DNS Changer

DNS Changer Description

DNS Changer Screenshot 1DNS Changer is a Trojan that attempts to change the infected computer’s DNS (or domain name server) settings for malicious purposes. Although obvious symptoms of a DNS Changer infection may not be observable, SpywareRemove.com malware experts have noted that the full extent of DNS Changer’s attacks can be dangerously-impressive and often include browser hijacks and attempts at theft of personal information. DNS Changer is also known as FBI DNS Changer, DNS Changer Virus, DNS Changer Trojan, Trojan:W32/DNSChanger, DNSChanger, DNS Changer Malware, Ghost Click Malware, Win32.DNSChanger, Windows DNS Changer, Ghost Click Virus or Doomsday Virus.

As of November 2011, many types of recent DNS Changer attacks have also used TDSS rootkits, banker Trojans and other forms of malicious software to enhance their spyware and security-lowering capabilities, and any attempt at removing DNS Changer should also include usage of anti-malware programs that can remove any additional PC threats.

The DNS Changer’s Looming Internet Lockout Strikes This Monday

Although reputable entities such as Google, Facebook, various Internet service providers and even the FBI have all coordinated efforts to help DNS Changer victims, current reports indicate that countless thousands of DNS Changer-infected computers will still lose internet connectivity next Monday. This internet blackout date is the current date that’s set for replacement DNS Changer servers to be taken down, which will leave PCs that are directed to those servers automatically without any ability to load even a single website.

There is a happy wrap up to this tale, but with a caveat: while DNS Changer’s attacks were effectively halted with the closure of its malicious servers, and these servers were replaced with benign ones (this move was called Operation Ghostclick), these replacements are only up for a limited time. Our malware researchers have noted a sharp increase in assistance methods for victims of DNS Changer attacks as this Internet blackout date looms ever closer, including easy methods of detecting DNS Changer infections by visiting sites like www.dns-ok.us. Other popular sites, such as the Google search engine, have also taken to providing warning messages for infected computers as soon as they attempt to search or use another website-related feature. However, many computers remain infected by DNS Changer, and as long as its DNS alterations are still in place, affected computers will soon lose the ability to load any website at all.

This video illustrates the number of computers worldwide infected with DNSChanger every hour for the time period 01/01/2012 to 03/31/2012.

It should be stressed that since there may be no symptoms of a DNS Changer infection until the server shutdown date arrives, you shouldn’t attempt to detect DNS Changer infections manually, particularly since they involve changes to sensitive system components. Our malware analysts recommend that you use a trustworthy brand of anti-malware application to detect and remove DNS Changer and its related changes, which can also be responsible for other attacks unless they’re completely deleted. You can learn more on how threatening DNS Changer is from the ‘DNS Changer Threatens Your Internet’ video.

If DNS Changer or related PC threats prevent you from using appropriate software or visited PC security sites, boot your computer from a removable media device (such as a CD or USB drive) and proceed on from there with the uninfected OS. In rare cases where it’s necessary, your ISP (among other sources) can also provide detailed instructions on DNS Changer removal.

The Unseen Dangers That Await with a DNS Changer Infection

Although DNS Changer can also be spread by other methods (most notably, via social networking-based links), most recent DNS Changer attacks have made use of TDSS rootkits to install themselves and gain access to the infected PC. DNS Changer is designed to attack Windows computers and does this in a very broad way – by abusing DNS settings to intercept and transmit online traffic. This allows DNS Changer to be used for many types of hijack-based attacks, such as:
  • Redirecting you to a phishing website that looks identical to a legitimate site. This method allows DNS Changer to steal passwords and other forms of personal information by requesting you to log in to an account at a fraudulent site.
  • Stealing passwords and other forms of online-transmitted information directly from legitimate sites.
  • Redirecting your web browser to irrelevant sites that pay click-based revenue to DNS Changer’s criminal partners.
  • Redirecting your browser away from anti-malware sites that could provide assistance for removing DNS Changer.

