I can't get rid of a Trojan that's made itself a new user

ncko10

Junior Member
Oct 13, 2015
There's a Trojan on my computer called Varpes.K!plock and another called Patched.AZ.gen!dll. Both are pretending to be dnsapi.dll in System32 which is an extension of dashost.exe. I believe the Trojan had disabled Windows Defender, so I went into regedit, then local files, then navigated to Windows Defender and deleted the disabling property. When I tried to delete dashost.exe after force quitting the process, it said you need permission from TrustedInstaller and when I went to check permissions in the properties, underneath ADMINISTRATORS and USERS, it had TrustedInstaller.

Sorry if I said any of the wrong terms or wasn't specific enough, I don't have much experience with this kind of thing other than running Windows Defender and scanning. Also I'm afraid of opening my PC in fear of the Trojan doing any more damage.
 

ncko10

Junior Member
Oct 13, 2015
I should have mentioned, on every page I go to in Chrome, there are popups that leave the intended page. I have checked extensions, recently installed software in ProgramFiles and ProgramFiles x86, and the uninstall program thing in control panel. Windows Defender recognises the virus and attempts to remove it every 2 minutes or so but is unsuccessful.
 

Ketchup

Elite Member
Sep 1, 2002
You probably need a better program. Something running outside of Windows would probably be your best bet, but you should also be able to run Safe Mode with Networking, stop the malware's process, then run a virus scan.

But going back to my first statement, putting Kaspersky Rescue Disk on a CD/USB drive and booting off that would be the best way to start IMO.
http://support.kaspersky.com/us/viruses/rescuedisk
 

ncko10

Junior Member
Oct 13, 2015
For reference, in Windows Defender, after attempting to Quarantine the virus, the status tab says error encountered and in the details I get Error code 0x800704ec. This program is blocked by group policy. For more information, contact your system administrator. I am currently unable to access the internet on any webpage or application and when I go into network settings, I can't access IPv4 settings.

Edit: When I go to Google Chrome, the homepage has randomly been set to feed.snapdo.com...
I was having this issue beforehand and thought I had gotten rid of that separate virus but it would seem it is the same one.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
download and install malwarebytes antimalware free edition:

https://www.malwarebytes.org/mwb-download/thankyou/

run custom scan then choose drive C (assuming that is your windows drive) and put a check in scan for rootkits. this should get rid of your trojan issues.

you may have to run the scan twice to make sure things are cleaned out.
 

mikeymikec

Lifer
May 19, 2011
I've seen malware replace dnsapi.dll on Win81. I replaced it with the newest copy I could find elsewhere in the Windows folder (probably somewhere in winsxs), which allowed Malwarebytes and Firefox to start properly.
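An added read-only triage script (my own, not code from anyone in this thread) covering the points raised so far: whether the System32 dnsapi.dll still carries a valid Microsoft signature, whether its hash matches any of the WinSxS copies mentioned above, whether a Windows Defender policy value is still disabling it (which is what produces the 0x800704ec "blocked by group policy" message), and what Chrome's start page is set to. The DisableAntiSpyware value name and the Chrome Preferences path are my assumptions about what the posts refer to; the script changes nothing.

```powershell
# Added triage helper (not from this thread). Read-only: it only reports.
# Run from an elevated PowerShell prompt on the affected machine.
$sys32Dll = Join-Path $env:SystemRoot 'System32\dnsapi.dll'

# 1. Authenticode check. A Microsoft-shipped dnsapi.dll reports Status = Valid
#    with a Microsoft signer; a patched copy typically shows HashMismatch or NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $sys32Dll
[pscustomobject]@{
    File   = $sys32Dll
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
} | Format-List

# 2. Compare the System32 copy with the copies staged under WinSxS (where the
#    replacement in the post above came from). A System32 hash that matches
#    none of them is a strong sign the file has been tampered with.
$sys32Hash = (Get-FileHash -Path $sys32Dll -Algorithm SHA256).Hash
Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -File `
    -Filter 'dnsapi.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Copy            = $_.FullName
            Version         = $_.VersionInfo.FileVersion
            MatchesSystem32 = ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $sys32Hash)
        }
    } | Format-Table -AutoSize

# 3. Defender policy override. The "disabling property" from the first post is
#    assumed to be DisableAntiSpyware under this key; a value of 1 here is what
#    makes Defender report 0x800704ec "blocked by group policy".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object DisableAntiSpyware | Format-List
} else {
    "No Windows Defender policy key present (nothing is disabling it by policy)."
}

# 4. Chrome start page (the thread reports it being reset to feed.snapdo.com).
#    Path assumes a default single-profile install.
$prefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $prefs) {
    $p = Get-Content -Path $prefs -Raw | ConvertFrom-Json
    [pscustomobject]@{
        Homepage    = $p.homepage
        StartupUrls = ($p.session.startup_urls -join ', ')
    } | Format-List
}
```

If step 2 reports a WinSxS copy whose version matches the OS but whose hash differs from System32, that copy is the one to restore from once the running malware has been stopped.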
 

Captante

Lifer
Oct 20, 2003
If you have the option I would pull the HD and scan with multiple anti-malware programs using a known-clean system. Unfortunately there's no way to be sure scan results from an infected Windows install are accurate.
 

KeithP

Diamond Member
Jun 15, 2000
If you have a backup of your data, I wouldn't spend the time trying to "clean" the system. Just wipe and restore.

-KeithP
 

xgsound

Golden Member
Jan 22, 2002
Here is a general procedure I use to attack Malware. Feel free to use all or none as you wish. Please let us know what fixes it when you find a solution.

******* 2015 Suggested General Virus/ Malware strategy ********
Download from www.bleepingcomputer.com if available there

TDSSKILLER
Adwcleaner
Rkill
Mbam

1. Use one and only one antivirus and keep it updated. MSE and Defender have become very limited. The free ones are Bitdefender, Avira, AVG, and Avast. I found Bitdefender free useful and unobtrusive.
2. These cleaners will require reentering browser IDs and passwords. Run these periodically or when there are problems:

a. run tdsskiller – this checks for rootkits and corrects - 3 minutes
b. run ADWcleaner - very fast and effective malware cleaner. scan / select clean - 5 or 10 minutes

3. If problems persist:

a. run rkill – it takes 2 or 3 minutes to start and 3 more to finish. DO NOT REBOOT
b. when rkill finishes, run a Malwarebytes full scan and fix all - 1 hour or so.


Jim