dnsapi.dll issues / daugava



Hello, was handed a laptop (Win7 x64) complaining wireless internet wasn't working. Definitely virus issues. MSE is the only installed antivirus and it is complaining about Trojan:Win32/Patched.AO which it says was suspended and affects c:\windows\syswow64\dnsapi.dll. I have not acted on the threat (it recommends Quarantine).

 

I have tried system restoring to the earliest available restore point: 9/21/15 but the issue remains. 

 

I cannot install malwarebytes anti-malware. During the installation process I get "Runtime error (at 92:137) Could not call proc."

 

In the interest of time, I ran FRST64.exe and have attached FRST.txt and Addition.txt

 

Much appreciate any help with this.

 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

:welcome:

Hello and welcome aboard the Malwarebytes forums.  I will be guiding you from this point forward.

 

There is one Windows DLL file that needs to be restored.

 

I suggest you run Windows' System File checker.

To get an elevated command prompt, do the following:
Press the Start key.
In the text box at the bottom, type in

cmd

When it shows a black icon with cmd.exe, move the mouse over it, do a RIGHT-click, and select Run as Administrator.

If you are prompted for an administrator password or for a confirmation, type the password, OR click Allow.

Next, you will see a black box window (command prompt).
It should show "c:\Windows\system32>"

There, type in

sfc /scannow

and press the ENTER key. (Note there is one space after the letter c and before the slash mark.)

It will say Beginning system scan. This process will take some time.

Let it run and observe it from time to time.

I need to know what message you see when it is done.

P.S. The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions.

Link to post
Share on other sites
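
As an added example, not part of the thread or of any Malwarebytes or Microsoft tool: sfc /scannow writes per-file details to CBS.log under the [SR] tag, and this PowerShell function pulls out the entries for dnsapi.dll so the on-screen summary can be compared with what was logged for that file. The function name, status labels and sample log lines are constructed for illustration.

```powershell
# Added example (not from the thread): list what SFC logged about one file.
function Get-SfcFileResult {
    param(
        [string[]]$LogLines,               # lines read from CBS.log
        [string]$FileName = 'dnsapi.dll'   # file named in the MSE alert
    )
    $namePattern = [regex]::Escape('"' + $FileName + '"')
    foreach ($line in $LogLines) {
        # SFC entries carry the [SR] tag; the rest is other servicing activity.
        if ($line -notmatch '\[SR\]' -or $line -notmatch $namePattern) { continue }

        if     ($line -match '\[SR\] Cannot repair')       { $status = 'CannotRepair' }
        elseif ($line -match '\[SR\] Repairing')           { $status = 'RepairAttempted' }
        elseif ($line -match '\[SR\] Could not reproject') { $status = 'ReprojectFailed' }
        else                                               { $status = 'Other' }

        $time = $null; $dir = $null
        if ($line -match '^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { $time = $Matches[1] }
        # The directory appears as "\??\C:\Windows\SysWOW64" on lines that name a path.
        if ($line -match '"\\\?\?\\([^"]+)"') { $dir = $Matches[1] }

        New-Object PSObject -Property @{ Time = $time; Status = $status; Directory = $dir }
    }
}

# Constructed sample lines in CBS.log layout (component identity is a placeholder).
$sample = @(
    '2015-10-10 09:14:02, Info  CSI  00000301 [SR] Verifying 100 (0x0000000000000064) components',
    '2015-10-10 09:14:05, Info  CSI  00000305 [SR] Cannot repair member file [l:20{10}]"dnsapi.dll" of EXAMPLE-COMPONENT, Version = 0.0.0.0, hash mismatch',
    '2015-10-10 09:14:09, Info  CSI  0000030a [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:20{10}]"dnsapi.dll" from store',
    '2015-10-10 09:14:10, Info  CSI  0000030b [SR] Repair complete'
)
Get-SfcFileResult -LogLines $sample | Format-Table Time, Status, Directory -AutoSize

# On the affected machine, from the elevated prompt:
#   Get-SfcFileResult -LogLines (Get-Content "$env:windir\Logs\CBS\CBS.log")
```

A CannotRepair entry with no later RepairAttempted entry for the same file means the copy on disk was left as it was.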

When it rebooted I now have the message "This copy of Windows is not genuine" in the lower right corner (this is a Dell laptop that shipped with Windows 7--it is very much genuine). 

 

Furthermore, when I try to connect to wireless I'm getting "The connection was unsuccessful" (limited connectivity).

 

Thanks.

Link to post
Share on other sites

Yeah, well rather than deal with the terrible aftermath of sfc /scannow my solution to this problem was:

 

1. Use System Restore to go back to the point before sfc /scannow was run

2. Use another computer to run the Windows 10 download tool and create a USB Installer

3. Install Windows 10 on the infected laptop

 

Windows 10 installed just fine, and when it booted all of the problems were fixed--internet was working, and I could install and update malwarebytes (after updating and running a scan it found and removed the shopperz rootkit). Subsequent scans of mbam find no problems. Windows is genuine as it should be.

 

So happy ending in the end. For anyone else tearing their hair out over a similar problem on Win7 or Win8 you might just want to install Win10--might save you a lot of time as it did for me.

 

Thanks for trying to help Maurice Naggar.

Link to post
Share on other sites

It's quite notable that, after the Windows 10 upgrade-in-place (which I assume is what was done), malware was found.

Glad to know that the system is better now. My suggestion would be to do a new scan as follows to ensure that no further rootkits are around.

 

Let us please do a Custom Scan run like this. Start the Anti-Malware program. Click the Scan icon.
Then next please click the CUSTOM Scan.
Then make sure you select the C: drive (as shown on the right side of the picture below). We want to scan drive C.
Then look and be sure that the line Scan for rootkits has a check-mark. If it does not, click that box 1 time.
The scanning for rootkits is important.

Then press Scan now.

    
 
Then you should see a screen like this once the scanning phase has completed IF there is a detection. Titled Scan Results.

Kindly be real sure that each one of the lines detected has a CHECK-mark in the checkbox, as shown in this last image.
Then press the button marked Remove Selected.

After all is done, please attach the log-report file with your next email reply.

 

You did well in recovering back from the non-genuine-message-issue.
 

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
