What is the DNS Changer Malware?
On November 8, 2011, the FBI, the NASA-OIG and Estonian police arrested
several cyber criminals in “Operation Ghost Click”. The criminals
operated under the company name “Rove Digital”, and distributed DNS
changing viruses, variously known as TDSS, Alureon, TidServ and TDL4
viruses.
However, let's start with the basics. What is DNS and what does it do?
DNS stands for Domain Name System. Every computer connected to the
Internet is given an IP (Internet Protocol) address, and every website
is also assigned an IP address. For instance, when you type
PCHELL.COM into your web browser, DNS looks up the IP address of that
domain and finds the corresponding web server on the Internet where the
domain is hosted. This is how the Internet is connected and how you can
find information that is located all over the world. DNS is like a
giant table of contents for the Internet.
What these DNS changing viruses do is reroute your lookup for a domain
to a server controlled by the criminals, which might serve ads, viruses,
or simply the wrong site to your web browser. So, when you type
PCHELL.COM into your web browser you might end up on google.com or any
other site the rogue DNS has rerouted your request to.
What does the DNS Changer Malware do?
The botnet operated by Rove Digital altered user DNS settings, pointing
victims to malicious DNS in data centers in Estonia, New York, and
Chicago. The malicious DNS servers would give fake, malicious answers,
altering user searches, and promoting fake and dangerous products.
Because every web search starts with DNS, the malware showed users an
altered version of the Internet.
When you try to run Windows Update you might be met with error 80244019
in Windows Vista or 7, which simply states that it cannot reach the
correct server.
Under a court order, expiring July 9, 2012, the Internet Systems
Consortium is operating replacement DNS servers for the Rove Digital
network. This will allow affected networks time to identify infected
hosts, and avoid sudden disruption of services to victim machines.
This means if your system is infected with the DNSChanger trojan, you
won't be able to access anything on the Internet after July 9, 2012
because those DNS servers will be offline.
How Do I Know if I'm Infected with the DNSChanger Trojan?
To manually check your computer for a DNSChanger infection, follow
these steps:
In Windows XP
- Click on Start, Run
- Type CMD and press Enter
- Type IPCONFIG /ALL and press Enter
- Find the line starting with DNS Servers. There should be IP addresses there. Refer to the table below to see if these addresses fall in any of the known DNSChanger ranges.
In Windows Vista
- Click on the Windows orb in the lower left of the Start bar
- Click in the Search box, type CMD and press Enter
- At the command prompt, type IPCONFIG /ALL and press Enter
- Find the line starting with DNS Servers. There should be IP addresses there. Refer to the table below to see if these addresses fall in any of the known DNSChanger ranges.
In Windows 7
- Click on the Windows orb in the lower left of the Start bar
- Click in the Search box, type CMD and press Enter
- At the command prompt, type IPCONFIG /ALL or IPCONFIG /ALLCOMPARTMENTS /ALL and press Enter
- Find the line starting with DNS Servers. There should be IP addresses there. Refer to the table below to see if these addresses fall in any of the known DNSChanger ranges.
DNSChanger Infected IPs
Starting IP    | Ending IP       | CIDR
85.255.112.0   | 85.255.127.255  | 85.255.112.0/20
67.210.0.0     | 67.210.15.255   | 67.210.0.0/20
93.188.160.0   | 93.188.167.255  | 93.188.160.0/21
77.67.83.0     | 77.67.83.255    | 77.67.83.0/24
213.109.64.0   | 213.109.79.255  | 213.109.64.0/20
64.28.176.0    | 64.28.191.255   | 64.28.176.0/20
If any of your DNS server addresses falls within the ranges in the table
above, you are infected with the DNSChanger trojan and you need to
remove it to maintain Internet connectivity after July 9, 2012.
You may also visit the following site, set up by the FBI, to check for
infections:
http://www.dcwg.org
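The manual check above is easy to get wrong by eye, because the table lists ranges rather than individual addresses. The following script is an added example, not PC Hell's own code: it parses the text of IPCONFIG /ALL (and the NameServer registry values that appear in the Malwarebytes log further down), then tests every resolver against the six CIDR ranges in the table. The ipconfig output embedded in it is a constructed sample; the two resolver addresses in it are the ones shown in the page's log.

```python
"""Check Windows DNS resolver settings against the DNSChanger ranges.

Added example for this page (not PC Hell's own code). It works on the
text of `ipconfig /all` and on Tcpip\\Parameters NameServer values, and
reports any resolver that lies in one of the published ranges.
"""
import ipaddress
import re

# The six ranges from the "DNSChanger Infected IPs" table on the page.
DNSCHANGER_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def is_dnschanger_ip(addr):
    """True if addr lies in one of the known DNSChanger resolver ranges."""
    addr = addr.split("%", 1)[0]          # drop an IPv6 zone id such as %1
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                      # not an address at all
    # An IPv6 address is never "in" an IPv4 network, so it simply fails.
    return any(ip in net for net in DNSCHANGER_RANGES)


def dns_servers_from_ipconfig(text):
    """Collect every resolver listed under 'DNS Servers' in ipconfig output.

    The first address sits on the 'DNS Servers . . . : x.x.x.x' line; any
    further addresses follow on lines that hold a single lone token.
    """
    servers = []
    collecting = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            # Split on the first colon only: the label never contains one,
            # but an IPv6 value does.
            value = line.split(":", 1)[1].strip()
            if value:
                servers.append(value)
            collecting = True
            continue
        if collecting:
            token = re.fullmatch(r"\s+(\S+)\s*", line)
            if token:
                servers.append(token.group(1))
            else:
                collecting = False        # next field or blank line ends it
    return servers


def dns_servers_from_nameserver_value(value):
    """Split a NameServer registry value; the page's log shows both
    space- and comma-separated forms."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def find_dnschanger_resolvers(servers):
    """Return the subset of resolvers that fall in a DNSChanger range."""
    return [s for s in servers if is_dnschanger_ip(s)]


# Constructed, abbreviated sample of `ipconfig /all` output. The first
# adapter uses the two resolvers shown in the page's Malwarebytes log; the
# second adapter is clean.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.116.148
                                       85.255.112.223
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
"""

if __name__ == "__main__":
    found = dns_servers_from_ipconfig(SAMPLE_IPCONFIG)
    bad = find_dnschanger_resolvers(found)
    print("resolvers in use:", ", ".join(found))
    if bad:
        print("DNSChanger resolvers present:", ", ".join(bad))
    else:
        print("no DNSChanger resolvers found")
```

On a real machine you would feed it the saved output of IPCONFIG /ALL instead of the sample, and pass each NameServer value exported from the registry through dns_servers_from_nameserver_value before checking it. Checking the registry values as well as the live configuration matters because, as the log below shows, the trojan writes its resolvers into every control set, not only the one currently in use.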
Easiest Way to Remove the DNSChanger Trojan
If the DNSChanger trojan is on your computer, chances are you are also
infected with other viruses or trojans. One of my favorite programs for
finding these problems is MalwareBytes Anti-Malware. It's a fantastic
removal program for almost any type of infection.
Download MalwareBytes Anti-Malware by clicking on the link below. Save
the file to your desktop. When the download completes, double-click on
the file and install it. Then run an update and start a full scan of
your computer.
Download MalwareBytes Anti-Malware
If you use MalwareBytes Anti-Malware to scan your computer, you'll find
information in the log file similar to the following if the DNS Changer
trojan is found.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148 85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{806586a1-a695-45bb-9075-88b9ef4addf6}\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148,85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148 85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{806586a1-a695-45bb-9075-88b9ef4addf6}\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148,85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148 85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{806586a1-a695-45bb-9075-88b9ef4addf6}\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148,85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148 85.255.112.223
-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{806586a1-a695-45bb-9075-88b9ef4addf6}\NameServer
(Trojan.DNSChanger) -> Data: 85.255.116.148,85.255.112.223
-> Quarantined and deleted successfully.
Another great tool for removing these infections is TDSSKiller by Kaspersky.
After removing the infections, try some of the sites that you may not
have been able to reach before, or visit the DCWG.org site to check
your system again.
Buy Anti-Virus Software
If you don't already have antivirus software loaded on your computer, you should download and install an antivirus product immediately. The popular commercial antivirus products like McAfee and Norton are OK, but there are also excellent free antivirus solutions available. Listed below are some of the popular free and commercial antivirus software products.