Solved win32:Patched-AWQ [Trj] Infestation on Windows 7

grumpy

New Member
Thread author
Dec 12, 2016
7
My Lenovo G560, which runs Windows 7/64, has become unusable due to a malware infection. Malwarebytes will not run, and Avast cannot remove the infection, though it identifies it as win32:patched-AWQ [Trj] attached to dnsapi.dll, and tries unsuccessfully to remove it through a boot-time scan. Google Chrome, like Malwarebytes, will not run.

My experience with viruses and malware up to now has been that Malwarebytes will usually remove them, and if not, Avast will. I am clearly out of my depth with this problem, and believe I need expert assistance.
 

Attachments

  • Addition.txt
    30.5 KB · Views: 6
  • FRST.txt
    21.4 KB · Views: 7

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Copy dnsapi.dll into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
 

grumpy

New Member
Thread author
Dec 12, 2016
7
I can't copy the file. I can right click on dnsapi.dll and select copy, but then I cannot paste it anywhere. Right clicking on the search box in FRST shows the paste option as shadowed. If I try to paste into a Windows directory I get Error 0x800700E1: Operation did not complete successfully because the file contains a virus. There may be a work-around for this but if so, I don't know it.
 

grumpy

New Member
Thread author
Dec 12, 2016
7
I have booted the computer in safe mode, with both the infected dll and FRST on a USB stick. I opened FRST, copied the dll, and tried to paste it into FRST's window. The result was the same as in normal mode: cut, copy, paste and delete are all greyed out.
 

grumpy

New Member
Thread author
Dec 12, 2016
7
I made an unauthorised experiment, but it seemed harmless and the result might be of interest to you. I typed dnsapi.dll into the window of FRST64 and pressed the search button. The result was a list of ten copies of the file on the computer. Seven of them were digitally signed by Microsoft, and three were not. The three that were not were the copy in c:\Windows\Syswow64, which is the one that Avast singles out as the source of the virus; a copy in c:\Windows\System32; and a copy in my downloads directory which I had downloaded from the internet for an experiment, thinking it to be genuine. I wonder if the reason I achieved nothing by renaming the one in Syswow64 and replacing it with the downloaded one, was simply that the second copy of the infested file in System32 then became active.
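As an added illustration (not part of this thread, and not FRST's own code), the check that the FRST search and the post above describe, done in PowerShell: list every dnsapi.dll under the Windows directory with its Authenticode status, signer and SHA-256 so that copies which are not signed by Microsoft, such as the ones in System32 and SysWOW64 here, stand out. It assumes an elevated Windows PowerShell 4.0+ session; on Windows 7, catalog-signed system files can report NotSigned, so the hash grouping against the WinSxS copies is kept as a second signal.

```powershell
# Added example: enumerate every dnsapi.dll under %SystemRoot% and report
# its Authenticode state, so unsigned or tampered ("Patched") copies stand out.
# Assumes: elevated Windows PowerShell 4.0+ (Get-FileHash, -File switch).
function Get-DnsapiCopies {
    param(
        [string]$Root     = $env:SystemRoot,
        [string]$FileName = 'dnsapi.dll'
    )
    Get-ChildItem -Path $Root -Filter $FileName -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $subj = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Status    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = $subj
                SHA256    = $hash
                # Anything not validly signed by Microsoft deserves a closer look.
                # Caveat: on Windows 7, catalog-signed files may show NotSigned here.
                Suspect   = ($sig.Status -ne 'Valid') -or ($subj -notmatch 'Microsoft')
            }
        }
}

$copies = Get-DnsapiCopies
$copies | Sort-Object Suspect -Descending |
    Format-Table -AutoSize Path, Status, Suspect, SizeBytes

# Second signal: group by hash. On a clean system the live System32 / SysWOW64
# copies match one of the WinSxS component-store copies for the same
# architecture; a copy whose hash matches nothing in WinSxS is the odd one out.
$copies | Group-Object SHA256 | ForEach-Object {
    "{0}  x{1}" -f $_.Name, $_.Count
    $_.Group.Path | ForEach-Object { "    $_" }
}
```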
 

grumpy

New Member
Thread author
Dec 12, 2016
7
Thank you. I appreciate your help in this - I am simply out of my depth. I have uploaded Search.txt.
 

Attachments

  • Search.txt
    2.2 KB · Views: 4

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When it finishes, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the icon and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Attachments

  • fixlist.txt
    3.5 KB · Views: 8

grumpy

New Member
Thread author
Dec 12, 2016
7
I followed the procedure you laid out. I ran FRST with fixlist, pressed fix, and a lengthy process occurred, generating Fixlog. I ran Zemana, and it found nothing untoward, while generating a text file. FRST and Zemana logs are attached below. Meanwhile the computer had changed behaviour, so it ran with its normal speed, and could access Google Chrome once again. Avast reported a clean computer, no mention of win32:patched-AWQ [Trj]. Malwarebytes, which would not run up to now, ran successfully and reported no problems. As far as I can tell, you have achieved a complete cure. My sincere thanks.
 

Attachments

  • Fixlog.txt
    10.8 KB · Views: 3
  • 2016.12.16-21.28.57-i0-t92-d0.txt
    808 bytes · Views: 0

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Since there are no more problems, we can declare this PC clean.


Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.


Step 1. - Creation of system restore point and tools removal.


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
Tool deletes old system restore points and creates a fresh system restore point after cleaning.


Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.


Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients devices:

  • Zemana AntiMalware (paid version highly recommended) - to work as a supplement for your antivirus but with excellent remediation and protection
  • Zemana AntiLogger - keeps everything you type on the keyboard out of sight of bad guys trying to steal your credentials
  • Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent you from installing additional foistware bundled in legitimate installations.
  • uBlock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.


My help is free for everybody.
If you're happy with the help provided and/or wish to show your appreciation, please consider a donation:
Thank you!



Stay safe,
TwinHeadedEagle :)
 

grumpy

New Member
Thread author
Dec 12, 2016
7
Thank you, I've carried out that program successfully, with just one addition: I reinstalled Adwcleaner after DelFix deleted it, because I've found it valuable in the past. Your process for fixing my problem has been completely effective, and has extracted me from a situation I was unable to get out of without your help.
 
