
Am I Infected DNS Changer?




The best way to determine if your computer or SOHO router has been affected by DNSChanger is to have them evaluated by a computer professional. However, the following steps can help you gather information before consulting a computer professional.

To determine if a computer is using rogue DNS servers, it is necessary to check the DNS server settings on the computer. If the computer is connected to a wireless access point or router, the settings on those devices should be checked as well.


Checking the Computer:

If you are using a Windows computer, open a command prompt. This can be done by selecting Run from the Start Menu and entering cmd.exe or starting the command prompt application, typically located in the Accessories folder within Programs on your Start Menu, as shown below:

XP Command Line Start

At the command prompt, enter:

ipconfig /all

Look for the entry that reads “DNS Servers……….”

The numbers on this line and the line(s) below it are the IP addresses for your DNS servers. These numbers are in the format of nnn.nnn.nnn.nnn, where nnn is a number in the range of 0 to 255. Make note of the IP addresses for the DNS servers and compare them to the table of known rogue DNS servers listed later in this document. If the IP addresses of your DNS server appear in the table below, then the computer is using rogue DNS.

You can also look for your DNS servers without using the command prompt.
For Windows XP machines, click on Start and select My Network Places. Then select Network Connections. In this example, the wireless connection is used.

XP Network connection

Click on the connection that is active. This will bring up the Network Connection Status screen. Click on Support and then Details. Check for the values that correspond to the DNS servers.

XP Wireless DNS

If you are using an Apple computer, click on the Apple in the top left corner and choose System Preferences. Then, from the Apple System Preferences window, choose Network.


Apple Start Search

The Apple Network pane will show a number of possible connections on the left side. Choose the one that is active for you and click on the Advanced button in the right lower corner. Then choose DNS from the options to show the DNS servers you are using.

Apple Network DNS

Check whether any of your computer's DNS servers fall within the number ranges listed below.

Rogue DNS Servers
If your computer is configured to use one or more of the rogue DNS servers, it may be infected with DNSChanger malware.
Home computers with high-speed Internet connections and office computers typically obtain their IP settings via DHCP from a device on the network. In these cases, the computers are provided with an IP address, default gateway, and DNS server settings. The IP addresses usually fall into one of three ranges of private addresses—192.168.0.0 to 192.168.255.255; 172.16.0.0 to 172.31.255.255; and 10.0.0.0 to 10.255.255.255. In most homes, computers are assigned an IP address in the range 192.168.1.2 to 192.168.1.254, and the default gateway and DNS servers are set to 192.168.1.1. To determine if your computer is utilizing the rogue DNS servers, read the next section, Checking the Router.
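The comparison described above can be scripted. The Python below is an added example, not part of the FBI guidance or the original post: it extracts the DNS server addresses from saved `ipconfig /all` output and flags each one as matching the rogue table, pointing at a private address (so the router must be checked), or neither. The rogue ranges are placeholder documentation networks because the table is not reproduced here, and the sample output and function names are constructed for illustration.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation networks), not the real list:
# replace them with the ranges from the rogue DNS servers table.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# The three private ranges named in the text above.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.23
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            192.168.1.1
        Lease Obtained. . . . . . . . . . : (constructed)
"""

def dns_servers(ipconfig_text):
    """Return every address on a "DNS Servers" line and the lines below it."""
    servers, in_list = [], False
    for line in ipconfig_text.splitlines():
        label = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if not label and not in_list:
            continue
        candidate = label.group(1) if label else line.strip()
        try:
            servers.append(ipaddress.ip_address(candidate))
            in_list = True
        except ValueError:
            in_list = False  # blank line or next labelled field ends the list
    return servers

def classify(addr):
    if any(addr in net for net in ROGUE_RANGES):
        return "ROGUE"          # matches the table: computer uses rogue DNS
    if any(addr in net for net in PRIVATE_RANGES):
        return "CHECK_ROUTER"   # DNS is handed out locally; inspect the router
    return "NOT_LISTED"

def audit(ipconfig_text):
    return [(str(a), classify(a)) for a in dns_servers(ipconfig_text)]

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE_IPCONFIG):
        print(f"{server:15}  {verdict}")
```

A CHECK_ROUTER result is not a clean bill of health: it means the answer lies in the router's own DNS settings, as described in the next section.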


If you are unable to locate your DNS server settings, obtain assistance from the Help program bundled with your operating system, reputable online sources, or a trusted professional.

Checking the Router

Small office/home office routers connect your network of computers and devices to your Internet service provider. The SOHO router may have been purchased and installed by you or installed by your ISP. Linksys, D-Link, Netgear, and Cisco are common SOHO router brands, but there are many others.
The DNSChanger malware is capable of changing the DNS server settings within SOHO routers that have the default username and password provided by the manufacturer. If you did not change the default password at the time the SOHO router was installed, you must check the SOHO router settings.
The procedure to access your SOHO router setting varies by manufacturer, so consult your product documentation. Once you have access to the SOHO router configuration, compare the DNS servers listed to those in the rogue DNS servers table above. If your SOHO router is configured to use one or more of the rogue DNS servers, a computer on your network may be infected with DNSChanger malware.


What Should I Do?

In addition to directing your computer to utilize rogue DNS servers, the DNSChanger malware may have prevented your computer from obtaining operating system and anti-malware updates, both critical to protecting your computer from online threats. This behavior increases the likelihood of your computer being infected by additional malware. The criminals who conspired to infect computers with this malware utilized various methods to spread the infections. At this time, there is no single patch or fix that can be downloaded and installed to remove this malware. Individuals who believe their computer may be infected should consult a computer professional.
Individuals who do not have a recent back-up of their important documents, photos, music, and other files should complete a back-up before attempting to clean the malware or utilize the restore procedures that may have been packaged with your computer.
Information regarding malicious software removal can be found at the website of the United States Computer Emergency Readiness Team: https://www.us-cert.gov/reading_room/trojan-recovery.pdf.

Source :



What Does DNSChanger Do to My Computer?




DNSChanger malware causes a computer to use rogue DNS servers in one of two ways.
First, it changes the computer’s DNS server settings to replace the ISP’s good DNS servers with rogue DNS servers operated by the criminal.
Second, it attempts to access devices on the victim’s small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g., a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP’s good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.

Source : http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

DNS Changer Check-Up



To find out whether your computer is infected by DNS Changer malware, you can use an antivirus product that has a feature for removing DNS Changer (DNS Changer Removal). In addition, you can also check online through:


DNS-Check in 3 Steps

This wizard guides you step by step through the test. To perform the test you have to agree to the transmission of the data indicated below by enabling the checkbox. In the second step, we check both dns-ok.de and a database operated by us with the DNS data provided by FBI. On the result page you'll be shown if there is a likely manipulation of your DNS settings and in that case additionally a link with further instructions for your operating system.


DNS Changer Check-Up

DNS Resolution = GREEN 

Your computer appears to be looking up IP addresses correctly!

Had your computer been infected with DNS changer malware you would have seen a red background.  Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected. For additional information regarding the DNS changer malware, please visit the FBI's website at:
http://www.fbi.gov/news/stories/2011/november/malware_110911

Learn How DNSChanger Malware Infect Our Computer


The following is the official explanation from the FBI regarding


DNS (Domain Name System) is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as www.fbi.gov, in your web browser's address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses that IP address to locate and connect to the website. These DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration. DNS and DNS servers are a critical component of your computer's operating environment; without them, you would not be able to access websites, send e-mail, or use other Internet services.

Criminals have learned that if they can control a user's DNS servers, they can control which sites the user connects to on the Internet. By controlling DNS, a criminal can get an unsuspecting user to connect to a fraudulent website or can interfere with that user's online web browsing. One way criminals do this is by infecting computers with a class of malicious software (malware) called DNSChanger. In this scenario, the criminal uses the malware to change the user's DNS server settings, replacing the ISP's good DNS servers with bad DNS servers operated by the criminal. A bad DNS server operated by a criminal is referred to as a rogue DNS server.

The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also making an effort to identify and notify victims who have been affected by the DNSChanger malware. One consequence of disabling the rogue DNS network is that victims who rely on the rogue DNS network for DNS service could lose access to DNS services. To address this, the FBI has worked with private-sector technical experts to develop a plan for a private-sector, non-government entity to operate and maintain clean DNS servers for the infected victims. The FBI has also provided information to ISPs that can be used to redirect their users from the rogue DNS servers to the ISPs' own legitimate servers. The FBI will support the operation of the clean DNS servers for four months, allowing time for users, businesses, and other entities to identify and fix infected computers. At no time will the FBI have access to data concerning the Internet activity of the victims.

It is quite possible that computers infected with this malware are also infected with other malware. The establishment of the clean DNS servers does not guarantee that the computers are safe from other malware. The main purpose is to ensure that users do not lose DNS services.