstation] 0
HKU\S-1-5-21-3813172360-2210423691-3603406528-1000\...\Policies\system: [DisableChangePassword] 0
HKU\S-1-5-21-3813172360-2210423691-3603406528-1000\...\MountPoints2: F - F:\laucher.exe
ShellExecuteHooks-x32: - UPB:{B5A7F190-DDA6-4420-B3BA-52453494E6CD} - No File [ ]
SearchScopes: HKLM -> DefaultScope {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {749586CF-B1F4-4525-9EED-51BA4B586071} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {92921F01-DE9E-4CBE-9B2B-F45DA361AB83} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {749586CF-B1F4-4525-9EED-51BA4B586071} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {92921F01-DE9E-4CBE-9B2B-F45DA361AB83} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3813172360-2210423691-3603406528-1000 -> DefaultScope {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3813172360-2210423691-3603406528-1000 -> {749586CF-B1F4-4525-9EED-51BA4B586071} URL = hxxp://uk.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-3813172360-2210423691-3603406528-1000 -> {92921F01-DE9E-4CBE-9B2B-F45DA361AB83} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3813172360-2210423691-3603406528-1000 -> {EA4BF43F-670B-4119-9BD7-66E4FE86F274} URL = hxxp://www.bing.com/search?FORM=UP97DF&PC=UP97&q={searchTerms}&src=IE-SearchBox
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-3813172360-2210423691-3603406528-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Extension: (Bing) - C:\Users\Clive And Margaret\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-09-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Clive And Margaret\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-15]
CHR Extension: (Chrome Media Router) - C:\Users\Clive And Margaret\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-28]
CHR HKU\S-1-5-21-3813172360-2210423691-3603406528-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
R2 CouponPrinterService; C:\Program Files (x86)\Coupon Printer\CouponPrinterService.exe [177648 2014-09-05] (Coupons.com Inc.)
S4 LMIRfsClientNP; no ImagePath
S2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [X]
C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys
C:\Users\Clive And Margaret\AppData\Local\Temp\Extract.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\HPQSi.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\incredibar_installer.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\MSETUP4.EXE
C:\Users\Clive And Margaret\AppData\Local\Temp\ose00000.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\Resource.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\SP51650.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\sp52110.exe.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\SP53133.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\SP53546.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\SP53794.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\sp54373.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\sp54620.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\uninstall.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\vlc-2.0.2-win32.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\vlc-2.0.4-win32.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\_is1D21.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\_is87B5.exe
C:\Users\Clive And Margaret\AppData\Local\Temp\{36069335-3F1F-44C1-92F7-C64F320AAB4C}-47.0.2526.111_47.0.2526.106_chrome_updater_3stage.exe
cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
Task: {0B04D135-71B6-4B86-9553-6D48F01F37F0} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {8652A42E-5F32-4004-8445-3695B6556633} - \Cawlez -> No File <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.
THIRD >>>>
Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
Start
CreateRestorePoint:
CloseProcesses:
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.