Help removing Trojan:win64/patched.az.gen!dll

Hi,

Apologies for starting a new thread, I didn't want to jump on anyone's current problem similar to this.

I am having problems after letting my brother borrow my laptop.

Windows Defender is detecting Trojan:win64/patched.az.gen!dll - and I cannot get rid of it. It had blocked the internet but I have managed to get that back by going through command prompt instructions on the internet.

I cannot install any programs like AVG, Spyhunter etc. to remove it, so I guess the virus is blocking this.

I have run FRST64 and have the two files to upload, as I see this is the common first procedure.

Any help is appreciated.

Thank you

Attachments: FRST.txt, Addition.txt

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install the program and select Update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections, make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.
Save the file to your desktop and include its content in your next reply.


Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After the reboot, the logfile will be opened. Copy its content into your next reply.
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner
Thank you

I tried to install the Malwarebytes software but got the runtime error 97:137 "could not call proc".

The AdwCleaner report is below. I have uninstalled BitTorrent - it is not in Programs & Features but has just re-appeared after the reboot.

 

# AdwCleaner v5.025 - Logfile created 14/12/2015 at 08:11:58
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [server]
# Operating system : Windows 10 Pro  (x64)
# Username : admin - CHRISTHOMAS
# Running from : C:\Users\admin\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\SearchProtect
[-] Folder Deleted : C:\Program Files (x86)\AVG SafeGuard toolbar
[-] Folder Deleted : C:\Program Files (x86)\Conduit
[-] Folder Deleted : C:\Program Files (x86)\MyPC Backup
[-] Folder Deleted : C:\Program Files (x86)\tencent
[-] Folder Deleted : C:\Program Files (x86)\GGreaatsaver
[!] Folder Not Deleted : C:\Program Files (x86)\GGreaatsaver
[-] Folder Deleted : C:\Program Files\Common Files\ShopperPro
[-] Folder Deleted : C:\ProgramData\ShopperPro
[-] Folder Deleted : C:\ProgramData\GGreaatsaver
[!] Folder Not Deleted : C:\ProgramData\GGreaatsaver
[-] Folder Deleted : C:\ProgramData\YoutubeAdblocker
[-] Folder Deleted : C:\ProgramData\28341ff220e0446c9fff27c4493d622e
[-] Folder Deleted : C:\ProgramData\79d102da0261c9ce
[-] Folder Deleted : C:\ProgramData\Service1291
[-] Folder Deleted : C:\Users\admin\AppData\Local\Conduit
[-] Folder Deleted : C:\Users\admin\AppData\Local\jZip
[-] Folder Deleted : C:\Users\admin\AppData\Local\SwvUpdater
[-] Folder Deleted : C:\Users\admin\AppData\Local\torch
[-] Folder Deleted : C:\Users\admin\AppData\Local\SmartWeb
[-] Folder Deleted : C:\Users\admin\AppData\Local\DeskBar
[-] Folder Deleted : C:\Users\admin\AppData\Local\22813
[-] Folder Deleted : C:\Users\admin\AppData\Local\29479
[-] Folder Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mkopalohckfgjbdiokpbmhanoeelinih
[-] Folder Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\nbodcglpafmddndffgfinlkpfjbogaoa
[-] Folder Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\pibhhndkdodimkjlbchcjojpllccehmk
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\mkopalohckfgjbdiokpbmhanoeelinih
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\nbodcglpafmddndffgfinlkpfjbogaoa
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Comodo\Dragon\User Data\Default\Extensions\pibhhndkdodimkjlbchcjojpllccehmk
[-] Folder Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mkopalohckfgjbdiokpbmhanoeelinih
[-] Folder Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\nbodcglpafmddndffgfinlkpfjbogaoa
[-] Folder Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\pibhhndkdodimkjlbchcjojpllccehmk
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\mkopalohckfgjbdiokpbmhanoeelinih
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\nbodcglpafmddndffgfinlkpfjbogaoa
[!] Folder Not Deleted : C:\Users\admin\AppData\Local\Google\Chrome SxS\User Data\Default\Extensions\pibhhndkdodimkjlbchcjojpllccehmk
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_12570
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_18019
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_25398
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_25618
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_5094
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_5485
[-] Folder Deleted : C:\Users\admin\AppData\Local\Installer\Install_8952
[-] Folder Deleted : C:\Users\admin\AppData\LocalLow\Conduit
[-] Folder Deleted : C:\Users\admin\AppData\LocalLow\PriceGong
[-] Folder Deleted : C:\Users\admin\AppData\LocalLow\BitTorrentControl_v12
[-] Folder Deleted : C:\Users\admin\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
[-] Folder Deleted : C:\Users\admin\AppData\Roaming\digitalsite
[-] Folder Deleted : C:\Users\admin\AppData\Roaming\Search Protection
[-] Folder Deleted : C:\Users\admin\AppData\Roaming\RunDir
[-] Folder Deleted : C:\Users\admin\AppData\Roaming\NetService
[-] Folder Deleted : C:\Users\Public\Documents\ShopperPro
[#] Folder Deleted : C:\WINDOWS\SysNative\Tasks\digitalsite

***** [ Files ] *****

[-] File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js
[-] File Deleted : C:\Users\admin\AppData\Local\Temp\lengine.ini.log
[-] File Deleted : C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BrowserAir.lnk
[-] File Deleted : C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartWeb.lnk
[-] File Deleted : C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ei9163pu.default-1391602121228\user.js
[-] File Deleted : C:\WINDOWS\SysNative\drivers\bsdriver.sys
[-] File Deleted : C:\WINDOWS\SysNative\drivers\cherimoya.sys
[-] File Deleted : C:\WINDOWS\SysNative\drivers\swsedrvr_vw_1_10_0_25.sys

***** [ DLLs ] *****

[-] File Restored : C:\WINDOWS\SysWOW64\dnsapi.dll

***** [ Shortcuts ] *****

[-] Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
[-] Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
[-] Shortcut Disinfected : C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk
[-] Shortcut Disinfected : C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet-Explorer Browser.lnk

***** [ Scheduled tasks ] *****

[-] Task Deleted : AmiUpdXp
[-] Task Deleted : DigitalSite
[-] Task Deleted : SPBIW_UpdateTask_Time_3431303934343133382d5737325a786c5a3237344541
[-] Task Deleted : SXJVXMRYODXGIOSL

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\jZip.file
[-] Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
[-] Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
[-] Value Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [YTDownloader]
[-] Value Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DeskBar]
[-] Key Deleted : HKLM\SOFTWARE\CLASSES\dream.capture.1
[-] Key Deleted : HKLM\SOFTWARE\CLASSES\dream.capture
[-] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3225826
[-] Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [fmconverter@gmail.com]
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
[-] Key Deleted : HKCU\Software\Google\Chrome\Extensions\dknkjnkhedbanphkkpbpcgoblmkbfhlf
[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dknkjnkhedbanphkkpbpcgoblmkbfhlf
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
[-] Key Deleted : HKCU\Software\Classes\CLSID\{17EF1FFB-0545-4C9A-BE64-78FF53338475}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{117270FA-48AC-45BB-9171-B63D1B42A910}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{99E29823-2F67-41C3-8AA5-6425097A771F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B0660298-91AA-421F-BF0D-BFF6BB8BF3AE}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
[-] Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{B6AC5E3C-5CEB-4E72-B451-F0E1BA983C14}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\dsiteproducts
[-] Key Deleted : HKCU\Software\jZip
[-] Key Deleted : HKCU\Software\OCS
[-] Key Deleted : HKCU\Software\Softonic
[-] Key Deleted : HKCU\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKCU\Software\DeskBar
[-] Key Deleted : HKCU\Software\BrowserAir
[-] Key Deleted : HKCU\Software\SoftSuma
[-] Key Deleted : HKCU\Software\tstamptoken
[-] Key Deleted : HKCU\Software\Microsoft\Tinstalls
[-] Key Deleted : HKCU\Software\{5D3580CA-F881-4C16-bAB6-C23BD9AF53A8}
[-] Key Deleted : HKCU\Software\{C9DDB090-4E81-4602-9EE8-CEA9D3E26FB4}
[-] Key Deleted : HKCU\Software\AppDataLow\Toolbar
[-] Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
[-] Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Search Protection
[-] Key Deleted : HKCU\Software\AppDataLow\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\jZip
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCData App
[-] Key Deleted : HKU\S-1-5-19\Software\{5D3580CA-F881-4C16-bAB6-C23BD9AF53A8}
[-] Key Deleted : HKU\S-1-5-19\Software\{C9DDB090-4E81-4602-9EE8-CEA9D3E26FB4}
[-] Key Deleted : HKU\S-1-5-20\Software\{5D3580CA-F881-4C16-bAB6-C23BD9AF53A8}
[-] Key Deleted : HKU\S-1-5-20\Software\{C9DDB090-4E81-4602-9EE8-CEA9D3E26FB4}
[-] Key Deleted : HKU\S-1-5-21-3515164915-2860861682-270758949-1000_Classes\Software\{5D3580CA-F881-4C16-bAB6-C23BD9AF53A8}
[-] Key Deleted : HKU\S-1-5-21-3515164915-2860861682-270758949-1000_Classes\Software\{C9DDB090-4E81-4602-9EE8-CEA9D3E26FB4}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{39E20AE7-59E6-4072-BBF1-E8FCFC883642}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E516D6F3-65F1-4F9B-9466-925DED6EE285}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\esurf.biz
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.re-markit00.re-markit.co

***** [ Web browsers ] *****

[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [startup_URLs] Deleted : hxxp://www-searching.com/?pid=s&s=FCCztutdk0004,1f163b47-ad6b-447b-9ad7-0e6a63c39609&vp=ch&prd=set_ch
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaaiabcopkplhgaedhbloeejhhankf
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : dknkjnkhedbanphkkpbpcgoblmkbfhlf
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : jbolfgndggfhhpbnkgnpjkfhinclbigj
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : jlcgehabolcakkjhgmgpkagpolbjlhfa
[-] [C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Deleted : hxxp://www-searching.com/?pid=s&s=FCCztutdk0004,1f163b47-ad6b-447b-9ad7-0e6a63c39609&vp=ch&prd=set_ch

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [13471 bytes] ##########

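A helper reads an AdwCleaner log like the one above by hand, looking for what failed and what touched the operating system itself. As an added example (not code from this thread, from AdwCleaner or from the forum), the Python script below parses that v5 log format, counts actions per section, and lists the items that still need follow-up (the "[!] Not Deleted" entries and the "[#]" entries) together with anything that touched a driver directory, a system DLL or a Run key. The sample log is a constructed excerpt of the lines above; reading the "#" marker as "removed at reboot" is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt in the AdwCleaner v5 log format (representative lines only).
SAMPLE_LOG = r"""
# AdwCleaner v5.025 - Logfile created 14/12/2015 at 08:11:58
***** [ Folders ] *****
[-] Folder Deleted : C:\Program Files (x86)\GGreaatsaver
[!] Folder Not Deleted : C:\Program Files (x86)\GGreaatsaver
[#] Folder Deleted : C:\WINDOWS\SysNative\Tasks\digitalsite
***** [ Files ] *****
[-] File Deleted : C:\WINDOWS\SysNative\drivers\bsdriver.sys
***** [ DLLs ] *****
[-] File Restored : C:\WINDOWS\SysWOW64\dnsapi.dll
***** [ Registry ] *****
[-] Value Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DeskBar]
"""

SECTION_RE = re.compile(r"^\*+ \[ (.+?) \] \*+$")
ENTRY_RE = re.compile(r"^\[([-!#])\] (.+?) : (.+)$")
# Marker meanings: '-' done, '!' failed; '#' is assumed to mean "removed at reboot".
STATUS = {"-": "done", "!": "failed", "#": "pending_reboot"}


def parse_adwcleaner_log(text):
    """Return (section, status, action, target) tuples for every action line."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append((section, STATUS[m.group(1)], m.group(2), m.group(3)))
    return entries


def triage(entries):
    """Counts per (section, status), items needing follow-up, and high-value hits."""
    counts = Counter((sec, status) for sec, status, _, _ in entries)
    followup = [e for e in entries if e[1] != "done"]
    # Anything touching the driver directory, a system DLL, or a Run key is worth
    # a second look even when AdwCleaner reports the action as successful.
    high_value = [
        e for e in entries
        if e[0] == "DLLs" or "\\drivers\\" in e[3].lower() or "\\run [" in e[3].lower()
    ]
    return counts, followup, high_value


if __name__ == "__main__":
    entries = parse_adwcleaner_log(SAMPLE_LOG)
    counts, followup, high_value = triage(entries)
    for (sec, status), n in sorted(counts.items()):
        print(f"{sec:12} {status:15} {n}")
    print("follow-up:", [e[3] for e in followup])
    print("high-value:", [f"{e[2]}: {e[3]}" for e in high_value])
```

Run it against a real AdwCleaner[Cn].txt by reading the file into `parse_adwcleaner_log`; the "failed" and "pending_reboot" entries are the ones to re-check after the reboot.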
FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking it:

  • Copy dnsapi.dll;ds*.bin into the Search: field in FRST, then click the Search Files button.
  • FRST will search your computer for files and, when finished, it will produce a log, Search.txt, in the same directory the tool is run from.
  • Please attach it to your reply.
Since there are no more problems, we can declare this PC clean.

Now we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients' devices:
  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to prevent plenty of commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent installing additional foistware bundled with legitimate installations.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they're all up-to-date.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,

TwinHeadedEagle :)

3 weeks later...

Root Admin:

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
