Author Topic: How to remove a read only Trojan horse? Help!  (Read 12514 times)


REDACTED

  • Guest
How to remove a read only Trojan horse? Help!
« on: August 08, 2016, 09:01:41 PM »
Hello, GiGi here.
I have Avast Free as my antivirus. I installed it right during a malware attack since it was the first thing I thought about doing that would help the situation. Avast has helped me to delete/fix/repair/move to chest most of the malware that was coming and that I had on my computer. However, anytime I run full system scans or a boot-time scan it will leave me with one infectious file (Avast actually registers it as two files, although I think it's one as both have the same file location), file name (really the location): C:\Windows\SysWOW64\dnsapi.dll with high severity registered by Avast and the threat is called: Win32:Patched-AWK[Trj] and Avast will not repair/delete or move the file to chest because it's a read-only file with error code 6009. When it tries to fix it, it says that it is open in another program. I know how to get to the file but I can't delete it because it says it is open in Avast.
This Trojan will limit my connection to the internet. For example, it will not let me go on Minecraft servers at times, it won't let me go to certain webpages at certain times, when I try to move a window across my screen it will go real slowly and you can see the pointer (mouse) on the screen moving it with another pointer which I can move freely but can perform no actions, it won't let me view photos on the internet (I was in Avast and it would let me view photos on some threads), it will not let me send photos on Skype, it will not let me connect to the internet on Spotify, and finally it will not let me open Mozilla Firefox at all (it "crashes" as soon as I try to open it). Also, curiously enough, it installed something called MPC cleaner with some other stuff on my computer branded by MPC and it sets my search engine to asearch.com whenever I change it to google.com.
Help anyone?
« Last Edit: August 08, 2016, 09:04:11 PM by GiGi AZ Official »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: How to remove a read only Trojan horse? Help!
« Reply #1 on: August 08, 2016, 09:06:24 PM »
Follow instructions and attach requested logs  >>  https://forum.avast.com/index.php?topic=53253.0


Quote
C:\Windows\SysWOW64\dnsapi.dll
also upload and test the file at www.virustotal.com
if tested before, click rescan for a fresh result and post link to scan result here

« Last Edit: August 08, 2016, 09:12:25 PM by Pondus »

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #2 on: August 08, 2016, 09:31:26 PM »
It will not let me test the file. Rather, Windows won't let me open the file as it says it contains a "potentially unwanted virus or malware". I also tried putting the whole SysWOW64 folder in there... But that doesn't seem to work. Lol
Also, when I try to open it I get a popup stating the following, "There was a problem starting C:\Program files\AVAST Software\Avast\defs\16080700\bcuengine.dll

Also at the moment I am running a command (sfc /scannow) in Command Prompt (admin)

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: How to remove a read only Trojan horse? Help!
« Reply #3 on: August 08, 2016, 09:38:06 PM »
Please follow the instructions in the link Pondus gave you.

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #4 on: August 08, 2016, 09:45:43 PM »
Yeah, but I can't open the page which leads me to install Malwarebytes. Google Chrome says "www.malwarebytes.org’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN"

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #5 on: August 08, 2016, 09:49:07 PM »
Wait, no. Managed to install by connecting and disconnecting my Ethernet

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #6 on: August 08, 2016, 09:59:29 PM »
So I can't install Malwarebytes because it says: Runtime error at 110:137, could not call proc

Offline Eddy

Re: How to remove a read only Trojan horse? Help!
« Reply #7 on: August 08, 2016, 10:04:11 PM »
Get and use Farbar and attach the requested log files.

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #8 on: August 08, 2016, 10:35:12 PM »
Here are the logs from Farbar
(Attachments below)

Offline Pondus

Re: How to remove a read only Trojan horse? Help!
« Reply #9 on: August 08, 2016, 10:43:08 PM »
Now you wait for one of the malware experts listed in the guide to arrive; it may take hours.


Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: How to remove a read only Trojan horse? Help!
« Reply #10 on: August 08, 2016, 11:44:01 PM »
I will examine the logs more closely later, but run this to fix the DNSapi.dll issue:


Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #11 on: August 09, 2016, 12:49:15 AM »
Done. Here is the file!
What do you need me to do now?
« Last Edit: August 09, 2016, 03:47:38 AM by GiGi AZ Official »

Offline dbrisendine

Re: How to remove a read only Trojan horse? Help!
« Reply #12 on: August 09, 2016, 08:04:14 AM »
I have finished examining your FRST logs and am ready to proceed.



FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Body Text Feathering
CleanBrowser
DailyWiki - DailyWiki for Desktop
QuickTime 7
Window Rules Manager


To do so, left-click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply. Also, tell me how your system is running now. Do you still get the DNS files warning from Avast?
« Last Edit: August 09, 2016, 08:06:19 AM by dbrisendine »

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #13 on: August 10, 2016, 05:04:59 AM »
Hello, sorry I took a while.
When my PC booted it seemed pretty normal. Like it used to be. However, at one moment (like after 3 minutes of rebooting) massive lag spikes occurred. I could barely move the mouse. And neither Google Chrome nor files would open. But when starting my PC, Steam was updating itself. After that I got a notification from Windows asking me to check my network connection. This was my first red flag.
I open the file location of dnsapi, and scan it with Avast. It tells me the same thing it would before. "Threat detected..." and so on. I attached some screenshots. The fixlog is also below.

View the fix log.

REDACTED

  • Guest
Re: How to remove a read only Trojan horse? Help!
« Reply #14 on: August 11, 2016, 12:50:31 AM »
Today when booting up my pc..