DNS Changer

Not sure which group to send this to. My daughter's laptop (WIN &) apparently was infected by the DNS changer trojan, and consequently she lost internet connectivity on Monday.

She has a Norton antivirus program installed, but I don't know if it's up-to-date or would be useful for this problem.

How do you remove DNS changer prior to returning your settings to an appropriate DNS address?

Thanks

riserman

Reply to
riserman

Is google broken?


Reply to
Burkhard Ott

A simple Google search returns several results when using the term "DNS Changer Trojan". Pick a result from the list and go from there.

Reply to
Sir_George

In addition to doing what others have suggested, unplug the power wires from the modem, router (if any), and computer. Wait 1 minute, then power up the modem first, then the router, then the computer. This simple process should remove the bogus DNS IP addresses and replace them with ones provided by her ISP.

"I could be wrong now." - Monk

Reply to
meagain

Only works (maybe) if the router and computer are configured for dynamic IP and DNS assignment. If either is configured for static IP addresses or specify the DNS servers, power cycling will not change that configuration.

Reply to
VanguardLH

All 'consumers' have dynamic IP, while most business accounts have static IP and one can hope they have dedicated IT people ;-)

Reply to
meagain

Any consumer can use static IP addresses for their hosts (computers). No one behind a router is required to use a DHCP server (from their ISP) for IP and DNS assignment. They all can configure TCP/IP properties on their intranet hosts to use static IP addresses.

I've yet to hear about a DNS changer trojan that goes out to the router's web config pages to modify it to use a static DNS server. Besides, one of the first actions you should take in configuring your router is to change its default password to something different so not even malware that has a table of common default passwords can get into your router's config screens. Just like your intranet hosts, you can configure your router to use a static DNS server. However, even if it is configured for dynamic assignment from the upstream DHCP server (i.e., your ISP's DHCP server), the DNS Changer on your intranet host isn't going to change what DNS server got assigned to your router (which then passes that down to your intranet hosts that use DHCP from the router as their upstream DHCP server).

If TCP/IP properties for DNS are configured for static assignment then power cycling that host is not going to suddenly reconfigure that host to use DHCP. You will have to go into TCP/IP properties to change the configuration back to dynamic (using DHCP which will be from your router). If a static DNS server is configured in your router, power cycling it will not erase the configuration to revert back to the default of using DHCP (from your ISP) so it will continue using the specified DNS server. Only if you use the Reset button on the router or go into its config screens will it revert back to using DHCP (from ISP).

I can configure TCP/IP on my host to use a static IP address and specify the DNS servers to use. One of the DNS servers (the last one) will be my router, so if DNS connections fail on the others, the fall-through goes to the last one, which is the router's DNS setup. In my router, I can either use DHCP to get whatever DNS server my ISP wants to give me or I can specify the DNS servers that the router uses (and passes on to my intranet hosts that still use DHCP). Power cycling isn't going to change any of that setup. Think about it: if power cycling wiped your user-configured settings in TCP/IP and in your router, then you would lose your settings every time you powered down your computer or router, like when you leave them, or due to a power outage. That doesn't happen.

Your "Wait 1 minute, then power up the modem first, then the router, then the computer" procedure is not to revert back to good *dynamic* IP address and DNS server but to ensure the upstream DHCP server is available for any downstream host configured to use DHCP. If DHCP is used by a node in the network, the DHCP server that is upstream from it must already be available (so the host can use DHCP to get its IP and DNS settings). If your computer is configured for DHCP, you want the router's DHCP server ready when your computer tries using DHCP to get its assignments. If your router is configured for DHCP, you want the modem to be available so your ISP's DHCP server is reachable when your router tries to use DHCP to get its IP and DNS assignments. So, for the upstream DHCP server to be already available, you power up in top-down order: power up the modem and wait for it to stabilize and the ISP's DHCP server to become available, power up the router and wait for it to stabilize (so its DHCP server is ready), and lastly power up the computer (which, if using DHCP, gets its assignments from the router's DHCP server).

If DHCP is *not* involved in the router or intranet host configuration then it is not required that the upstream DHCP server already be ready when a downstream node comes up that is using static assignments because it won't be using DHCP.

Reply to
VanguardLH
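The distinction VanguardLH draws (DHCP-assigned DNS that a reboot refreshes versus statically configured DNS that survives any power cycle) can be checked directly on the Windows host rather than by guessing. The script below is an added example and is not code from anyone in this thread; it reads the standard Tcpip parameters registry keys, where a non-empty NameServer value means DNS was set statically (by a user or by malware) and DhcpNameServer holds what the DHCP server handed out. The $TrustedServers list and the adapter name in the revert command are placeholders you would replace with your own router address and adapter.

```powershell
# Added example, not from the thread. Audits every TCP/IP interface on a
# Windows host for statically configured DNS servers, the case where a power
# cycle changes nothing and only editing TCP/IP properties (or the commands at
# the end) clears the setting.
#
# Assumptions: Windows 7 or later, run from an elevated PowerShell prompt.
# Registry paths are the standard Tcpip parameters keys. $TrustedServers is a
# hypothetical value (your router's LAN address); adjust it before running.

$TrustedServers = @('192.168.1.1')   # hypothetical: the DNS server(s) you expect

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-DnsConfig {
    $results = @()

    # A global NameServer value overrides DHCP for every interface.
    $g = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if ($g -and $g.NameServer) {
        $results += New-Object PSObject -Property @{
            Interface = '(global)'; Static = $true; Servers = [string]$g.NameServer
        }
    }

    # Per-interface keys are named by adapter GUID.
    foreach ($key in Get-ChildItem "$base\Interfaces") {
        $p      = Get-ItemProperty $key.PSPath
        $static = [string]$p.NameServer       # non-empty => statically configured DNS
        $dhcp   = [string]$p.DhcpNameServer   # what the upstream DHCP server assigned
        if ($static -eq '' -and $dhcp -eq '') { continue }   # unused adapter
        $servers = if ($static -ne '') { $static } else { $dhcp }
        $results += New-Object PSObject -Property @{
            Interface = $key.PSChildName; Static = ($static -ne ''); Servers = $servers
        }
    }
    $results
}

Get-DnsConfig | ForEach-Object {
    # NameServer uses commas, DhcpNameServer uses spaces; accept both.
    $servers = $_.Servers -split '[ ,]+' | Where-Object { $_ }
    $unknown = $servers | Where-Object { $TrustedServers -notcontains $_ }
    $flag = if ($_.Static -and $unknown) { 'REVIEW' }   # static AND not a server you chose
            elseif ($_.Static)          { 'static' }
            else                        { 'dhcp' }
    '{0,-8} {1,-40} {2}' -f $flag, $_.Interface, ($servers -join ', ')
}

# After the malware is removed, put an adapter back on DHCP-assigned DNS.
# Replace the adapter name with the one shown by "ipconfig /all":
#   netsh interface ipv4 set dnsservers name="Local Area Connection" source=dhcp
# And clear a global override, if the audit reported one:
#   Set-ItemProperty -Path $base -Name NameServer -Value ''
# Then confirm with:  ipconfig /all   (look for "DNS Servers" under each adapter)
```

Any row flagged REVIEW is an adapter whose DNS servers were set statically to addresses you did not choose; those are the settings the reboot-the-modem advice will not touch. Rows marked dhcp do refresh on a renew or reboot, which is the only case in which the power-cycle procedure fixes anything.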

There were some sightings of something like this a while ago, maybe like 2-3 years ago. In Mexico or somewhere around there.

Malware which exploited the router via XSS (or maybe it was a router model where there was no real security, i.e. admin pages not properly requiring a prior login) and then modified the DNS server handed out via the dhcpd on the router.

Light on details, but it's all I remember. Maybe somebody knows more? Slashdot should have the story.

Reply to
Thomas Keusch
