Adversarial examples, which induce false recognition of CNN by adding a small perturbation to the input, are important security issues. As a countermeasure against such attacks, there is a study on removing perturbation using denoising autoencoder (DAE). However, in a white box attack scenario, it is known that adversarial examples can be generated by cascaded DAE-CNN. In this paper, we evaluate two types of DAEs with the MNIST dataset; one is an AdvDAE which is trained by adversarial examples from the CNN model, and the other is a GaussDAE which is trained by Gaussian noise superimposed images. Our experimental result shows that the AdvDAE is superior in removing perturbation of adversarial examples from the CNN model. On the other hand, when the adversarial examples generated against DAE-CNN, the GaussDAE required a large perturbation that could be easily detected by the human eye.