[CLOSED] Panda cannot remove files from Windows directory. Maybe FP?

Post by liubomirwm » Mon, 07 Mar 2016, 01:31

Hello, I have installed Panda Free Antivirus today. Previously I had Qihoo 360 TS installed. When I installed it the online installer said that it couldn't install it (strangely why Panda was up and running) but I followed the advice and ran a repair with the offline installer. Rebooted the PC, everything fine. Then I ran a Critical areas scan and it found 3 items which it could not neutralize. The items are C:\Windows\SysWow64\dnsapi.dll

Post by PhilVancWA » Mon, 07 Mar 2016, 04:24

I get several error messages because Panda 16.0.2 with AV updates as of 3/6/2016 18:06 Pacific Time on Win 10 (insider preview) build 14279 treats DNSAPI.dll as a trojan. This causes most things accessing the internet to fail. By excluding this file in both system32 and SysWOW64 everything seems happy. This is definitely a false positive since the dnsapi.dll bits just came from Microsoft and the certificate is correct.

I first saw errors from PSUAMain.exe - Bad Image with C:\WINDOWS\SYSTEM32\DNSAPI.dll error code 0xc0000045.
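
Added example, not part of any post in this thread: a PowerShell check of the Authenticode signature and SHA-256 hash of both dnsapi.dll copies, the evidence the posters rely on before excluding the file or reporting a false positive. The `LooksGenuine` field and the signer pattern it matches are assumptions of this example, not something the thread specifies.

```powershell
# Added example (not from the thread). Run from a 64-bit PowerShell session:
# a 32-bit session silently redirects System32 to SysWOW64.
$targets = @(
    (Join-Path $env:WINDIR 'System32\dnsapi.dll'),
    (Join-Path $env:WINDIR 'SysWOW64\dnsapi.dll')   # exists on 64-bit Windows only
)

$report = foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        Write-Warning "Not found: $path"
        continue
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $cert   = $sig.SignerCertificate
    $signer = if ($cert) { $cert.Subject } else { '<no signer certificate>' }

    # Assumption: a genuine copy validates and names Microsoft Corporation as the
    # signing organisation. Adjust the pattern if your build is signed differently.
    $looksGenuine = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path         = $path
        Status       = $sig.Status
        Signer       = $signer
        FileVersion  = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        SHA256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        LooksGenuine = $looksGenuine
    }
}

$report | Format-List

# Exclude or report as a false positive only the copies that validated; a copy
# that fails here should be investigated, not whitelisted.
$suspect = @($report | Where-Object { -not $_.LooksGenuine })
if ($suspect.Count -gt 0) {
    Write-Warning ("Signature check failed for: " + ($suspect.Path -join ', '))
}
```

The SHA-256 value is what to quote when submitting the file to a vendor lab, and an exclusion scoped to the two full paths is narrower than one on the file name alone.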

Post by FromAporiaToEpoche » Mon, 07 Mar 2016, 08:45

I'm getting this same alert, as well, this morning. Windows 10 Pro Insider Preview, build 14271.rs_release.160218-2310.

I had just updated the machine last Friday and shut it down. This is the first time I've booted it since. Now Firefox crashes at start (every time), Chrome returns DNS_PROBE_FINISHED_NXDOMAIN for all attempts to browse, Internet Explorer returns a generic "This page can't be displayed" error. Only Edge appears to operate normally.

I have attached (in a 7z archive) my Application and System errors from Event Viewer from the last hour (it has been less than that since I booted and first encountered this issue).

One of the errors says that Build 14279 failed to install.

edit: For reference, here is my VirusTotal scan on that file: https://www.virustotal.com/en/file/26ab ... 457331289/
Attachment: logs.7z (4.73 KiB)

Post by FromAporiaToEpoche » Mon, 07 Mar 2016, 08:53

liubomirwm, are you also running Windows 10 Insider Preview Build 14271 or 14279? If so, that's all three of us so far.

Post by jrpaulson » Mon, 07 Mar 2016, 15:00

I am running Windows 10 14279.rs1_release.160229-1700 and Panda has identified dnsapi.dll as a Trojan, also.
I rolled back to the last release of Windows 10 and dnsapi.dll was ok. Overnight Windows 10 upgraded itself, again, and this morning I am back with the trojan dnsapi.dll.

Post by liubomirwm » Mon, 07 Mar 2016, 18:53

Haha, nope, I'm on 14267.rs1... (I'm switching to slow and waiting for a new slow build so I guess I'll stay some time with that one) I also checked it on VirusTotal, only Panda and Rising detect it and it has a valid signature. FP. I am sending the file to the virus lab as a FP now. :idea:

BTW it's good that it failed at quarantining/deleting it, I can only guess what would've happened if it succeeded. :lol:

Post by GoneToPlaid » Wed, 09 Mar 2016, 08:19

What a coincidence. On Friday, March 4th I was fiddling around in BIOS on my old XP machine. I changed the way hard drives are detected from IDE to ACPI and then booted. That screwed up Win XP. So this morning and after trying all weekend to resolve the issues via System Restore and/or registry hacks to force new hardware detection, this morning I resorted to restoring a backup from December. That fixed everything, or so I thought. Today (March 7) no matter what Firefox hangs for three or so minutes whenever I go to a different URL. It turns out that it really is Panda which is hanging since EVERYTHING is hung (including the systray clock) during these three or so minutes. The other side effect is that the drive C NTFS volume gets corrupted and must be repaired on the next reboot. ESENT shows up in the Windows event logs, but not always. Everything works fine on my restored system EXCEPT when I open Firefox and try to go to any other URL other than the first URL (the home page). So it looks like (for the time being) I will have to exclude dnsapi.dll in Panda.

Also note that Mozilla recently has had issues with their most recent updates. I updated my Firefox to the latest 45 after restoring my XP system. See this Firefox connectivity issue which is related to Firefox 43 and nVidia drivers:

https://support.mozilla.org/en-US/kb/co ... :win7:fx45

If you look at the above URL, the trailing :fx45 would seem to imply that this issue still persists with Firefox 45. I don't know if this is related.

Post by GoneToPlaid » Wed, 09 Mar 2016, 08:56

Alrighty. I excluded DNSAPI.DLL in System32 on my XP machine, but still noted some slowdown in Firefox. As soon as I turned off Behavioral Blocking in Panda, then Firefox once again became as fast and responsive as what I am normally used to. This was merely some simple and quick tests by going to a few web sites which I know are safe. Thus it would appear that Behavioral Blocking has priority over exclusions when one would think that it should be the other way around. Anyway, I hope that Panda gets the FP for DNSAPI.DLL fixed quickly. Or perhaps the real issue is within either the Behavioral Blocking or Behavioral Analysis engines.

Post by VirusBuster » Thu, 10 Mar 2016, 17:01

Can you provide a password compressed copy of the wrongly detected dnsapi.dll file?

GoneToPlaid wrote: I was fiddling around in BIOS on my old XP machine. I changed the way hard drives are detected from IDE to ACPI and then booted. That screwed up Win XP.

I guess you mean AHCI instead of ACPI, right?
I also had this problem in my home machine and it's related with the disk mode when the Windows installation is done. If you change from IDE to AHCI or vice versa after having installed Windows, you'll get BSODs.
You must change from 3 to 0 the start key for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msahci before changing to AHCI in BIOS.
Regards,
Jorge Torre
TechSupport Department - Panda Security

I don't reply to private messages unless I have previously requested them

Post by VirusBuster » Thu, 24 Mar 2016, 11:26

Topic closed due to lack of response
TOPIC CLOSED
Regards,
Jorge Torre
TechSupport Department - Panda Security