Affiliated rootkits that can install DNS Changer such as TDL4 rootkit may also be responsible for other attacks on your PC. Until you’ve removed DNS Changer (and any related infections) with an appropriate anti-malware program, your computer’s security will be severely-reduced, and you may be in danger of remote attacks that can take over or even damage your PC.

Find Out If You’re Infected with DNS Changer

If your PC is still infected with DNS Changer, it’s highly likely that you’ve experienced a total loss of Internet connectivity. This is due to a shutdown of servers that commenced at 12:01 AM on July 9th. In addition to technical methods of directly detecting DNS changes on your computer, SpywareRemove.com malware researchers can also recommend a profusion of various DNS Changer-detecting tools and websites. The afterward is an index of some of the many third-party entities that have worked to alert DNS Changer victims of the presence of DNS Changer malware:
  • You may have visited dns-ok.us or similar DNS Changer-detecting websites for different regions, such as dns-ok.nl, dns-ok.fi or dns-ok.gov.au. These FBI-recommended websites are designed to display highly-visible red alerts if your computer is infected with a variant of DNS Changer. However, they aren’t foolproof – if your ISP redirects your DNS traffic by default, your PC may appear to be uninfected even if it truly is afflicted with DNS Changer.
  • As of early June 2012, Facebook also issued automatic warnings to any PC that was determined to be infected by DNS Changer. Facebook’s warning message provides a link to DNS Changer Working Group or DCWG site, which, in its own turn, links back to one of the above sites for detecting DNS Changer.
  • Similar to Facebook, Google has had its own warnings to hand out to DNS Changer-infected computers. SpywareRemove.com malware analysts noted that Google’s alert is much more generic than those used by the above sites, however; consequentially, some DNS Changer victims may have ignored Google’s ‘Your computer appears to be infected’ warning as a false positive or a symptom of a browser hijacker.

Other than visiting the aforementioned websites, no special action needs to be taken; these sites will detect DNS Changer on your computer as you load their web pages.

» Learn more about SpyHunter's Spyware Detection Tool
and steps to uninstall SpyHunter.

However, you may be unable to see these alerts or may receive inaccurate system analyses if your browser is blocking the scripts and related website features that are used to detect DNS Changer’s system modifications. For this reason, SpywareRemove.com malware researchers strongly recommend that you enable all necessary features for trusted PC security sites.

Watch out for Alternate Forms of DNS-Modifying Attacks

Not all types of DNS Changer attacks are confined to the DNS settings of an individual computer. SpywareRemove.com malware experts have also found instances where advanced DNS Changer variants may choose, instead, to modify the settings of a communal router or modem. Strong user login names and passwords can help to protect these devices from being hijacked by DNS Changer and similar PC threats. It should be noted that even uninfected computers that use DNS Changer-infected routers, for example, will suffer the consequences of infection – for example, loss of Internet connectivity or exposure to harmful websites.

Methods for acquiring DNS data from these products will vary with the type of product in question, and SpywareRemove.com malware researchers recommend that you reference your router or modem’s manual for guidance on how to acquire this information. However, once you’ve found your DNS Server information, you can check it for contamination by DNS Changer with any of the methods noted above.

Freeing Your DNS Settings from DNS Changer’s Dominion

Because DNS Changer, by definition, changes your DNS settings, you may need to change your DNS settings back to normal values after you’ve deleted DNS Changer. Most variants of DNS Changer will use techniques to hide themselves, such as by using randomly-named files in the Windows folder, and should be removed by suitable anti-malware programs if such programs are available. Some versions of DNS Changer will also damage certain drivers – in most instances, restoring these drivers from backup copies will restore DNS Changer, and so you should reinstall these drivers from clean sources.

Because DNS Changer is a generic label, DNS Changer can be used to identify many types of PC threats that display its DNS-changing characteristics. DNS Changer may also be identified by the labels of TR/Dldr.DNS Changer, Trojan.BAT.DNS Changer.a, Trojan.DNS Changer.BX, Trojan:Win32/DNS Changer.AI, Win-Trojan/DNS Changer.72210 and Trojan.Win32.DNS Changer.re (among others).

