DNS Changer

DNS Changer Description

DNS Changer is a Trojan that is designed to force a computer system to use rogue DNS servers. DNS Changer is also referred to as the Internet Doomsday Virus, Ghost Click Malware, DNS Changer Rootkit, DNS Changer Malware, DNS Changer Trojan, DNS Changer Virus, FBI DNS Changer or DNSChanger. A DNS Changer infection typically takes two steps to reroute the infected computer’s traffic to these malicious DNS servers:
  1. A DNS Changer malware infection will change the infected computer system’s settings, in order to replace the DNS servers with rogue DNS servers belonging to hackers or online criminals.
  2. The DNS Changer malware infection will then try to gain access to other devices on the infected computer’s network (such as a router or a gateway). Using common default passwords for these kinds of devices, the DNS Changer malware infection will attempt to replace the ISP’s DNS servers with its own DNS servers related to criminal activity.

While the first step will only affect a specific computer system, the second step will affect all computers on the infected computer’s network, placing them at risk for additional malware threats. The DNS Changer malware infection has been linked to a variety of malware threats, especially the Zlob Trojan and the TDSS Rootkit.

DNS Changer or FBI DNS Changer May Shut Down Internet for Over 250,000 PCs on Monday, July 9th


Countless thousands of computers are still estimated to be infected by the DNS Changer and will lose all Internet connectivity once these servers are brought down. Although the servers that are responsible for these DNS Changer attacks have been shut down and replaced by benign ones in the famous Operation Ghostclick, these ‘safe’ servers are due to be shut off on Monday. Until this shutdown occurs, you may not see any symptoms of a DNS Changer infection, since many of the DNS Changer’s attacks were neutered by the mass server replacement that was set up by legal authorities.

Fortunately, a variety of websites have enacted safeguards for the sake of DNS Changer-infected PCs, with popular search engines and social networking sites displaying warning messages if your computer has been determined to be infected by DNS Changer. ESG malware experts also note the burgeoning presence of websites that have been designed explicitly to check for the DNS Changer on your computer, although you should be careful to distinguish between these websites and sites that distribute fake security software via fraudulent system scanners. Dcwg.org is an example of just one of many reputable sites that are devoted specifically to eradicating the DNS Changer.

While there may not be any symptoms of a DNS Changer infection, ESG malware experts note a high probability for the following issues:
  • An overall slowdown of your PC, including slowed web-browsing activities.
  • Disabled security programs, particularly concerning anti-virus and anti-malware scanners. You may also see fake pop-ups that fraudulently warn you about these programs being infected. ESG malware researchers also emphasize that this issue does place your PC in exceptional danger of being attacked by other PC threats.

Although various governments, Internet service providers, news companies and Internet safety organizations have all cooperated to try to put an end to DNS Changer infections (which are rapidly declining in number at the time of this article’s writing), authorities still estimate that over two hundred and fifty thousand PCs will be affected by the Internet blackout on Monday, as explained in the video below.


The current date for the server shutdown is 12:01 AM (Eastern Time) July 9th, and if you believe that your computer may be afflicted with the DNS Changer, you should act to disinfect your PC with a suitable anti-malware program before it’s too late. Standard anti-malware protocol, such as booting your PC from removable media, can also help you disable the DNS Changer and other PC threats if you find that your security software is being blocked.

While this Internet blackout has received vast amounts of news attention, ESG malware researchers can also present a ray of hope in this bleak scenario: the DNS Changer’s attacks have not been found to cause permanent harm to computers under normal scenarios. However, you may need to repair your operating system’s DNS settings from the original CD to regain complete Internet access.

Recognizing a DNS Changer Infection on Your Computer or Network


According to ESG security researchers, the best way to make sure that your router or computer system has not become infected with a DNS Changer malware invasion is to enlist the services of a qualified professional. However, you can evaluate whether your computer system is using the correct DNS servers by checking your computer’s DNS server settings. If you suspect that your router’s DNS settings have been changed, it is also important to check your router’s settings. ESG security researchers recommend consulting your router’s or operating system’s owner’s manual for more details on how to check your DNS server settings.

While having your computer be directed to rogue DNS servers is dangerous, DNS Changer is particularly dangerous because of its associated malware threats. Once your computer is infected, all security updates have likely stopped. It is also possible that your anti-malware software is already blocked or disabled. This exponentially increases the likelihood of becoming infected with additional malicious infections. ESG security researchers recommend using a legitimate anti-malware program to remove a DNS Changer infection, as well as possible associated malware threats. It is also important to double-check your online accounts and credit card statements to make sure that your personal information and security have not become compromised.
Aliases: Trojan.Win32.DNSChanger!IK [a-squared], Trojan.Win32.DNSChanger.11776 [ViRobot], Trojan/DNSChanger.gtb [TheHacker], High Risk Cloaked Malware [Prevx1], Trojan.DNSChanger!sd6 [PCTools], Trj/CI.A [Panda], probably a variant of Win32/DNSChanger [NOD32], Rootkit.Rootkit.XCP.6 [McAfee-GW-Edition], DNSChanger.gen [McAfee], Trojan.Win32.DNSChanger [Ikarus], Trojan.Win32.DNSChanger.gtb [F-Secure], TrojWare.Win32.DNSChanger.gtb [Comodo], Trojan.Generic.792834 [BitDefender], Generic11.GUS [AVG] and Win32:Rootkit-gen [Avast].


Security Doesn't Let You Download SpyHunter or Access the Internet?


Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these tips to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open the Firefox, Chrome or Safari browser instead.
  • Use removable media. Download SpyHunter on another, clean computer, save it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE Users: Disable the proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

If you still can't install SpyHunter, view other possible causes of installation issues.

How to Check for Rogue DNS Servers and DNS Changer Malware Manually on Windows


Below are two options you can use to display detailed information about your IP and identify whether your computer is using rogue DNS.

Windows Option #1: Using the FBI website to check if your computer is affected by DNS Changer

  1. Go to the Start menu.
  2. Type cmd into the Start search box and press Enter.
  3. Type ipconfig /all into the Command Prompt and press Enter.
  4. Locate the IP addresses next to the DNS Servers label and type those numbers, exactly as you see them, into the form at: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS. After the IP address is filled in, the FBI website will check the DNS address to determine whether it is being shut down or not.

Windows Option #2: Running ncpa.cpl to check whether your machine has been infected with DNS Changer Virus

  1. Run the ncpa.cpl application by typing it into the Run box within the Start menu or typing ncpa.cpl into the Start menu's 'search programs or files' box. Press Enter.
  2. Right-click your Local Area Connection icon and select Properties to enter into the Network Interface Properties page.
  3. Click once on the Internet Protocol (TCP/IP) item. Click the Properties button.
  4. Check if the item 'Use the following DNS Server address' is set. Make a note of its status and IP address.
  5. Compare the DNS server IP address you noted with the list of rogue IP ranges provided by the FBI:
    • 85.255.112.0 through 85.255.127.255
    • 67.210.0.0 through 67.210.15.255
    • 93.188.160.0 through 93.188.167.255
    • 77.67.83.0 through 77.67.83.255
    • 213.109.64.0 through 213.109.79.255
    • 64.28.176.0 through 64.28.191.255

    If your DNS server IP address falls within any of the ranges listed above, you may be infected with DNS Changer malware and affected by the FBI's server shutdown.
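
The range comparison in step 5 can be scripted. The following is an added example, not code from ESG or the FBI: it parses `ipconfig /all` output, including the continuation lines that hold the second and later resolvers, and flags any DNS server inside the six ranges listed above. The sample output is constructed (its rogue addresses are the ones shown under Registry Details on this page), and the function names and the English-language label `DNS Servers` are assumptions.

```python
import ipaddress
import re

# Rogue ranges exactly as listed in step 5 (first address, last address).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
]

# Constructed `ipconfig /all` excerpt (English-language Windows labels assumed).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   DNS Servers . . . . . . . . . . . : 85.255.116.86
                                       85.255.112.157
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)")
CONTINUATION = re.compile(r"^\s+([0-9A-Fa-f:.%]+)\s*$")

def is_rogue(addr):
    """True if addr falls inside one of the listed rogue ranges."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return False
    return any(ip in net for net in ROGUE_NETWORKS)

def dns_servers_by_adapter(text):
    """Map adapter name -> DNS servers, including continuation lines."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False
            result[adapter] = []
        elif adapter and (m := DNS_LINE.match(line)):
            result[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and (m := CONTINUATION.match(line)):
            result[adapter].append(m.group(1))  # second, third... resolver
        else:
            in_dns = False
    return result

def audit(text):
    """Return {adapter: [rogue DNS servers]} for adapters with a hit."""
    hits = {a: [s for s in servers if is_rogue(s)]
            for a, servers in dns_servers_by_adapter(text).items()}
    return {a: bad for a, bad in hits.items() if bad}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live machine, feed `audit()` the captured text of `ipconfig /all`; an empty result means no listed adapter points at the rogue ranges, but it says nothing about the router's own DNS settings.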

If you are able to obtain a DNS server address automatically, you may switch your DNS to use Google's public DNS for the time being.

Google's free DNS server IPs:
  • 8.8.8.8
  • 8.8.4.4

OpenDNS free server IPs:
  • 208.67.222.222
  • 208.67.220.220

How to Check for the DNS Changer Malware Manually on Mac


To check if your DNS server IP address falls within the rogue DNS address ranges, perform the following steps on your Mac computer.
  1. Click the Apple menu.
  2. Select System Preferences.
  3. Click Network.
  4. Find and click your connection (shows as Green).
  5. Click Advanced.
  6. Click the DNS tab.
  7. Copy the IP address in the DNS Servers box and type it into the FBI website: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS.
    After the IP address is filled in, the FBI website will check the DNS address to see whether it is being shut down or not.

If you are able to obtain a DNS server address automatically, you may switch your DNS to use Google's public DNS for the time being.

Google's free DNS server IPs:
  • 8.8.8.8
  • 8.8.4.4

OpenDNS free server IPs:
  • 208.67.222.222
  • 208.67.220.220

How to Fix DNS Server Settings Manually


You may manually reset your DNS settings configuration through DHCP. If you are connected to an Internet Service Provider or corporate network that allows automatic DNS settings, you may follow the steps below to reset your configuration.

Please note: These steps are for advanced PC users. It is not advisable for users who are unfamiliar with the Windows Registry or custom network settings to utilize this procedure.
  1. Back up your network settings by using the Registry Editor to make a copy under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP
  2. Run ncpa.cpl from the Start menu's Run or Search box.
  3. Once Network Connections are brought up, right-click your active network connection. Click Internet Protocol (TCP/IP) once and then click the Properties button.
  4. Select the radio button labeled 'Obtain DNS Server Address Automatically'.
  5. Click OK and then OK again.

How to Prevent DNS Changer Malware


There is no guaranteed method of preventing DNS Changer malware. However, you may follow our recommended prevention tips to help avoid DNS Changer malware in the future.
  • Block and monitor network systems attempting to access one of the rogue DNS servers.
  • Create custom registry rules to protect specific registry keys. Before changing the keys, make sure you have checked 'Obtain the DNS server address Automatically' in the Internet Protocol (TCP/IP), found in the Properties window. The following registry keys may be edited for an Access Protection Rule to protect them:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\DHCPNAMESERVER = {Value Specified}

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\PARAMETERS\NAMESERVER = {Value Specified}
  • When 'Use the following DNS Server Addresses' is already checked, use the Registry Editor to access the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP
  • Check 'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interfaces' key to search for your adapters (CLSIDs).
  • Then set Access Protection Rules for the keys below:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interface\{YOUR CLSID}\DHCPNAMESERVER

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\SERVICES\TCPIP\Parameters\Interface\{YOUR CLSID}\NAMESERVER
  • Do not leave the default username and password on your modems or routers.
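
The 'block and monitor' tip above, as an added detection example (not ESG's code): it scans firewall flow records for port-53 traffic to the six rogue ranges listed earlier on this page and reports which internal clients are affected. The log lines, their five-field format and the host-level versus network-wide heuristic are constructed assumptions; a network-wide result is the pattern expected when a router's DNS settings were replaced, as described in step 2 of the infection.

```python
import ipaddress
from collections import defaultdict

# The page's six rogue ranges written as CIDR blocks (same address spans).
ROGUE_NETS = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20")]

# Constructed flow records: timestamp, source, destination, dest port, protocol.
SAMPLE_LOG = """\
2012-07-01T10:00:01Z 192.168.1.23 85.255.116.86 53 udp
2012-07-01T10:00:02Z 192.168.1.23 85.255.112.157 53 udp
2012-07-01T10:00:03Z 192.168.1.40 8.8.8.8 53 udp
2012-07-01T10:00:04Z 192.168.1.23 93.188.163.113 80 tcp
2012-07-01T10:00:05Z 192.168.1.51 93.188.161.83 53 tcp
truncated-line 192.168.1.60
2012-07-01T10:00:07Z 192.168.1.40 208.67.222.222 53 udp
"""

def dns_records(log_text):
    """Yield (source, destination) for well-formed port-53 records only."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] == "53":
            yield fields[1], fields[2]

def rogue_dns_clients(log_text):
    """Return {client: sorted rogue resolvers it sent DNS traffic to}."""
    hits = defaultdict(set)
    for src, dst in dns_records(log_text):
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable destination, skip the record
        if any(addr in net for net in ROGUE_NETS):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

def assess(log_text):
    """Classify the finding as 'clean', 'host-level' or 'network-wide'.

    Assumed heuristic: if every DNS client in the log uses a rogue
    resolver, the router or DHCP server is the likely source.
    """
    clients = {src for src, _ in dns_records(log_text)}
    rogue = set(rogue_dns_clients(log_text))
    if not rogue:
        return "clean"
    return "network-wide" if rogue == clients else "host-level"

if __name__ == "__main__":
    print(rogue_dns_clients(SAMPLE_LOG), assess(SAMPLE_LOG))
```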

Technical Information


File System Details

DNS Changer creates the following file(s):

Registry Details

DNS Changer creates the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\[RANDOM] NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC} NameServer = 85.255.116.86,85.255.112.157
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B7C04D2-0898-43A3-B374-B7AFA580EA23} NameServer = 93.188.163.113,93.188.161.83
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer = 85.255.xxx.xxx,85.255.xxx.xxx


13 Comments

  • comma says:

    Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

  • Kurt Fasile says:

    Computer works fine, just cannot access any website. It brings up some generic looking error page. Safe Mode allows the internet to work though.

  • Sean says:

    All you need to do is change your IP setting in network in your adaptor settings – local area connection and then change both the Internet Protocol TCP/IP to “Obtain DNS Server address automatically”. This will erase the bad IP that your PC is connecting to from the DNS Changer virus.

  • John Jenski says:

    My son’s computer has this thing and it won’t even let us transfer files on our home network. How can I get a fixing program on the system to remove DNS Changer?

  • Millard says:

    Gosh, it is impossible to remove ALL of those files. Isn’t there an easier way to remove this DNS Changer virus? What if you change the IP address in your network settings and then hit OK? Seems to have worked for some people. This DNS Changer virus won’t reactivate, will it?

  • Dan says:

    Please remove DNS Changer FBI IPs off my system NOW! Not able to get onto the internet no matter what browser I use. How do you change the IP and it stay???? .. it keeps going back to different numbers starting with 85.255.1xx and then 67.210.x. Any help is appreciated!

  • Paul says:

    Didn’t affect me. I think it was the media hype blowing this out of proportion. Suckers!!!

  • Chuck Blair says:

    I wonder why the FBI turned off the Internet servers that were preventing infected computers from being without the Internet. If they stop helping people that fall prey to any kind of crime, who will protect us?

  • Stoney says:

    Besides the panic caused by the news on DNS Changer, it is just unbelievable how people were affected by this mess. Totally happy I stayed protected using my antivirus and antimalware.

  • Robert Stanton says:

    Well, it is not the first time something like this happens. I think PC users should be always ready to fight epidemic infections. It is the media’s fault for this BS!!!

  • Jason Sanford says:

    Please get this DNS Changer off. I want it gone YESTERDAY!!! Tried loading Norton antivirus 2012 on my PC from a USB drive but it was worthless. Ideas on what else to use for removing DNS Changer? I am going to ask for my money back with Norton.

  • Stevie says:

    Somehow I must still have DNS Changer on my PC as I cannot go to any web page. It gives me an error. I thought this DNS Changer was supposed to only do this on July 9th and not afterwards. I’m confused. Please help me!

  • Pete Mitez says:

    Checked my DNS settings and it is set for Obtain DNS server automatically. Is that supposed to be that way? I cannot access any sites on my laptop. Using my desktop to find a solution. I am only using Internet Explorer 9 so do not know if that could be the issue. This is aggravating!
