Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan:Win32/Varpes.J!plock and associated problems on Win 7


  • This topic is locked This topic is locked
7 replies to this topic

#1 Hypatia415

Hypatia415

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 December 2015 - 12:30 PM

I have a Windows 7 machine that was just infected with Trojan:Win32/Varpes.J!plock.  The first symptoms were that a number of programs reported that DNSAPI.dll was missing (Chrome, Origin, etc) and in the lower right corner, there was a message saying that this version of Windows 7 was not genuine (but it is).  I also received a message that two helper dll's were missing: NETIOHLP.DLL and NSHIPSEC.DLL.

 

Windows Security Essentials reports it is in the file C:\Windows\system32\DNSAPI.dll.  When I clicked the button to remove the file, I received the error 0x800704ec The program is blocked by group policy.  I tried to remove it manually, but got the same error.

 

How can I get rid of the infected file, get back the right file(s), and convince Windows that it's legit?  Any help will be greatly appreciated.

 

Thanks in advance!

 

 

 



BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:57 PM

Posted 08 December 2015 - 01:02 PM

Welcome to BC !

 

Try downloading, installing and running a scan using MBAM. If that is successful then run another scan using Eset Online Scanner.

 

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR  REVIEW.

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Hypatia415

Hypatia415
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 December 2015 - 04:02 PM

Thanks for the speedy response.  :)  

 

I already have MBAM, but it wouldn't start because of the DNSAPI.dll error.  I tried to reinstall with the latest version from your link above, but during the installation process got the error: Runtime error Could not call proc. 

 

Incidentally, I too have been touched by His noodly appendage.



#4 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:57 PM

Posted 08 December 2015 - 05:18 PM

Bless you...:)

 

This sounds like shopperz...or very similar...a really nasty piece of combo malware and adware.

 

Hopefully you can run the scan required to post in the Malware Removal Forum. If unable to run the required scan then post anyway

describing your problem and why there are no FRST logs posted.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 Hypatia415

Hypatia415
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 08 December 2015 - 06:07 PM

Okay my new link is: http://www.bleepingcomputer.com/forums/t/598797/trojanwin32varpesjplock-and-associated-problems-on-win-7/



#6 Stephen3

Stephen3

  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 09 December 2015 - 07:22 PM

so i have the EXACT same problem as Hypatia415 only worse because i cant access the internet... I get the DNS_PROBE_FINISHED_BAD_CONFIG and DNS_PROBE_FINISHED_NXDOMAIN errors on chrome, it is random for what error message i receive. i have tried using IE but it just says this page can't be displayed. I have tried to edit my internet protocol version 4 settings but it wont let me open the properties box. I've been trying everything that i can to try and sort it out but after 6 hours of trying i have given up and i need help.

 

p.s i have posted this message from my laptop.



#7 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:57 PM

Posted 09 December 2015 - 08:48 PM

Welcome to BC Stephen3...

 

In the future, please start your own topic. It gets too confusing otherwise....thanks.

Follow the directions below.

 

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#8 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:04:57 PM

Posted 09 December 2015 - 08:59 PM

Since Hypatia415 has posted in Malware Removal Logs, this topic is closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users