Tips to Prevent DNS Changer Malware

Although DNS Changer attacks encompass multiple types of PC threats, there are some general precautions that you can take to make your network settings less vulnerable than otherwise to DNS Changer attacks. SpywareRemove.com malware experts particularly recommend:
  • Avoid default or commonly-used user names and passwords for network-related accounts, software and hardware. Passwords such as ‘admin’ and ‘password1’ are often cracked via brute force methods that allow malicious software like DNS Changer variants to change your network settings to their own preferences.
  • Monitoring IP activity for computers in your network. If a computer appears to be accessing one of the compromised DNS Changer IP numbers, you should isolate it from both the Internet and other PCs until it’s disinfected.
  • Some brands of PC security and anti-malware programs can also offer particularly advanced solutions such as blocking unauthorized changes to sensitive portions of your Registry. You should only attempt this form of defense against DNS Changer if you’re comfortable with working with the Registry and have your DNS server addresses set to be procured automatically. Specific instructions for this feature will vary with each brand of security software that offers it.
  • Avoid common means of installation by various PC threats, particularly those that are favored by DNS Changer variants. DNS Changer-related PC threats often disguise themselves as legitimate programs or updates such as codecs or script (Flash or JavaScript) packages.

DNS Changer Automatic Detection Tool (Recommended)

Is your PC infected with DNS Changer? To safely & quickly detect DNS Changer we highly recommend you run the malware scanner listed below.

Visual & GUI Characteristics

DNS Changer Screenshot 2DNS Changer Screenshot 3

Technical Details

How to Detect Maliciously-Altered Domain Name System (DNS) Settings Manually

If you’re unable or unwilling to access the above websites, or have any motive to believe that they might be inaccurate for your situation, you can also attempt to detect DNS Changer-altered Domain Name System settings by manual methods. These instructions will differ for different PC users, depending on your operating system.

DNS Attack-Detecting Instructions for Windows Users

The FBI provides its own detection method on its website that’s usable once you know the IP address for your DNS Servers (which can be identified by a default Windows command). You can also use the Windows feature Ncpa.cpl, which is associated with Control Panel’s management of network connectivity properties. Both methods can be launched and finished quickly and easily from the CMD.exe (what older PC users than the norm may still think of as a modern replacement for DOS).
Using the Forms.fbi.gov Website

The website Forms.fbi.gov, or to be more specific than that, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, offers DNS Changer detection once you’ve input your DNS information for analysis. The information FBI service can be procured from CMD.exe as follows:
  • Click Start and search for CMD.exe and launch it,


Hold down your Start menu button on your keyboard while also holding R, type cmd.exe and click OK.
  • Type ipconfig /all and make a note of the information (by taking a screenshot or writing it down, as preferred). However, for the purposes of this procedure, all you need are the numbers of the DNS Servers.
  • Type your DNS Servers information (for an example of the format: into the field at forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS. You’ll be informed on the website whether or not your PC’s DNS settings have been compromised by DNS Changer attacks.
Using the Ncpa.cpl Windows Feature

If you’re uninterested in using the FBI website, a second method is also available. Follow the instructions as above until you know your DNS Servers information. From that point:
  • Click Start and search for Ncpa.cpl and launch it,


Hold down your Start menu button on your keyboard while also holding R, type Ncpa.cpl and click OK. Either method will launch the Network Connections section of Control Panel.
  • Right-click on the icon the network connection that’s in use (its description will vary with your type of connection) and click Properties.
  • Scroll the Networking ‘items’ section until you find Internet Protocol and click it.
  • Click the Properties button from within the window.
  • If you’re set to obtain IP addresses automatically, your PC can be considered compromised. If you’re set to use ‘the following DNS addresses,’ then your computer may be compromised by DNS Changer. Write down the numbers for both preferred and alternate servers, if this is applicable.
  • If any of the numbers fall within the following ranges (as determined by the United States FBI), your DNS settings have been altered with malicious intent: to to to to to to

