dnsapi.dll False Alarm?

  • 11 December 2015
  • 19 replies
  • 171 views

I typed this out once and got an error, so I'm going to keep it brief and informative.
 
I was playing Killing Floor 2 through Steam, using TeamSpeak, and streaming to YouTube through OBS. Mid game, I had a threat pop up for the dnsapi.dll. I quarantined and removed it (C:\Windows\System32 and another amd64_windows-dns-client spot). When I restarted, I had no internet, and couldn't open TeamSpeak or anything because of the missing DLL. I went into safe mode, restored it using a cmd prompt and "sfc /scannow". It restored the files, but another virus scan immediately afterwards showed them as threats again. I didn't find anything weird in the registry and no host IPs were found connecting to me in the Drivers/etc/hosts.txt.
 
Is this a false positive? Or do I have a real intrusion?

19 replies

It's a false positive.
 
We're also affected this morning. As a managed service provider with over 4000 managed Webroot endpoints, we were LUCKY to catch this before it affected everyone.
 
We have over 200 machines that are effectively DEAD this morning.
200 computers had the same error, but actually were hacked?? That's unfortunate.. 😞
No, nothing was hacked.
 
Not sure if this is the information you've been given, but for us we've done some investigation and no intrusions occurred - the file was simply quarantined likely due to a recent update on the WR side.
 
I can't believe only two of us are talking about it if I'm honest! .....
Userlevel 1
We are having the same issue this morning.  We have 5000 devices we manage and this has to be the worst AV goof we've seen. NOT GOOD WEBROOT.
The same, but we are lucky that only one desktop has that problem.  And this computer lost network connectivity and we can't remotely repair it. 😞
Userlevel 1
Here are the instructions from Webroot after we opened a ticket:
REPLY RECEIVED FROM WEBROOT SUPPORT:
  Hello,

Thank you for bringing this to our attention.
We have examined the file and found that the file was incorrectly blocked due to a false positive.
We have updated our back end database to address this issue. To restore a file from Quarantine, follow these steps:

1.   Log in to your Admin Console.
2.   Go into Endpoint Protection and select the "Reports" tab.
3.   Select "All Threats Seen" as the report type.
4.   Locate the files you wish to restore and select them.
5.   Along the top row, select "Restore From Quarantine".

Now that this change has been applied, please send the "Scan" agent command from the management console, followed by the "Reverify all files and processes" command to all the affected endpoints. If you would like to expedite the process, go to the machine locally and right-click on the Webroot system tray icon. Select "Refresh Configuration" and click "OK". This will force a polling interval and send the two commands.

If the machines are experiencing network connectivity issues, please perform the following on the machines locally in Safe Mode with Networking:
1. Shut down Webroot from the system tray icon. (If you do not have this option, you can change it from Advanced Settings.)
2. Locate the (hidden) Program Data folder ( %ProgramData%).
3. Locate the WRData folder and rename it.
4. In the DOS Command Prompt window type in the following command exactly as it appears and then press Enter:
  Run sfc /scanfile=c:\windows\system32\dnsapi.dll

If that fails try: sfc /scannow
5. Reboot your machine.
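A defender-side check that goes with the restore procedure above, added here as an example; it is not from the thread or from Webroot support. It tests whether dnsapi.dll is present and carries a valid Microsoft signature, compares it with the component-store copy under WinSxS (the "amd64_...dns-client" folder mentioned earlier in the thread), and only falls back to the same sfc commands support gave. It assumes an elevated PowerShell on Windows 8 or later, where Get-AuthenticodeSignature validates catalog-signed system files.

```powershell
# Added example, not part of the thread or Webroot's instructions.
# Run from an elevated PowerShell prompt: sfc needs administrator rights.
# Assumption: Windows 8+ so Get-AuthenticodeSignature validates catalog-signed files.

$dll = Join-Path $env:windir 'System32\dnsapi.dll'

# Report whether the live DLL exists and is a validly signed Microsoft binary.
function Test-DnsApiDll {
    param([string]$Path = $dll)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Present = $false; Signed = $false; Hash = $null; Note = 'missing (quarantined?)' }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $ok   = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
    return [pscustomobject]@{ Present = $true; Signed = $ok; Hash = $hash; Note = $sig.StatusMessage }
}

# Compare the live file's hash with every copy in the component store.
# A store copy that matches means the live file is the OS-shipped build;
# no match at all is the case that deserves a closer look.
function Compare-WithWinSxS {
    param([string]$Path = $dll)
    $live = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Get-ChildItem -Path (Join-Path $env:windir 'WinSxS') -Recurse -Filter 'dnsapi.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Store   = $_.DirectoryName
                Matches = ((Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash -eq $live)
            }
        }
}

$state = Test-DnsApiDll
$state | Format-List

if (-not $state.Present -or -not $state.Signed) {
    # Same repair support recommended: the single file first, full scan if that is not enough.
    & "$env:windir\System32\sfc.exe" "/scanfile=$dll"
    if (-not (Test-DnsApiDll).Signed) { & "$env:windir\System32\sfc.exe" /scannow }
} else {
    Compare-WithWinSxS | Format-Table -AutoSize
}
```

Run it from a 64-bit PowerShell on 64-bit Windows, otherwise the System32 path is redirected to SysWOW64 and the wrong copy is checked.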

Userlevel 1
Some machines' DNS gets broken with browsing, so Webroot support has sent us this link:
 
http://www.filedropper.com/fix-dns_1
 
File needs to be run in safe mode.
Why share a file via filedropper? Is it safe? What are the results? Anybody?
Userlevel 1
The DNS fix doesn't fix the broken IE issue.  You have to run a full sfc /scannow, it looks like.
Userlevel 1
If you open the file you'll notice it's their app they wrote this morning to undo, I think, some of the damage caused.
This is some serious BS. I've been up all night trying to fix this. This is a time where knowing how to use a computer well would have been useful. Then I would have actually known what I deleted. Needless to say I uninstalled their product.
Userlevel 7
Hi All
 
Have been following this thread with interest, and from the little bit of research I have been doing this seems to be a relatively recent development where malware (in the cases I have read it was Shopperz, a well known browser hijack) alters 'dnsapi.dll'.
 
What has been posted previously in relation to sorting this out using SFC, etc. would seem to be the consensus approach to resolving the issue, but in case some feel that running the usual & full sfc /scannow procedure takes too long, if one is confident about the focus of the issue then one could just replace the 'dnsapi' DLL only.
 
Having said that, the general recommendation is that one runs the full SFC procedure (in an elevated Command Prompt) since the malware apparently does not limit itself to the more general locations where the 'dnsapi' DLL usually resides.
 
Regards, Baldrick
Userlevel 2
Luckily only two systems affected on Friday night's scan.  Cost me 4 hours of engineer time @ 50 per hour.  $200 cold hard cash gone.  WebRoot, please be more careful.  This was a Windows update.  Webroot quarantined the file, and absolutely no way to restore from the local console.
 
I think this is the bigger issue:  We need to be able to operate on computers without the internet, because as you can clearly see, you cannot restore from quarantine unless the PC has access to the internet.

Webroot?  Is there any way to restore a file from quarantine without having the machine online to do it?  Any command line prompt or Gui available?  If not, there needs to be some way to look at WR activity and restore locally.
Rickkee
This false positive affected my 1 Webroot host and has been very painful.  Following mikestro's steps I ended up running a full sfc /scannow, which superficially restored my net connectivity.  But then today I had a short Internet outage (cable modem/ISP), and now my PC's Internet connectivity is going in and out.  I realize that sounds like a tenuous connection, but a laptop on the same network (not running Webroot) has been fine since the outage, whereas my Webroot PC's connection is extremely flaky.  I've rebooted several times.
 
It's not clear to me what caused what here between (chronologically):
1. Webroot's false-positive removal of dnsapi.dll yesterday,
2. my run of sfc /scannow yesterday,
3. my modem/ISP outage today, and
4. my Webroot PC's flaky wireless connection since the outage.
The outage was unusual but does happen occasionally; the flaky wifi is unprecedented for that PC.
 
I also run LogMeIn (remote connection tool) on this PC, which could be a factor somehow.  But the wifi is going in and out even when I disable LogMeIn.
 
Unfortunately the bottom line for me is that the PC is now unusable whereas the laptop, running Norton, has been fine through this, and I've never had a problem like this in several years of running Norton on it.
Userlevel 7
Badge +62
Hi jacob-eliosoff,
 
Welcome to the Webroot Community,
 
I am sorry to hear about the issues you are experiencing. Would you please Submit a Support Ticket so that they can check this out? This is a free service with an active Webroot subscription.
 
Support Number: 1-866-612-4227
Support Ticket: https://detail.webrootanywhere.com/servicewelcome.asp
 
I would advise creating a ticket first so they can gather logs and determine if a callback is necessary to resolve this for you.
 
 
Thanks!
 
Sherry, thanks for the reply.  The latest is that after a(nother) restart of my cable modem & wireless router, my Webroot-installed PC's connection now seems fine.  So although it makes me uneasy, I'm going to chalk up the Webroot-caused network failure and the modem/ISP outage within 24 hrs to pure coincidence, at least until the outage recurs.  That is, for now it seems that sfc /scannow did properly fix my connectivity, and my router had just gotten into a bad state.
 
I'll write again if the problem does recur.  Thanks for checking.  (And please I hope someone at Webroot is working on avoiding similar false positives in the future.)
I am getting this problem (DNSAPI.DLL) error across my agents today.  Is this problem raising its ugly head!  This appears to be after installing Windows update KB3199209
Hi DeePee,
 
I'm not having any issues after that update today (KB3199209).
 
Please submit a trouble ticket so that support can look into this for you. Or you can call Support Number: 1-866-612-4227.
 
Thanks,
BD
Userlevel 7
Hi deepee
 
Welcome to the Community Forums.
 
In case you have not noticed yet this has been responded to in the other thread that you posted in HERE.
 
Regards, Baldrick