How to Tell Whether DNSChanger Has Infected Your PC
Unfortunately, if your router is infected, those websites will think that your PC is infected, even though it may be clean; worse, if your ISP redirects DNS traffic, your PC may appear to be clean even though your DNS settings may have been maliciously altered. If you want to be certain that your PC is free of DNSChanger malware, you need to manually look up the IP addresses of the DNS servers that your PC contacts to resolve domain names when browsing the Web.
To look up which DNS servers your Windows 7 PC is using, open your Start menu and either run the Command Prompt application or type cmd in the Search field. Once you have a command prompt open, type ipconfig /allcompartments /all at the command line and press Enter. A big block of text should appear; scroll through it until you see a line that says ‘DNS Servers’, and copy down the string(s) of numbers that follow (there may be more than one string here, meaning that your PC accesses more than one DNS server).
It’s even easier for Mac OS X users to determine the IP addresses of the DNS servers that their PC uses. Open the Apple menu (usually located in the upper-left corner of the screen) and select System Preferences. Next, click the Network icon to open your Network Settings menu; navigate to Advanced Settings, and copy down the string(s) of numbers listed in the DNS Server box.
Once you know the IP addresses of the DNS servers that your PC is using, head over to the FBI DNSChanger website and enter those addresses into the search box. Press the big blue Check Your DNS button, and the FBI’s software will tell you whether your PC is using rogue DNS servers to access the Internet.
What to Do If Your PC Is Infected by DNSChanger
If your PC is infected with DNSChanger, you’ll have to do some intensive work to get rid of it. DNSChanger is a powerful rootkit that does more than just alter DNS settings; if you’ve been infected with DNSChanger, the safest course is to back up your important data, reformat your hard drive(s), and reinstall your operating system. For more information, consult our guide to reinstalling Windows.
If you’re leery of reformatting your entire PC, you can try rooting out the DNSChanger rootkit with a free malware removal utility such as Kaspersky Labs’ TDSSKiller. As the name implies, Kaspersky released the program to help PC owners seek and destroy the TDSS rootkit malware, but it also detects and attempts to eliminate DNSChanger and many other forms of rootkits. The DNSChanger Working Group website maintains a large list of links to malware clean-up guides and utility software you can use to try and eradicate DNSChanger from your PC.
If the infected PC is on a network, you’ll have to check every other PC on the network for signs of infection, and then check your router’s settings to ensure that it isn’t affected (DNSChanger is programmed to change router DNS settings automatically, using the default usernames and passwords of most modern routers). To do this, copy down your router’s DNS server IP addresses (located in your router’s settings menu; read “How to Set Up a Wireless Router” for more information) and check them against the FBI’s IP address database mentioned above. If your router is infected, reset the router and confirm that all network settings are restored to the manufacturer’s defaults.
When you’re done, repeat the steps outlined above to verify that your PC is no longer infected with DNSChanger. With all traces of this vicious malware eliminated, you should have nothing to fear when the FBI shuts down the ISC’s temporary DNS servers in July.