DNS Attack-Detecting Instructions for Mac Users

Mac-based PCs can still use the same FBI website, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, to detect DNS Changer-based DNS modifications. However, the procedure for acquiring DNS information is slightly different from the Windows instructions, as follows:
  • Left-click your Apple menu icon and select System Preferences.
  • Left-click Network.
  • Click your active network connection as noted in the display.
  • Click the Advanced button from within the window.
  • Select the DNS tab (just to the right of the TCP/IP tab). This will display your DNS Server information, which can be checked as per the Windows instructions.

Fixing DNS Server Settings By Hand (without Software-Based Assistance)

Switching from predetermined DNS settings to automatically-acquired ones is an easy way for Windows users to manually ‘turn off’ malicious DNS settings – although this does not necessarily remove the associated DNS Changer infection, which may reverse your changing if DNS Changer is not deleted by anti-malware software or other methods. If you feel that you need to make these changes by hand and are confident that they will not be reversed, follow the first four parts of the ‘Using Ncpa.cpl’ section.

Select ‘Obtain DNS server address automatically.’ Note that most, but not all ISPs provide automated DNS server acquisition via a DHCP or Dynamic Host Configuration Protocol. If your PC uses an ISP or network that doesn’t provide this feature, this solution will not work.

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
  • The following files were created in the system:
    # File Name
    1 %COMMON_DOCUMENTS%\cmijj.exe
    2 %COMMON_DOCUMENTS%\csrss.exe
    4 %COMMON_DOCUMENTS%\msert.exe
    5 %COMMON_DOCUMENTS%\mstsc.exe
    6 %MYPICTURES%\resycled
    7 %PERSONAL%\resycled
    8 %PROFILE_TEMP%\AlfaBR.exe
    9 %PROGRAMS%\AccessMV
    10 %PROGRAMS%\aquaplay
    11 %PROGRAMS%\BHVideo
    12 %PROGRAMS%\BlueRaTech
    13 %PROGRAMS%\Convert2Play
    14 %PROGRAMS%\coolplay
    15 %PROGRAMS%\DecodingHQ
    16 %PROGRAMS%\DigitalHQ
    17 %PROGRAMS%\DigitalLabs
    18 %PROGRAMS%\DivxFree
    19 %PROGRAMS%\DVDConv
    20 %PROGRAMS%\DVDextraPL
    21 %PROGRAMS%\DVDTool
    22 %PROGRAMS%\ExpressVids
    23 %PROGRAMS%\FreeHDplay
    24 %PROGRAMS%\FullMovies
    25 %PROGRAMS%\HDExtrem
    26 %PROGRAMS%\HDQuality
    27 %PROGRAMS%\HDtvcodec
    28 %PROGRAMS%\HeroCodec
    29 %PROGRAMS%\homeview
    30 %PROGRAMS%\Mediaview
    31 %PROGRAMS%\MoviesPlay
    32 %PROGRAMS%\PlayMe
    34 %PROGRAMS%\PLDivX
    35 %PROGRAMS%\PluginVideo
    36 %PROGRAMS%\QuickTiming
    37 %PROGRAMS%\QuickyPlaeyr
    38 %PROGRAMS%\sexvid
    39 %PROGRAMS%\SiteEntry
