DNS Changer (re)lived, new deadline: 9 July 2012!

As written in our “Password management for non-obvious accounts” blog post on February 22, the FBI confiscated the DNS Servers used by the DNS Changer malware and replaced them with different servers so that infected users would not be left without internet right away. Initially these replacement DNS Servers were to be taken offline on March 7, 2012. That meant any users who had not yet cleaned their systems and restored their DNS configuration would find themselves unable to use the internet.

All internet users were urged to check and clean their systems before March 7. However, due to the large number of affected systems and the unprecedented amount of effort involved, a federal judge in New York has ordered that the replacement DNS Servers not be taken offline before 9 July 2012. This may seem like good news, but in reality it means that too many systems are still affected and dismantling the replacement DNS Servers would cause havoc.

One way to check if your system is affected by this DNS Changer malware is to use a free DNS check that several websites offer. If you rely (or have relied) on these websites, please be aware that some websites may be tampered with or malicious and give you the wrong advice. To be sure you use legitimate websites that offer this feature, ESET has verified that this US-website and this European-website have the proper checks and give sound advice.

Another good way to check if your Windows system is affected by any variant of the DNS Changer malware or any type of other malware is to use the free ESET Online Scanner. ESET’s Online Scanner for Windows employs ThreatSense scanning technology and is updated several times a day with detection and automatic remediation of newly discovered threats.

If you are using a Mac, then you can scan your system and remove malware like DNS Changer with a free trial version of ESET Cybersecurity for Mac.

Please be aware that if your system is still affected by DNS Changer come 9 July you may not be able to use the internet any longer. When that happens, especially for less technical people, it may be problematic to clean your system manually. A quick online scan takes just a short time and can prevent you and your system suffering further complications that could be awkward to resolve.

Author Righard Zwienenberg, ESET

  • Matt Whiseant

    If I'm running Nod32 Antivirus 5.0 should I be concerned about this? In other words, would running ESET's online scanner be redundant if I'm already using a paid yearly subscription for their Antivirus product?

    • Righard Zwienenberg

      Of course you will not need to run ESET’s online scanner on the devices that are protected by NOD32 Antivirus as that product is also capable of detecting and taking care of the DNS Changer Malware. For PCs that are not protected, running ESET’s online scanner is highly recommended. But please be aware that this is more of a problem solver. If ESET’s online scanner is detecting a threat, it already has entered your system. It is always better to have ESET NOD32 Antivirus installed as that also provides real-time protection.

  • Maudy Grunch

    What about us Mac users? I know we're immune from many exploits/malware/bad things, but we aren't immune to DNS poisoning and corrupted tables. Is there a scanner that Mac users can use?
    Thanks muchly!

  • Righard Zwienenberg

    Hi Maudy,
    Mac users indeed are not immune to DNS poisoning, phishing, etc., but also not to different exploits/malware/etc. ESET's Online Scanner will only work under Windows. For Mac users ESET has ESET Cybersecurity for Mac that of course embeds ESET's ThreatSense Scan Technology as well, and comes with a free trial. You can find that here: http://www.eset.com/download/home/detail/family/29/

  • pAUL

    Hello from Australia, how about Norton 360, am I gonna be safe?

  • Vernice Phildor

    Woohoo! I survived the DNS Changer shutdown. :)

    • Righard Zwienenberg

      Congratulations :-)

  • Lilly Newstead

    Hi Righard, does it mean that if I keep having Internet after Monday, I am not infected with that DNS changer virus? It happens that sometimes my browser lands on a page different from the one I am looking for. Previously, I have read that this may be related to the DNSes. I tried these instructions and these too, with no luck. Maybe it is some new version of that virus?

    • David Harley

      It probably means you’re not infected, especially if you took steps to check your system for infection (and to check that your AV is working correctly). I can’t say that you don’t have some other infection, but sometimes when you open a link and it puts you somewhere else entirely, it’s because the URL redirects, which isn’t the same as DNS hijacking, and is sometimes done quite legitimately.

  • Enrique

    I'm from Latin America. In your opinion and experience, do you think the impact of that threat in countries like Mexico had the same level of criticality as in other world regions, Europe for example?

    • Righard Zwienenberg

      DNSChanger problems are global and not really geographical.

  • Micro

    I like what you guys are up to. Such intelligent work and reporting! Keep up the superb works guys. I have incorporated you guys to my blogroll. I think it’ll improve the value of my site. :)

  • Santina

    Received phone call from Indian man today. I live in Sydney. Saying they're going to refund my money I paid over a year ago for 3 years technical support, which I did back then. I paid them $239 and then was put on to a female supervisor to confirm about my refund, saying that the company was shutting down and they were authorised by the government to refund everyone's money because they can't look after our computer anymore. Is this a scam, as I gave her my work email address and told her I am not at work till Thursday, where she said she will call me back then. But then she also knew I had my computer at home opened (which I did), but I told her I'd rather give her my email address at work to deal with it then, as we have better security software.
    Told her I was not going to give her my bank details to put my money back. She said it was fine, all I had to do was fill out a refund form which she will send via email (at work). So is this a scam as well and what do I expect? She will probably ask me for my bank details, which I will refuse on Thursday when I go back to work and get her phone call. Have I done the right thing? As I also heard my company I dealt with is shut down now, but she said they were shutting down?? So something weird about that, 'cause she knew how much I paid for 3 years technical support but couldn't name the company I dealt with?

    • David Harley

      Santina, there are a couple of things here that don’t sound right. At the very least, you need verification from the company, which means you need to contact it, not accept the word of some random caller that he or she is representing it. If you can’t contact the company because it’s shut down, who is supposed to be refunding the money? It doesn’t sound likely that the caller could know that your home PC was on. That sounds like the sort of claim PC support scammers make. It sounds to me, frankly, as if this could be some twist on the old PC support scam, and the fact that the company you dealt with did shut may be totally coincidental: at any rate, they ought to be able to tell which company they’re representing.
