
How to remove trojan DNSChanger/DNS hijacker (Redirect Virus/Trojan Fix)

Trojan DNSChanger, also known as the TDSS rootkit and the redirect virus, is the name of a group of trojans (zlob dns changer, Troj/Rustok-N, W32/Tidserv, gaopdxserv.sys trojan, UACd.sys trojan, …) that, once installed, redirect you to malicious websites and steal personal identities.

Trojan DNSChanger Symptoms

  • Windows Update redirects you to
  • Search results in Google, Yahoo, MSN and other search engines redirect you to unrelated sites.
  • Google/Yahoo/MSN results redirect you via or another fake site.
  • Google/Yahoo/MSN has become slower when doing searches.
  • Facebook and YouTube redirect to different sites.
  • “Waiting for…” at the bottom left corner of IE while Google search results were loading. It is caused by the file C:\Windows\system32\wdmaud.sys (reported as Rootkit.Win32.Agent.fwt). The legitimate wdmaud.sys actually exists at C:\Windows\system32\drivers\.
  • Any web page loads really slowly.
  • System restore function is blocked.
  • Vimax pills banner ads pop up on some sites, including security sites.
  • Cannot run msconfig.
  • Cannot update antivirus and antispyware programs.
  • Trojan affects all browsers (IE7 and Firefox).
  • HijackThis shows infection.

    O17 – HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer =,
    O17 – HKLM\System\CCS\Services\Tcpip\..\{2B7C04D2-0898-43A3-B374-B7AFA580EA23}: NameServer =,

Use the following instructions to remove Trojan DNSChanger



It is possible that the trojan will not allow you to run malware removal tools. In that case, you will need to reboot your computer in Safe mode with networking.

Restart your computer. After hearing your computer beep once during startup, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.

Instead of Windows loading as normal, the Windows Advanced Options menu appears, similar to the one below.

Windows Advanced Options menu

When the Windows Advanced Options menu appears, select Safe mode with networking and then press ENTER.


Trojan DNSChanger may change Internet Explorer proxy settings to use a malicious proxy server that will not allow you to download or update security software. Complete this step to fix the problem.

Run Internet Explorer and click Tools -> Internet Options, as shown in the screen below.

Internet Explorer – Tools menu

You will see a window similar to the one below.

Internet Explorer – Internet options

Select the Connections tab and click the LAN Settings button. You will see a window similar to the one shown below.

Internet Explorer – Lan settings

Uncheck the “Use a proxy server” box. Click OK to close LAN Settings and click OK to close the Internet Explorer settings.


Now you should run TDSSKiller.

Download TDSSKiller from here and unzip it to your desktop. Open the TDSSKiller folder. Right-click tdsskiller and select Rename. Type a new name (123myapp, for example) and press Enter. Double-click the TDSSKiller icon. You will see a screen similar to the one below.


Click the Start Scan button to start scanning the Windows registry for the TDSS trojan. If it is found, you will see a window similar to the one below.

TDSSKiller – Scan results

Click the Continue button to remove the TDSS trojan.

If you can’t download or run TDSSKiller, then you need to use ComboFix. Download ComboFix. Close any open browsers. Double-click combofix.exe and follow the prompts. If ComboFix will not run, rename it to myapp.exe and try again!


Now you should download Malwarebytes Anti-malware and remove all Trojan DNSChanger associated malware.

Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.

Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. Once installation is complete, you will see a window similar to the one below.

Malwarebytes Anti-Malware Window

Now click on the Scan button to start scanning your computer for Trojan DNSChanger associated malware. This procedure can take some time, so please be patient.

When the scan is finished, a message box will appear saying that it has completed scanning successfully. Click OK. Now click “Show Results”. Make sure all entries have a checkmark at their far left and click “Remove Selected”. When disinfection is completed, a log will open in Notepad and you may be prompted to restart.

Additional steps

1. Repair your Internet settings (set the option “Obtain DNS servers automatically”).
Skip this step if the computer uses a static IP address (ask your Internet Service Provider).

  • Go to Start -> Control Panel -> Network Connections.
  • Right click your default connection, usually Local Area Connection or Dial-up Connection, if you are using Dial-up, and left click on Properties.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.
  • Go to Start -> Run, enter CMD and click OK.
  • At the command prompt, type in cd\ and then press ENTER.
  • Now type in ipconfig /flushdns and then press ENTER. (notice the space after ipconfig)
  • Close the command prompt window.
  • Reboot your PC and try to open any website.

2. Clean trojan DNSChanger infected machines.

  • If you have a home network or other DNSChanger-infected machines using your router, you should clean them with the above steps.
  • Now you should reset your router (trojan DNSChanger can change the router’s DNS settings). Press the reset button on the back of the router.
  • You may also need to consult with your Internet service provider to find out which DNS servers you should be using.
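
The check below is an added example, not part of the original guide or of any tool it mentions. It serves both the proxy step and the HijackThis O17 symptom above: it reads a saved HijackThis log and reports every O17 NameServer address that is not in the list of DNS servers you expect (from your ISP or router), plus any R1 ProxyServer value still set. The sample log, its addresses (RFC 5737 documentation ranges), the proxy value and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log. GUIDs are the ones shown in the symptom list above;
# all addresses are placeholders from the RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [example] C:\example\app.exe
O17 – HKLM\System\CCS\Services\Tcpip\..\{1F5A3FA3-74FB-41DD-AD5B-F8C6C8B3D0EC}: NameServer = 203.0.113.36,203.0.113.41
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53 198.51.100.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B7C04D2-0898-43A3-B374-B7AFA580EA23}: NameServer = 192.0.2.53
"""

# Logs pasted through a web page often have "-" turned into an en dash (U+2013).
DASH = r"\s*[-\u2013]\s*"
O17_RE = re.compile(r"^O17" + DASH + r"(?P<key>.+?):\s*NameServer\s*=\s*(?P<value>.*)$")
R1_PROXY_RE = re.compile(r"^R1" + DASH + r"(?P<key>.+?),\s*ProxyServer\s*=\s*(?P<value>.*)$")


def split_servers(value):
    """NameServer holds one or more addresses separated by commas or spaces."""
    return [part for part in re.split(r"[,\s]+", value.strip()) if part]


def audit_log(text, expected_dns):
    """Return (kind, registry_key, value) findings for a HijackThis log.

    expected_dns is the list of resolver addresses this machine is supposed
    to use (an assumption supplied by the reader, e.g. from the ISP).
    """
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        match = O17_RE.match(line)
        if match:
            for server in split_servers(match.group("value")):
                try:
                    addr = ipaddress.ip_address(server)
                except ValueError:
                    # Not an IP address at all: report it rather than skip it.
                    findings.append(("dns-malformed", match.group("key"), server))
                    continue
                if addr not in expected:
                    findings.append(("dns-unexpected", match.group("key"), server))
            continue
        match = R1_PROXY_RE.match(line)
        if match and match.group("value").strip():
            # Any proxy still configured is worth a look after the clean-up.
            findings.append(("proxy-set", match.group("key"), match.group("value").strip()))
    return findings


if __name__ == "__main__":
    for kind, key, value in audit_log(SAMPLE_LOG, expected_dns=["192.0.2.53"]):
        print(f"{kind:15} {value:22} {key}")
```

An empty result means the log lists no unexpected DNS server and no proxy.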

If you are still having problems with your computer after completing these instructions, then please follow these instructions

November 6, 2007 on 10:32 pm | In Malware removal, Trojan | 70 Comments |



  1. get it try this

    Comment by john — December 18, 2008 #

  2. This instruction is written in billion sites and it DOES NOT work! This MBAM program simply does not start.

    Comment by VIT — December 21, 2008 #

  3. VIT, your computer is probably infected with tdsserv.trojan (“MBAM program simply does not start” symptom). Read and follow these steps: How to remove trojan TDSServ.

    Comment by Patrik — December 22, 2008 #

  4. thx very much, i couldn’t access my drive letters, i could access them by selecting drives in the address bar.
    drive C was solved by this instruction but the other drives are not solved yet.

    Comment by mohammad — January 17, 2009 #

  5. Hi.. I downloaded malware because i have downloaded anti virus 360 recently and i have come today to read that its a virus itself and i have followed the instructions on how to get rid of it. BUT when i launch Malware program it closes alone after 5 seconds and i read these instructions and i followed them thoroughly but i cannot seem to find any of these:
    pls respond to me ASAP

    Comment by Anthony — February 1, 2009 #

  6. Your computer is probably infected with a new version of trojan DNS-changer. Please follow these steps. I will help you.

    Comment by Patrik — February 1, 2009 #

  7. This is what I did. Start Win XP in safe mode with network support. Download the Malwarebytes’ Anti-Malware software and update. Perform a full scan using the Malwarebytes’ Anti-Malware software in safe mode and let the software delete what it finds. Restart Win XP in normal mode and perform another full scan using the Malwarebytes’ Anti-Malware software and let it delete what it finds. This process got rid of all five trojans infecting my computer.

    Comment by Terry — February 2, 2009 #

  8. Thanks guys i really appreciate it =]

    Comment by Anthony — February 2, 2009 #

  9. use avg free edition with latest virus base 2/2 7PM – it found and fixed problem as soon as I open the browser.

    Comment by frogman — February 3, 2009 #

  10. Hello Ive followed the steps thus far. which has been helpful, i can even get malwarebytes open now. BUT when i get to the part about running avenger after i click execute i get this message: \

    Comment by NETTE — February 6, 2009 #

  11. I can’t download anything on my computer! When I click on any of the downloads (MBAM, hijackThis, tried several others) it says Internet Explorer cannot display the webpage. I’ve restarted my computer millions of times and nothing works. I also did the my computer/properties process but nothing like this is there:
    (TDSSserv.sys or TDSSxyz.sys where xyz are random characters, msqpdxserv.sys, gaopdxserv.sys, seneka or seneka.sys)

    All the symptoms at the top apply for my computer and it really sucks! Please help, i can’t take this anymore :(

    I also got a HijackThis account but I can’t download it, (internet explorer can’t display the webpage.)

    Comment by rafiel — February 15, 2009 #

  12. rafiel, please follow these steps. I will help you.

    Comment by Patrik — February 15, 2009 #

  13. Hi,

    I don’t usually do this, but I would really like to thank whoever wrote this guide to remove DNSChanger. I downloaded it via a Trojan and it was crippling my work and just turning me crazy. With these instructions I managed to get rid of the damn bug in less than 15 minutes.


    Comment by Matt — February 25, 2009 #

  14. Hi,

    I followed the steps described above and it worked.
    thank you

    Comment by Evgeni Primakov — February 25, 2009 #

  15. this hijack was driving me NUTS!!!
    I couldn’t find ANYTHING ELSE on the web that could fix it.
    Thank you for writing this! it put an end to two days of frustration!
    thank you again!
    I have to emphasise that it’s important to follow the steps on here EXACTLY – if you don’t follow this order then it may not work (happened to me a few times before I got it right).

    Comment by owen — February 27, 2009 #

  16. thank you so much mate, this worked perfectly!!
    completely fixed!

    Comment by wes — February 28, 2009 #

  17. thank you so much mate! this worked perfectly, my internet finally works properly!

    Comment by wes — February 28, 2009 #

  18. For those who can’t run malwarebytes….. rename the .exe file to something else and it will run fine. That’s what I had to do with this bugger…

    Comment by organicnut — March 1, 2009 #

  19. In all cases these fixes will not work. What will happen if the files msqp, gaopdx etc. come as hidden services?

    Comment by gobs — March 5, 2009 #

  20. We can also try this.
    1. Use Gmer anti rootkit tool and remove the Superhidden malicious service.
    2. Manually reset the DNS of your computer.
    3. Log in to the router from your computer using Internet Explorer and reset the DNS.
    ISSUE WILL be fixed.

    Comment by gobs — March 5, 2009 #

  21. I have been battling with this infection on multiple machines for days
    Thanks for this fantastic guide, worked as advertised!

    Comment by Rupert Ferder — March 11, 2009 #

  22. Excellent help this page is.

    I removed this but only with the help of First, download MalwareBytes as it says, rename the exe to something random, run the software and remove all the dodgy files. After that use GMER in Safe Mode to find the UACd.sys reg entries. Use regedit to remove the entries (you will likely need to reset the permissions on the UACd.sys keys to inherit and replace before you will be able to remove). Run an \

    Comment by Jacob Payne — March 17, 2009 #

  23. Thank you very much guys.

    I must have downloaded that nasty DNSChanger Trojan from some site. I tried Spybot Search and Destroy as well as my general antivirus with no success! I was about to panic, and it was then that I ran into your site, downloaded the avenger, followed the simple instructions, rebooted my computer and just like that everything was gone! If it wasn’t for you guys I don’t know what I would have done. Thank you very much and may God bless you!!!

    Comment by Dave Allen — March 19, 2009 #

  24. When I was faced with this problem, I tried doing all solutions suggested online, & in which case mostly consisted of downloading Malwarebytes AntiMalware.

    The first time downloading the setup file, I tried to run it but nothing would happen. I figured something must have gone wrong during the download so I decided to download the setup file again, but this time since my download manager was downloading the same file the second time around it automatically renamed it, adding \

    Comment by Love F. — March 21, 2009 #

  25. …adding “2” to the filename in order to avoid overwriting the original file which was in the same directory.

    Now I tried running that file and it actually finally installed. At that time I did not yet realize that it was the malware that blocked the setup from running the first time, and that I was actually able to run the 2nd setup file due to the fact that it had a different filename.

    But right after install, I was facing another problem, because the software would not run at all. Yes, it was successfully installed on my computer but it would not run.

    I researched some more and found why this was so. I renamed the .exe then, hoping to fool the malware but apparently since I’ve already tried running it as mbam.exe it probably knew what it really was already & was not falling for the new fake name.

    I ended up uninstalling, then I installed it again, but this time I made sure that the file doesn’t run at all until everything is changed just so the malware will have no idea what’s really going on.

    “…and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.”

    I actually don’t really suggest doing that step after installation, I suggest UNchecking both options & clicking finish, otherwise the program would just run as mbam.exe since you only had control at renaming the setup file so if you ran it right after installation the malware would immediately cut it off noticing the filename. So I suggest UNchecking the options, then clicking finish. THEN proceeding to the installed directory, rename mbam.exe first to something completely random, THEN running the .exe, but before clicking scan, go under “Update” first to get all needed updates which you did not get to do right after installation, THEN scan.

    This was the only way I got it running at all, during installation I even did not install it in its default directory name, instead I changed that too, just to be very sure.

    This was very well written by the way, I loved how you wrote the symptoms down because I really was able to pinpoint the ones I had & they were absolutely right on the money. One that grabbed my attention the most was the HiJackthis error 017, because I really spent hours figuring that one out and wondering what it meant, so this was very helpful. Thanks!

    Comment by Love F. — March 21, 2009 #

  26. I have windows vista and i think all these instructions are for windows XP.
    I had panda global and it did not find the trojan.
    I used superantispyware free and found it in the registry keys C:\PROGRAMDATA\MICROSOFT\WINDOWS\STARTUP MENU IN a folder called VIDEOSOFT but although it says removed it finds it in the next scan.
    thanks in advance.

    Comment by FUNBASKETFUN — April 18, 2009 #

  27. FUNBASKETFUN, ask help at our forum.

    Comment by Patrik — April 19, 2009 #

  28. sorry for the silly question but i cant find in forums where is the new topic button!!!
    I have already downloaded the HIJACKTHIS.EXE


    Comment by FUNBASKETFUN — April 21, 2009 #

  29. Open Spyware Removal forum.
    Looks for NEWTOPIC button under Forum rules line.

    Comment by Patrik — April 21, 2009 #

  30. >>>>>>Clear trojan DNSChanger infected machines.

    If you have a home network or other DNSChanger infected machines using the your router, you should clear them with the above steps.
    Now your should reset your router (trojan DNSChanger can change the router’s DNS settings). Click reset button on back side of the router.
    You may also need to consult with your Internet service provider to find out which DNS servers you should be using.<<<<<<



    Comment by ROBERTWENEK — April 25, 2009 #

  31. ROBERTWENEK, if router is infected and resetting button does not help, then you have only one variant – change router.

    Comment by Patrik — April 25, 2009 #

  32. I administrate a local network from my router Linksys WRT160N. I suppose I have the trojan in the computer and that it also altered my router. What should be the steps to completely eliminate the DNSChanger from my computer and get my router working correctly? Thank you in advance for your support.

    Comment by Zjedoldym — May 26, 2009 #

  33. Zjedoldym, read steps above.
    1. disinfect your computer
    2. disinfect your router

    Comment by Patrik — May 27, 2009 #

  34. Thanks once again…great work!!!

    Comment by depp — June 9, 2009 #

  35. I wanted to thank you for this solution. I recently had this problem and thank’s to this post I was able to fix it! Thank YOU so much. :)

    Comment by olivia Justice — July 4, 2009 #

  36. I have been trying to download your suggestions. However I keep getting a pop up telling me my temp files can’t support or are not responding and it won’t let me download. I really need your help. I’m computer stupid and I believe there is more going on than what I can explain right now. I can’t even download mcafee. What’s going on? please help.

    Comment by jonathon — August 13, 2009 #

  37. jonathon, try to download Avenger using Safe mode with networking.

    Comment by Patrik — August 14, 2009 #

  38. stop using IE and download Firefox
    thanks for the router info but that also means i have to buy a new router which sucks

    Comment by aleadpipe — August 19, 2009 #

  39. I tried to disable the Disable trojan drivers.. followed instructions, didn’t find any of the following: TDSSserv.sys or TDSSxyz.sys where xyz are random characters, msqpdxserv.sys, gaopdxserv.sys, seneka or seneka.sys. So I went ahead and tried deleting the trojan drivers using Avenger by copying the program given above. Now my Windows starts and immediately logs off. I tried to press F8 and try to make Windows run on the previous config, which made Windows run successfully, and it still does work. Please help.

    Comment by arvind — January 21, 2010 #

  40. arvind, have you tried to boot your PC in the Last Good configuration mode?

    Comment by Patrik — January 21, 2010 #

  41. Thanks!

    I have been trying to remove the ‘internet guide’ DNS hijack installed by DynDNS updater for a while now. Their ‘fix’ didn’t help at all, but the instructions here did the trick.

    Comment by Mike — January 26, 2010 #

  42. Oh Wow, these ads and redirect are driving me crazy. I’ve downloaded Hijack This and it won’t run. I can’t find the nonplug and play drivers you recommend I disable either. Can you help me please?

    Comment by Jacquie — January 29, 2010 #

  43. Jacquie, try the steps or ask for help in our Spyware removal forum.

    Comment by Patrik — January 29, 2010 #

  44. Thank you, thank you, thank you! I ran the TDSSKiller and then AdAware (because I still couldn’t get Malwarebytes to download) The nasty ads are gone and I’m no longer being redirected. Thanks, Patrik. J

    Comment by Jacquie — January 29, 2010 #

  45. I have windows vista. This weekend someone hacked into my paypal and 90% of the time when I click on a google results link, it redirects me to an unrelated or vaguely-related site. I ran symantec. My computer shut off before it finished, but it did find and remove five trojan.fakeav viruses.

    I then ran Malwarebytes anti-malware which found one more trojan.

    Then I ran MBAM under safe mode with networking. It found 3 trojan.dnschanger viruses and removed them.

    AdAware got rid of 34 privacy problems.

    I can’t get symantec to run under safe mode.

    I’ve run MBAM in regular mode and safe mode again, and it does not find any more viruses.

    BUT when I click on a google search result, it still redirects me to a wrong site. Obviously, there’s still a dnschanger or some other sort of virus, right?

    Any advice? Will the above work in Vista? I am not very tech-savvy, so a little overwhelmed.

    Comment by Kimberly — February 8, 2010 #

  46. Kimberly, try to follow the steps.

    Comment by Patrik — February 10, 2010 #

  47. ok, college student in the middle of finals, all those trojans are saying yippee let’s wreck her day… they managed. I have AVG 9.0 anti virus. the “thing” that keeps coming up is a vista anti malware warning saying my pc is infected, avg can’t find anything so i ignored it, it was slightly annoying but not bad. then it progressed to any web page i opened it would say was unsafe and direct me to the page to buy their software. well now I can’t open any files because it says there is no path to that file and i need to use the control panel to set a path, only I can’t get in the control panel. I also can’t restore it, because it won’t let me open anything. UGH! Please help. tried to follow your steps, but I click properties and nothing happens. so uhh, what now? oh yeah the computer is an HP DV6 PAVILION using VISTA 64BIT VERSION if that helps any??

    Comment by stephanie — April 20, 2010 #

  48. Stephanie, try the instructions.

    Comment by Patrik — April 21, 2010 #

  49. So I was able to use this software (through bringing the exe on a USB) to eradicate all the infected files it found and I thought I would be fine after that. However, the DNS Changer Trojan remains. I still get popups for fake spyware antiviruses and pages redirect to random web searches.

    Basically, before I was able to clean my computer, neither Avenger nor TDSSkiller nor any other of the variants of step one worked for me. However, after the cleaning, I can now access all of these. The problem is that all of these come up with no results and/or infections regarding the DNS trojan, even though the problem persists. I even tried to clear my DNS cache through Network Connections to no avail. Can you shed any light on the issue?

    Comment by John — April 26, 2010 #

  50. Hello Patrik. I think I had a virus called Virus Protector. I followed the steps and it seems like I got rid of it!! But it didn’t stop there. When I scan with Malwarebytes Anti-Malware, it says I have the Trojan DNS Hacker & Trojan Banker. I have tried the Avenger, RegCure, WinASO Registry, TDSSKiller, ComboFix, TrojanRemover, HijackThis, and GMER. I can’t update Virus updates & Windows update. Other than that, it seems like the computer got a lot faster.. including the internet speed. Please help*

    Comment by Alex — April 27, 2010 #

  51. Sorry Patrik. I forgot to tell you I can’t go into SAFE MODE. My keyboard freezes up when I try to select SAFE MODE. I tried rebooting but something is stopping the installation…

    Comment by Alex — April 27, 2010 #

  52. John, probably your version of the trojan has changed dns records in the Windows registry only (no active trojan components). You need to run HijackThis and fix all O17 entries. Once finished, you need to follow the first additional step above.

    Comment by Patrik — April 28, 2010 #

  53. Alex, firstly check O17 entries in your HijackThis log. Fix them all.
    If it does not help, then start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — April 28, 2010 #

  54. Patrik. thank you for the reply.
    I don’t know how to use Hijackthis.
    What do you mean by checking the O17 series?

    Comment by Alex — April 30, 2010 #

  55. Alex, run HijackThis. Click “Do a system scan only” button. Now select all O17 entries by placing a tick in the left hand check box. Once you have selected all entries, close all running programs then click once on the “fix checked” button.
    Reboot your computer.

    Comment by Patrik — April 30, 2010 #

  56. Hi Patrick, got a question for you about the trojan.dnschanger. It appears I have successfully removed the virus, with one small exception, I’m getting a Malwarebyte pop-up that it is blocking a file (mentioning it is a trojan.DNSChanger), and giving me the options of ignore, quarantine etc… I keep choosing quarantine, but it’s not going away, happens every time the comp starts up, about 3-5 mins. after booting.

    Everything seems fine with the computer, except that one thing. Last thing done was Combofix in safe mode, followed by Malwarebyte quick scan in safe mode (found no infections).

    Any suggestions?

    Comment by marc — May 26, 2010 #

  57. marc, please begin a new topic in our Spyware removal forum. I will check your computer.

    Comment by Patrik — May 28, 2010 #

  58. Thank you so much. Have been struggling with this trojan for months. I can’t believe I finally got rid of it.

    Comment by Chris — August 18, 2010 #

  59. I have tried all of this and still have the redirect virus. I have a Windows Vista 64 bit

    Comment by Lonnie — September 24, 2010 #

  60. Lonnie, start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — September 25, 2010 #

  61. Thank you but i got it. I just updated my firmware on my router and it was fixed.

    Comment by Lonnie — September 26, 2010 #

  62. A customer of mine had the av8 virus which even after being removed had left a browser redirect to

    It does not get removed by malwarebytes/spybot/superanti etc. It’s embedded into the MBR. It gets successfully removed by the above kaspersky tool TDSSKiller.

    Thanks very much!

    Comment by Ross — October 28, 2010 #

  63. Been fighting this problem for several days. Webroot detected and deleted Winlogonhook, but it kept returning. I finally found the offending dll manually, but the DNS redirection problem continued.

    TDSSKiller looks like it solved the problem. I can now connect with MS update.

    One reminder when working with similar problems, turn off software restore then reactivate once system is clean and working normally.

    Comment by Bill — January 3, 2011 #

  64. Hey Patrik, I have “Antivirus Scan” and I’m trying to get rid of it. I have downloaded HijackThis and I tried to download Malware Bytes and it said the browser couldn’t find the webpage, so I assumed I needed to remove this TrojanDNSChanger. When I click “properties” after right-clicking “My Computer” it says “Application cannot be executed. The file rundll32.exe is infected. Do you want to activate your antivirus software now?” What do I do now?

    Comment by Javi — January 5, 2011 #

  65. Javi, follow the instructions
    Important steps:
    1. reboot in safe mode
    2. reset proxy settings

    Comment by Patrik — January 8, 2011 #

  66. I did everything and it seemed to have removed antivirus scan, but even though the machine has an ip address and I can ping my router I can not get online.

    Comment by Al — January 9, 2011 #

  67. Al, try to reset the proxy settings. See my previous comment.

    Comment by Patrik (Myantispyware admin) — January 11, 2011 #

  68. I followed the instructions and now no desktop appears, just my screensaver photo, no other icons. help!

    Comment by Che — April 8, 2011 #

  69. I tried safemode too and it is the same result, my desktop seems to have been erased?

    Comment by Che — April 8, 2011 #

  70. thanks so much i had tried everything :-) this worked

    Comment by jennifer — April 28, 2012 #



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.