Avira DNS Repair Resolves Manipulations By DNSChanger

Martin Brinkmann
Jan 23, 2012
Updated • Jan 24, 2012
Antivirus, Security, Software, Windows

The FBI back in November managed to close down a botnet that was created with the help of a malware called DNSChanger. In operation since 2007 it grew to a size of nearly 4 million infected computer systems of which about 500,000 were located in the United States. The operators manipulated the DNS system of local computer systems to redirect users to other web pages or to replace page elements such as advertisement with their own.

The configured DNS server basically tells the web browser where to look for when a web address such as www.ghacks.net is entered into the browser's address bar. If that lookup is manipulated part or all of the page elements of the website can be replaced by the operators of the rogue DNS server.

The FBI back then replaced the DNS servers that the cyber criminals used with working servers to avoid interruption of service for users affected by the DNS server change.

These DNS servers will however be shut down on March 8th, 2012. Affected users from that day on may not be able to connect to Internet addresses anymore until they replace the DNS server with working ones.

Security company Avira, famous for their antivirus solution, has released the Avira DNS Repair-tool.

You can run the portable program on your system to see if your computer's DNS server has been manipulated by DNSChanger.

avira dns repair

The program will reset the DNS servers to Windows default values if it finds out that they have been manipulated by the malware.

It is alternatively possible to check for manipulation manually.

Use the shortcut Windows-r to bring up the run box. Enter cmd in there and tap on the enter key to open the command prompt. Now run the command ipconfig /all and locate the DNS Servers entry. Compare what you see there with the list of rogue DNS servers below

  • -
  • -
  • -
  • -
  • -
  • -

dns server

If your DNS server IPs differ from the ones above then congratulations, you are not infected. You otherwise need to change the DNS server. While you could do that manually, you may prefer to use a program for that. You can use the Avira tool to reset the DNS Server, or a program like DNS Jumper to select a public DNS server instead.

You can download the Avira DNS Repair-Tool from the official Avira website


Tutorials & Tips

Previous Post: «
Next Post: «


  1. rover3500 said on January 25, 2012 at 6:53 am

    I really really hate ask,they are so sneaky trying to decieve their way onto peoples computers.I have thousands of (legit) software,and the amount of times ask has positioned their install so it’s easy to miss is very suspicious to me,I always get rid of any trace of it 1st chance I get(I’m a toolbar hater anyway I’m afraid,but ask in particular).Sorry not the subject but I had to get out of my system after reading.They don’t even deserve a capital a at the beginning of thier name.

  2. Todd said on January 24, 2012 at 9:10 pm

    Cool, thanks Martin! I always find the best info/utilities here. =)

  3. Pietzki said on January 24, 2012 at 5:05 pm

    DanTe, this happened around June 2011. I noticed that the usual pop-up asked me to upgrade to a new version including avira “webguard” (which is essentially the ask toolbar with an added ‘safe search’ feature). You can decline this, but if you download and install from scratch now, it will have “install webguard including ask toolbar” (recommended) *pre-checked*, which I find unacceptable…

    bogdan I had links in my reply and I guess martin has rules in place that linked posts have to be approved, so you’ll have to wait I guess (that is, if you’re even interested in debate – sounds to me like you just want to feel smugly superior)…

    For your knowledge, the ask toolbar is not that easy to remove. Use google, it’s your friend. If you don’t want to google, visit any forum that evaluates hijackthis logs. Read. Learn. Then write.

  4. Pietzki said on January 24, 2012 at 4:58 pm

    gaaah why are my posts not showing?! Martin, do you have some weird modding rules in place? Usually my comments come through straight away..

    1. Martin Brinkmann said on January 24, 2012 at 6:00 pm

      you should now see your comment, let me know if there is another one missing.

