
DNS-changing malware FBI thingy - anybody???

72 replies

Ponders · 29/06/2012 21:45

via Firefox/Chrome we are getting the warning on google - we have done security checks suggested but are still getting warning, which means router settings have been reset?

DH, supposedly our resident tech because he works in IT (but he only does systems analysis/development Hmm) denies that this is a problem & thinks that resetting DNS things on each individual computer will solve it; but he doesn't use any browser other than AOL, which doesn't get the google flag

I've told him that AOL has been bamboozled:

"Your computer appears to be looking up IP addresses correctly!
Had your computer been infected with DNS changer malware you would have seen a red background. Please note, however, that if your ISP is redirecting DNS traffic for its customers you would have reached this site even though you are infected "

but he won't listen to me because he knows best aaaaaargh

Please can a techy person tell me what to tell him so that he will believe that the router needs to be reset to factory settings before July 9th?

OP posts:
nannynick · 29/06/2012 22:12

So you have been to a site like DNS-OK.fi and it is saying there is a problem, is that right?

Your internet connection is provided by AOL?

Can you get access to www.dcwg.org/fix/ and have you tried accessing tools like TrendMicro HouseCall

nannynick · 29/06/2012 22:26

Do you know the correct DNS settings for your router?
Do you know how to access the DNS settings in your router?

Is AOL your broadband provider and did they provide the router?
If so they provide some guides on how to access various routers in the Help section of their UK website.

Ponders · 29/06/2012 22:32

Thanks, Nick

I have been to dcwg.org/detect (http://www.dcwg.org/detect/) which comes up with a red page warning on firefox, but a green page on AOL (but with the warning details I posted in OP)

your first link comes up with

There appears to be a problem in the name server configuration on your computer. This indicates a potential security problem.
This test page can be used to check, whether there is a configuration anomaly in your computer or broadband router that might indicate a presence of a malicious software.

plus some other stuff I don't understand

2nd link offers solutions which are way over my head!

3rd link won't open, on Firefox or AOL

should I send your links to DH? (He is sulking because I am not accepting that he knows what he's talking about)

OP posts:
Ponders · 29/06/2012 22:34

DH has emailed aol about the problem but they just came back telling him to ring a phone number - he says it's a premium number, I don't know if it is, he hasn't told me what it is but he won't ring it.

He is so stubborn about PC issues he doesn't understand I could scream Hmm (I don't understand either, but I admit I don't Grin)

OP posts:
nannynick · 29/06/2012 22:43

Can you log into the router and access the basic settings, where it often has the ability to allow DNS to be assigned by the ISP?

nannynick · 29/06/2012 22:50

The DNS setting on the router should be set to Automatic, for AOL. On some routers you select an option for automatic, others you leave the Primary and Secondary DNS details blank.

Are you using a MAC, Windows based computer (what version, XP, Vista, Win7 etc), or something else?

Router name and model number may help if you can't log in to the router and find the DNS settings section.

Ponders · 29/06/2012 23:03

sorry, I've been off while DH was finally resetting the router Grin he says he's set DNS on both PC & router to 88888 or something???

now when I look at google it doesn't give me the DNS warning any more, BUT if I click on the DCWG DNS Changer Check-Up (http://www.dcwg.org/detect/) it's still red & saying the PC is infected

now I'm even more confused Confused

OP posts:
Ponders · 29/06/2012 23:04

PC is Windows Vista btw

OP posts:
nannynick · 29/06/2012 23:06

Does DH know how to access the Network adapter settings?

On a Win7 system, you right click the networking icon towards bottom right of the screen, and select Open Network & Sharing Centre. Or go to Control Panel, View Network Status & Tasks.
Then in Left hand side of that it says Change Adapter Settings.
Then right click the network adapter, you may have more than one, so it's useful to know which one you are using - wired (Local Area Connection) or WiFi (Wireless Connection) are typically the adapters. Select Properties and then look for things mentioning TCP/IP. Highlight that (or highlight one at a time if there are two... for example I have TCP/IPv6 and TCP/IPv4) and click Properties. Then look for Obtain DNS Server Address Automatically.

nannynick · 29/06/2012 23:12

Hmm, sounds like maybe he's set the DNS servers to Google DNS. 8.8.8.8 and 8.8.4.4.

Google saying you are not infected is an improvement.

I wonder if your network adapter has a different DNS entry in it...

Vista... let me think : : :

Start, Control Panel
View Network Status and Tasks (in the Network section)
Manage Network Connection (from the list on the left usually)

Then right click the network adapter, you may have more than one, so it's useful to know which one you are using - wired (Local Area Connection) or WiFi (Wireless Connection) are typically the adapters. Select Properties and then look for things mentioning TCP/IP. Highlight that (or highlight one at a time if there are two... for example I have TCP/IPv6 and TCP/IPv4) and click Properties. Then look for Obtain DNS Server Address Automatically.

Ponders · 29/06/2012 23:16

fwiw there are various sites which won't open now (eg Facebook)

he did say something about it being the google code

I will try passing on your suggestions - thanks so much Smile

OP posts:
nannynick · 29/06/2012 23:38

Have you run a Virus Checker recently? May be worth trying to do now you have Google saying it's ok. If you have an anti-virus package installed, run it and get it to download all latest updates, then do a full scan.

Otherwise try the Trend Micro one again. Use Google Chrome, or Internet Explorer if you find that Firefox does not like it.

Another one to try is Norton Power Eraser.

This tool (http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1199) may help reset network adapters.

Do you have a local computer shop? May be worth taking it down there and asking them to sort it out for you. It is very hard to offer much help without being able to see the computer and you could do things that make it worse.

FYI, AOL says that the 0844 number is 5p per minute from a BT Line Source or is included in your price plan if you are an AOL Talk customer as long as you dial from the line your AOL Talk is activated on.

nannynick · 29/06/2012 23:47

Norton run their own DNS servers... you could try changing the router and network adapters to that:

Security + Porn Filter
Primary: 198.153.192.50
Secondary: 198.153.194.50

Then try updating and running a virus scanner so that any traces of the Trojan (the thing that infected your computer) are removed.

Ponders · 30/06/2012 00:42

we do have a local shop, & they have been brilliant in the past - my inclination was to take both PC & router to them but DH is stuck in stubborn-man mode

thanks so much for all your efforts, nick - if DH can't work this out tomorrow I think he will concede finally that shop can help more than he can.

this happens every time we have internet problems...

OP posts:
flatpackhamster · 01/07/2012 08:59

I'd say your machine is infected with malware, which frequently diverts the DNS settings of PCs. Have you got any anti-malware software such as Spybot - Search and Destroy or Malwarebytes Anti-Malware? Both good, free packages which will clean the machine up.

If you're going to use someone's DNS settings, I'd suggest you use OpenDNS. The nice thing about OpenDNS is that you can also get them to content-filter your internet, for free.

Ponders · 01/07/2012 14:02

it was a specific bit of malware which changed the DNS setting in both affected routers as well as all the related machines, hamster. The FBI has dealt with it & are continuing to run the related server/s in Latvia (???) but supposedly will be closing the whole thing down on July 9 - this is the warning which comes up on google on affected systems, that after July 9 they will no longer be able to connect to the internet. (PC World article: http://www.pcworld.com/article/256045/google_alerts_users_your_computer_appears_to_be_infected.html) (it was Estonia. I was close!)

DH finally got over himself, changed all the PCs/laptops & also the DNS setting within the router, but now I can only open MN of my regular sites, & only via Firefox. We can connect to AOL, & can read & send email, but the AOL homepage can only open with a blank screen (iyswim) - we get the frame, & it says "loading" at the bottom, but it never completes.

Some pages, eg google via AOL, say "Done" at the bottom but are still blank. Google will open properly on Firefox, & will conduct a search, but most links won't open (that PCWorld one I just found is a first). It seems as if there is enough speed (or whatever it is) to open text pages, but not anything else.

Is there something wrong somewhere with our broadband connection? DH has spoken to AOL several times, they go through all the routine checks & say they can see that the router is connected & working properly, we have replaced the filter, & the cables from filter to router & router to PC but it makes no difference. This has happened since the DNS settings were altered, but is it because they were altered, or has something else happened, either connected to the change or by coincidence elsewhere???

We haven't specifically asked if there are any problems with BT locally - I know they were introducing Infinity here around now.

There are a couple of people locally who offer to fix any & all PC problems 24/7 - one of them says no fix, no fee - thinking of calling one of them!

Haven't run spybot - I have Norton installed & tend to assume that can take care of most things. Anyway I can't install spybot now, the page won't open Confused

DH can connect remotely to his systems at work & then we can access the internet via that connection (though it's slow & unstable)

It's weird. Any other helpful suggestions gratefully received (as long as they don't require connecting to any websites with pictures!)

OP posts:
nannynick · 01/07/2012 14:48

The inability to be able to download SpyBot implies to me that there is still something on your system which is monitoring what sites you are going to and redirecting or blocking them.

AOL will probably carry advertising or have scripts running on it hosted on various servers, in the same way that Mumsnet does, so whilst you are getting a connection to AOL, the page is not loading fully due to having trouble accessing the other servers.

Does Norton update correctly and then run a full system scan without any errors?

Can you also try running Windows Defender. This should already be installed on your system.

changed all the PCs/laptops

How many do you have and are they all doing the same thing?

Are the DNS entries on all the systems the same as the DNS settings on the router? Or are you using Automatic DNS allocation on the systems and then setting the DNS on the router?

Can you access any of the online virus scanners. F-Secure is another one to try.

Are problems existing when using Internet Explorer as well as using FireFox, or just when using one browser?

nannynick · 01/07/2012 15:43

DH can connect remotely to his systems at work

How? If the broadband was not working, how could he do that - using other hardware? It implies to me that the broadband connection is in itself working, it's something to do with the setup of the router and or computers that is not working.

DH has spoken to AOL several times, they go through all the routine checks & say they can see that the router is connected & working properly

DH knows how to log into the router as he has changed the DNS settings there, so access the router settings. As you say BT are installing Infinity currently in your area, I am assuming you are not on that, so your Router is probably also a modem (it connects to your phone line) and thus is using ADSL and thus will tell you somewhere in the router status the upload/download connection status. That can help show you that the line itself is working.

As AOL are saying it's ok from their end, and as your DH can connect to work systems, then I would tend to presume that the line is working fine. It may be running a bit slow - it does at times. The problem is more in the connection between the computers and the router itself, or in settings on the computers.

Start from scratch... connect just the router plus one computer. Ideally connect the computer to the router with an ethernet cable rather than WiFi, as WiFi can create its own issues.

Change the DNS settings on the router to Obtain From ISP (on some routers this means leaving the DNS server settings blank).
(It would possibly help to know what Router you have. Make and Model number from the panel on the back, bottom of router)

Check that the computer has got DHCP Client and DNS Client running.
These should already be running and set to Automatic. Do steps 1 to 4 below to get a list of services and then look for DHCP Client and DNS Client. Do the other steps if the DHCP Client and DNS Client services are NOT running.

Windows VISTA
To enable the DHCP Client and DNS Client services

  1. From the Start menu select Control Panel.
  2. Select Classic View from the panel on the left.
  3. Double-click Administrative Tools and then Services.
  4. Click Continue at the prompt, if it appears.
  5. Locate DHCP Client in the list of services and check if the status is stopped or blank.
  6. If the status is stopped or blank, right-click DHCP Client and select Properties.
  7. Click the Start button to start the DHCP Client service, set the Startup Type to Automatic and then click Apply and OK.
  8. Locate DNS Client and check if the status is stopped or blank.
  9. If the status is stopped or blank, right-click the DNS Client and select Properties.
10. Click Start to begin the DNS Client service, set the Startup Type to Automatic, then click Apply and OK.

Clear the DNS on the computer:
In VISTA

  1. Click the Microsoft Vista Start logo in the bottom left corner of the screen
  2. Click All Programs
  3. Click Accessories
  4. RIGHT-click on Command Prompt
  5. Select Run As Administrator
  6. In the command window type the following and then hit enter: ipconfig /flushdns
  7. Close that box once it has completed, it does not usually take long.

Now run the AOL browser (which I think is a form of Internet Explorer) and see what happens. If still no joy... reboot the machine.

Once you have AOL browser showing the AOL homescreen.
Download Spybot Search Destroy - try doing it via CNet click this link, then the big green Download CNET Secure Download button or search CNET.com for Spybot Search Destroy (you want version 1.6.2)

Ponders · 01/07/2012 15:45

it's not that I can't download spybot, it's that none of the pages which would have download links on them are opening - they try, but nothing comes through. this applies to almost every site I want to visit like BBC, guardian, banks, facebook - they all say "connecting" (Firefox) or "loading" (aol) but never complete

Norton has been doing routine scans. I just started full system scan. I'll report back on that!

We have 1 PC, 3 laptops & 1 smartphone. afaik DH set the same DNS on all the computers & the router (he is out so I can't ask him atm). The phone is on Vodafone, & DD can access the internet via their network, but if she tries via our wireless she gets the same as the rest of us, ie trying & failing to load pages. (No idea what DNS her phone is using)

problems are the same on IE, Firefox & AOL. Haven't tried any others.

ah - interesting - DH hadn't told me that he has been able (all along) to access a number of sites I hadn't tried, eg RBS (where he has an account) - I'd only been trying Santander. I now discover that I can access Nationwide & Tesco Bank, & also the MN homepage comes up beautifully complete with colour pics & moving images - I'd only been on talk. Still can't get Facebook or BBC or anything else I want.

He thinks the problem lies with AOL but nobody he has spoken to seems to know what or why

He did say that if they replace the router in a shop (he works in retail) it has to be "recognised" (or something) before it'll work properly- could it be that having physically changed the DNS our router is not being recognised in places???

Full system scan is still running

watch this space....

OP posts:
nannynick · 01/07/2012 15:45

This has happened since the DNS settings were altered, but is it because they were altered, or has something else happened, either connected to the change or by coincidence elsewhere?

Exactly, which is why you need to isolate where the problem is. AOL have said they can see the router, so the phone line would appear to be fine.
Connect just one computer to the router and get that working.

Ponders · 01/07/2012 15:49

just seen your latest post - my PC is connected to the router, the rest are wireless. All 3 laptops have been off all day.

I will C&P your suggestions, thanks Smile

OP posts:
nannynick · 01/07/2012 15:57

it's not that I can't download spybot, it's that none of the pages which would have download links on them are opening - they try, but nothing comes through. this applies to almost every site I want to visit like BBC, guardian, banks, facebook - they all say "connecting" (Firefox) or "loading" (aol) but never complete

Very hard to diagnose what the problem is there, it could be so many things.
Can you or can you not download Spybot, update Spybot, and run Spybot?

Norton has been doing routine scans. I just started full system scan. I'll report back on that!

Is Norton also able to update? You may need to force it to update manually - updates are normally scheduled but you can trigger it to check for updates at any time.

We have 1 PC, 3 laptops & 1 smartphone.
afaik DH set the same DNS on all the computers & the router (he is out so I can't ask him atm). The phone is on Vodafone, & DD can access the internet via their network, but if she tries via our wireless she gets the same as the rest of us, ie trying & failing to load pages. (No idea what DNS her phone is using)

So the chances are I feel that the DNS settings on the router are wrong. Changing DNS settings on a phone is not always easy, so it's most likely connecting to the router and using the router's settings.

ah - interesting - DH hadn't told me that he has been able (all along) to access a number of sites I hadn't tried, eg RBS (where he has an account) - I'd only been trying Santander. I now discover that I can access Nationwide & Tesco Bank, & also the MN homepage comes up beautifully complete with colour pics & moving images - I'd only been on talk. Still can't get Facebook or BBC or anything else I want.

Some sites are working then but not others. As you said earlier, weird!

He thinks the problem lies with AOL but nobody he has spoken to seems to know what or why

Perhaps, though I would check the DNS settings on the router to make sure that it was getting the DNS from AOL (so then you can blame AOL's network for any problems) rather than another DNS provider (such as Google).

He did say that if they replace the router in a shop (he works in retail) it has to be "recognised" (or something) before it'll work properly- could it be that having physically changed the DNS our router is not being recognised in places?

I wouldn't have thought that likely as AOL support has already told you they CAN see the router. AOL's website does say that you can use routers they don't provide but problems may exist, so the router you have now I guess was supplied by AOL and is working (have a look at the lights on it, those will often tell you the current status of the connection).

Please can you look at the router and post the details of the Make and Model. That may then help direct you as to how to check the routers DNS settings.

Ponders · 01/07/2012 16:01

ok showed DH your list of steps & he says thank you very much Smile

in fact he had already gone through them all yesterday (though he concedes it took him 2 weeks to get to this stage, which I take to be a tacit acknowledgement that it might have been smarter not to continually dismiss DD's & my concerns, as he has been doing all this time, purely because he wasn't getting the warnings we were getting, purely because he never uses any other browser Hmm Grin

re-booting has been tried repeatedly over the last couple of days (being standard IT practice) but appears to make no difference. (router has also been rebooted repeatedly, as well as being given lovely shiny new cables)

BT say there is no problem on our line or in this area

Confused
OP posts:
Ponders · 01/07/2012 16:05

he says router & all machines are now set to automatic

router is Netgear DG834G, supplied by aol (ages ago)

OP posts:
nannynick · 01/07/2012 16:07

As this problem started by you saying that you may be infected with the DNS Changer trojan, one of the key things that needs to be done is to make sure that the computer does not still have that, as it will modify the DNS settings.

It is known to create the following things on your computers registry:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{random}
NameServer = 85.255.xxx.133,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
NameServer = 85.255.xxx.xxx,85.255.xxx.xxx

By using SpyBot, SpyBot will with luck detect this and correct it.

This Tool also will correct it (it is a .exe file from Avira.com an anti-virus company).

So...
We need to get connection to the internet sufficient to download the anti-malware. Then with luck that will remove the trojan. Then the system may be much happier.
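A worked version of the checks nannynick describes in this thread (reading the DNS servers on each network adapter, telling router-assigned from manually set resolvers, and looking for the 85.255.xxx.xxx values in the Tcpip\Parameters registry keys), added here as an example and not code posted by anyone in the thread. It is a small Python script that parses `ipconfig /all` style output and NameServer/DhcpNameServer registry strings and flags any resolver inside 85.255.0.0/16. The sample output and the specific 85.255.x.x addresses are constructed for the example; treating the whole /16 as suspect is an assumption, since the thread only gives the addresses as 85.255.xxx.xxx.

```python
"""Flag DNS resolver settings that match the DNSChanger pattern from the thread.

Added example. Works offline on constructed data: text in the shape of
Windows `ipconfig /all` output plus registry NameServer-style strings.
"""
import ipaddress
import re

# The thread gives the trojan's resolvers only as 85.255.xxx.xxx, so the
# whole 85.255.0.0/16 block is treated as suspect here (an assumption).
ROGUE_NETS = [ipaddress.ip_network("85.255.0.0/16")]

# Public resolvers named in the thread: Google DNS and Norton DNS.
KNOWN_PUBLIC = {
    "8.8.8.8": "Google DNS",
    "8.8.4.4": "Google DNS",
    "198.153.192.50": "Norton DNS",
    "198.153.194.50": "Norton DNS",
}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify(server):
    """Label one resolver: ROGUE, PUBLIC, LOCAL (router/LAN) or UNKNOWN."""
    ip = ipaddress.ip_address(server)
    if any(ip in net for net in ROGUE_NETS):
        return "ROGUE"
    if server in KNOWN_PUBLIC:
        return "PUBLIC"
    if ip.is_private:
        # A LAN address means the PC asks the router, so the router's own
        # DNS settings have to be checked as well.
        return "LOCAL"
    return "UNKNOWN"


def parse_ipconfig(text):
    """Return {adapter name: [dns servers]} from `ipconfig /all` style text.

    Adapter headings sit at column 0 and end with ':'. The first resolver
    follows 'DNS Servers . . . :'; further ones are indented lines that
    hold only an address.
    """
    adapters, current, in_dns = {}, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1].strip()
            adapters[current] = []
            in_dns = False
            continue
        if current is None:
            continue
        m = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            adapters[current].append(m.group(1))
            in_dns = True
            continue
        stripped = line.strip()
        if in_dns and IPV4.fullmatch(stripped):
            adapters[current].append(stripped)
            continue
        in_dns = False
    return adapters


def parse_registry_nameservers(value):
    """Split a NameServer / DhcpNameServer string (comma or space separated).

    An empty string means the resolver is obtained automatically.
    """
    return [s for s in re.split(r"[,\s]+", value.strip()) if s]


def audit(ipconfig_text, registry_values):
    """Return (source, server, label) for every resolver found, ROGUE first."""
    findings = []
    for adapter, servers in parse_ipconfig(ipconfig_text).items():
        findings += [(adapter, s, classify(s)) for s in servers]
    for key, value in registry_values.items():
        findings += [(key, s, classify(s))
                     for s in parse_registry_nameservers(value)]
    findings.sort(key=lambda f: f[2] != "ROGUE")
    return findings


# Constructed sample data, not captured from any machine in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.0.5
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       85.255.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.7
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

SAMPLE_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer":
        "85.255.112.45,85.255.113.9",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer":
        "192.168.0.1",
}

if __name__ == "__main__":
    for source, server, label in audit(SAMPLE_IPCONFIG, SAMPLE_REGISTRY):
        print(f"{label:8} {server:16} {source}")
```

On a real Vista machine the text would come from `ipconfig /all` run in an administrator command prompt and the registry strings from the keys listed above; a LOCAL result only moves the question to the router, which is why the thread keeps asking for the Netgear's own DNS setting.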