    40 %PROGRAMS%\TonsOfPorn
    41 %PROGRAMS%\totalvid
    42 %PROGRAMS%\UltraVideo
    43 %PROGRAMS%\UNICCodec
    44 %PROGRAMS%\videoplay
    45 %PROGRAM_FILES%\AccessMV
    47 %PROGRAM_FILES%\aquaplay
    49 %PROGRAM_FILES%\BlueRaTech
    50 %PROGRAM_FILES%\Convert2Play
    51 %PROGRAM_FILES%\DDnsFilter
    52 %PROGRAM_FILES%\DecodingHQ
    53 %PROGRAM_FILES%\DigitalHQ
    54 %PROGRAM_FILES%\DigitalLabs
    58 %PROGRAM_FILES%\ExpressVids
    59 %PROGRAM_FILES%\EZVideo
    60 %PROGRAM_FILES%\FreeHDplay
    61 %PROGRAM_FILES%\freshplay
    62 %PROGRAM_FILES%\FullMovies
    63 %PROGRAM_FILES%\HDExtrem
    64 %PROGRAM_FILES%\HDQuality
    65 %PROGRAM_FILES%\HDtvcodec
    66 %PROGRAM_FILES%\HeroCodec
    67 %PROGRAM_FILES%\homeview
    68 %PROGRAM_FILES%\iVideo
    69 %PROGRAM_FILES%\Mediaview
    70 %PROGRAM_FILES%\MpegBuster
    71 %PROGRAM_FILES%\Network Monitor
    72 %PROGRAM_FILES%\PlayMe
    74 %PROGRAM_FILES%\PluginVideo
    75 %PROGRAM_FILES%\PlusCodec
    76 %PROGRAM_FILES%\PornoPlayer
    77 %PROGRAM_FILES%\QuickTiming
    78 %PROGRAM_FILES%\QuickyPlaeyr
    79 %PROGRAM_FILES%\SiteEntry
    80 %PROGRAM_FILES%\SunPorn
    81 %PROGRAM_FILES%\TonsOfPorn
    82 %PROGRAM_FILES%\totalvid
    83 %PROGRAM_FILES%\ubervid
    84 %PROGRAM_FILES%\UltraVideo
    85 %PROGRAM_FILES%\VideoKey
    86 %PROGRAM_FILES%\videoplay
    87 %PROGRAM_FILES%\videosoft\Uninstall.exe
    88 %PROGRAM_FILES%\XXXHoliday
    89 %SYSTEM%\cmd32.exe
    90 %SYSTEM%\cmd64.exe
    91 %SYSTEM%\csrcs.exe
    92 %SYSTEM%\csrns.exe
    93 %SYSTEM%\csrss.exe
    94 %SYSTEM%\drivers\ndisprot.sys
    95 %SYSTEM%\kdgzh.exe
    96 %SYSTEM%\kdkgg.exe
    97 %SYSTEM%\kdlly.exe
    98 %SYSTEM%\kdqwt.exe
    99 %SYSTEM%\kduev.exe
    100 %SYSTEM%\krl32mainweq.dll
    101 %SYSTEM%\lsass.exe
    102 %SYSTEM%\MSlgx.exe
    103 %SYSTEM%\msmgs.exe
    104 %SYSTEM%\msnqp.exe
    105 %SYSTEM%\mssms.exe
    106 %SYSTEM_DRIVE%\autorun.inf
    107 %SYSTEM_DRIVE%\resycled
    108 %SYSTEM_DRIVE%\resycled\ntldr.com
    109 %SYSTEM_DRIVE%\Users\Manuel
    110 %WINDOWS%\Tasks\MSWD-1b4abb06.job
    111 %WINDOWS%\Tasks\MSWD-27e0d013.job
    112 %WINDOWS%\Tasks\MSWD-28d8d31d.job
    113 %WINDOWS%\Tasks\MSWD-2969d51d.job
    114 %WINDOWS%\Tasks\MSWD-3e4ae7ad.job
    115 %WINDOWS%\Tasks\MSWD-4354122e.job
    116 %WINDOWS%\Tasks\MSWD-44fcb0c6.job
    117 %WINDOWS%\Tasks\MSWD-4535c222.job
    118 %WINDOWS%\Tasks\MSWD-469d5901.job
    119 %WINDOWS%\Tasks\MSWD-56802d43.job
    120 %WINDOWS%\Tasks\MSWD-5d240b12.job
    121 %WINDOWS%\Tasks\MSWD-6145903c.job
    122 %WINDOWS%\Tasks\MSWD-88e4ae02.job
    123 %WINDOWS%\Tasks\MSWD-95cf3d27.job
    124 %WINDOWS%\Tasks\MSWD-af53409d.job
    125 %WINDOWS%\Tasks\MSWD-b2be9e3f.job
    126 %WINDOWS%\Tasks\MSWD-b868995b.job
