Monday, 09 July 2012

How to Find, Remove DNSChanger From Your Router


For users who may be infected with the DNSChanger malware, the computer on your network should not be your only concern; the router matters as well. The looming threat of thousands of users unable to connect to the Internet come Monday is not so much caused by the malware, which is a form of rootkit, but rather by the remedy.
The FBI is poised to pull the plug on a network of rogue DNS servers previously used by cybercriminals to redirect users' browsing sessions. These redirections are to sites that can illicitly generate advertising revenue, or worse, that could potentially snag personal digital information. Once these rogue servers are taken offline, infected machines whose DNS settings point to them will be unable to access the Internet. For most home users, DNS settings are handled by their routers. Your ISP typically assigns your DNS settings automatically. These DNS settings are one or more IP addresses that you can find in the WAN settings within a router's management interface.
Most routers are set to automatically trickle down network settings to any machine on a home network that connects to them through the use of DHCP. DNS settings on the router get assigned to all computers and devices that connect to that router. And yes, the DNSChanger threat can infect a router. Here's how to tell if your router is infected and what to do.
Quick note: all routers vary in settings. The steps detailed here are for Netgear's N600 Wireless Dual band Gigabit Router. However, for most of the major consumer routers on the market - Cisco Linksys, D-Link, Asus, Trendnet and so on - the same general steps can be taken:
  • Open the management interface of your router.
  • From the interface, look for WAN or Internet setup. This is where you are going to look for the router's current DNS settings.
  • Under "Basic Settings" are settings for "Domain Name Server (DNS) Address":
  • Under "Use these DNS servers" there are two entries for Primary and Secondary DNS. These IP addresses should be DNS server addresses from your ISP. If you don't see any entries, you probably have DNS set to "Get automatically from ISP." You can still check what those DNS addresses are by going into the command prompt of your computer.
  • For example, here's how to check DNS in Windows 7. From a machine connected to the router, click the Start button and then in the Search field, type "cmd" and hit the "Enter" key:
  • At the flashing cursor on the cmd.exe window type: ipconfig /all. Hit the "Enter" key:
  • Scroll down until you see the line "DNS Servers" and take note of what your DNS server addresses are:
Whichever of these methods you use to get your DNS server addresses, either right from the router's management interface or through the command prompt, you want to look for addresses that may be the ones pointing to the rogue DNS servers slated to be shut down. You want to look for the following addresses:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255
These addresses, according to the FBI's site information, are pointing to the rogue servers.
You can also input the DNS addresses you found on your router on the FBI's site.
If you have these rogue DNS addresses on your router, don't panic; it's a simple fix. Contact your ISP (or check its website) and ask which DNS server addresses you should be using. You can manually enter the proper DNS addresses your ISP gives you in the DNS settings page of the router's interface.
For extra precaution, you can reset your router to factory default, reconfigure it, and then opt to have DNS information received automatically from the ISP (if your Internet connection supports DHCP versus having to enter static information in the router's settings; check with your ISP if you are unsure). If you take this measure, re-check that you now have the proper DNS information that your ISP gave you by going back into the DNS settings on the router's page or from the command prompt.
Reboot any clients that connect to the router if you make DNS changes to ensure they get the new settings. You'll also want to ensure that the threat is removed from any computers that connect to the router. There are several tips for doing so that are detailed in Avoid Internet Doomsday: Check for DNSChanger Malware Now.
