FAQ for DNS Changer
What is DNS Changer?
DNS, Domain Name System, is an Internet service that converts user-friendly domain names, such as www.wlu.ca, into numerical IP addresses that allow computers to talk to each other. Without DNS and DNS servers, which are operated by Internet service providers, computer users would not be able to browse web sites, send e-mail. DNS changer, known as TDSS, Alureon, Tidserv and TDL4 viruses, altered user DNS settings, pointed victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Does ESET protect my computer?
Yes, ESET protects your computer from DNS Changer and its variants and removes it from infected computers. However, the DNS Changer malware may have changed some network settings that allow your computer to communicate on the Internet.
For computers that are not protected, a free ESET scan can be used by clicking
How to detect if computer has been violated and infected with DNS Changer?
An industry wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.
A GREEN banner at the top and bottom of this page indicates your computer system uses a DNS which is not known to be associated with the criminal DNS infrastructure associated with Operation GhostClick.
A RED banner at the top and bottom of this page indicates your computer system appears to be using a Domain Name System (DNS) that was part of the criminal infrastructure seized during Operation GhostClick. In this case, please contact helpdesk to set up a work order.
A simple way to check is to verify the DNS on the computers.
In order to determine if a computer was infected with this variant of DNS Changer malicious code, a user may perform the following steps:
Identify your computer DNS settings:
1. Go to start menu
2. Select Run...
3. Type : cmd.exe [press ENTER]
4. Type in the black command window: ipconfig /all [press ENTER]
Search for the line written: "DNS Servers". Often, 2 or 3 IP addresses are identified.
1. Go to System Preferences
2. Select Network
3. Select the connection used for internet access (typically AirPort or Ethernet)
4. Select Advanced
5. Select the DNS tab
Verify if the DNS server IP addresses used by the computer match ranges used by the rogue DNS servers below. Compare numbers left to right. If the computers DNS IPs do not start with 85.255.*.* or 67.210.*.* or 93.188.*.* or 77.67.*.* or 213.109.*.* or 64.28.*.* , the computer is not affected by this variant of DNS changer malware.
Known Malicious DNS Server IP ranges:
• 220.127.116.11 through 18.104.22.168
• 22.214.171.124 through 126.96.36.199
• 188.8.131.52 through 184.108.40.206
• 220.127.116.11 through 18.104.22.168
• 22.214.171.124 through 126.96.36.199
• 188.8.131.52 through 184.108.40.206
C) Home Router
The DNS Changer malware is also capable of changing the DNS settings of some Small office/home office routers that kept their default username and password as provided by the manufacturer. Common Small office/home office routers brand include Linksys, D-Link, Netgear, and Cisco. These routers may also have been installed by your ISP. Consult the product documentation to verify whether the default password is used and if DNS settings include entries matching the malicious DNS servers IP ranges provided above. If it is the case, a computer within the network may be infected with the DNS Changer malware.