Author Topic: Pop up from avast that there is a trojan!  (Read 4894 times)


Offline wannabe_lara

  • Newbie
  • *
  • Posts: 6
Pop up from avast that there is a trojan!
« on: March 05, 2016, 07:44:10 PM »
Hello,
1st time poster. My husband's laptop runs Windows 7 and Avast Free Antivirus. We kept getting a pop up that dnsapi.dll in SysWOW64 has a trojan! Tried a boot scan, and others; it says it can't deal with it, "Error" when trying to fix it. So we followed some advice on other forums to deal with it. Tried to run software to clean it up such as SpyHunter 4. It kept saying that the laptop wasn't on the net, when we could get to web pages. Tried to reinstall Windows 7, and have found that now the laptop will not connect to the net at all! We are so frustrated. Please help us to deal with this. Thank you in advance.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76014
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Pop up from avast that there is a trojan!
« Reply #1 on: March 05, 2016, 07:45:41 PM »
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Pop up from avast that there is a trojan!
« Reply #2 on: March 05, 2016, 07:59:25 PM »
OK, I know what this is... Are you experiencing pop up ads?

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select  additions at the bottom
  • Press Scan button.

  • It will produce a log called FRST.txt in the same directory the tool is run from. 
  • Please attach both logs generated.

Offline wannabe_lara

Re: Pop up from avast that there is a trojan!
« Reply #3 on: March 05, 2016, 08:28:14 PM »
Thank you for the replies, but his laptop cannot connect to the net, so how do I get this software? Thanks

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31072
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Pop up from avast that there is a trojan!
« Reply #4 on: March 05, 2016, 08:37:19 PM »
Download the software and use a floppy, USB stick, CD/DVD or external drive to transfer it to the laptop.

Offline essexboy

Re: Pop up from avast that there is a trojan!
« Reply #5 on: March 05, 2016, 10:40:09 PM »
I would not recommend SpyHunter.

Offline wannabe_lara

Re: Pop up from avast that there is a trojan!
« Reply #6 on: March 06, 2016, 02:39:16 PM »
I did as you asked and downloaded Farbar, here are the two logs:

Offline essexboy

Re: Pop up from avast that there is a trojan!
« Reply #7 on: March 06, 2016, 03:55:12 PM »
Hi again, once you have completed the FRST and AdwCleaner runs, could you please run a fresh FRST scan so that I can confirm that the altered files have been replaced.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
URLSearchHook: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 - (No Name) - {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No File
BHO-x32: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-3413281169-3986683716-1588196878-1000 -> No Name - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} -  No File
FF Plugin-x32: @funwebproducts.com/Plugin -> C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFunWeb.dll [No File]
2016-03-03 22:57 - 2016-03-03 23:04 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\staples\Downloads\SpyHunter-Installer (1).exe
2016-03-03 22:54 - 2016-03-03 22:54 - 03286400 _____ (Enigma Software Group USA, LLC.) C:\Users\staples\Downloads\SpyHunter-Installer.exe
2016-03-03 21:50 - 2016-03-03 21:54 - 00772016 _____ (Reimage®) C:\Users\staples\Downloads\ReimageRepair.exe
2016-03-04 13:06 - 2015-11-11 16:06 - 00000278 _____ C:\Windows\Tasks\UpdateTask.job
2016-03-04 13:01 - 2015-11-11 16:08 - 00000266 _____ C:\Windows\Tasks\HeavCoppe7.job
Task: {0E168C2D-58DC-4080-9291-64A1AD352B45} - \Cawlez -> No File <==== ATTENTION
Task: {152B2ED0-C918-4556-BDF3-DE62FDA39835} - System32\Tasks\4945 => C:\Windows\system32\wscript.exe [2013-10-12] (Microsoft Corporation) <==== ATTENTION
Task: {2F57269B-1E09-4E2D-AB1E-B0FDAC7D279C} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {5CC4AB60-A7FD-42C0-B9EC-F611570F3CFE} - \Microsoft\Windows\Windows Activation Technologies\ValidationTaskDeadline -> No File <==== ATTENTION
Task: {60453F6C-A9FC-452E-B245-F282657175C3} - System32\Tasks\Regwork => C:\Program Files (x86)\RegWork\RegWork.exe
Task: {626C1C30-4BD0-4176-8606-504C4D45314A} - \Microsoft\Windows\Windows Activation Technologies\ValidationTask -> No File <==== ATTENTION
Task: {AC4E5ACF-89F7-4220-BA21-81EE183975E2} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {CC8FEC67-B81B-4D55-88CD-963102BCFCE1} - System32\Tasks\FierGrai9 => C:\Users\staples\AppData\Local\CRAIMP~1\Crpromote.exe
Task: {CEE64558-E1A7-4D9D-80A7-2001912BE5B5} - \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector -> No File <==== ATTENTION
Task: {D5A8F417-195D-441D-B51B-0CFEDB0EAEAE} - System32\Tasks\HeavCoppe7 => C:\Users\staples\AppData\Local\CraImpul5\Crsettle.exe
Task: {E23884A4-03A0-4D19-A05E-5E894DFEF4DD} - System32\Tasks\UpdateTask => C:\Users\staples\AppData\Local\{4AB67~1\UNINST~1.EXE
Task: {E5E74DAD-7C41-4D17-A8EB-356FA017C915} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {FA2BC0A6-8D4B-458A-85C8-2B8C72487513} - \Microsoft\Windows\MemoryDiagnostic\DecompressionFailureDetector -> No File <==== ATTENTION
Task: C:\Windows\Tasks\FierGrai9.job => C:\Users\staples\AppData\Local\CRAIMP~1\Crpromote.exe
Task: C:\Windows\Tasks\HeavCoppe7.job => C:\Users\staples\AppData\Local\CraImpul5\Crsettle.exe
Task: C:\Windows\Tasks\Regwork.job => C:\Program Files (x86)\RegWork\RegWork.exe-shed C:\Program Files (x86)\RegWork\RegWork.exe
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\staples\AppData\Local\{4AB67~1\UNINST~1.EXE
C:\Users\staples\AppData\Local\CraImpul5
C:\Program Files (x86)\FunWebProducts
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
cmd: sfc /scanfile=C:\Windows\system32\dnsapi.dll
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
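
The following is an added example, not part of the original post and not FRST's own code: a small triage pass over `Task:` lines in the format shown in the fixlist above, reporting why an entry stands out. The sample lines are copied from that fixlist; the three heuristics (missing target, target under a user's AppData, script host as target) are assumptions chosen for illustration.

```python
import re

# Sample lines copied from the fixlist in the post above.
SAMPLE = r"""
Task: {0E168C2D-58DC-4080-9291-64A1AD352B45} - \Cawlez -> No File <==== ATTENTION
Task: {152B2ED0-C918-4556-BDF3-DE62FDA39835} - System32\Tasks\4945 => C:\Windows\system32\wscript.exe [2013-10-12] (Microsoft Corporation) <==== ATTENTION
Task: {60453F6C-A9FC-452E-B245-F282657175C3} - System32\Tasks\Regwork => C:\Program Files (x86)\RegWork\RegWork.exe
Task: {D5A8F417-195D-441D-B51B-0CFEDB0EAEAE} - System32\Tasks\HeavCoppe7 => C:\Users\staples\AppData\Local\CraImpul5\Crsettle.exe
Task: C:\Windows\Tasks\UpdateTask.job => C:\Users\staples\AppData\Local\{4AB67~1\UNINST~1.EXE
"""

# Layout assumed from the lines above: Task: [{GUID} - ]<name> (-> | =>) <target>
TASK_RE = re.compile(
    r"^Task:\s+(?:\{(?P<guid>[0-9A-Fa-f-]{36})\}\s+-\s+)?"
    r"(?P<name>.+?)\s+[-=]>\s+(?P<target>.*)$"
)
MARKER = "<==== ATTENTION"

def parse_task(line):
    """Split one Task: line into its fields; return None for any other line."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    return {"guid": m.group("guid"), "name": m.group("name"),
            "target": target.replace(MARKER, "").strip(),
            "flagged_by_frst": MARKER in target}

def triage(task):
    """Return the reasons (illustrative heuristics) an entry deserves a look."""
    reasons = []
    target = task["target"].lower()
    if target.startswith("no file"):
        reasons.append("orphaned: target missing")
    if re.search(r"\\users\\[^\\]+\\appdata\\", target):
        reasons.append("runs from user AppData")
    if re.search(r"\\(wscript|cscript)\.exe", target):
        reasons.append("launches a script host")
    if task["flagged_by_frst"]:
        reasons.append("marked ATTENTION in the log")
    return reasons

def triage_log(text):
    """Map each task name found in the text to its list of reasons."""
    tasks = filter(None, map(parse_task, text.splitlines()))
    return {t["name"]: triage(t) for t in tasks}

if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE).items():
        print(f"{name}: {', '.join(reasons) or 'nothing flagged'}")
```

An empty reason list only means none of these three heuristics fired; the Regwork entry, for example, is still on the helper's removal list.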

Offline wannabe_lara

Re: Pop up from avast that there is a trojan!
« Reply #8 on: March 06, 2016, 04:41:59 PM »
Thanks for your reply. Avast on my PC won't let me download AdwCleaner.exe as it says it's a threat! Do I run it on my husband's laptop after the copy and paste of your notepad list?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: Pop up from avast that there is a trojan!
« Reply #9 on: March 06, 2016, 04:44:36 PM »
Quote
Thanks for your reply. Avast on my PC won't let me download AdwCleaner.exe as it says it's a threat! Do I run it on my husband's laptop after the copy and paste of your notepad list?

Right click avast tray icon and pause shields

« Last Edit: March 06, 2016, 04:46:10 PM by Pondus »

Offline essexboy

Re: Pop up from avast that there is a trojan!
« Reply #10 on: March 06, 2016, 04:50:00 PM »
Once you have killed the initial infection I will then look at re-instating your network connection.

Or you could use this fixlist (attached), which has the necessary commands in.

Offline wannabe_lara

Re: Pop up from avast that there is a trojan!
« Reply #11 on: March 06, 2016, 05:37:15 PM »
So I ran them as advised. The AdwCleaner didn't give a text window. So when I went to where you directed, it wasn't there either! I hope that I've copied the correct one.

Offline essexboy

Re: Pop up from avast that there is a trojan!
« Reply #12 on: March 06, 2016, 05:49:15 PM »
Yep, that is right. How is the computer at the moment? When you try to connect to the net, what error do you get?

Run this fix and then try to connect.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

Offline wannabe_lara

Re: Pop up from avast that there is a trojan!
« Reply #13 on: March 06, 2016, 06:55:23 PM »
No joy for the net! It's still saying connected to wifi and is stuck at identifying! I think we're going to leave it here today. It's consumed our whole weekend. We are both very grateful for all your help. If you can think of anything else it would be so appreciated. Thank you for all your time.

Offline essexboy

Re: Pop up from avast that there is a trojan!
« Reply #14 on: March 06, 2016, 10:24:38 PM »
Can you connect using an ethernet cable?

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of MTB.txt will be saved in the same directory the tool is run.
 
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.