  5. Pietzki said on January 24, 2012 at 4:56 pm


    yeah bogdan, a smug attitude is always a great debating tool ;)

    Now – either you didn’t read my post, or you can’t comprehend the difference between the concepts of “performance” (the ability to detect and remove a large percentage of malware samples) and “integrity” (adherence to moral and ethical principles; soundness of moral character; honesty)
    or reputability.

    Don’t get me wrong, I’m fully aware that Avira has been a (if not *the*) top performer on most virus bulletin, and more importantly, on av-test.org reviews of antivirus products. And that’s exactly the reason why I have used Avira personal on several systems for over four years (and the paid version on my own two systems).

    However, ask.com has more than a dubious history, and most pc security experts consider it to be (at least bordering on) adware or spyware. If your memory needs jogging, gHacks itself had an article warning users of this development. That’s why I have stopped using Avira and strongly recommend anybody else to do the same. I don’t expect you to believe me at face value, so either google it for yourself or look at these links:

    (Web of Trust): http://www.mywot.com/en/scorecard/toolbar.ask.com
    (Wikipedia): http://en.wikipedia.org/wiki/Ask.com#Ask_Toolbar_browser_add-on_controversy
    (gHacks): https://www.ghacks.net/2011/06/29/beware-avira-partners-with-ask-and-uniblue/
    (Ben Edelman): http://www.benedelman.org/spyware/ask-toolbars/
    (gHacks): https://www.ghacks.net/2011/03/04/ask-toolbar-removal-how-to-uninstall/
    (Freeware Guide): http://www.freeware-guide.com/html/adwarelist.html
    (Security Garden): http://securitygarden.blogspot.com/2011/06/avira-antivir-adds-ask-toolbar-and.html
    (Tech Support Alert Forum Thread): http://www.techsupportalert.com/freeware-forum/security/7448-avira-antivir-tries-to-enforce-ask-toolbar.html
    (Computer Help Forums): http://computerhelpforums.net/topic/38275-avira-has-partnered-with-uniblue-and-ask-toolbar/

    If you type into google “ask toolbar”, the first suggestion is “ask toolbar removal” – always a great first indicator of a quality product, isn’t it?

    Now, as I said I used to be a very loyal customer of Avira myself. And back then, I would’ve reacted exactly as you just did (albeit maybe a little less belligerently). But a company which used to detect the ask toolbar under its PUP category (potentially unwanted program), and then *partners* with it, and not only removes it from its definitions database, but also *actively promotes* it, has absolutely zero credibility as a pc security vendor in my opinion. And this is completely disregarding the fact that Avira also promotes uniblue products in a scareware fashion! (google it)

    So hopefully now you understand why I have lost all respect for Avira. The aim of sites like virus bulletin and av-test.org is to test the detection and removal rates of malware by different programs – NOT to tell you whether a program vendor is corruptible or not. On the former, Avira has and still does score extremely well. On the latter, they have failed miserably. Their partnership with ask and uniblue has proven that you can buy yourself off their definitions list and even be promoted by them. It’s a massive shame – I really wish I could’ve stayed with avira.

    There is a difference between gaining high scores on malware detection/removal tests and being an honest, reputable company.
    There is a difference between between “performance” and “integrity”.


  6. DanTe said on January 24, 2012 at 4:04 pm

    Something is amiss. I didn’t have to install any toolbars to run Avira. When did this happen?

    As to these folks who might not be able to get on to the Internet after the Fed stops being nice: Maybe they should be off the Internet. They’re part of the hacking problem.

  7. bogdan said on January 24, 2012 at 8:16 am

    Yes, right .. And we will take into account your opinion dis-regarding that poor researchers at vbulletin. Thank you for your opinion .. but keep it for yourself.

    for your knowledge .. install the ask toolbar and then disable it from firefox. voila!

  8. Pietzki said on January 24, 2012 at 4:49 am

    hmmm, too bad that Avira has lost all credibility since the ask toolbar bundle… I wouldn’t even bother posting about them any more; in my opinion they’re not a reputable security company.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.