DNS Changer

Posted: November 20, 2011

DNS Changer Description

DNS Changer Screenshot 1DNS Changer is a Trojan that attempts to change the infected computer's DNS (or domain name server) settings for malicious purposes. Although obvious symptoms of a DNS Changer infection may not be observable, SpywareRemove.com malware experts have noted that the full extent of DNS Changer's attacks can be dangerously-impressive and often include browser hijacks and attempts at theft of personal information. DNS Changer is also known as FBI DNS Changer, DNS Changer Virus, DNS Changer Trojan, Trojan:W32/DNSChanger, DNSChanger, DNS Changer Malware, Ghost Click Malware, Win32.DNSChanger, Windows DNS Changer, Ghost Click Virus or Doomsday Virus.

As of November 2011, many types of recent DNS Changer attacks have also used TDSS rootkits, banker Trojans and other forms of malicious software to enhance their spyware and security-lowering capabilities, and any attempt at removing DNS Changer should also include usage of anti-malware programs that can remove any additional PC threats.

The DNS Changer's Looming Internet Lockout Strikes This Monday

Although reputable entities such as Google, Facebook, various Internet service providers and even the FBI have all coordinated efforts to help DNS Changer victims, current reports indicate that countless thousands of DNS Changer-infected computers will still lose internet connectivity next Monday. This internet blackout date is the current date that's set for replacement DNS Changer servers to be taken down, which will leave PCs that are directed to those servers automatically without any ability to load even a single website.

There is a happy wrap up to this tale, but with a caveat: while DNS Changer's attacks were effectively halted with the closure of its malicious servers, and these servers were replaced with benign ones (this move was called Operation Ghostclick), these replacements are only up for a limited time. Our malware researchers have noted a sharp increase in assistance methods for victims of DNS Changer attacks as this Internet blackout date looms ever closer, including easy methods of detecting DNS Changer infections by visiting sites like www.dns-ok.us. Other popular sites, such as the Google search engine, have also taken to providing warning messages for infected computers as soon as they attempt to search or use another website-related feature. However, many computers remain infected by DNS Changer, and as long as its DNS alterations are still in place, affected computers will soon lose the ability to load any website at all.

This video illustrates the number of computers worldwide infected with DNSChanger every hour for the time period 01/01/2012 to 03/31/2012.

It should be stressed that since there may be no symptoms of a DNS Changer infection until the server shutdown date arrives, you shouldn't attempt to detect DNS Changer infections manually, particularly since they involve changes to sensitive system components. Our malware analysts recommend that you use a trustworthy brand of anti-malware application to detect and remove DNS Changer and its related changes, which can also be responsible for other attacks unless they're completely deleted. You can learn more on how threatening DNS Changer is from the 'DNS Changer Threatens Your Internet' video.

If DNS Changer or related PC threats prevent you from using appropriate software or visited PC security sites, boot your computer from a removable media device (such as a CD or USB drive) and proceed on from there with the uninfected OS. In rare cases where it's necessary, your ISP (among other sources) can also provide detailed instructions on DNS Changer removal.

The Unseen Dangers That Await with a DNS Changer Infection

Although DNS Changer can also be spread by other methods (most notably, via social networking-based links), most recent DNS Changer attacks have made use of TDSS rootkits to install themselves and gain access to the infected PC. DNS Changer is designed to attack Windows computers and does this in a very broad way - by abusing DNS settings to intercept and transmit online traffic. This allows DNS Changer to be used for many types of hijack-based attacks, such as:

  • Redirecting you to a phishing website that looks identical to a legitimate site. This method allows DNS Changer to steal passwords and other forms of personal information by requesting you to log in to an account at a fraudulent site.
  • Stealing passwords and other forms of online-transmitted information directly from legitimate sites.
  • Redirecting your web browser to irrelevant sites that pay click-based revenue to DNS Changer's criminal partners.
  • Redirecting your browser away from anti-malware sites that could provide assistance for removing DNS Changer.

Affiliated rootkits that can install DNS Changer such as TDL4 rootkit may also be responsible for other attacks on your PC. Until you've removed DNS Changer (and any related infections) with an appropriate anti-malware program, your computer's security will be severely-reduced, and you may be in danger of remote attacks that can take over or even damage your PC.

