
Win/Patched


15 replies to this topic

#1 Blackstar57

Blackstar57

  • Members
  • 269 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:12:48 AM

Posted 18 December 2016 - 10:59 AM

Hello again. A couple weeks ago I replaced my Mobo/processor and had to reinstall Win10 after a format. I installed AVG free and now it is popping up with warnings that I have a Virus. It calls it Win/Patched and I can't find anything here in a search for it. In the last 10 minutes AVG has popped up 5 times telling me it has found this and deleted it. Is there a tool I can use to find and destroy this thing?

 

Thanks

 

Glenn




 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:48 PM

Posted 18 December 2016 - 05:06 PM

Did AVG provide a specific file(s) name associated with the malware threat(s) detected and if so, where is it located (full file path) on your system?

AVG provides this description on their web site:

Win/Patched is a malicious software that once it is executed has the capability of replicating itself and infecting other files and programs. These types of malware, called Viruses, can steal hard disk space and memory that slows down or completely halts your PC. It can also corrupt or delete data, erase your hard drive, steal personal information, hijack your screen and spam your contacts to spread itself to other users. Usually, a Virus is received as an attachment on an email or instant message.


Patched detections are usually legitimate (critical) Windows components that have been infected by a malicious application. Malware can add parts of its code to a system component and then patch certain functions of the original file to point to the appended code. In some cases a patched detection can be indicative of a dangerous polymorphic file infector with IRCBot functionality. The difference between file infectors (viruses) and patches is that a patch just changes a few bytes and cannot spread itself. File infectors infect (patch) the victim file and add a virus body to perform a malicious action and can infect hundreds of other files.

You should get a second opinion for this type of detection. Try performing an Online Virus Scan such as Eset Online Anti-virus Scanner to see if it can provide more specifics about the detected threat without allowing removal.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Blackstar57


Posted 18 December 2016 - 06:14 PM

AVG says the file path is C:\Windows\System32\dnsapi.dll. AVG says it is deleting the affected file but it just pops back up again. I ran ESET online scanner from a thumb drive I downloaded it to from another computer. It found 7 infected files and got rid of them. Ran it a second time and it doesn't find anything.

Malwarebytes did not get rid of it. I ran Rkill in safe mode and then AVG and Adware Cleaner... It still pops up as a virus in AVG.

 

I can't even explain how this got on my computer. It just seemed to appear. Is there any help short of a reformat? I just went through this a couple weeks ago after new Mobo/processor install. Had to install my original Win7 then after a crapload of updates I then had to reload Win 10 and then get more updates...

 

Thank you for your effort...

 

Glenn



#4 quietman7


Posted 18 December 2016 - 06:34 PM


Another way of confirming the detection is to submit the file for analysis. Go to one of the following online services that analyze suspicious files:

In the "File to Scan" (Upload or Submit) box, click the "browse" button, navigate to the location of the file:
C:\WINDOWS\System32\dnsapi.dll
...and submit it for analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

#5 Blackstar57


Posted 18 December 2016 - 06:46 PM

JOTTI reported back with... Scan finished. 0/19 scanners reported malware.



#6 Blackstar57


Posted 18 December 2016 - 06:49 PM

VirusTotal reported that the file had been analyzed. Reanalyzed and got this... Probably harmless! There are strong indicators suggesting that this file is safe to use.



#7 Blackstar57


Posted 18 December 2016 - 06:58 PM

I was running an Avast scan when you posted this. It found one infected file then recommended a boot scan. Awaiting the results now.



#8 Blackstar57


Posted 18 December 2016 - 07:13 PM

VirSCAN found Malware... 

File Name: dnsapi.dll (File not down)
File Size: 534064 byte
File Type: application/x-dosexec
MD5: bb5bbd0e4d04047585e4ed0f07aa51e7
SHA1: fe8c8b4dfd5b80d30b98b2bd5ae2656f0d657a51

Scanner results: 2% Scanner(s) (1/39) found malware!
Behavior Time: 2016-12-19 08:09:58 (CST)

#9 quietman7


Posted 18 December 2016 - 07:34 PM

You should report and submit the file to AVG labs so they can investigate further. Once a file is received, a researcher can examine it in more detail and provide a report letting you know the results.

#10 Blackstar57


Posted 18 December 2016 - 07:42 PM

You should report and submit the file to AVG labs so they can investigate further.

Once a file is received, a researcher can examine it in more detail and provide a report letting you know the results.

 

 

 

Done...



#11 quietman7


Posted 18 December 2016 - 08:00 PM

Dnsapi.dll is a legit Windows file but it has been known to be replaced with a patched copy during a Shopperz browser hijacker...see here. However, when that is the case there are other signs/symptoms which indicate malware infection as described in that article.

Since you are not experiencing any of these other symptoms, you most likely are only dealing with AVG's detection of that file. You could try running the System File Checker tool (SFC.exe) while waiting for AVG to get back.

#12 Blackstar57


Posted 18 December 2016 - 08:09 PM

I was googling for a bit and am now running SFC /scannow in safe mode. I will report back if it finds anything.

I am having some symptoms. Can't use Edge browser. Just won't work. If I try to shred the file it won't because it is in use with Avast hijack protection. I checked that and it wasn't there.



#13 Blackstar57


Posted 18 December 2016 - 08:14 PM

Scan found corrupt files and successfully repaired them. Just rebooting now.



#14 quietman7


Posted 18 December 2016 - 08:15 PM

If it is a patched file, the above article I linked to includes an update at the bottom which says Malwarebytes can fix it.

#15 Blackstar57


Posted 18 December 2016 - 08:16 PM

This seems to have worked. After reboot I have nothing popping up and I can go online with Edge. If it acts up again I will report back. Thank you for your help quietman7... :clapping:
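
The checks used in this thread (a second opinion on C:\Windows\System32\dnsapi.dll, then System File Checker) can be run locally from an elevated PowerShell 5.1 or later prompt. This is an added example, not part of any poster's message; `Get-SystemFileReport` is a hypothetical helper name, and the default path is the file named in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): cross-check a flagged Windows system file.
# Get-SystemFileReport is a hypothetical helper name.

function Get-SystemFileReport {
    param([string]$Path = "$env:windir\System32\dnsapi.dll")

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # 1. Signature: a genuine OS file should verify (usually through a catalog)
    #    with a Microsoft signer. HashMismatch or NotSigned means the bytes on
    #    disk are not what was shipped.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 2. Hashes in the forms multi-scanner sites print, so the file that was
    #    uploaded can be matched to the file that is on disk now.
    $hash = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hash[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash
    }

    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType
        IsOSBinary      = $sig.IsOSBinary
        Signer          = $sig.SignerCertificate.Subject   # $null if unsigned
        LastWriteTime   = $item.LastWriteTime
        Length          = $item.Length
        MD5             = $hash['MD5']
        SHA1            = $hash['SHA1']
        SHA256          = $hash['SHA256']
    }
}

$report = Get-SystemFileReport
$report | Format-List

# 3. Verify only this file against the component store, without repairing it.
#    SFC writes its result straight to the console.
& "$env:windir\System32\sfc.exe" "/verifyfile=$($report.Path)"

# 4. SFC logs its findings as [SR] lines in CBS.log; show the most recent ones.
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '[SR]' -SimpleMatch |
    Select-Object -Last 20 -ExpandProperty Line
```

Running it before and after an SFC repair shows whether the hashes and signature status of the file changed, which tells a replaced file apart from an antivirus detection on an unmodified one.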





