Trojan.DNSChanger - How to remove


Trojan.DNSChanger is generic name for Trojans that have ability to change name servers for internet connections. Name servers are responsible in the way domains are resolved, so malware can display completely different websites instead the ones you are looking for. This results in search engine redirection, blockage of legitimate websites (including antivirus makers) and showing advertisement sites instead regular ones. A specific symptom is that unlike trojans that hijack network traffic directly, DNS Changer infection will result in TCP/IP protocol change that is not malware on itself. In some cases, only hosts file is altered and only some websites are redirected. Such settings are easy to fix once malware is gone, but many of remover programs do not detect these changes directly. Thus some parts of repair have to be done manually.

One of the first Trojan.DNSChangers were parasites from Zlob family. This family was extremely popular in 2007-2009, and were used to distribute fake AVs. Nowadays DNS change is still used by various Trojans to implement redirection for making advertisement money and preventing anti-virus software download.

To remove DNSChanger Trojan, one should scan with reputable antivirus or anti-malware program to remove the parasite itself. I recommend Kaspersky, or Malwarebytes Anti-Malware for this task. After removal, make sure you check TCP/IP settings and reset DNS servers to the ones of your ISP.  Usually these will not be fixed by software automatically and redirects will continue. For full removal instructions, check our guide on Google Redirect Virus removal. Steps 1 and 2 apply for this type of parasites.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

Manual removal

6 responses to “Trojan.DNSChanger

  1. As soon as I log into Windows 7 on my toshiba laptop and before I access the internet, there is a pop-up window that looks like it comes from SpyHunter 4. It alerts me that my DNS settings have been modified. Click ‘Accept’, or on option ‘Remind me later’.
    I find it a very nuisance because it appears on my screen every 5 minutes.

    Can you tell me if this is a Trojan.DNSChanger?

  2. I downloaded Spyhunter as advised above (see copy paste below) and ended up with the DNS changer; I had never had that warning before. Other sites say that Spyhunter is a rogue and advise against it. I have now uninstalled, hopefully without permanent damage. It’s hard to know who to trust anymore.

    “Note: Spyhunter trial provides detection of parasite like Trojan.DNSChanger and assists in its removal for free. You can remove detected files, processes and registry entries yourself or purchase a full version.”

    Is this an ad? it looks like your site is recommending his sw.

  3. Jo: We test Spyhunter and there is no chance it included DNSChanger – the trojan with this name is no longer distributed ( the network is down), though some PCs might be affected by similar parasite.

    Please explain me, I can’t understand if you downloaded Spyhunter for something else or DnsChanger infection ?

    Spyhunter older versions were not recommended, however it was years ago. Personally, its installers process killing feature works much better than any other commercial or free program in my experience, and detection engine is very good now.

  4. My computer is running very slowly with high CPU usage. I initially downloaded Spyhunter because I was unsure about RegClean Pro. Googling brought me to which recommended getting rid of it & using Spyhunter. Downloaded Spyhunter; it didn’t select RegClean Pro but got DNSChanger though its promo says will detect rather than infect. Also, Spyhunter scan found files but would not allow fix until I had paid money; this agrees with some descriptions of rogues (“seeks to get you out of your money”). Came to 2-viruses googling for DNSChanger.
    Spyhunter did bring up search.conduit, bandoo, and doubleclick; I subsequently ran scans with Norton 360, Avast & Malwarebytes that didn’t pick out anything. I had already uninstalled Spyhunter so what is safe to use to get rid of search.conduit, bandoo, and doubleclick?
    This is doing my head in :\.

  5. Jo:
    Requiring money for services is quite usual, as it costs developing anti-malware programs. Sometimes these costs are covered by business users (like in case of Spybot), sometimes by ones that want protection (malwarebytes), but there are no really decent completely free anti-malware (and good antivirus suites too).
    Rogues demand payment for threats that do not exist on PC and does not install/uninstall normally. Additionally, Spyhunter lists items it detects with full paths so you can verify the infection and remove it manually, it has other useful services as well, even in scanner mode (for example, it fixes some associations).
    Now about Dnschanger. How do you know that you got infected with DNSChanger? As I told before, I am really surprised and would guess it is either false positive (you should inform makers of the software that detects it and enigma software group) or something not related to Spyhunter, or the download was infected elsewhere. Coduit redirect, that might be detected as hijacker or dnschanger and bandoo are caused by toolbars. These are not detected by Norton and avast, they are might be detected as malwarebytes as Potentially unwanted Software in some cases. The programs you mentioned specializes in trojans and viruses, not borderline parasites these toolbars are. If you want to get rid of them, use ADWcleaner (free), Spyhunter or this guide : (go through the instructions for your browser).

Leave a Reply

Your email address will not be published. Required fields are marked *