Having difficulty removing DNS Changer malware

Mockingbird    2,052

My Windows 10 install has become infected with a DNS Changer malware.

I have identified the locations of the malware as follows:

C:\Windows\System32\drivers\msidntfs.sys
C:\Users\Sean\AppData\local\winjmqi\imeazsu.exe
C:\Users\Sean\AppData\local\winjmqi\winjmqi.exe
C:\Users\Sean\AppData\local\winjmqi\   <-- everything else in that folder

The problem is that I have not been able to remove them.

Every time, I get a permission error.

I even tried applications that claim to be able to delete undeletable files by deleting them during booting.

Any ideas?

+goretsky    676

Hello,

Does your anti-malware software vendor offer a bootable version on a CD/DVD/USB? If so, try booting from that and then removing the malware.

Regards,

Aryeh Goretsky

Mockingbird    2,052
2 minutes ago, goretsky said:

Hello,

Does your anti-malware software vendor offer a bootable version on a CD/DVD/USB? If so, try booting from that and then removing the malware.

Regards,

Aryeh Goretsky

I used a Linux live CD to delete them.

Unfortunately, msidntfs.sys keeps coming back.

Anibal P    2,012

My default solution for this is a fast format and reinstall of Windows.

You can chase it for days and maybe remove it, or you can do the sane thing and just nuke the install.

+BudMan    2,892
1 minute ago, Anibal P said:

or you can do the sane thing and just nuke the install

Agreed. This is almost always the faster, better solution. And the only way to be 100% sure.

+goretsky    676

Hello,

Have you tried uploading the msidntfs.sys file and its companions to Google's VirusTotal to see if any of the five dozen anti-malware engines there detect them?

Regards,

Aryeh Goretsky

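The files listed in the first post and the VirusTotal suggestion above, as an added example that is not from any poster in this thread: a PowerShell snippet that records each file's SHA-256 (VirusTotal can be searched by hash, so nothing has to be uploaded) and looks for the kernel service entry that loads msidntfs.sys, which is the usual reason a deleted driver file reappears. The paths are the ones from the first post; running it from an elevated prompt on the infected machine is assumed.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on
# the infected machine (assumed). Two defender-side checks:
#  1. SHA-256 of each file named in the first post, for a VirusTotal hash search
#  2. which service entry loads msidntfs.sys, since a driver file that returns
#     after deletion is normally being re-registered from such an entry
$Paths = @(
    'C:\Windows\System32\drivers\msidntfs.sys',
    'C:\Users\Sean\AppData\local\winjmqi\imeazsu.exe',
    'C:\Users\Sean\AppData\local\winjmqi\winjmqi.exe'
)
$DriverName = 'msidntfs.sys'

function Get-SampleHashes {
    # Missing files are reported rather than treated as fatal.
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256
            [pscustomobject]@{ Path = $p; SHA256 = $h.Hash }
        } else {
            [pscustomobject]@{ Path = $p; SHA256 = 'MISSING' }
        }
    }
}

function Find-DriverService {
    # Walk HKLM\SYSTEM\CurrentControlSet\Services and report entries whose
    # ImagePath names the driver. Start 0 or 1 means it loads at boot/system init.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($v.ImagePath -and $v.ImagePath -match [regex]::Escape($DriverName)) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $v.ImagePath
                Start     = $v.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Type      = $v.Type    # 1 = kernel driver
            }
        }
    }
}

Get-SampleHashes | Format-Table -AutoSize
$hits = @(Find-DriverService)
if ($hits.Count -eq 0) {
    "No service entry names $DriverName (not conclusive on a live rootkit-infected system)."
} else {
    $hits | Format-Table -AutoSize
}
```

An empty service result on a live system is not proof of absence, since a kernel rootkit can hide its own keys from live queries; that is why the offline scan suggested later in the thread is the authoritative check.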
sc302    1,383

Ideas, other than nuke:

hitman pro

malwarebytes

eset online scanner

If all else fails, wipe and rebuild.

Mockingbird    2,052
23 hours ago, Anibal P said:

My default solution for this is a fast format and reinstall of Windows.

You can chase it for days and maybe remove it, or you can do the sane thing and just nuke the install.

I am definitely thinking about this.

3 hours ago, goretsky said:

Hello,

Have you tried uploading the msidntfs.sys file and its companions to Google's VirusTotal to see if any of the five dozen anti-malware engines there detect them?

Regards,

Aryeh Goretsky

Yes. Rootkit/SmartService

1 hour ago, sc302 said:

Ideas, other than nuke:

hitman pro

malwarebytes

eset online scanner

If all else fails, wipe and rebuild.

The malware blocked any anti-malware and anti-virus from starting.

Even Malwarebytes Anti-Rootkit and RKill are blocked.

sc302    1,383

Then it has to be repaired with an offline scanner.

You can try Combofix, as that usually kills rootkits online, but it may not work.

It has been years since I have had to deal with this. Usually Combofix worked and if it didn't, Hitman Pro worked. It was rare when I had to do an offline scan.

Mockingbird    2,052
24 minutes ago, sc302 said:

Then it has to be repaired with an offline scanner.

You can try Combofix, as that usually kills rootkits online, but it may not work.

It has been years since I have had to deal with this. Usually Combofix worked and if it didn't, Hitman Pro worked. It was rare when I had to do an offline scan.

Combofix can't find anything and Hitman Pro is blocked.

I followed this guide, but Malwarebytes Anti-Rootkit and RKill are blocked:

https://www.bleepingcomputer.com/virus-removal/remove-tprdpw32.exe-and-smartservice-rootkit

sc302    1,383

Gotta do it offline. You cannot clean online. Options are to scan with another computer, by taking the drive out and putting it in another computer as a secondary drive, or using one of the many offline tools/utilities to scan with.

Unfortunately data is limited where I am at or I would post a few. But one off the top of my head is Microsoft's offline anti-malware scanner, or Windows Defender Offline.

If you can get into safe mode, sometimes scanners will run there. Combofix may have to be run as administrator/elevated privileges.

adrynalyne    7,861

Food for thought: a format and reinstall could have been done already in less time than this thread has existed ;)

I wouldn't trust a compromised machine even if manually cleaned.

+BudMan    2,892

The time between the OP and their 2nd post would have been enough time to reimage the machine multiple times ;)

Mockingbird    2,052
2 hours ago, adrynalyne said:

Food for thought: a format and reinstall could have been done already in less time than this thread has existed ;)

I wouldn't trust a compromised machine even if manually cleaned.

1 hour ago, BudMan said:

The time between the OP and their 2nd post would have been enough time to reimage the machine multiple times ;)

That doesn't consider the time it takes to back up files.

Mindovermaster    888

It takes 3 days to back up everything?

sc302    1,383

You could back up everything utilizing robocopy for your files. If you use the log option you can see what it doesn't copy. It is an automated process you don't have to babysit if it takes hours.

Reinstalling Windows, if you took a backup image between install and now, "usually" doesn't take more than 20 minutes to apply the image, then copy your data back. How long of your time will it take to have a working system again? 30 minutes maybe of thought process, a few hours for the entire backup and restore to complete. Unless you have 10s of TBs on your system, it should be fairly quick.

Even if you were installing Windows from scratch, you can complete that within an 8 hour period... 3 if you prep properly. Within 1 if you have an image to revert to.

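The robocopy-with-log backup described above, as an added example that is not sc302's own command: it copies a few user data folders to an external drive, appends everything to one log, and then pulls the items robocopy could not copy out of that log. The source, destination, log path and folder list are assumptions for the example.

```powershell
# Added example, not from the thread. Copies user data folders to an external
# drive with robocopy, appends everything to one log, then lists what robocopy
# could not copy. Source/destination/log paths and the folder list are assumed.
$Source  = 'C:\Users\Sean'
$Dest    = 'E:\Backup\Sean'
$Log     = 'E:\Backup\robocopy-Sean.log'
$Folders = 'Documents', 'Pictures', 'Videos', 'Desktop'

foreach ($f in $Folders) {
    # /E        subfolders, including empty ones
    # /COPY:DAT data, attributes, timestamps (no ACLs, so the copy reads fine elsewhere)
    # /XJ       skip junctions (profile folders contain loops)
    # /XF       leave executables behind; a data backup taken from an infected
    #           system should not carry them back to a rebuilt one
    # /R:1 /W:1 one retry, one second wait, so a locked file does not stall the job
    # /LOG+     append to the log; /TEE also prints progress; /NP drops the % spam
    robocopy "$Source\$f" "$Dest\$f" /E /COPY:DAT /XJ /XF *.exe *.dll *.scr *.sys `
        /R:1 /W:1 "/LOG+:$Log" /TEE /NP
    # robocopy exit codes: 0-7 are informational bit flags, 8 or above means failures
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures for $f (exit code $LASTEXITCODE)"
    }
}

# Failed items appear in the log as lines such as
#   2019/03/14 10:22:33 ERROR 32 (0x00000020) Copying File C:\Users\Sean\...\x.docx
# followed by the Windows error text. Pull them out for review.
$errors = Select-String -LiteralPath $Log -Pattern 'ERROR \d+ \(0x[0-9A-Fa-f]{8}\)'
if ($errors) {
    "Items robocopy could not copy:"
    $errors | ForEach-Object { $_.Line.Trim() }
} else {
    "No copy errors recorded in $Log"
}
```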
adrynalyne    7,861
1 hour ago, Mockingbird said:

That doesn't consider the time it takes to back up files.

Sure it does.

+BudMan    2,892

If you're backing up your files "after" you get hit with some nasty, you're doing it wrong ;)

 

How would that help you if you got hit with ransomware? And not just a pesky DNS changer?

If I re-imaged my machine this second the only thing I would lose is that "you're doing it wrong" image I just downloaded ;)

Mockingbird    2,052
3 minutes ago, BudMan said:

If you're backing up your files "after" you get hit with some nasty, you're doing it wrong ;)

 

How would that help you if you got hit with ransomware? And not just a pesky DNS changer?

If I re-imaged my machine this second the only thing I would lose is that "you're doing it wrong" image I just downloaded ;)

I already have a backup of the whole drive, but it's infected.

+BudMan    2,892
42 minutes ago, Mockingbird said:

I already have a backup of the whole drive, but it's infected.

So again, you're "doing it wrong". Go to your previous backup, or the one before that.

How are you "backing up" your stuff?

Mockingbird    2,052
17 minutes ago, BudMan said:

So again, you're "doing it wrong". Go to your previous backup, or the one before that.

How are you "backing up" your stuff?

Basically, I make an image of the hard drive and put it on an external hard drive.

I intended it to address the issue of possible hard drive failures.

Mockingbird    2,052
1 hour ago, CrashGordon said:

https://www.malwarebytes.com/chameleon/

or restore a clean backup image

Chameleon got Malwarebytes running!

+goretsky    676

Hello,

Can you share the URL of the VirusTotal sample upload?

Regards,

Aryeh Goretsky

+BudMan    2,892
13 hours ago, Mockingbird said:

Basically, I make an image of the hard drive and put it on an external hard drive.

So you have only 1 of these and you overwrite it how often? What are you using for the image? Can you not just open the image and grab files off of it directly vs having to restore the whole thing?

You really should have multiple images, say your daily images, your weekly image, your monthly image, etc. This is a typical backup rotation.

If you can not mount your image to pull off files, then you might want to look into something that just backs up your files. Software can always be reinstalled. All you really need are your "files", stuff you created: pictures, videos, etc. Stuff that can not be replaced or duplicated. Everything else can just be redone in a worst case deal. You lose your bookmarks - not going to be the end of the world. You lose video of your kid's 1st day party - that is kind of a big deal.

If you take anything away from this problem it should be that you should get your backup system in order, so that at the drop of a hat your system could be restored without any sort of loss that would be of concern.

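The daily/weekly/monthly rotation described above, as an added example script that is not from the thread: it keeps the newest N daily images, the newest image of each of the last N weeks and of each of the last N months, and reports what it would drop. It assumes one file per image with a date at the end of the file name (e.g. system-2019-03-14.vhdx); the folder and the counts are example values.

```powershell
# Added example, not from the thread. Applies a daily/weekly/monthly retention
# rule to a folder of backup images. Assumes one file per image whose name ends
# in a date, e.g. system-2019-03-14.vhdx; folder and counts are example values.
# Nothing is deleted unless -Delete is passed.
param(
    [string]$ImageDir = 'E:\Images',
    [int]$KeepDaily = 7, [int]$KeepWeekly = 4, [int]$KeepMonthly = 12,
    [switch]$Delete
)

# Pair each image with the date in its file name; files without one are ignored.
$images = foreach ($f in Get-ChildItem -LiteralPath $ImageDir -File) {
    if ($f.BaseName -match '(\d{4}-\d{2}-\d{2})$') {
        [pscustomobject]@{
            File = $f
            Date = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        }
    }
}
$images = @($images | Sort-Object Date -Descending)   # newest first

# Full paths of the newest image in each of the most recent $Count periods.
function Get-NewestPerPeriod([scriptblock]$Period, [int]$Count) {
    $images | Group-Object $Period |
        Sort-Object { $_.Group[0].Date } -Descending |
        Select-Object -First $Count |
        ForEach-Object { $_.Group[0].File.FullName }
}

$keep = @{}
foreach ($i in ($images | Select-Object -First $KeepDaily)) { $keep[$i.File.FullName] = 'daily' }
# Week key = the Monday that starts the week (DayOfWeek: Sunday=0 ... Saturday=6).
$weekly = Get-NewestPerPeriod { $_.Date.AddDays(-(([int]$_.Date.DayOfWeek + 6) % 7)).ToString('yyyy-MM-dd') } $KeepWeekly
foreach ($p in $weekly) { $keep[$p] = 'weekly' }
foreach ($p in (Get-NewestPerPeriod { $_.Date.ToString('yyyy-MM') } $KeepMonthly)) { $keep[$p] = 'monthly' }

foreach ($img in $images) {
    $path = $img.File.FullName
    if ($keep.ContainsKey($path)) {
        '{0,-8} keep          {1}' -f $keep[$path], $img.File.Name
    } elseif ($Delete) {
        Remove-Item -LiteralPath $path
        '         deleted       {0}' -f $img.File.Name
    } else {
        '         would delete  {0}' -f $img.File.Name
    }
}
```

Run it without -Delete first and check the list; an image that falls under more than one rule is reported under the longest retention it qualifies for.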
