DNS Changer Removal Guide

Federal authorities recently arrested six Estonians who were running a virus called DNS Changer. Almost half a million computers are still infected worldwide, so it’s recommended that you check whether your computer has been affected. Infected computers are redirected to Rove Digital domain name servers in the U.S. and Europe, which were used to change user searches, redirect to malicious websites, replace advertisements, block anti-virus/anti-spyware software and recommend fake security products.

Although the FBI has taken over control of these DNS servers and they now return legitimate DNS answers, it’s still highly recommended not to use them. The main reason is that the FBI will most likely discontinue this service on the 8th of March 2012. Keeping your computer infected will still block many anti-virus programs and websites, and it will hide your security updates, so it’s very important to clean your PC of the DNS Changer virus. This virus commonly comes along with other malicious Trojans, such as Trojan.Fakealert, Trojan.DNSChanger, and Trojan.Generic. There’s no need to call a repair technician or wait for FBI help; you can clean your computer yourself. Just follow the steps below:

Check if your computer is infected

There are several pages you can visit to check online whether your computer is infected. The first one is hosted on the FBI website:
https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS
You will have to enter your DNS nameserver address. If you see this message, your computer might be infected:
“Your IP corresponds to a known rogue DNS server, and your computer may be infected. Please consult a computer professional.”

There are other web pages you can visit:
dns-ok.us
dns-ok.fi (Finland)
dns-ok.de (Germany)

If you see a RED sign, your computer is probably infected.
A GREEN sign means your computer seems to be looking up IP addresses correctly.

The third way is to check it manually. If your DNS server address falls within one of the ranges in this table, your computer is most likely infected:

IP range from…      …To
77.67.83.1          77.67.83.254
85.255.112.1        85.255.127.254
67.210.0.1          67.210.15.254
93.188.160.1        93.188.167.254
213.109.64.1        213.109.79.254
64.28.176.1         64.28.191.254

There’s a helpful PDF that explains how to tell if your computer has the wrong DNS servers. Download it here – http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

You can also check your router configuration. Confirm your DNS servers and correct them if they fall within the ranges in the table above. If you find one or several of these rogue DNS servers in your router’s configuration, the DNS Changer virus might have infected your computer. Reset your router to factory settings and change your passwords.

Restoring DNS settings to factory default

Guide for Microsoft Windows XP for disabling DNS Changer’s servers:
Click Start → Control Panel → Network Connections and select your local network.
Right-click Properties, then select Internet Protocol (TCP/IP).
Right-click and select Properties.
Click Properties and select Obtain DNS server address automatically. Then click OK to save the changes.
You’re done! DNS Changer’s servers are disabled.

Guide for Microsoft Windows 7 for disabling DNS Changer’s servers:
Go to Control Panel.
Click Network and Internet, then Network and Sharing Center, and click Change adapter settings.
Right-click Local Area Connection, and click Properties.
Select the Networking tab. Select Internet Protocol Version 4 (TCP/IPv4) or Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
Click Advanced and select the DNS tab. Select Obtain DNS server address automatically and click OK to save the changes.
You’re done! DNS Changer’s servers are disabled.

Removing the DNS Changer virus

Download and run TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe). Press the Start scan button.
Wait for the scan to finish. Select Cure and click Continue to cure the found threat. This will disable and delete the DNS Changer virus.
It might ask you to reboot. Click Reboot computer.
Download recommended anti-spyware/malware software and run a full system scan to remove DNS Changer from your PC.


  • K Buchmann

    The FBI step-by-step looks like it is for XP version. For the average computer user, the steps need to be specific to the version of OS. When I click on Start, there is no RUN and all the other screen shots therefore are not helpful. That’s why I searched and hit your site. So I followed your Guide for Windows 7 but some of the steps don’t follow either. There is no “Network and Internet” with the Control Panel but there is a “Network and Sharing Center” so skipped to that. Where it says select the networking tab, that’s the only tab I have. The “Select Obtain DNS server address automatically” choice is in Properties, and NOT in the Advanced and DNS area. My computer was already configured this way. Thanks for the info…I was able to figure out how to view everything. These things are never very simple for simple minds out there.

  • Loren Barrett

    “there is no RUN” is because it has not been added to the start menu by default. Basic instructions to improve Windows are available if one wants to learn. It is true that various versions of Windows function differently, making it almost impossible to write instructions for all cases. What is not mentioned is that Malwarebytes is free and does the job. I run AVG free, Malwarebytes and ASC5 and have no problems.
