What is the DNS Changer Malware?

On November 8, the FBI, the NASA-OIG and Estonian police arrested several cyber criminals in “Operation Ghost Click”. The criminals operated under the company name “Rove Digital”, and distributed DNS changing viruses, variously known as TDSS, Alureon, TidServ and TDL4 viruses. You can read more about the arrest of the Rove Digital principals here, and in the FBI Press Release.
What does the DNS Changer Malware do?

The botnet operated by Rove Digitally altered user DNS settings, pointing victims to malicious DNS in data centers in Estonia, New York, and Chicago. The malicious DNS servers would give fake, malicious answers, altering user searches, and promoting fake and dangerous products. Because every web search starts with DNS, the malware showed users an altered version of the Internet.
Under a court order, expiring July 9, the Internet Systems Consortium is operating replacement DNS servers for the Rove Digital network. This will allow affected networks time to identify infected hosts, and avoid sudden disruption of services to victim machines.

Is DNS Changer Spy Ware?
yes. due to the nature of installation in tricking the user as well as changing the information requested with altered data DNSChanger Trojan Horse is considered a Trojan Horse as well as spyware Resources.

How can you detect if your computer has been violated and infected with DNS Changer?

An industry wide team has developed easy “are you infected” web sites. They are a quick way to determine if you are infected with DNS Changer. Each site is designed for any normal computer user to browse to a link, follow the instructions, and see if they might be infected. Each site has instructions in their local languages on the next steps to clean up possible infections.

For example, the http://www.dns-ok.us/ will state if you are or are not infected (see below).
No Software is Downloaded! The tools do not need to to load any software on your computer to perform the check.
No changes are performed on your computer! Nothing is changed on your computer when you use sites like http://www.dns-ok.us/.
No scanning! The “are you infected with DNS Changer” tool does not need to scan your computer.
If you think your computer is infected with DNS Changer or any other malware, please refer to the security guides from your operating system or the self -help references from our fix page (http://www.dcwg.org/fix).
The following table is a list of all easy “are you infected” sites. It includes the links to the security organizations who are maintaining the sites. Each site has instructions in their local languages on the next steps to clean up possible infections.
URL Language Maintainer
www.dns-ok.us English DNS Changer Working Group (DCWG)
www.dns-ok.de German Bundeskriminalamt (BKA) & Bundesamt für Sicherheit in der Informationstechnik (BSI)
www.dns-ok.fi Finnish, Swedish, English CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.
www.dns-ok.ax Swedish, Finnish, English CERT-FI is the Finnish national reporting point for computer security incidents and information security threats. CERT-FI is also responsible of maintaining the national information security situation awareness system.
www.dns-ok.be Dutch/French CERT-BE is the primary Belgian contact point for dealing with Internet security threats and vulnerabilities affecting Belgian interests.
www.dns-ok.fr French Le CERT-LEXSI est la division de veille et d’enquête sur Internet, dédiée à la protection du patrimoine en ligne des organisations.
www.dns-ok.ca English/French Canadian Internet Registration Authority (CIRA) and Canadian Cyber Incident Response Centre (CCIRC)
www.dns-ok.lu English CIRCL (Computer Incident Response Center Luxembourg) is the national Computer Security Incident Response Team (CSIRT – CERT) coordination center for the Grand-Duchy of Luxembourg
www.dns-ok.nl Dutch SIDN (the Foundation for Internet Domain Registration in the Netherlands)
dns-ok.gov.au English CERT Australia, Stay Smart Online, and Australian Communications and Media Authority joint page on DNSChanger Information
dns-changer.eu German, Spanish, English ECO (Association of the German Internet Industry)

If you are not affected by DNS Changer then do nothing.
If the Check-Up Site indicates that you are affected then either follow the instructions on that site or go to the “FIX” page.

Manually Checking if your DNS server have been Changed

The following pages would help check to manually see if you have DNS Changer DNS servers configured on your computer. Use of the “check up” pages are more effective, but some would want to check manually.
Checking for DNS Changer on Windows XP
Checking for DNS Changer on Windows Vista (pending)
Checking Windows 7 for Infections
Checking OSX for Infections
Would my Service Provider Help Me?

Many service providers are notifying their customers. They are creating help pages that will help you detect and clean up DNS Changer from your system. Here is a partial list. Please contact your SP if you do not see them on the list.
ISP Page
AT&T 8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise – What Can Help You Avoid Being a Victim
Bell Canada Important information about DNS Changer malware
CenturyLink CenturyLink DNSChanger Customer Notice
Comcast DNS Changer Bot FAQ
COX COX DnsChanger Malware Information
Verizon Verizon’s Virus Help Website for DNS Changer Malware

How to Fix DSN Changer Trojan Errors on Computers

Instructions

End DNS Changer Processes

Press “Ctrl” + “Shift” + “Escape” to open the Task Manager.
Click “Processes,” then click “Show Processes From All Users.”
Click “Image Name” to view the list of processes in alphabetical order.
End the following DNS Changer processes. To end a process, right-click it and select “End Process.”
“tempdir\theclicker.exe”
“system\kdcqt.exe”
“system\kdcss.exe”
“system\kddvl.exe”
“system\kdyan.exenvctrl.exe”
“msmsgs.exe”
Close the Task Manager.
Delete DNS Changer Registry Keys

Click “Start” and type “regedit” into the “Search Programs and Files” box and press “Enter.” The Registry Editor opens.
Delete each of the following registry keys from the left pane of the Registry Editor. To delete a registry key, right-click it and select “Delete.” Note that deleting the wrong registry key can create significant system errors.
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters DhcpNameServer”
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID% DhcpNameServer”
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\Random CLSID% NameServer”
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%Random CLSID DhcpNameServer”
“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces NameServer”
Close the Registry Editor.
Delete DNS Changer Files

Click “Start,” then “Search Programs and Files.”
Search for and delete each of the following files. To delete a file, right-click it and select “Delete.”
“nvctrl.exe”
“msmsgs.exe”
“hp[X].tmp”
“msvol.tlb”
“ncompat.tlb”
“RSA”
“Protect”
“vnp7s.net”
“zxserv0.com”
“dumpserv.com”
“dtjby.dll”
“antzozc.dll”
“uimcu.dll”
Restart your computer.