Tuesday 7 February 2012

How to Remove DNS Changer (Uninstall Guide)

If you haven't already, we recommend that you take a few minutes to determine if your computer has been affected by the DNS Changer virus. There are still nearly half a million computers infected by this malicious software or at least using the Rove Digital domain name servers in Europe and the U.S. This DNS infrastructure was formerly used by botnet czars to redirect unsuspecting victims to infected websites, alter user searches, replace ads, block legit anti-virus software and promote fake security products. Cyber crooks earned millions of dollars by displaying false advertisements and redirecting users to the wrong websites.

The FBI arrested six Estonians who ran the botnet that infected millions of computers worldwide, and took over control of the rogue DNS servers. The servers now produce correct DNS answers, but only until March 8th, 2012. Update: the DNS servers will be shut down on Monday, July 9. That's official. The FBI will stop providing this service. Then what? Infected computers will no longer be able to look up names using those name servers. In other words, users who are still affected by this DNS Changer malware won't find anything on the internet. When that happens, Internet Explorer, for example, will say something like "Internet Explorer cannot display the webpage", "No such server", etc.



While there's a slight chance that the FBI will continue to provide this service, I don't think that keeping your computer infected is a good idea. Not only does the DNS Changer virus cause a computer to use rogue DNS servers, it also disables security updates and blocks anti-virus software and websites. It can also change the DNS settings within small (home) office routers. As you can see, it's a rather sophisticated piece of malicious code that very often comes with additional payloads (Trojan.DNSChanger, Trojan.Fakealert, Trojan.Generic). It is thus very important to remove the DNS Changer virus. And it isn't only the job of the FBI and PC repair technicians. You have to take responsibility for your own security as well. Good luck and be safe online!


So, are you infected?

1. You can check your DNS settings by simply visiting one of the following websites:
RED = your computer is using the DNS Changer rogue name servers and is therefore probably infected.


GREEN = your computer appears to be looking up IP addresses correctly.



2. Visit the FBI's website and enter your IP address: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

If your computer is infected, you'll see the following notification.



3. Check your DNS settings manually. If your computer's DNS settings use addresses in the following ranges, then you have likely been affected by the DNS Changer virus.

Between this IP...    ... and this IP
77.67.83.1            77.67.83.254
85.255.112.1          85.255.127.254
67.210.0.1            67.210.15.254
93.188.160.1          93.188.167.254
213.109.64.1          213.109.79.254
64.28.176.1           64.28.191.254

Here's a very helpful document that explains how to check your DNS settings to see whether you are using bad DNS servers. Please see DNS-changer-malware.pdf

4. Check your router. Compare the DNS servers listed to those in the rogue DNS servers table above. If your router is configured to use one or more of the rogue DNS servers, your computer may be infected with DNSChanger malware. Please reset your router to default factory settings and change passwords.
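Steps 3 and 4 both come down to comparing DNS server addresses against the table of rogue ranges. The Python script below is an added example, not part of the original guide: it checks addresses, taken from `ipconfig /all` output or typed in from a router's settings page, against the six ranges. The function names and the sample output are constructed for illustration, and the parser assumes the English `ipconfig /all` layout.

```python
import ipaddress
import re

# Rogue ranges copied from the table in step 3 (first address, last address).
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"), ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"), ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"), ("64.28.176.1", "64.28.191.254"),
]
_BOUNDS = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in ROGUE_RANGES]

# Labelled ipconfig line, e.g. "   DNS Servers . . . . : 10.0.0.1" (assumed English layout).
_LABEL = re.compile(r"^\s*([A-Za-z][^:]*?)[ .]+:\s?(.*)$")

def is_rogue(addr):
    """True if addr is an IPv4 address inside one of the listed ranges."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ipaddress.AddressValueError:
        return False  # IPv6 or malformed text: the table lists IPv4 only
    return any(lo <= ip <= hi for lo, hi in _BOUNDS)

def dns_servers(ipconfig_text):
    """Collect DNS server values, including indented continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        m = _LABEL.match(line)
        if m:
            in_dns = m.group(1) == "DNS Servers"
            value = m.group(2).strip()
        else:
            value = line.strip()  # continuation line holds a bare address
            in_dns = in_dns and bool(value)  # a blank line ends the block
        if in_dns and value:
            servers.append(value)
    return servers

def rogue_dns_servers(ipconfig_text):
    return [s for s in dns_servers(ipconfig_text) if is_rogue(s)]

# Constructed sample in the `ipconfig /all` layout (not captured output).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

print(rogue_dns_servers(SAMPLE))
```

For the router check in step 4, pass each DNS address shown on the router's settings page to `is_rogue()` directly.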


How to restore DNS settings to default?

Changing DNS server settings on Microsoft Windows XP:

1. Go to Control Panel, then Network Connections, and select your local network.
2. Right-click Properties, then select Internet Protocol (TCP/IP).
3. Right-click and select Properties.
4. Click Properties. You should now see a window like the one below.



5. Select Obtain DNS server address automatically and click OK to save the changes.

Changing DNS server settings on Microsoft Windows 7:

1. Go to Control Panel.
2. Click Network and Internet, then Network and Sharing Center, and click Change adapter settings.
3. Right-click Local Area Connection, and click Properties.
4. Select the Networking tab. Select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
5. Click Advanced and select the DNS tab. Select Obtain DNS server address automatically and click OK to save the changes.


How to remove DNS Changer malware?

1. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.

2. Wait for scanning to finish. Select Cure and click Continue to cure the found threat.



3. A reboot might be required after disinfection. Click Reboot computer.



4. Download recommended anti-malware software (direct download) and run a full system scan to remove DNS Changer malware from your computer.

That's it! If you have any questions or need extra help removing the DNSChanger virus, please leave a comment below.