    127 %WINDOWS%\Tasks\MSWD-c61509c8.job
    128 %WINDOWS%\Tasks\MSWD-db3968bf.job
    129 %WINDOWS%\Tasks\MSWD-ee6b7301.job
    130 %WINDOWS%\Temp\DAB.tmp
    131 %WINDOWS%\Temp\tempo-1145640.tmp
    132 %WINDOWS%\Temp\tempo-161796561.tmp
    133 %WINDOWS%\Temp\tempo-161797121.tmp
    134 %WINDOWS%\Temp\tempo-289.tmp
    135 %WINDOWS%\Temp\tempo-394365031.tmp
    136 %WINDOWS%\Temp\tempo-394365218.tmp
    137 %WINDOWS%\Temp\tempo-44B.tmp
    138 %WINDOWS%\Temp\tempo-45B.tmp
    139 %WINDOWS%\Temp\tempo-66D.tmp
    140 %WINDOWS%\Temp\tempo-76546.tmp
    141 %WINDOWS%\Temp\tempo-97265.tmp
    142 %WINDOWS%\Temp\tempo-B7D.tmp
    143 %WINDOWS%\Temp\tempo-E2B.tmp
    144 %WINDOWS%\vkl_1250424439
    145 %WINDOWS%\vkl_1250424989
    146 %WINDOWS%\vkl_1250425116
    147 %WINDOWS%\vkl_1250425221
    148 %WINDOWS%\vkl_1250425267
    149 %WINDOWS%\vkl_1250425328
    150 %WINDOWS%\vkl_1250733143
    151 %WINDOWS%\vkl_1251463593
    152 %WINDOWS%\vkl_1251734499
    153 %WINDOWS%\vkl_1251745894
    154 %WINDOWS%\vkl_1251803401
    155 %WINDOWS%\vkl_1252481066.exe
    156 %WINDOWS%\vkl_1252511207.exe
    157 %WINDOWS%\vkl_1252511321.exe
    158 %WINDOWS%\vkl_1252765651.exe
    159 %WINDOWS%\vkl_1252765671.exe
    160 %WINDOWS%\vkl_1252768743.exe
    161 %WINDOWS%\vkl_1252768769.exe
    162 %WINDOWS%\vkl_1252834079.exe
    163 %WINDOWS%\vkl_1252834085.exe
    164 %WINDOWS%\vkl_1252968719.exe
    165 %WINDOWS%\vkl_1253053752.exe
    166 %WINDOWS%\vkl_1253165416.exe
    167 %WINDOWS%\vkl_1253165426.exe
    168 %WINDOWS%\vkl_1253173827.exe
    169 %WINDOWS%\vkl_1253173833.exe
    170 %WINDOWS%\vkl_1253181420.exe
    171 %WINDOWS%\vkl_1253181421.exe
    172 B:\resycled
    173 C:\resycled
    174 C:\resycled\bootmatrix.com
    175 C:\Windows\system32\wdmaud.sys
    176 D:\autorun.inf
    177 D:\resycled
    178 D:\resycled\ntldr.com
    179 E:\resycled
    180 E:\resycled\ntldr.com
    181 ESQULserv.sys
    182 F:\autorun.inf
    183 F:\resycled
    184 F:\resycled\ntldr.com
    185 G:\resycled
    186 G:\resycled\ntldr.com
    187 gaopdxserv.sys
    188 gxvxcserv.sys
    189 H8SRTd.sys
    190 H:\resycled
    191 H:\resycled\ntldr.com
    192 I:\resycled
    193 I:\resycled\ntldr.com
    194 J:\resycled
    195 K:\autorun.inf
    196 K:\resycled
    197 L:\resycled
    198 M:\resycled
    199 M:\resycled\ntldr.co
    200 MSIVXserv.sys
    201 msqpdxserv.sys
    202 N:\resycled
    203 ndisprot.sys
    204 O:\resycled
    205 P:\resycled
    206 PayPal-2.5.200-MSWin32-x86-2005.exe
    207 Q:\resycled
    208 R:\resycled
    209 S:\resycled
    210 seneka.sys
    211 T:\resycled
    212 TDSSserv.sys
    213 UACd.sys
    214 V:\resycled
    215 W:\resycled
    216 X:\resycled
    217 Z:\resycled
    218 _VOIDd.sys

