Win32:patched-awq[trj]

Avast detects the infection but it can not remove the file as read only. Attached Adition.txt and FRST.txt

Thanks in advance

Also post name and location of detected file… Full file path

C:\windows\SysWOW64\DNSAPI.dll

Thank you

The MBam log file is missing.

What is KMS doing on your system ?

I am sorry but what do you mean by KMS?

C:\windows\SysWOW64\DNSAPI.dll
Upload and test it at www.virustotal.com if scanned before, click [b]rescan[/b] for a fresh result Post[b] link[/b] to scan result here

This is the scan result:

https://www.virustotal.com/es/file/47a76eb96ad8ff65eb29ae722115960a9587ef8da4610383ecc92c5a9f1cb90f/analysis/1480276103/

Do you experience redirects when searching / surfing? it seems you may have a dns hijacker

Malware expert is notified, he is located in Canada so may not be online before tomorrow

No redirects but I can´t use the browser when avast is active as it says DNS Server is not responding. I will wait till tomorrow then. No problem

Many thanks for the hard work!

This may be a little tricky as we need to have two FRST Fixlist runs to fix the files that are hijacked.

FIXLIST Run #1

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
GroupPolicy: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3107235756-3664478794-1005142315-1006 -> DefaultScope {6C1288FE-F38B-4805-BEEF-AFE08DF3C30A} URL =
SearchScopes: HKU\S-1-5-21-3107235756-3664478794-1005142315-1006 -> {6C1288FE-F38B-4805-BEEF-AFE08DF3C30A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR DefaultSearchURL: Default -> hxxps://es.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://es.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Presentaciones de Google) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-10-04]
CHR Extension: (Google Drive) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-10-04]
CHR Extension: (Sistema de pagos de Chrome Web Store) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-04]
CHR Extension: (Yahoo Partner) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\npdicihegicnhaangkdmcgbjceoemeoo [2016-11-25]
CHR Extension: (Chrome Media Router) - C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-25]
C:\Users\Juan\AppData\Local\Temp\CpqMC.dll
C:\Users\Juan\AppData\Local\Temp\CWPCUNLR.dll
C:\Users\Juan\AppData\Local\Temp\HPQSi.exe
C:\Users\Juan\AppData\Local\Temp\MSN5A80.exe
C:\Users\Juan\AppData\Local\Temp\ose00000.exe
C:\Users\Juan\AppData\Local\Temp\ose00001.exe
cmd: sfc /scanfile=C:\windows\SysWOW64\dnsapi.dll
Task: {568DFD83-B6A3-4D3C-B3D5-389C14E96F6C} - System32\Tasks\runTask => C:\Users\admin\AppData\Local\Temp/Updater.exe
C:\Users\admin\AppData\Local\Temp/Updater.exe
Task: {8AAC341E-2557-401A-882E-6BF601510039} - System32\Tasks\updateTask => c:\task.vbs
c:\task.vbs
Task: {93391E7C-6065-4CB0-A211-02E16EF8C9EB} - System32\Tasks\{8032D920-A732-4170-AADC-897D14D41B3B} => pcalua.exe -a C:\Users\Usuario\Desktop\converter.exe -d C:\Users\Usuario\Desktop
Task: {985E93E7-EBC0-4863-8EFA-D9FD27BA4D63} - System32\Tasks\EBWRVOEWPWEGWWNN => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
C:\ProgramData\Service1291
Task: {BD45669F-A93E-4367-B367-96DDB80D3CA1} - System32\Tasks\{EDAA61E6-6B95-45BC-9808-51CF430517F8} => Chrome.exe 
Task: {DCE8E4ED-F85A-4BDF-BEC3-811A9C3491BB} - System32\Tasks\AutoKMS => C:\windows\AutoKMS\AutoKMS.exe [2015-04-18] ()
C:\windows\AutoKMS
Task: C:\windows\Tasks\EBWRVOEWPWEGWWNN.job => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData:gs5sys [2816]
AlternateDataStreams: C:\Users\All Users:gs5sys [2816]
AlternateDataStreams: C:\Users\Usuario:gs5sys [3074]
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys [2816]
AlternateDataStreams: C:\ProgramData\TEMP:6D586241 [212]
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys [2560]
AlternateDataStreams: C:\Users\Usuario\Configuración local:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\Cookies:gs5sys [2560]
AlternateDataStreams: C:\Users\Usuario\Datos de programa:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\Plantillas:gs5sys [3074]
AlternateDataStreams: C:\Users\Usuario\Desktop\desktop.ini:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\AppData\Local:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\AppData\Roaming:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\AppData\Local\Datos de programa:gs5sys [2048]
AlternateDataStreams: C:\Users\Usuario\AppData\Local\Historial:gs5sys [3074]
AlternateDataStreams: C:\Users\Usuario\Documents\desktop.ini:gs5sys [3074]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.

FIXLIST Run #2

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
cmd: sfc /scanfile=C:\windows\system32\dnsapi.dll
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.

Hi guys,

attached both fixlog files. Right now I can use the browser, even with avast active, and without virus alerts.

Glad to hear that; some final checks before we send you off…

FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.

SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

http://i1351.photobucket.com/albums/p785/dbreeze2/Scanners%20screens/AdwCleaner_v5016_zpsf8ln0fea.png

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don’t want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot, allow this

http://1.bp.blogspot.com/-vitKqfMQS4o/UEDylIQ7HJI/AAAAAAAABLc/Hx-IwqKoaxg/s1600/adwcleaner_delete_restart.jpg

On reboot (if one is needed) a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here’s Why and Here. You can always Reinstall it.

LAST >>>>

Malwarebytes’ Anti-Malware
Please start Malwarebytes’ Anti-Malware.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link

http://i1351.photobucket.com/albums/p785/dbreeze2/MBAM2_0/v2-1-4-1018/Main%20Screen_zpsnnwza0ky.png

Once the program has loaded and updated, select “Scan Now >>” to start the scan.

http://i1351.photobucket.com/albums/p785/dbreeze2/MBAM2_0/v2-1-4-1018/Main%20Screen_zpsnnwza0ky.png

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

http://i1351.photobucket.com/albums/p785/dbreeze2/MBAM2_0/v2-1-4-1018/mbam21-removeselected_zpsg83p7wis.jpg

If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK. When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.