DNS probe flush and dns reset didn't work

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by THESoccerMom, Oct 5, 2015.

  1. THESoccerMom

    THESoccerMom Private E-2

    Right now my son has a Lenovo laptop with Win 8.1, 32-bit...and got the dns probe finished nxdomain error when he opened Google Chrome.

    IE refused to load

    So using his tablet, he searched the error message and it told him to first do a dns flush....which he did and it didn't work.

    The second recommendation was to change dns settings in the network and security options... this did not work either.

    Then he attempted a system restore to a previous stored point before this issue and that did not help either.

    We tried replacing a dnsapi.dll file and that did not work either.

    Any applications that require the internet will not work and gave the error msg....dnsapi.dll file is missing from your computer and try reinstalling (which I mentioned that we attempted and did not work).

    I am currently typing this from my computer, because his is a pretty paperweight at the moment.

    Thanks in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What makes you think this is a malware problem?

    You said the dnsapi.dll file is reported as missing! Did you check to see if it is really missing?

    When you did the System Restore, you said it did not fix the problem but did the System Restore actually complete? Also did you try other restore points?

    If you believe it is somehow due to malware, please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. THESoccerMom

    THESoccerMom Private E-2

    Thank you for your help.

    The dnsapi.dll file that is reported as missing is located in the correct location.

    Multiple scans reported that the dnsapi.dll file was either malware or damaged.

    I have omitted the tdsskiller log to avoid bumping the thread, as I have reached the attachment threshold, and the scan came up clear.

    The system restore did complete but the dns error remained.

    I was unable to run the version of malwarebytes or the new version I installed from this website, and the error is described in one of the attachments.

    Roguekiller turned up the most likely candidates for the infected files.
     
  4. THESoccerMom

    THESoccerMom Private E-2

    Attachments failed to upload.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Hitman Pro again and allow it to fix all that it finds except the Punkbuster stuff which you chose to install. Then immediately reboot your PC.

    After reboot, run RogueKiller again and this time look for any of the below items on the Registry and Tasks tabs and fix them if they still remain after the Hitman Pro fix.


    ¤¤¤ Registry : 8 ¤¤¤
    [PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C} -> Found
    [Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | wenguanjia : C:\Users\Grigory\AppData\Roaming\wenguanjia\Dailaymation.exe /autorun [x][x] -> Found
    ¤¤¤ Tasks : 8 ¤¤¤
    [Suspicious.Path] %WINDIR%\Tasks\3bdQeLxtspf.job -- C:\Users\Grigory\AppData\Roaming\3bdQeLxtspf.exe (--c=CTbI5yQ9J6WLq3xPV+h5C0Dsi7jo+9zxXo+osAc6BQIR81g1EO+hEV4m40YXx0xR+RlEoV90ibdOrIogb/ZyWemdPAtpp8MTOid4WGpCBix/MGmFFgB3KPLfrj6pHmT6GuI5cm1/XH/WdPTbylM246JLV7tFWoznjs0IXhyHPNECfDKEsUH572hdmD00NVPmluO9l4QJSd9jc0wXHi2Sn9Il/bDkoWj+50t7GTIGd5lGasyInDG7eMrrR83QSRpITFSUjcaz6/YgVscI7GE4DktSUH376Ub87xVELc6kC4wahCwV/tkfuMnf6hD3RwU3OZBWF/2x2nd+PfQ+ePJX4A==) -> Found
    [Suspicious.Path] %WINDIR%\Tasks\89bG9akOXw.job -- C:\Users\Grigory\AppData\Roaming\89bG9akOXw.exe (--c=tVw/LXKBEpCVnut3PjjIhYBSFKDDkoMnGNGY0YLG/HhkDHePSPLJYDKDmCrh2TrsmDf5FXeYAsaiqMWnWbC/s3iQcji/hd8YyPDLmjZmkCDhn58rQFYNweav/cfu4xMs44B/EciVTfvTpZX5XUIVmDgFkrMam1lMMTRhusXfdlmXADbeRfyzynGqJfieg9pa18HukQ986HVZS5N946/+8AXxKGI2+2wKk8XNkVoS7mVa8R2svrqkBNQenCvfQQ1vidCCuzrMxYjDXWGGUi7lioIDcIZEGNMNGCqxK3Xpoom3phrToXv5NwwjPeJG2gyCgn+BWWWrO5p2CoU0NSJokA==) -> Found
    [Suspicious.Path] %WINDIR%\Tasks\AdobeoaUpdate Ver 2015915.job -- C:\Users\Grigory\AppData\Roaming\wenguanjia\Dailaymation.exe (/check_update) -> Found
    [Suspicious.Path] \3bdQeLxtspf -- C:\Users\Grigory\AppData\Roaming\3bdQeLxtspf.exe (--c=CTbI5yQ9J6WLq3xPV+h5C0Dsi7jo+9zxXo+osAc6BQIR81g1EO+hEV4m40YXx0xR+RlEoV90ibdOrIogb/ZyWemdPAtpp8MTOid4WGpCBix/MGmFFgB3KPLfrj6pHmT6GuI5cm1/XH/WdPTbylM246JLV7tFWoznjs0IXhyHPNECfDKEsUH572hdmD00NVPmluO9l4QJSd9jc0wXHi2Sn9Il/bDkoWj+50t7GTIGd5lGasyInDG7eMrrR83QSRpITFSUjcaz6/YgVscI7GE4DktSUH376Ub87xVELc6kC4wahCwV/tkfuMnf6hD3RwU3OZBWF/2x2nd+PfQ+ePJX4A==) -> Found
    [Suspicious.Path] \89bG9akOXw -- C:\Users\Grigory\AppData\Roaming\89bG9akOXw.exe (--c=tVw/LXKBEpCVnut3PjjIhYBSFKDDkoMnGNGY0YLG/HhkDHePSPLJYDKDmCrh2TrsmDf5FXeYAsaiqMWnWbC/s3iQcji/hd8YyPDLmjZmkCDhn58rQFYNweav/cfu4xMs44B/EciVTfvTpZX5XUIVmDgFkrMam1lMMTRhusXfdlmXADbeRfyzynGqJfieg9pa18HukQ986HVZS5N946/+8AXxKGI2+2wKk8XNkVoS7mVa8R2svrqkBNQenCvfQQ1vidCCuzrMxYjDXWGGUi7lioIDcIZEGNMNGCqxK3Xpoom3phrToXv5NwwjPeJG2gyCgn+BWWWrO5p2CoU0NSJokA==) -> Found
    [Suspicious.Path] \AdobeoaUpdate Ver 2015915 -- C:\Users\Grigory\AppData\Roaming\wenguanjia\Dailaymation.exe (/check_update) -> Found
    [Suspicious.Path] \Dlialrulael -- "C:\ProgramData\Dlialrulael\1.0.5.1\grimsafi.exe" ("/e=L3A9MjI3NjAxXi91PWU3YzJlYWMwNTFiODQ2YmNiMTdmMGM2MTJjNmU4NTc3Xi9kPWRlc2t0b3BzZWFyY2hhcHAuY29tXi9uPURFU1ReL2E9RGVza3RvcFNlYXJjaF4vdA==") -> Found
    [PUP] \Uijua -- "C:\Program Files\shopperz150920152021\Hugvyg.bat" -> Found

    Now reboot your PC again immediately after the RogueKiller fix and run a new scan with RogueKiller and save a new log.

    Now also run a new scan with Hitman Pro and save a new log.


    After reboot, continue with the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the RogueKiller log
    • the Hitman Pro log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. THESoccerMom

    THESoccerMom Private E-2

    Completed all of the scans and took care of all the files.

    Unfortunately, the problem is still persisting.

    An error pops up when using any non-web browser program that requires the internet saying that the dnsapi.dll file is missing and should be reinstalled. The dnsapi.dll file is currently located in the system32 folder.

    The dns_probe_finished_nxdomain error remains when attempting to use any web browser.

    When using the MGTools, both nslookup and ipconfig.exe failed, with the error window stating that the dnsapi.dll file was missing.

    It appears that after removing the files with rogue scanner, the second scan identified a few new PUMs that did not turn up during the first scan, figured it was worth mentioning.

    Thank you very much for your time! I have attached the requested logs below.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes but now the malware is at least gone. ;)


    Also, please download SystemLook_x64 from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      dnsapi
      dnsapi.dll
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes a while for this to scan through your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.
     
  8. THESoccerMom

    THESoccerMom Private E-2

    Fair enough! It is much appreciated as well to say the least!

    Here are the results to the scan.

    Again thank you so much for your time.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Okay, you have the file that is in the system32 folder and it is the correct/good file. The problem is that you are missing the one that needs to be in the SysWOW64 folder and it is a different version of the file than in the system32 folder. Let's see if we can copy it back where needed from a backup I located with SystemLook.


    Right click on your Windows icon at the lower left of your Desktop and select Run to bring up the Run box. Then copy and paste the below into the Run box and click OK.
    ( Note: if you do not see the Run selection then hold down your Windows Logo key on your keyboard and at the same time press the R key. This should bring up the Run box )

    copy C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17415_none_90eb58f92b43cedd\dnsapi.dll C:\Windows\SysWOW64\dnsapi.dll

    Did it copy properly into the SysWOW64 folder? The proper file size for this version is 498688 bytes. If it copied properly then reboot your PC and see how things are working.
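
A check for the copy step in the reply above, added here as an example and not part of the original thread: it compares the SysWOW64 file against the WinSxS backup by size and SHA-256, since a matching size alone does not show the content is the same. It assumes an elevated PowerShell 4.0 or later prompt (for Get-FileHash); the function name Test-DnsApiCopy is hypothetical, and the paths and the 498688-byte size are the ones quoted in the reply.

```powershell
# Added example (not from the thread). Paths and the expected size are the ones
# quoted in the reply above; the function name Test-DnsApiCopy is hypothetical.
function Test-DnsApiCopy {
    param(
        [string]$Source = 'C:\Windows\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.3.9600.17415_none_90eb58f92b43cedd\dnsapi.dll',
        [string]$Target = 'C:\Windows\SysWOW64\dnsapi.dll',
        [long]$ExpectedSize = 498688
    )

    # Fail early and name the missing file instead of letting Get-Item throw.
    foreach ($path in @($Source, $Target)) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            return [pscustomobject]@{ Ok = $false; Reason = "File not found: $path" }
        }
    }

    $dst     = Get-Item -LiteralPath $Target
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash

    # Collect every mismatch so the report shows all of them at once.
    $problems = @()
    if ($dst.Length -ne $ExpectedSize) {
        $problems += "target is $($dst.Length) bytes, expected $ExpectedSize"
    }
    if ($srcHash -ne $dstHash) {
        $problems += 'target SHA-256 differs from the WinSxS copy'
    }

    [pscustomobject]@{
        Ok            = ($problems.Count -eq 0)
        Reason        = ($problems -join '; ')
        TargetSize    = $dst.Length
        TargetVersion = $dst.VersionInfo.FileVersion
        TargetSha256  = $dstHash
    }
}

Test-DnsApiCopy | Format-List
```

An `Ok` value of `False` with a "File not found" reason for the SysWOW64 path means the copy never happened; a size or hash mismatch means a different file is sitting in that folder.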
     
  10. THESoccerMom

    THESoccerMom Private E-2

    When following the previous procedure, rather than the dll file copying to the previously mentioned folder, a window popped up asking which program I wanted to use to open the file.

    The dll file that is currently in the folder you specified is a different size (486kb).

    No noticeable change after entering that file location into the run box.

    Thank you again.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have the whole command line in? That is, was the word copy at the beginning? Sounds like it did not copy. Did you check to see if the file actually now appears in the C:\Windows\SysWOW64 folder?

    Yes that is what I said in my last message.

    Yes because it probably did not copy.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact, let's download and run a scan with the below tool since we may have to use it to copy the file to the correct location if you cannot get it to work using the Run box.

    Please download the latest version of FRST from the below link.

    Farbar Recovery Scan Tool and save it to your Desktop.


    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
     
  13. THESoccerMom

    THESoccerMom Private E-2

    Alright, here are the logs from this scan.

    Thanks again.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Download this >> View attachment fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • If it does not reboot then reboot it yourself.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.

    Also at this point, I want to double check your status by having you run another scan with FRST like in my last message and attach the new FRST.txt log.


    Make sure you tell me how things are working now!
     
  15. THESoccerMom

    THESoccerMom Private E-2

    Alright, I ran all the scans, and the logs are attached.

    After the reboot I am still getting the nxdomain/missing dnsapi error when I try to use a browser or app that uses the internet.

    Not sure how relevant, but I also double checked the dnsapi file in the WinSxS folder, and it is still the wrong size file.

    I am now randomly getting an error message, once upon booting up.

    It is "Windows Script Host", and the error description is "cannot find script file 'C:\ProgramData\Lenovo-4317.vbs'.".

    This message only occurs once per boot and always approximately 15 seconds after loading into the desktop screen.

    Thank you again.
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, this is because FRST did not run properly and was not able to complete the fix. Thus the file was not copied back.

    As I stated before, this is the correct size file.

    Okay we will need to copy this file back to this folder from the FRST backups with the new fix below.

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.

    Download this >> View attachment fixlist.txt


    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.

    Also at this point, I want to double check your status by having you run another scan with FRST like in my last message and attach the new FRST.txt log.

    Make sure you tell me how things are working now!
     
  17. THESoccerMom

    THESoccerMom Private E-2

    After running the scans and rebooting, everything is working great!!

    I still got the error of the missing Lenovo-4317.vbs, but it doesn't appear to be affecting the computer in any way.

    Thank you so much for your help, I really appreciate it.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Great news!

    We will attempt to restore this now too with a new fix for FRST.

    Download this >> View attachment fixlist.txt



    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.
    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now reboot your PC if FRST has not rebooted it and check to see if the error message about the Lenovo-4317.vbs file is gone.

    Now download the current version of MGtools and save it to your Desktop folder. Overwrite any previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista, Win7, or Win8, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below logs:
    • the Fixlog.txt log
    • C:\MGlogs.zip
    Is the error message gone now?
     