Find Out If You're Infected with DNS Changer

If your PC is still infected with DNS Changer, it's highly likely that you've experienced a total loss of Internet connectivity. This is due to a shutdown of servers that commenced at 12:01 AM on July 9th. In addition to technical methods of directly detecting DNS changes on your computer, SpywareRemove.com malware researchers can also recommend a profusion of various DNS Changer-detecting tools and websites. The afterward is an index of some of the many third-party entities that have worked to alert DNS Changer victims of the presence of DNS Changer malware:

  • You may have visited dns-ok.us or similar DNS Changer-detecting websites for different regions, such as dns-ok.nl, dns-ok.fi or dns-ok.gov.au. These FBI-recommended websites are designed to display highly-visible red alerts if your computer is infected with a variant of DNS Changer. However, they aren't foolproof – if your ISP redirects your DNS traffic by default, your PC may appear to be uninfected even if it truly is afflicted with DNS Changer.
  • As of early June 2012, Facebook also issued automatic warnings to any PC that was determined to be infected by DNS Changer. Facebook's warning message provides a link to DNS Changer Working Group or DCWG site, which, in its own turn, links back to one of the above sites for detecting DNS Changer.
  • Similar to Facebook, Google has had its own warnings to hand out to DNS Changer-infected computers. SpywareRemove.com malware analysts noted that Google's alert is much more generic than those used by the above sites, however; consequentially, some DNS Changer victims may have ignored Google's 'Your computer appears to be infected' warning as a false positive or a symptom of a browser hijacker.

Other than visiting the aforementioned websites, no special action needs to be taken; these sites will detect DNS Changer on your computer as you load their web pages. However, you may be unable to see these alerts or may receive inaccurate system analyses if your browser is blocking the scripts and related website features that are used to detect DNS Changer's system modifications. For this reason, SpywareRemove.com malware researchers strongly recommend that you enable all necessary features for trusted PC security sites.

Watch out for Alternate Forms of DNS-Modifying Attacks

Not all types of DNS Changer attacks are confined to the DNS settings of an individual computer. SpywareRemove.com malware experts have also found instances where advanced DNS Changer variants may choose, instead, to modify the settings of a communal router or modem. Strong user login names and passwords can help to protect these devices from being hijacked by DNS Changer and similar PC threats. It should be noted that even uninfected computers that use DNS Changer-infected routers, for example, will suffer the consequences of infection – for example, loss of Internet connectivity or exposure to harmful websites.

Methods for acquiring DNS data from these products will vary with the type of product in question, and SpywareRemove.com malware researchers recommend that you reference your router or modem's manual for guidance on how to acquire this information. However, once you've found your DNS Server information, you can check it for contamination by DNS Changer with any of the methods noted above.

Freeing Your DNS Settings from DNS Changer's Dominion

Because DNS Changer, by definition, changes your DNS settings, you may need to change your DNS settings back to normal values after you've deleted DNS Changer. Most variants of DNS Changer will use techniques to hide themselves, such as by using randomly-named files in the Windows folder, and should be removed by suitable anti-malware programs if such programs are available. Some versions of DNS Changer will also damage certain drivers – in most instances, restoring these drivers from backup copies will restore DNS Changer, and so you should reinstall these drivers from clean sources.

Because DNS Changer is a generic label, DNS Changer can be used to identify many types of PC threats that display its DNS-changing characteristics. DNS Changer may also be identified by the labels of TR/Dldr.DNS Changer, Trojan.BAT.DNS Changer.a, Trojan.DNS Changer.BX, Trojan:Win32/DNS Changer.AI, Win-Trojan/DNS Changer.72210 and Trojan.Win32.DNS Changer.re (among others).

Tips to Prevent DNS Changer Malware

Although DNS Changer attacks encompass multiple types of PC threats, there are some general precautions that you can take to make your network settings less vulnerable than otherwise to DNS Changer attacks. SpywareRemove.com malware experts particularly recommend:

  • Avoid default or commonly-used user names and passwords for network-related accounts, software and hardware. Passwords such as 'admin' and 'password1' are often cracked via brute force methods that allow malicious software like DNS Changer variants to change your network settings to their own preferences.
  • Monitoring IP activity for computers in your network. If a computer appears to be accessing one of the compromised DNS Changer IP numbers, you should isolate it from both the Internet and other PCs until it's disinfected.
  • Some brands of PC security and anti-malware programs can also offer particularly advanced solutions such as blocking unauthorized changes to sensitive portions of your Registry. You should only attempt this form of defense against DNS Changer if you're comfortable with working with the Registry and have your DNS server addresses set to be procured automatically. Specific instructions for this feature will vary with each brand of security software that offers it.
  • Avoid common means of installation by various PC threats, particularly those that are favored by DNS Changer variants. DNS Changer-related PC threats often disguise themselves as legitimate programs or updates such as codecs or script (Flash or JavaScript) packages.

