How to restore proper DNS Server settings altered by DNSChanger
July 8, 2012
On March 6, 2012, I wrote an article explaining the extended cutoff date of July 9, 2012, for computers that were infected with the "DNSChanger" malware during 2011. That date arrives tomorrow! Are you sure that your computers and routers are not still using the temporary DNS servers that are about to be disconnected? If they are, your DNS Server settings are pointing to a court-ordered interim server that will be switched off sometime on July 9, 2012.
I am posting this because there are still about 270,000 unique IP addresses using the DNS Server IP addresses that the DNSChanger malware planted in infected computers and routers. They are all being routed to the temporary DNS servers arranged under a court order obtained by the US FBI after it took down the servers used by Rove Digital, a criminal enterprise based in Estonia, and had the people involved arrested. The statistic on infected IP addresses is compiled by the DNS Changer Working Group (DCWG) from the access logs of the temporary DNS servers.
The DCWG website also supplies links to websites around the world where people can test their computers and routers, in their own languages, for evidence of the DNSChanger infection. It also has a page listing numerous free, legitimate online security scanners and downloadable security software to identify and remove the DNSChanger malware.
The first thing anybody reading this should do is verify that their own computers and routers are not infected. You can do this by visiting this page at the DCWG. If the result is green, your connection is not using the so-called "Rogue DNS Servers" set up by the Rove Digital crime gang in Estonia. But if you see RED, either your computer is still infected, or it has been disinfected but not had its proper DNS Server settings restored, or your router has been altered by the malware and needs to be changed to use the DNS servers belonging to your ISP or some other preferred DNS provider (e.g. OpenDNS, which I use).
What can I do if the test at DCWG says I am infected?
If you see red at the test site, your PC may be infected with the DNSChanger malware. This suggests that you are not running an up-to-date anti-virus program with current definitions. Virtually every legitimate security vendor has shipped definitions that detect this malware since late 2011, so the program you are using has apparently let you down. Have your computer scanned for this and other malware using a current version of a legitimate anti-virus and anti-malware program, with current malware definitions.
Your first thought might be to go straight to one of the known security websites that offer a free online scan and downloadable repair software. That would be prudent, except that on July 9, 2012, if your PC is still pointed at the DNSChanger servers, you are going to lose the ability to browse to websites! This happens because the malware altered the DNS Server settings in your computer's network adapter settings and/or in your router, if you use one.
You have to restore normal DNS Server settings to your computers and possibly your router, in order to use the Internet after the temporary DNS Servers are disconnected on July 9, 2012.
How to reset normal DNS Server settings in a Windows computer.
These instructions either require you to operate from an Administrator level account (Windows XP), or use the Windows Vista or Windows 7 User Account Control box to elevate your privileges to perform administrative tasks.
A list of hostile IP address ranges belonging to the DNSChanger malware is shown at the end of this article. If your computer or router is set to use any IP within those ranges, it must be changed ASAP.
What to look for in Control Panel:
To restore your computer's DNS Server settings, click on the Start button or orb, then on (Settings) Control Panel. In Control Panel, locate the Networking icon, which may be labeled "Network Connections" (in XP), "Networking," "Network and Internet," or "Network and Sharing Center." Click (or double-click) on that link or icon to open your network connections details. Look for a link or button that contains the words "Adapter" or "(Change) Adapter settings," or that shows icons for each installed network connection (e.g. Local Area Connection, Wireless Network Connection), and proceed as follows, based on your operating system or the options displayed.
For Windows XP:
In Windows XP, for each network adapter (wired and wireless), right-click on its icon or link, move your pointer down the list of options and (left) click on Properties. This opens the networking protocols page for that adapter. Look in the list of protocols for "Internet Protocol (TCP/IP)" and double-click to open its properties sheet. There are two sections, each with two radio options. Unless you are part of a business network that requires specific IP addresses (contact your tech support or network administrator before making these changes), there should not be any numeric IPs in either section. If there are, and any of them fall within a range shown in the list below, change the radio option in the upper section to "Obtain an IP address automatically" and, in the lower section, to "Obtain DNS server address automatically." If you see a tab for "Alternate Configuration," click on it and make sure that "Automatic private IP address" is selected; if it isn't, click that option to change it. Click OK twice, then move on to any other adapter's properties and do the same, making changes if necessary.
For Windows 7 (and Vista):
In Windows 7 you need to drill down through various Networking options until you find the advanced settings and TCP/IP properties for the network adapter (or adapters) you use to connect to a router and/or a modem, which may include both hard-wired and wireless hardware. Assume that, if the PC was infected, every onboard network adapter has been altered, including any used by a dial-up modem, if you have one.
On my Windows 7 PC, the path is as follows from Control Panel:
- Click on the "Network and Internet" icon
- Click on the "Network And Sharing Center" link
- In the left side pane, click on the link labeled "Change adapter settings"
- If you only have a hard-wired adapter, "Local Area Connection" will be the only icon; double-click on it. If you also have a Wireless Network Connection, repeat these steps for it afterwards.
- A (Local Area) connection "Status" box opens with some details and buttons.
- Click on the "Properties" button. A UAC prompt opens. If you are logged in as an administrator, click "Yes" to allow the change; if you are using a standard account, it asks for an administrator password, so type it in (I hope you have one set!).
- The connection's Properties box now opens. Find "Internet Protocol Version 4 (TCP/IPv4)" and double-click on it.
- Follow the same instructions as given to XP users to ensure that you obtain IP and DNS server addresses automatically, unless you are part of a business network. If you are, consult the list below to see if the IP addresses in your TCP/IP settings are within any of the ranges shown in the DNSChanger list. If they are, you need to change them immediately: either set them to obtain addresses automatically, or contact your network specialist to get the correct IPs for the business network you are part of.
- Click OK three times, then close the Control Panel and networking windows
Next, open an elevated Command Prompt. On Windows XP, go to Start > Run, type CMD into the input field and press Enter. On Windows Vista and 7, click Start, type CMD into the search box, right-click "Command Prompt" in the results and choose "Run as administrator" (from a normal prompt, IPCONFIG /RELEASE, /RENEW and /FLUSHDNS fail with "The requested operation requires elevation"). When the command window opens, type these commands in sequence, pressing the ENTER key after each one and noting the results shown on screen:
- IPCONFIG /RELEASE
- IPCONFIG /FLUSHDNS
- IPCONFIG /RENEW
- IPCONFIG /ALL
After releasing the IP, flushing the DNS cache and renewing the IP address, the output of IPCONFIG /ALL should no longer show any of the hostile IP addresses under "DNS Servers" near the bottom of each adapter's readout. It should show addresses belonging to your ISP (or to your chosen DNS provider), or the LAN address of your router if the router hands out its own address as the DNS server. Verify this by browsing to the DCWG Detection page.
If it is still red, check the IPCONFIG /ALL results again to ensure that the computer is properly set. If it is, the router was probably modified by the DNSChanger malware and will need to have its DNS Server settings changed as well; a PC whose only DNS server is the router's own address can look clean while the router forwards every lookup to the rogue servers, which is why the detector page, not IPCONFIG, is the final word. Log into the router's administration web interface, find the page with the input fields and options for obtaining IP and DNS server addresses, change them back to obtain those addresses automatically, and save the changes. Then check the detector web page again. If it now shows green, it's time to secure the router with a very strong password, disable remote administration, then thoroughly disinfect all of your computers that have acquired this or any other malware. I use Trend Micro Internet Security to keep my computers and laptops secure.
List of IP address ranges used by DNSChanger malware
If you find that your router or computers have a DNS Server setting within any of these ranges, it is pointing to the DNSChanger servers that are set to be disconnected on July 9, 2012.
- 85.255.112.0 through 85.255.127.255 (85.255.112.0/20)
- 67.210.0.0 through 67.210.15.255 (67.210.0.0/20)
- 93.188.160.0 through 93.188.167.255 (93.188.160.0/21)
- 77.67.83.0 through 77.67.83.255 (77.67.83.0/24)
- 213.109.64.0 through 213.109.79.255 (213.109.64.0/20)
- 64.28.176.0 through 64.28.191.255 (64.28.176.0/20)
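Reading the DNS Servers lines out of IPCONFIG /ALL and comparing each one by hand against six ranges is error-prone, especially across several adapters. The script below is an added example, not part of the original article: it uses the six ranges above to audit every IP-enabled adapter on the PC through WMI and, with the -Fix switch, performs the same reset as choosing "Obtain DNS server address automatically" in the TCP/IPv4 properties. The file name Check-DnsChanger.ps1 and the function names are my own choices; it only uses WMI so that it runs on the PowerShell 2.0 that ships with Windows 7, and it needs an elevated ("Run as administrator") PowerShell prompt, just as the IPCONFIG commands do.

```powershell
# Check-DnsChanger.ps1  (added example; not part of the original article)
# Audits every IP-enabled network adapter on this Windows PC for DNS servers
# inside the DNSChanger ranges listed above and, with -Fix, reverts affected
# adapters to DHCP-assigned DNS (the same result as choosing "Obtain DNS
# server address automatically" in the adapter's TCP/IPv4 properties).
# Uses only WMI, so it runs on the PowerShell 2.0 shipped with Windows 7.
# Run from an elevated ("Run as administrator") PowerShell prompt:
#   .\Check-DnsChanger.ps1        # report only
#   .\Check-DnsChanger.ps1 -Fix   # report and reset affected adapters
param([switch]$Fix)

# The six ranges from the list above, in CIDR notation.
$RogueRanges = @(
    '85.255.112.0/20',   # 85.255.112.0  - 85.255.127.255
    '67.210.0.0/20',     # 67.210.0.0    - 67.210.15.255
    '93.188.160.0/21',   # 93.188.160.0  - 93.188.167.255
    '77.67.83.0/24',     # 77.67.83.0    - 77.67.83.255
    '213.109.64.0/20',   # 213.109.64.0  - 213.109.79.255
    '64.28.176.0/20'     # 64.28.176.0   - 64.28.191.255
)

# Dotted-quad IPv4 string -> integer. Int64 arithmetic avoids PowerShell 2.0's
# lack of shift operators and any unsigned-overflow surprises.
function ConvertTo-IpInt64 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}

# True when $Ip falls inside the $Cidr block (IPv4 only).
function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-IpInt64 $Ip) -band $mask) -eq ((ConvertTo-IpInt64 $net) -band $mask)
}

$hits = 0
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True") {
    # DNSServerSearchOrder lists the servers actually in use, whether the malware
    # typed them in or a DHCP server (usually the router) handed them out.
    foreach ($dns in @($nic.DNSServerSearchOrder)) {
        $parsed = $null
        if (-not $dns -or -not [System.Net.IPAddress]::TryParse($dns, [ref]$parsed)) { continue }
        if ($parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }  # skip IPv6
        foreach ($cidr in $RogueRanges) {
            if (-not (Test-IpInCidr $dns $cidr)) { continue }
            $hits++
            Write-Warning ("{0}: DNS server {1} is inside DNSChanger range {2}" -f $nic.Description, $dns, $cidr)
            if ($Fix) {
                # Calling SetDNSServerSearchOrder with no list clears the static
                # entries, so the adapter takes its DNS servers from DHCP again.
                $r = $nic.SetDNSServerSearchOrder()
                "  -> SetDNSServerSearchOrder() returned {0} (0 = success, 1 = reboot required)" -f $r.ReturnValue
            }
            break   # one warning per server is enough
        }
    }
}
if ($hits -eq 0) { "No adapter on this PC is using a DNSChanger DNS server." }
else { "Rogue DNS entries found: {0}. Re-run IPCONFIG /ALL and the DCWG test; if the addresses came from DHCP, fix the router too." -f $hits }
```

Two caveats. The script only inspects and resets the PC's own adapter settings; if the rogue addresses were handed out by DHCP, the router is the one that needs fixing, and the DCWG page is still the final check. And for anyone who prefers plain cmd.exe, the equivalent of -Fix for a single adapter is `netsh interface ip set dns name="Local Area Connection" source=dhcp`, followed by the IPCONFIG commands above.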
If you are reading this from an infected system before the interim servers are disconnected, save this article to your computer or print it out as a reference for after you lose the ability to surf the Web.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.