Thread: https://www.neowin.net/forum/topic/1343168-having-difficulty-removing-dns-changer-malware/

Mockingbird
Posted September 23, 2017 (edited)

My Windows 10 install has become infected with DNS Changer malware. I have identified the locations of the malware as follows:

C:\Windows\System32\drivers\msidntfs.sys
C:\Users\Sean\AppData\local\winjmqi\imeazsu.exe
C:\Users\Sean\AppData\local\winjmqi\winjmqi.exe
C:\Users\Sean\AppData\local\winjmqi\ <-- everything else in that folder

The problem is that I have not been able to remove them. Every time, I get a permission error. I even tried applications that claim to be able to delete undeletable files by deleting them during boot. Any ideas?
goretsky (Supervisor)
Posted September 23, 2017

Hello,

Does your anti-malware software vendor offer a bootable version on a CD/DVD/USB? If so, try booting from that and then removing the malware.

Regards,
Aryeh Goretsky
Mockingbird (Author)
Posted September 23, 2017

2 minutes ago, goretsky said:
> Hello, Does your anti-malware software vendor offer a bootable version on a CD/DVD/USB? If so, try booting from that and then removing the malware. Regards, Aryeh Goretsky

I used a Linux live CD to delete them. Unfortunately, msidntfs.sys keeps coming back.
Anibal P
Posted September 23, 2017

My default solution for this is a fast format and reinstall of Windows. You can chase it for days and maybe remove it, or you can do the sane thing and just nuke the install.
BudMan (MVC)
Posted September 23, 2017

1 minute ago, Anibal P said:
> or you can do the sane thing and just nuke the install

Agreed. This is almost always the faster, better solution. And the only way to be 100% sure.
goretsky (Supervisor)
Posted September 24, 2017

Hello,

Have you tried uploading the msidntfs.sys file and its companions to Google's VirusTotal to see if any of the five dozen anti-malware engines there detect them?

Regards,
Aryeh Goretsky
sc302 (Veteran)
Posted September 24, 2017

Ideas, other than nuke:

Hitman Pro
Malwarebytes
ESET Online Scanner

If all else fails, wipe and rebuild.
Mockingbird (Author)
Posted September 24, 2017

23 hours ago, Anibal P said:
> My default solution for this is a fast format and reinstall of Windows. You can chase it for days and maybe remove it, or you can do the sane thing and just nuke the install.

I am definitely thinking about this.

3 hours ago, goretsky said:
> Hello, Have you tried uploading the msidntfs.sys file and its companions to Google's VirusTotal to see if any of the five dozen anti-malware engines there detect them? Regards, Aryeh Goretsky

Yes. Rootkit/SmartService

1 hour ago, sc302 said:
> Ideas, other than nuke: Hitman Pro, Malwarebytes, ESET Online Scanner. If all else fails, wipe and rebuild.

The malware blocks any anti-malware and anti-virus from starting. Even Malwarebytes Anti-Rootkit and RKill are blocked.
sc302 (Veteran)
Posted September 24, 2017

Then it has to be repaired with an offline scanner. You can try ComboFix, as that usually kills rootkits online, but it may not work. It has been years since I have had to deal with this. Usually ComboFix worked, and if it didn't, Hitman Pro worked. It was rare when I had to do an offline scan.
Mockingbird (Author)
Posted September 24, 2017

24 minutes ago, sc302 said:
> Then it has to be repaired with an offline scanner. You can try ComboFix, as that usually kills rootkits online, but it may not work. It has been years since I have had to deal with this. Usually ComboFix worked, and if it didn't, Hitman Pro worked. It was rare when I had to do an offline scan.

ComboFix can't find anything and Hitman Pro is blocked. I followed this guide, but Malwarebytes Anti-Rootkit and RKill are blocked:
https://www.bleepingcomputer.com/virus-removal/remove-tprdpw32.exe-and-smartservice-rootkit
sc302 (Veteran)
Posted September 24, 2017

Gotta do it offline. You cannot clean online. Options are to scan with another computer, by taking the drive out and putting it in another computer as a secondary drive, or using one of the many offline tools/utilities to scan with. Unfortunately data is limited where I am at, or I would post a few. But one off the top of my head is the Microsoft offline anti-malware scanner, or Windows Defender Offline. If you can get into safe mode, sometimes scanners will run there. ComboFix may have to be run as administrator/with elevated privileges.
adrynalyne
Posted September 24, 2017

Food for thought: a format and reinstall could have been done already in less time than this thread has existed. I wouldn't trust a compromised machine even if manually cleaned.
BudMan (MVC)
Posted September 24, 2017

The time between the OP and their 2nd post would have been enough time to reimage the machine multiple times.
Mockingbird (Author)
Posted September 24, 2017

2 hours ago, adrynalyne said:
> Food for thought: a format and reinstall could have been done already in less time than this thread has existed. I wouldn't trust a compromised machine even if manually cleaned.

1 hour ago, BudMan said:
> The time between the OP and their 2nd post would have been enough time to reimage the machine multiple times.

That doesn't consider the time it takes to back up files.
Mindovermaster (Global Moderator)
Posted September 24, 2017

It takes 3 days to back up everything?
sc302 (Veteran)
Posted September 24, 2017

You could back up everything utilizing robocopy for your files. If you use the log option you can see what it doesn't copy. It is an automated process you don't have to babysit if it takes hours.

Reinstalling Windows, if you took a backup image between install and now, "usually" doesn't take more than 20 minutes to apply the image, then copy your data back. How long of your time will it take to have a working system again? 30 minutes maybe of thought process, a few hours for the entire backup and restore to complete. Unless you have 10s of TBs on your system, it should be fairly quick.

Even if you were installing Windows from scratch, you can complete that within an 8 hour period... 3 if you prep properly. Within 1 if you have an image to revert to.
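One way to run the logged robocopy data backup sc302 describes, as an added example that is not from the thread or from any poster: it copies user data only, so code that could re-seed the infection stays behind, and then reads the log back to list what was not copied. The source and destination paths, the excluded file types and the AppData exclusion are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): back up only user data files from a
# suspect Windows install with robocopy, write a log, and list what was not
# copied. Source/destination paths and the exclusion lists are assumptions.
param(
    [string]$Source      = 'C:\Users\Sean',           # assumed profile to save
    [string]$Destination = 'E:\Backup\Sean-data',     # assumed external drive
    [string]$LogFile     = 'E:\Backup\robocopy-sean.log'
)

# Carry off data, not code: skipping executable and script types means the
# backup cannot re-seed the infection when it is copied back. AppData is
# skipped too, since that is where the sample in this thread lives.
$excludeFiles = @('*.exe', '*.dll', '*.sys', '*.scr', '*.lnk', '*.bat',
                  '*.cmd', '*.ps1', '*.vbs', '*.js')
$excludeDirs  = @((Join-Path $Source 'AppData'))

$rcArgs = @($Source, $Destination,
    '/E',           # recurse, including empty directories
    '/COPY:DAT',    # file data, attributes, timestamps; leave ACLs behind
    '/DCOPY:T',     # keep directory timestamps
    '/R:1', '/W:1', # one retry, one second wait: do not stall on locked files
    '/XJ',          # do not follow junction points (avoids loops in profiles)
    '/XF') + $excludeFiles + @('/XD') + $excludeDirs +
    @("/LOG:$LogFile", '/TEE', '/NP')

& robocopy.exe @rcArgs
$rc = $LASTEXITCODE

# robocopy's exit code is a bitmask: bit 8 = some files failed to copy,
# bit 16 = fatal error. Values 0-7 are a successful run.
if ($rc -band 24) {
    Write-Warning "robocopy reported copy failures (exit code $rc); check $LogFile"
} else {
    Write-Host "robocopy finished without copy errors (exit code $rc)"
}

# Pull the per-file error lines out of the log for manual review.
$failed = Select-String -Path $LogFile -Pattern 'ERROR \d+ \(0x[0-9A-Fa-f]+\)'
if ($failed) {
    Write-Host 'Items robocopy could not copy:'
    $failed | ForEach-Object { $_.Line.Trim() }
}
```

Run it from an elevated PowerShell on the suspect machine (or from another machine with the drive attached as a secondary disk, as sc302 suggests later), then scan the destination with a clean engine before restoring anything.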
adrynalyne
Posted September 24, 2017

1 hour ago, Mockingbird said:
> That doesn't consider the time it takes to back up files.

Sure it does.
BudMan (MVC)
Posted September 24, 2017

If you're backing up your files "after" you get hit with some nasty, you're doing it wrong. How would that help you if you got hit with ransomware, and not just a pesky DNS changer? If I re-imaged my machine this second, the only thing I would lose is that "you're doing it wrong" image I just downloaded.
Mockingbird (Author)
Posted September 24, 2017 (edited)

3 minutes ago, BudMan said:
> If you're backing up your files "after" you get hit with some nasty, you're doing it wrong. How would that help you if you got hit with ransomware, and not just a pesky DNS changer? If I re-imaged my machine this second, the only thing I would lose is that "you're doing it wrong" image I just downloaded.

I already have a backup of the whole drive, but it's infected.
BudMan (MVC)
Posted September 24, 2017

42 minutes ago, Mockingbird said:
> I already have a backup of the whole drive, but it's infected.

So again, you're "doing it wrong". Go to your previous backup, or the one before that. How are you "backing up" your stuff?
Mockingbird (Author)
Posted September 24, 2017

17 minutes ago, BudMan said:
> So again, you're "doing it wrong". Go to your previous backup, or the one before that. How are you "backing up" your stuff?

Basically, I make an image of the hard drive and put it on an external hard drive. I intended it to address the issue of possible hard drive failures.
CrashG
Posted September 24, 2017

https://www.malwarebytes.com/chameleon/

or restore a clean backup image
Mockingbird (Author)
Posted September 24, 2017

1 hour ago, CrashGordon said:
> https://www.malwarebytes.com/chameleon/ or restore a clean backup image

Chameleon got Malwarebytes running!
goretsky (Supervisor)
Posted September 25, 2017

Hello,

Can you share the URL of the VirusTotal sample upload?

Regards,
Aryeh Goretsky
BudMan (MVC)
Posted September 25, 2017

13 hours ago, Mockingbird said:
> Basically, I make an image of the hard drive and put it on an external hard drive.

So you have only one of these, and you overwrite it how often? What are you using for the image? Can you not just open the image and grab files off of it directly, vs. having to restore the whole thing?

You really should have multiple images: say your daily images, your weekly image, your monthly image, etc. This is a typical backup rotation. If you cannot mount your image to pull off files, then you might want to look into something that just backs up your files. Software can always be reinstalled. All you really need are your "files", stuff you created: pictures, videos, etc. Stuff that cannot be replaced or duplicated. Everything else can just be redone in a worst-case deal. You lose your bookmarks: not going to be the end of the world. You lose video of your kid's 1st birthday party: that is kind of a big deal.

If you take anything away from this problem, it should be that you should get your backup system in order, so that at the drop of a hat your system could be restored without any sort of loss that would be of concern.