netapi32 keeps being created in appdata/local folders – Virus, Trojan, Spyware, and Malware Removal Help – BleepingComputer

Posted 22 February 2021 – 10:14 AM
Hello BC!!
 
[screenshot: Kaspersky detection of netapi32.dll]
 
So Kaspersky has been detecting this weird netapi32.dll being created in AppData/Local/Folder. 
 
Funny thing is, when netapi32.dll is created, BDSLauncher.exe is also created with it in the folder, but Kaspersky doesn’t seem to think BDSLauncher.exe is a virus (even ran it through virustotal). 
 
So, netapi32.dll was being created in the AppData/Local/Bluestacks folder. I thought there was a problem with Bluestacks, so I deleted the folder and Bluestacks program. 
 
Whatever is creating this netapi32.dll and BDSLauncher.exe switched folder to AppData/Local/BraveSoftware and is creating netapi32.dll there every few hours. 
 
Obviously something funky is going on, but I don’t know what. Kaspersky and Malwarebytes can’t seem to find the original culprit. :(
 
[screenshot: Kaspersky details for netapi32.dll]
 
By the way, this is what Kaspersky says about the netapi32.dll. I don’t know if that would help…
 
Anyways here is FRST that I just ran! Thank you for the help!!
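The symptom in this post is a Windows system-DLL name (netapi32.dll) repeatedly dropped into user-writable AppData\Local folders next to an executable, which is the classic shape of DLL search-order hijacking. The following is an added defender-side example, not code from the thread or from any tool mentioned in it: it scans a directory listing for system-DLL names outside System32, reports any .exe siblings that could load them, and hashes a file for a VirusTotal lookup. The system-DLL list beyond netapi32.dll and the sample paths are constructed assumptions.

```python
"""Flag Windows system-DLL names found under AppData\\Local (DLL
search-order hijacking candidates). Added example; sample data constructed."""
import hashlib
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# DLLs that legitimately live in System32. netapi32.dll is the name from the
# thread; the other entries are assumptions added for illustration.
SYSTEM_DLLS = {"netapi32.dll", "version.dll", "dwmapi.dll", "cryptsp.dll"}

def is_user_writable_appdata(path: PureWindowsPath) -> bool:
    """True for paths under ...\\AppData\\Local that are not inside System32."""
    parts = [p.lower() for p in path.parts]
    return "appdata" in parts and "local" in parts and "system32" not in parts

def find_sideload_candidates(listing):
    """listing: iterable of Windows file paths as strings.
    Returns [(dll_path, [exe paths in the same directory]), ...]."""
    by_dir = defaultdict(list)
    for entry in listing:
        p = PureWindowsPath(entry)
        by_dir[str(p.parent).lower()].append(p)
    hits = []
    for files in by_dir.values():
        exes = [str(f) for f in files if f.suffix.lower() == ".exe"]
        for f in files:
            if f.name.lower() in SYSTEM_DLLS and is_user_writable_appdata(f):
                hits.append((str(f), exes))
    return hits

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a dropped file, the value VirusTotal searches on."""
    return hashlib.sha256(data).hexdigest()

def walk_tree(root):
    """Live variant: enumerate a real AppData\\Local tree for the scan above."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            yield os.path.join(dirpath, n)

# Constructed listing mirroring what the thread describes.
SAMPLE_LISTING = [
    r"C:\Users\crk\AppData\Local\Bluestacks\netapi32.dll",
    r"C:\Users\crk\AppData\Local\Bluestacks\BDSLauncher.exe",
    r"C:\Users\crk\AppData\Local\BraveSoftware\netapi32.dll",
    r"C:\Users\crk\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe",
    r"C:\Windows\System32\netapi32.dll",  # legitimate copy, must not be flagged
]

if __name__ == "__main__":
    for dll, exes in find_sideload_candidates(SAMPLE_LISTING):
        print(dll, "-> exe siblings:", exes or "none")
```

Run against `walk_tree(os.path.expandvars(r"%LOCALAPPDATA%"))` on a real machine; a hit with an .exe sibling is the pairing seen in this thread and worth submitting to the helper rather than deleting.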
 
Posted 22 February 2021 – 02:01 PM
Posted 22 February 2021 – 02:08 PM
Hello Axe0,
 
here is the code from Additions.txt
 
It seems that some of the wordings are in Korean. Hope it is okay.
Posted 23 February 2021 – 12:07 PM
Hi Crknetapi,

While analyzing your logs, I spotted entries related to software that bypass software licensing for one or more programs on your system.

Bleeping Computer does not condone software piracy. Downloading and using such software, apart from being illegal by infringing on copyrights, is a MAJOR attack vector for malware. If you use such software, it is not a question of “IF” your computer will be infected, but only “WHEN”, and by HOW MANY different variants of malware!

I would like for you to remove any and all software that you do not own, and to uninstall any software that is evading licensing requirements. Further, if the utilities are designed to evade licensing for an Operating System (OS), you will need to obtain a legitimate product key. If you are not aware of these program(s), then you will have to accept that, as a part of my “fix” for your computer, the disinfection scripts and utilities will remove/disable any, and all, such software, tasks, etc., designed to evade legal software licensing requirements detected in the scan logs. Some of the anti-malware tools that I use will automatically quarantine software “cracks”, without notice, so if you are not willing to take the chance of one or more “cracked” programs being disabled, please let me know right away.

—–

I also noticed qBittorrent is installed.
– Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
– They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
– Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
– The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected.
I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If the removal of software bypassing software licensing and the removal of or not using qBittorrent while cleaning your computer is not acceptable to you, then please let me know so this thread can be concluded.

===============================================

In your next post
In your next post, please include the following.

  • Is the removal of software evading software licensing acceptable?
  • Is the removal of or not using qBittorrent while cleaning your computer acceptable?

Posted 23 February 2021 – 04:45 PM
Hi Axe0,
 
Yeah I don’t mind removing them! I haven’t used torrent in a long time. 
 
I’ve been busy with school and the only pirated program I use nowadays is Microsoft Word. I found an alternative to that – LibreOffice. So I will be uninstalling the Office.
 
And yes, Windows 10 of this computer has been activated by AutoKMS(?). I can get student version of Windows 10 and activate through that, but I do not know how to get rid of the AutoKMS that I originally installed. 
 
Some of the games are pirated, but the games I liked, I bought them after and installed them. For example, I found the old pirated version of Grim Dawn and the Steam-installed Grim Dawn on my computer. I deleted the pirated one. 
 
I don’t play anything other than Path of Exile anyways, so I will get to deleting them. 
Posted 25 February 2021 – 03:04 PM
Posted 25 February 2021 – 05:23 PM
Hello,
 
Here is the Search.txt !
Posted 26 February 2021 – 02:14 PM
Posted 26 February 2021 – 08:51 PM
Hello,
 
Kaspersky keeps deleting the netapi32.dll, so I restored the dll file and ran the fix.
 
Fixlog.txt:
Posted 27 February 2021 – 01:24 PM
Posted 01 March 2021 – 12:00 AM
Hello, 
 
I’ve been busy studying and could not reply yesterday. Sorry!
 
Anyways I have disabled the File Anti-Virus from Kaspersky and tried the fix again. 
 
I got curious about the VirusTotal result and holy smokes, those are a lot of warning signs…
 
Also, on a side note, I said previously that BDSLauncher.exe is created together with netapi32.dll, like in this screenshot:
[screenshot: BDSLauncher.exe and netapi32.dll created in the same folder]
 
 
After I turned off File Anti-Virus function of Kaspersky, this BDSLauncher is trying to do something funky. 
[screenshot: Kaspersky System Watcher blocking BDSLauncher.exe actions]
The actions were blocked by the System Watcher of Kaspersky.
 
I think it is also trying to download something as Web Anti-Virus function of Kaspersky denied the download:
[screenshot: Kaspersky Web Anti-Virus blocking a download]
 
Anyways, thank you for the help!!
Posted 01 March 2021 – 02:15 PM
Posted 02 March 2021 – 01:39 PM
Hello,
 
I turned on the File Anti-Virus again to see if it detects the file recreation and unfortunately BDSLauncher and netapi32.dll are still being recreated :(
 
[screenshot: Kaspersky warning]
Also, I have been getting these warnings. Kaspersky does not seem to know which file is causing this.
 
I tried the “Disinfect and restart the computer” option, but it didn’t work, as the warning still pops up once in a while. 
 
I ran a virustotal of BDSLauncher just in case: https://www.virustotal.com/gui/file/4cc358f5714e953afe6c5b12f07504e4f1493f5442aa61eaf7f9986bbd21188b/detection 
 
Thank you. 
Posted 03 March 2021 – 12:57 PM
Hi Crknetapi,
 
Thanks for the fixlog.
 
It is unfortunate to hear the files are still being recreated. Please post new FRST logs so I can have a look at the exact changes.
 
———————————————-

Fresh FRST logs

  • Right-click FRST64.exe, then click “Run as administrator”.
  • Press the Scan button.
  • When finished, it will produce two logs, FRST.txt and Addition.txt, in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply. Due to the size of the logs, you might need to copy and paste the content of FRST.txt into one post, and copy and paste the content of Addition.txt into another post.

 
===============================================

In your next post
In your next post, please include the following. Make sure to copy and paste any requested logs unless asked to attach it.

  • Content of FRST.txt
  • Content of Addition.txt

Posted 03 March 2021 – 09:53 PM
Hello,
 
I hope it is okay attaching the files. The thread has been laggy for me due to the long blocks of text. :o 