Registry Modifications

Tutorial: To edit and delete registry entries manually, read the tutorial on how to remove malicious registry entries.

Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to backup your Windows Registry! To optimize your Windows Registry and speed up your PC, download RegHunter's registry cleaner.
  • The following newly produced Registry Values are:
    HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] NameServer = 85.255.xxx.133,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC} NameServer =,\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B7C04D2-0898-43A3-B374-B7AFA580EA23} NameServer =,\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer = 85.255.xxx.xxx,85.255.xxx.xxx

Related Posts

Posted: November 20, 2011 | By
Rate this article:
1 Star2 Stars3 Stars4 Stars5 Stars (6 votes, average: 4.00 out of 5)
Loading ... Loading ...
Threat Metric
Threat Level: 8/10


  • Rahman says:

    Just what the doctor ordered, thaknity you!

  • Melissa says:

    Thank you so much for all the detailed information. I used your article and another one together to repair IP whatever for my computer

  • frank thompson says:

    i have the fbi porn virus

  • Jay says:

    Detailed info. Thanks for your help.

  • Shelly B. says:

    I cannot thank you all enough for your Helpdesk services through Spyhunter. You were able to fix my dilemma and remove DNS Changer. Now have FULL internet access with no issues. You all are a Godsend!

  • Ryan Lewis says:

    Lots of information to digest. I just want to remove this bull shi*! DNS Change thing has been messed up on my HP laptop since monday! Can you not get this malware program on a usb thumb and then install and run it from that?

  • Jeff Deetz says:

    With all the fuss made by the media about this DNS Changer wave, how can still having people that didn’t check their computers in order to be on the safe side and avoid countless problems?

  • Cracker Jack says:

    The DNS Changer plague is a good example of why computer users should be careful when it comes to their PCs security! I know a lot of people that clicks on everything they see, get badly infected and still think they are entitled to complaint… just sayin!!!

  • Freddy says:

    In my opinion, just sloppy computer users were affected by the DNS Changer blackout, I’m sure that people who take care of their PC’s security didn’t have any problem. I didn’t.

  • Perry Lewis says:

    I had to go to library to find a solution for this. My PC runs just fine and I can run any program I want but the internet is not connecting. I spent almost 45 minutes on the phone with Comcast and the rep said I needed to use their Mcafee program to scan for viruses that could be blocking the internet. It was not until their supervisor said I could have the FBI DNS Changer on my computer. He told me to go to http://www.dcwg.org but how could I if I do not have internet access. They hung up after my connection was verified as working to the cable modem. I am at wits end here. How can I remove it if I have no internet to go to a fix site or download software to remove it???

  • Raymond Glover says:

    On a year-old Dell XPS desktop tower with Windows 7 home. I must have the DNS Changer virus. Cannot go to any website. How do I install another browser to try that? Using my neighbors laptop now due to this. I must find a solution soon so I can return his laptop. Can this antimalware spyhunter remove it?

  • Mary Paige says:

    My Laptop keeps saying "this web page not available" when going to any site using IE. I use Chrome and I can pull up SOME sites. Could this be DNS Changer? What Do I do to find out?

  • seneka.sys says:

    have a good day.

  • cindy parchim says:

    I tried to do this a couple days ago, but did not have any luck. I find it confusing when you state all the files that were created.

Leave a Reply

What is 6 + 5 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)