33 Replies Latest reply: Jul 6, 2012 1:31 AM by Feisty411
Alexa22 Level 1 (0 points)

Yesterday while i was using google to find something i came upon their warning saying that my computer might be infected, it looked like this:

Picture 4.png

 

i followed the instructions it gave me to get rid of this malware called "DNSchanger", went to the page http://www.dns-ok.us/ to check if in fact my computer was infected, and this is what it showed:

dns 2.png

i downloaded the DNSchanger removal tool, and scanned the computer, but it says that i don't have the trojan:

Picture 5.png

 

i ran Macscan and it deleted all the cookies that it found, but i keep getting the "your computer is infected" warning on the google page and on the other page, i don't know what else to do, do you have any idea how can i fix this?

 

right now i'm running ClamXav and it hasn't found anything yet...

 

help!


MacBook Pro, Mac OS X (10.5.8)
  • 1. Re: Help, how do i delete DNSchanger?
    Templeton Peck Level 9 (58,255 points)

    If the scanners haven't found it, then you probably don't have it.

  • 2. Re: Help, how do i delete DNSchanger?
    Courcoul Level 6 (11,470 points)

    Maybe what's infected is the DNS server your Mac calls up to do IP address resolution. Check with your ISP or network manager.

  • 3. Re: Help, how do i delete DNSchanger?
    thomas_r. Level 7 (27,925 points)

    You may not still have the trojan in place, but you have the effects of that trojan.  Its purpose was to change the DNS settings on your Mac to use a malicious DNS server.

     

    All you need to do at this point is go to System Preferences -> Network, select whichever network type you are using (wifi or ethernet) and click the Advanced button.  Then go to the DNS tab.  Remove any DNS servers from that list and replace them with the DNS servers provided by your ISP, or use the OpenDNS servers (208.67.222.222 and 208.67.220.220).

     

    Edit: Note that this advice may not apply to others, who may still have the trojan installed.  If the trojan is still installed, it will change the DNS settings back again.  It has to be removed first, if present.

  • 4. Re: Help, how do i delete DNSchanger?
    Alexa22 Level 1 (0 points)

    sorry, but i'm not really good with this whole computer stuff, how do i check my ISP?, and by network manager do you mean the router?

     

    sorry if i sound too lame, it's the first time in almost 3 years since i've had this computer that i've encountered a problem.

  • 5. Re: Help, how do i delete DNSchanger?
    Courcoul Level 6 (11,470 points)

    If you're having these problems while connecting from home, then your ISP is your Internet Service Provider, whomever it is you pay to get on the Interweb.

     

    If you're connecting from work, then you will probably be doing it thru the business' local area network. There you'd have to talk to whomever is in charge of maintaining that network.

  • 6. Re: Help, how do i delete DNSchanger?
    Alexa22 Level 1 (0 points)

    ok, i changed the DNS servers that thomas said, and at least the google warning went away, but, i still got the warning from the web that it's supposed to tell you if your computer is in fact infected, here it is:

    dns 3.png

     

    once again, i ran the DNSchanger removal tool, it still tells me i don't have it, and up until now the ClamXav hasn't turned up anything.

     

    what do i do?

  • 7. Re: Help, how do i delete DNSchanger?
    thomas_r. Level 7 (27,925 points)

    Can you provide a screenshot of your DNS settings in the Network settings I referred to?  Just want to make sure they got set appropriately.

     

    If that's set properly, your wireless router may have been hacked somehow.  Can you try the machine on another network?  Say, at a public hotspot or a friend's house?  If so, try repeating that check from there.  If the problem only occurs on your network, you will probably want to reset the wireless router to factory settings and reconfigure it from scratch.  What kind of wireless router are you using?

     

    The way these checks work is to detect what DNS server your machine is trying to contact.  So, if it says you're infected, what that really means is that your machine is, for whatever reason, trying to use one of the malicious DNS servers that were used by DNSChanger and have been in the custody of the FBI for some time now.  It doesn't mean that you still have the trojan itself on your machine.  There's no further risk to your privacy or security at this point, as the FBI has been maintaining those servers as legit DNS servers now.  But the FBI plans to finally shut down those servers in July, so you've got to fix the problem by then, or you'll be unable to get online.

  • 8. Re: Help, how do i delete DNSchanger?
    Courcoul Level 6 (11,470 points)

    Let's try something else. In the Utilities folder you will find the Terminal utility. Run it and it will open a blank window expecting a command. Type the following command line exactly as written, followed by the return key:

     

    dscacheutil -flushcache

     

    Then quit Terminal, restart the Mac and see if the problem has been solved.

     

    (This command flushes the DNS cache in the Mac, in case it contains erroneous data causing the error)

  • 9. Re: Help, how do i delete DNSchanger?
    Alexa22 Level 1 (0 points)

    /___sbsstatic___/migration-images/184/18469555-1.png

    there it is...

     

    in response to courcoul: where is the utility folder? in the finder? i can't find it...

  • 10. Re: Help, how do i delete DNSchanger?
    Courcoul Level 6 (11,470 points)

    The Utilities folder is inside the Applications folder.

  • 11. Re: Help, how do i delete DNSchanger?
    Alexa22 Level 1 (0 points)

    i did what you said and still if i go to http://www.dns-ok.us/ it keeps saying that my computer is infected...

     

    now what do i do?

  • 12. Re: Help, how do i delete DNSchanger?
    thomas_r. Level 7 (27,925 points)

    That screenshot looks right, so I'd advise doing some of the other tests I recommended (testing on another network, for example).

  • 13. Re: Help, how do i delete DNSchanger?
    UUGeekGrl Level 1 (0 points)

    The message you got is legit.  Google announced they would notify people here:  http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html   Go search news.google.com for DNS changer.  Your ISP may also have been trying to notify you over the last few months as well.

     

    Check the DNS server settings on both your router and your computers.  The malware sometimes changes the DNS server settings on your router.  Sounds like this is the case for you.  If you find the DNS servers on your router have been changed to the bad ones, change them to something you trust (your ISP's, Google's etc) and then change the password on your router.  If there are other computers in your house, check those as well.  Make sure your router is secured so only you can get on it, not your neighbors.

     

     

    Here is a list of the bad DNS Servers:

    85.255.112.0 through 85.255.127.255

    67.210.0.0 through 67.210.15.255

    93.188.160.0 through 93.188.167.255

    77.67.83.0 through 77.67.83.255

    213.109.64.0 through 213.109.79.255

    64.28.176.0 through 64.28.191.255

     

    To make the comparison between the computer’s DNS servers and this table easier, start by comparing the first number before the first dot. For example, if your DNS servers do not start with 85, 67, 93, 77, 213, or 64, you can move on to the next step. If your servers start with any of those numbers, continue the comparison.
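The range comparison described in the post above can be done mechanically. This is an added example, not part of the original thread: a shell check of resolver addresses against the six listed ranges, where the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Ranges copied from the list in the post above, as "first last" pairs.
ROGUE_RANGES="85.255.112.0 85.255.127.255
67.210.0.0 67.210.15.255
93.188.160.0 93.188.167.255
77.67.83.0 77.67.83.255
213.109.64.0 213.109.79.255
64.28.176.0 64.28.191.255"

# Convert a dotted-quad IPv4 address to an integer; fail on anything malformed.
ip_to_int() (
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($a << 24) + ($b << 16) + ($c << 8) + $d ))
)

# Exit 0 if the address is inside a listed range, 1 if not, 2 if unparsable.
is_rogue() (
    n=$(ip_to_int "$1") || return 2
    while read -r first last; do
        if [ "$n" -ge "$(ip_to_int "$first")" ] && [ "$n" -le "$(ip_to_int "$last")" ]; then
            return 0
        fi
    done <<EOF
$ROGUE_RANGES
EOF
    return 1
)

# Read "nameserver" lines (resolv.conf or `scutil --dns` style) from stdin
# and print only the resolvers that fall inside a listed range.
rogue_resolvers() {
    awk '/^[ \t]*nameserver/ {print $NF}' |
    while read -r ip; do
        if is_rogue "$ip"; then echo "$ip"; fi
    done
}

# Constructed sample input: one address inside a listed range, one OpenDNS server.
SAMPLE='resolver #1
  nameserver[0] : 85.255.112.36
  nameserver[1] : 208.67.222.222'
printf '%s\n' "$SAMPLE" | rogue_resolvers
```

On a Mac, `scutil --dns | rogue_resolvers` feeds in the resolvers the system is actually using. A full range check matters because the first-number shortcut only rules addresses out: 67.211.0.1 starts with 67 but is outside every listed range.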

  • 14. Re: Help, how do i delete DNSchanger?
    Alexa22 Level 1 (0 points)

    i guess there's a bit of a contradiction, because i'm not getting the warning on google anymore, but on the other site: http://www.dns-ok.us/, it says that my computer is infected, i've run the DNSchanger tool removal and it says my computer is clean, so do MacScan and ClamXav.

     

    the other thing is i don't know how to change or even see where the DNS server is on my router, i've changed the DNS servers on my computer but i don't know if that works for the ISP, i usually just go to a web page that tells me if i'm connected or not.

     

    does anyone here know how to check or change the DNS on a speedstream 5200 router via codetel? (which is my ISP)