DNS Changer Screenshot 2DNS Changer Screenshot 3

Technical Details

How to Detect Maliciously-Altered Domain Name System (DNS) Settings Manually

If you're unable or unwilling to access the above websites, or have any motive to believe that they might be inaccurate for your situation, you can also attempt to detect DNS Changer-altered Domain Name System settings by manual methods. These instructions will differ for different PC users, depending on your operating system.

DNS Attack-Detecting Instructions for Windows Users

The FBI provides its own detection method on its website that's usable once you know the IP address for your DNS Servers (which can be identified by a default Windows command). You can also use the Windows feature Ncpa.cpl, which is associated with Control Panel's management of network connectivity properties. Both methods can be launched and finished quickly and easily from the CMD.exe (what older PC users than the norm may still think of as a modern replacement for DOS).

Using the Forms.fbi.gov Website

The website Forms.fbi.gov, or to be more specific than that, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, offers DNS Changer detection once you've input your DNS information for analysis. The information FBI service can be procured from CMD.exe as follows:

  • Click Start and search for CMD.exe and launch it,


Hold down your Start menu button on your keyboard while also holding R, type cmd.exe and click OK.

  • Type ipconfig /all and make a note of the information (by taking a screenshot or writing it down, as preferred). However, for the purposes of this procedure, all you need are the numbers of the DNS Servers.
  • Type your DNS Servers information (for an example of the format: into the field at forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS. You'll be informed on the website whether or not your PC's DNS settings have been compromised by DNS Changer attacks.
Using the Ncpa.cpl Windows Feature

If you're uninterested in using the FBI website, a second method is also available. Follow the instructions as above until you know your DNS Servers information. From that point:

  • Click Start and search for Ncpa.cpl and launch it,


Hold down your Start menu button on your keyboard while also holding R, type Ncpa.cpl and click OK. Either method will launch the Network Connections section of Control Panel.

  • Right-click on the icon the network connection that's in use (its description will vary with your type of connection) and click Properties.
  • Scroll the Networking 'items' section until you find Internet Protocol and click it.
  • Click the Properties button from within the window.
  • If you're set to obtain IP addresses automatically, your PC can be considered compromised. If you're set to use 'the following DNS addresses,' then your computer may be compromised by DNS Changer. Write down the numbers for both preferred and alternate servers, if this is applicable.
  • If any of the numbers fall within the following ranges (as determined by the United States FBI), your DNS settings have been altered with malicious intent: to to to to to to

DNS Attack-Detecting Instructions for Mac Users

Mac-based PCs can still use the same FBI website, forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS, to detect DNS Changer-based DNS modifications. However, the procedure for acquiring DNS information is slightly different from the Windows instructions, as follows:

  • Left-click your Apple menu icon and select System Preferences.
  • Left-click Network.
  • Click your active network connection as noted in the display.
  • Click the Advanced button from within the window.
  • Select the DNS tab (just to the right of the TCP/IP tab). This will display your DNS Server information, which can be checked as per the Windows instructions.

Fixing DNS Server Settings By Hand (without Software-Based Assistance)

Switching from predetermined DNS settings to automatically-acquired ones is an easy way for Windows users to manually 'turn off' malicious DNS settings – although this does not necessarily remove the associated DNS Changer infection, which may reverse your changing if DNS Changer is not deleted by anti-malware software or other methods. If you feel that you need to make these changes by hand and are confident that they will not be reversed, follow the first four parts of the 'Using Ncpa.cpl' section.

Select 'Obtain DNS server address automatically.' Note that most, but not all ISPs provide automated DNS server acquisition via a DHCP or Dynamic Host Configuration Protocol. If your PC uses an ISP or network that doesn't provide this feature, this solution will not work.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to DNS Changer may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer = 85.255.xxx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC} NameServer =,\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] NameServer = 85.255.xxx.133,85.255.xxx.xxxHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B7C04D2-0898-43A3-B374-B7AFA580EA23} NameServer =,


Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.