DNSMessenger Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 744
Category: Trojans

Your operating system is vulnerable if DNSMessenger manages to invade it. This Trojan slithers in using a very clever disguise, and it operates as a fileless bot that uses DNS records to execute additional commands. The Trojan creates points of execution and tasks, and if they are not removed and the operating system is not secured, all kinds of malicious commands could be executed without you even realizing it. Since there is a possibility that other threats exist along with the Trojan, we recommend scanning your operating system first. You need to know what kinds of threats exist on your operating system so that you could make the right decisions to clean it. Depending on the threats that are found, you might decide to go with manual removal, or you might employ a tool that could delete DNSMessenger and other threats automatically. Regardless of which path you choose, you must get rid of this malware ASAP.

The distribution of DNSMessenger is not particularly unique or shocking, as it is spread via email. This security backdoor has been employed by ransomware and other malicious Trojans thousands of times before, and it will be used again and again in the future. Unfortunately, people continue making the same mistakes, which include falling for fake messages and opening malicious attachments or links. In the case of DNSMessenger, the misleading email message presents an attached Microsoft Word .doc file, and so it looks completely harmless. Unfortunately, that is a disguise. If the file is clicked to open, victims are asked to enable macros, which is requested using the “Enable Content” message. Unfortunately, a well-known and widely respected logo of McAfee is attached to the message, and so Windows users might be tricked into thinking that there is no harm in enabling the file. Of course, that is the worst thing that can be done because the attached file should not be opened, and the email should be deleted.

If users are tricked into opening DNSMessenger spam email attachment, VBA script is loaded, and a fileless backdoor is created using WMI, which stands for “Windows Management Instrumentation.” The Trojan abuses PowerShell – a scripting language and a task-based command-line shell – to infect the machine. PoE (points of execution) are created in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run if the user is the system’s administrator, or in
HKCU\Software\Microsoft\Windows and HKCU\Software\Microsoft\Windows\CurrentVersion\Run if they are not the administrator. Also, depending on the version of PowerShell, if it is 3.0 or later, ADS is created in the %PROGRAMDATA%\Windows\ directory (kernel32.dll); otherwise, the value called “kernel32” is created in the registry too. The Trojan is dangerous because it opens a major security backdoor, and if it is not removed in time, this backdoor can be exploited by cyber criminals in all kinds of malicious ways.

Can you see the manual removal guide below? It might seem intimidating, considering that there are quite a few steps to go though. Also, one of the steps requires you to delete recently downloaded files, which you might be unable to identify. Even identifying the values created by the ransomware could be problematic. While we cannot guarantee that you will be able to remove DNSMessenger manually, you can definitely rely on legitimate anti-malware software to eradicate this devious Trojan. The right program will not only delete the Trojan and other active threats, it will also reinforce the security of your operating system to guarantee that no other dangerous infection can slip in through the cracks, without your knowledge. There are thousands of malicious infections of all kinds that could try to invade your computer, and DNSMessenger is just one of them. If you want to avoid them, you need to secure your operating system ASAP.

How to delete DNSMessenger

  1. Simultaneously tap Win+E keys.
  2. In Windows Explorer’s quick access field, enter %PROGRAMDATA%\Windows\.
  3. If a file named kernel32.dll exists, right-click and Delete it.
  4. Check the %WINDIR%\System32\Tasks\ and %WINDIR%\Tasks directories.
  5. Right-click and Delete the kernel32 tasks created by the Trojan.
  6. Exit Explorer and then launch Run by tapping Win+R keys.
  7. Type regedit.exe into the dialog box and click OK for Registry Editor.
  8. Go to the following registries and Delete all values (including kernel32) created by the infection:
    • HKCU\Software\Microsoft\Windows\
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  9. Go through your computer and Delete all suspicious, recently downloaded files.
  10. Empty Recycle Bin and then run a full system scan to check for malware using a malware scanner.
Download Remover for DNSMessenger *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

DNSMessenger Screenshots:


DNSMessenger technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
117d0352df816637dcf96b4e9aba32e12f486787f731975b4fa7da0fc273f8c0f.doc398336 bytesMD5: 8cebee5086592386fa86f3ee5bacc0d2


Your email address will not be published.


Enter the numbers in the box to the right *