DNSChanger virus: How to tell if your Mac is infected?

What is DNSChanger?

First discovered in 2012, following an extensive FBI investigation, DNSChanger — also known as Puper, Jahlav, and RSPlug-F — is malware that can hijack DNS servers and routers. Believed to be the work of an Estonian criminal enterprise, it quietly hijacked up to 100,000 servers around the world without anyone realizing it.

Servers disrupted globally

DNSChanger was so prolific that even social networks, search engines, and ISPs, such as Comcast, COX, Verizon, and AT&T, were inadvertently involved in spreading it. With the FBI's help, these companies were all part of a global effort to remove the problem in 2012.

A coordinated effort was needed to take over this rogue DNS network: the hijacked servers were taken over one by one, so that any device whose DNS settings still pointed at one of the many thousands of them was automatically redirected, restoring the rogue network to a legitimate part of the web again.

Redirection wars

It all started several years ago when an Estonian gang set up a seemingly genuine-sounding digital firm, Rove Digital. With some technical know-how, they created a type of adware that redirected web visitors to sites that displayed adverts. You could be going to do some shopping on Amazon, and then without realizing it — because the server your DNS is using has been hijacked — you would be redirected to a website full of adverts and pop-ups.

Annoyingly, for anyone whose DNS servers (the servers that translate website names into addresses, basically) had been infected — which is out of your control — this would keep happening. If any links or adverts were clicked, that would contribute to the profits of this Estonian gang. Over time, the group generated $11 million from adverts and pop-ups that no one wanted to see. It took a joint operation between the FBI and Estonian Police to find the source of this problem and begin restoring thousands of DNS servers to the correct settings. In this case, the servers that were hijacked were in Estonia, along with others in Chicago and New York.

For several months after the gang was discovered and operations shut down, governments and the FBI needed to keep the DNS network running. Otherwise, 4 million people worldwide would have lost Internet access.

It took time for the number of infected devices to fall, as Internet providers and search engines notified users and customers of the infection.

Until the servers could be shut down, the FBI worked with the Information Services Corporation (ISC) to run the servers — albeit without directing anyone to unwanted ads and web pages anymore — giving infected Mac and Windows device owners a chance to prevent it from happening further on their end. Unfortunately, the only way to resolve this problem was to remove the malware, which meant that after the FBI shut the servers down, those who hadn't been able to remove the malware would lose internet access.

How to remove DNSChanger manually?

To start with, although this is older malware, there is a chance that anyone could have carried it over from one device to another. Any operating system that carries the files and settings of previous devices will keep infections with them unless they're detected and eliminated.

That makes it useful to check whether DNSChanger has infected you in the past. The best way to do that is through this website:

http://www.dcwg.org/detect/

If you've got the all-clear, then there is nothing to worry about, and you don't need to scan and remove any viruses.

However, if a scan shows this infection still present — even though it isn't active anymore — then removing it will reduce the risk of other types of malware or trojans using this weakness as a backdoor to infect your device again.

Restore your DNS settings by hand

To do this manually, you first need to restore your DNS settings:

  1. Go to System Settings > Network.
  2. Within Network > Wi-Fi, click Details next to the network you are connected to and set the DNS servers to what they should be (your Internet Service Provider should have that information, or it will be on the router in your home or office).
  3. After clicking OK, open Details once again to check that the changes have been saved.
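Once the DNS servers are set, it helps to verify them from a terminal rather than trusting the dialog. The following POSIX shell check is an added example, not part of the original article: it compares the resolvers an interface reports against the ones you expect and flags anything else. EXPECTED_DNS and the sample addresses are assumptions to replace with your own router or ISP values.

```shell
#!/bin/sh
# Added example, not from the original article. Compares the DNS resolvers a
# Mac interface reports with the ones you expect and flags the rest.
# On a real Mac, feed it:  networksetup -getdnsservers Wi-Fi | check_dns
# (use the service name shown by: networksetup -listallnetworkservices)

# Assumption: the resolvers you expect (router and/or ISP). Replace these
# placeholder values with your own.
EXPECTED_DNS="192.168.1.1 9.9.9.9"

# check_dns: reads one resolver per line on stdin, prints every resolver that
# is not in EXPECTED_DNS, and returns 1 if any were found (0 otherwise).
check_dns() {
    rc=0
    while IFS= read -r server; do
        if [ -z "$server" ]; then
            continue
        fi
        # With no manual servers set, networksetup prints a sentence rather
        # than an address; that is the normal DHCP state, not a finding.
        case "$server" in
            "There aren't any DNS Servers set"*) continue ;;
        esac
        found=0
        for ok in $EXPECTED_DNS; do
            if [ "$server" = "$ok" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "UNEXPECTED resolver: $server"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: 203.0.113.7 stands in for an unknown resolver that a
# tampered configuration might contain.
if printf '192.168.1.1\n203.0.113.7\n' | check_dns; then
    echo "All resolvers are expected."
else
    echo "Reset the DNS servers for this interface (see the steps above)."
fi
```

Run it for each network service you use (Wi-Fi, Ethernet, VPN), since DNSChanger-style tampering only has to win on one of them.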

Next, this type of malware also infects your web browser, so you need to remove it from whichever browser you use. Here is how to do that with Safari, Chrome, and Firefox:

#1: Uninstall DNSChanger from Safari

  1. Go to Safari > Settings.
  2. Go to Extensions.
  3. Pick the extension that you don't recognize to delete.
  4. Click Uninstall.
  5. Confirm that you want to Uninstall the extension.

#2: Remove DNSChanger from Chrome

  1. Open Chrome.
  2. Go to the Menu in your browser.
  3. Go to Settings > Extensions.
  4. Pick the extension that you don't recognize to delete.
  5. Click Remove.
  6. Confirm that you want to remove the extension.

#3: Delete DNSChanger from Firefox

  1. Open Firefox.
  2. Go to the Menu in your browser.
  3. Go to Add-ons and themes > Extensions.
  4. Select the extension you want to remove.
  5. Click Remove.
  6. Confirm that you want to delete it.

Remove DNSChanger from system files

Once you've removed the extension from your browser, you need to search through several folders, including the Library folders, to ensure DNSChanger isn't hiding anywhere else.

You should be able to identify applications you aren't familiar with and files related to them in several folders. To find them, open Finder > Go > Go to Folder and paste each of the following paths one at a time, pressing Return after each of them:

  /Applications/
  /Library/Application Support/
  ~/Library/Application Support/
  /Library/Internet Plug-Ins/
  ~/Library/Internet Plug-Ins/
  /Library/LaunchAgents/
  ~/Library/LaunchAgents/
  /Library/ScriptingAdditions/

It is also worth resetting your browser settings and ensuring that the default search engine is restored to what it was before this unwanted adware and any of its companions took over.

If all of that sounds like too much work, or if you aren't confident that DNSChanger has gone, there is another, quicker way to make your Mac safe.

Remove DNSChanger with CleanMyMac

If you don't want to go through the trouble of manual removal, here is how you can remove DNSChanger quickly and safely. It involves CleanMyMac X, a tool that recently got a "Product of the Month" award on ProductHunt. This antivirus/cleaner is notarized by Apple, which means it's a safe pick for your Mac.

  1. Download CleanMyMac X (for free).
  2. Click on the Malware Removal tab.
  3. Click Scan to scan for DNSChanger and any other infection.
  4. Click Remove, and they will vanish for good.

Additionally, go to the Maintenance tab and select Flush DNS cache. This should delete the remains of DNSChanger from your network settings.

Using this program, you can also clear out junk files and folders that you don't need, along with dozens of duplicates and backups that aren't needed anymore.


DNSChanger was one of those rare Mac infections that spread around the world and impacted millions of people. It took an international law enforcement effort to resolve the problem. Keeping your Mac clean of infections with regular scans is the most effective way to detect issues when they occur, then resolve them quickly with a malware removal tool.
