How to check for DNSChanger malware infection and fix it

The DNSChanger malware has an interesting history. The FBI, who took down the cybercriminal ring, is running a campaign to get the word out to users that they need to fix their computers before July or they may lose access to the Internet. At one point, as many as 4 million computers around the world may have been infected with the malware.

With the scheme broken up in November, 2011, the FBI and an ad-hoc group called the DNSChanger Working Group are concerned that there may still be some 350,000 computers infected. The malware changed the DNS values on a computer to redirect web traffic to where the criminals wanted them to go. When the ring was busted, the FBI obtained a court order to put clean DNS servers in place to keep previous victims online. The court order was set to expire in March but an extension was granted until July 9th. At that time (unless another extension is obtained), victim computers will not be able to translate domains like into the IP addresses they need to navigate the web.

You can test to see if your computer was affected by the DNSChanger malware by visiting
No software is downloaded, no changes are made, and no scanning is required.

If you see an image with a green background, it should mostly mean you are not infected (but you should still be running antivirus and regularly scan for malware).

If you see an image with a red background, it means you are using the now clean DNS servers that will shutdown soon and it may also mean you are infected with malware.

To fix the issue, the DNSChanger Working Group has a list of tools and guides that  help resolve malware infections including Kasperky Labs TDSSKiller, Microsoft Windows Defender Offline, and many others.

You will also want to change your DNS either back to your ISP’s DNS, OpenDNS, or Google Public DNS.

If you are a victim, you can also fill out this FBI form to file as a victim of the malware.

Comments are closed.