
Last chance to remove DNSChanger virus before web outage

Anyone who hasn't removed the DNSChanger virus from their computer by Monday will lose internet access when the FBI shuts down the temporary servers it set up to keep infected machines connected to the web. We explain how to prevent your computer from being cut off.

Thousands could lose internet access when FBI cuts off temporary servers


The FBI is snipping a cyber safety net on Monday that kept thousands of computer users online after their internet connections were hijacked by a piece of malware called DNSChanger, meaning those users could be disconnected from the web if they still haven't removed the virus by July 9.

The good news is if you're among the roughly 7,300 Canadian PC or Mac users — or the tens of thousands more worldwide — still believed to have machines infected with the nasty DNSChanger virus, you can spare yourself the misery of being cut off from email, Twitter, Facebook and other online distractions by performing a simple test.

Google, Facebook and the FBI have all issued repeated alerts over the past year about the estimated 650,000 computers worldwide — of a total four million affected — that still had the DNSChanger trojan, but they and media outlets made one last public appeal this week warning of the looming July 9 deadline.

That's when the FBI will shut down the temporary DNS servers it set up to keep the virus-infected computers connected to the internet after it broke up a criminal operation that had rerouted the machines through a system of false DNS servers, manipulating users' web searches in order to direct them to fraudulent websites.

The websites promoted fake products and allowed the cybercriminals to earn money off the sale of these products and advertising.

The temporary servers, operated by the non-profit Internet Systems Consortium, were meant to keep people connected to the web until the virus was removed and the connection through their usual internet service provider was resumed.

As of the night of July 8, there were about 210,851 unique IP addresses worldwide, 7,289 in Canada and 41,557 in the U.S. still using those temporary servers. The machines associated with those addresses, which do not necessarily each correspond to one computer, would have had their web access cut off on July 9.

How to check for virus

Double-checking for the malware only takes a minute. Here's how to do it:

The Canadian Internet Registration Authority (CIRA) has done much of the legwork for you by setting up an online screening system for your computer.

Visit the website www.dns-ok.ca/ and click on a link agreeing to run your computer through the DNSChanger malware checker. The page should refresh and show you either a green or red banner, with a message stating whether DNSChanger has been detected.

If it's green, you're in the clear. If the banner is red and a message confirms the virus has been detected, you can go to one of several websites set up to help inform the public about the virus and the related FBI operation for further instructions on how to remove it:

Identifying malicious IP addresses

Another way to screen for DNSChanger is to manually check and compare your computer's DNS settings to the known malicious DNS server IP addresses listed on the FBI or Public Safety Canada websites.

According to those sites, if a DNS server address in your computer's settings falls within one of the following ranges, your computer is infected with the virus:

  • 85.255.112.0 through 85.255.127.25
  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

To find your DNS settings, Public Safety Canada recommends the following steps.

For Windows users:

  • Go to Start menu.
  • Select Run...
  • Type: cmd.exe [press ENTER].
  • Type in the black command window: ipconfig /all [press ENTER].
  • Search for the line that says "DNS Servers." Often, two or three IP addresses are listed.
  • Compare against list of rogue IP addresses.

For Apple users:

  • Go to System Preferences.
  • Select Network.
  • Select the connection used for internet access (typically AirPort or Ethernet).
  • Select Advanced.
  • Select the DNS tab.
  • Compare against list of rogue IP addresses.
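
The manual comparison described above can also be scripted. The Python below is an added example, not code from the FBI, Public Safety Canada or this article's sources: it pulls the "DNS Servers" entries (including continuation lines) out of `ipconfig /all` output and checks each one against the ranges exactly as printed in the list above. The function names and the sample output are assumptions constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges, copied as printed in the list above (inclusive start/end).
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.25"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]
_BOUNDS = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
           for lo, hi in ROGUE_RANGES]

# Constructed sample of `ipconfig /all` output (not captured from a real machine).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.test
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

def is_rogue(addr):
    """True if addr is an IPv4 address inside one of the listed ranges."""
    try:
        n = int(ipaddress.IPv4Address(addr))
    except ValueError:
        return False  # IPv6 or malformed entries are not in the list
    return any(lo <= n <= hi for lo, hi in _BOUNDS)

def dns_servers_from_ipconfig(text):
    """Collect every DNS server, including the indented continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        more = re.match(r"^\s+([0-9A-Fa-f:.%]+)\s*$", line)
        if first:
            servers.append(first.group(1))
            in_dns = True
        elif in_dns and more:
            servers.append(more.group(1))
        else:
            in_dns = False
    return servers

def rogue_servers(text):
    """Return the DNS servers in the ipconfig output that fall in a rogue range."""
    return [s for s in dns_servers_from_ipconfig(text) if is_rogue(s)]
```

On a real Windows machine, the text passed to `rogue_servers` would be the saved output of `ipconfig /all`; an empty result means none of the configured DNS servers is in the listed ranges.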

What to do if your computer is infected

It's always advisable to consult a reputable computer professional for help before taking any drastic steps to repair a machine infected with a computer virus.

Several DNSChanger removal tools have been made available for download online. Free virus scan and removal software can be downloaded at www.dcwg.org/fix/.

Another, more extreme course of action is to back up important data on your computer and then wipe the hard drive clean and reformat it.

But if you choose this route, keep in mind that if you don't back up your files to a separate drive, you'll lose them, because reformatting cleans out all the files on a drive. You'll also need to reinstall your operating system and applications after reformatting.