
Jaycee411 (macrumors newbie, original poster), Jun 28, 2012
Hi, this might be old news for some but I only found out about this malware a few days ago. Sorry if this is a bit of a long-winded post.

This malware infects a computer with malicious software (DNS Changer) to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal.

I used MacScan which found the DNS Changer malware. I isolated it and dumped it in the trash and emptied the trash as instructed. I am still getting the Google alert telling me my computer is infected – this time a different colour! The websites set up to tell you if you are infected are also telling me that I am still infected. I’ve read some other stuff on the internet so I know it's probably my router that's been affected. Through a command in Terminal in Utilities, it shows it has 2 DNS servers that have been identified as one of the many rogue DNS servers set up by the criminals who created the malware.

I’ve got an iMac PowerPC G4. It’s just my home computer about 7 years old and I’m using the Built-in Ethernet. So I need to replace the rogue DNS servers with good ones. I did speak to my ISP provider and was told that as my Mac is using DHCP it means that my router cannot be infected - which goes to show how much they know. I’ve done some research online but I can’t find instructions specific enough to enable me to change my DNS settings especially as my machine is an older one. This is what I have:

I click on Network.
Built-in Ethernet is green because that’s what I’m using. But there is no ‘Advanced’ button to press. Just Configure.
I press Configure.
Location: is ‘Automatic’
Show: is Built-in Ethernet
My button options are TCP/IP, PPPoE, AppleTalk, Proxies, and Ethernet. There is no DNS button across the top of the box with these others.

Under TCP/IP it says Configure IPv4 in front of a drop down menu that is showing ‘Using DHCP’
Under this there is my IP address.
There is a Subnet Mask number printed as well.
And under that is the printed Router number: 77.102.28.1. These are printed, they cannot be altered and they are not the same IPs that showed up when I used Terminal.

Under this is the DNS Servers box which is empty.
Under this the Search Domains box is also empty
Under this is IPv6 Address which is a long line of letters and numbers, lots of 0s. Plus the option to Configure IPv6.

There are no DNS servers for me to remove and replace in the boxes. So how do I change them?

Any help would be much appreciated as the FBI, who have caught the criminals behind it and who are now maintaining those “rogue” (actually no longer rogue) DNS servers will be turning them off on July 9th and if I haven’t fixed this problem by then I will be cut off from the internet. Thanks
 
In the DNS server box put in "8.8.8.8, 8.8.4.4", no quotes. This will set your Mac to use Google's DNS server.
 
One is the primary DNS server and the other is the secondary. The secondary is used if the primary isn't responding or if it doesn't know the correct DNS record for the IP address. It's best to have at least two different ones.
 
Thanks for the prompt reply!
I rang my ISP again and just asked them to give me the DNS servers that they use and they gave me a primary and a secondary number.

Is it really as simple as just typing them into the empty DNS server box? Will doing that override or rather replace the bogus DNS servers that my router automatically searches for?

I read somewhere else that I need to get to my router settings which are different for each brand of router, type 192.168.1.1 into the URL box of Safari where I'll then be asked for username and password. The username is left blank and I should type Admin for the password and this will then take me to the router settings where I can adjust the DNS and DHCP settings on the network.
They weren't 100% sure of this info though, so I'm just confused!

Thanks Intell!
 
It really is that simple. You only need to put the numbers in for the affected computers.
 
Thank you so much, Intell.

I was reading elsewhere that only my ISP could change the settings because what I've actually got is a cable modem: Motorola Surfboard SB5101E and my ISP has already been quite unhelpful apart from giving me the DNS servers they use. No help to actually change it!

If all goes well or not, either way I'll let you know :)
 
Hi, I did what you suggested, Intell.

I added my ISP's servers to the empty DNS server box in my Network and then went back to Utilities and Terminal to input the command
"cat /etc/resolv.conf" and my ISP's servers have been added which I'm very pleased about but the 2 bogus servers are still there so I'm still getting the 'infected' alert. So I'm really hoping that they're not still being used.

The 2 bogus servers are now 3rd and 4th in the list so what I was wondering was, as my ISP's servers are now 1st and 2nd in line, surely that means they are the first 2 that my computer will use to find websites, etc. I would feel much safer if I could actually get rid of the bogus servers off my machine altogether, but maybe all I have to do is wait until the FBI shuts down those bogus servers and hopefully I won't be cut off from the internet - because my ISP's servers are now there.

What do you think? Should I still find some way to get rid of the bogus servers from my machine completely? I am still a little bit worried about it but other than that I really appreciate the help you've given me.
 
In Terminal type "sudo nano /etc/resolv.conf". Enter your admin password when it asks for it. Then delete the bad DNS servers. When you're done, press control-X to exit and then Y to save the changes. Restart your iMac when done. That's it.
 
Intell, After I have pressed y to save the changes what do I do then? Because after doing that, at the bottom of the window, highlighted, it says
File Name to Write: /etc/resolv.conf plus the index below it. I assume I have to do something. Enter something in front of
File Name to Write: "? /etc/resolv.conf" perhaps? Or choose something from the index below it, e.g., To Files?

If I do nothing I cannot exit Terminal without it telling me that closing Terminal will terminate the 'processes inside it: login, bash, nano'.

Initially I just pressed Return and I was able to quit Terminal. If I open Terminal again straight away and enter cat /etc/resolv.conf it shows only the DNS servers of my ISP which makes me think it has worked although beneath them was also this:
cpc10-dals18-2-0-cust331:~
Not sure what that means.

If I restart my computer straight away after exiting Terminal and then check the DNS servers again, the bogus servers are still there plus this again: cpc10-dals18-2-0-cust331:~ and the Google alert and the other websites show that my machine is still infected.
 
There should be a second press of the y key after the first press. Nano will then close and you'll be back at the prompt. Go back into the file with nano to make sure it took.
 
When I press the y key a second time it is automatically added onto the end of "File Name to Write: /etc/resolv.conf" (so it reads "/etc/resolv.confy") because after I press the y key the first time it automatically highlights that sentence/command at the bottom of the Terminal window and I can't move the cursor anywhere else in the Terminal window. I can only move the cursor along "/etc/resolv.conf" as if it expects me to add to it or rename it.

If I leave the y added to the end of "resolv.conf" and press Return, it then says: "File exists, OVERWRITE ?" And I have the options to choose yes, no or cancel.

Nano doesn't close when I press the y a second time. Do you have any idea why?
 
I'm unable to help you much right now. I'm away from my computer. You could look at some how-tos for nano usage.
 
Finally!! Sorted!

I didn't need to do anything with my cable modem/router in the end.

I'd like to thank everyone for their advice and help on this. It was much appreciated. In the end it was using crontab that did it for me and in case anyone new has a problem with this in the future, this was the process:

Go into Utilities in Applications and open the Terminal app

Type cat /etc/resolv.conf to check what servers you have
To delete the rogue servers from here type sudo nano /etc/resolv.conf.
Enter your password.
Delete rogue servers. You have to scroll with your cursor to get to the end of the line and then delete from there.
Press Control - O to write out and save changes
Press Control - X to exit.
Restart machine.

This actually didn't work for me personally. So after more searching, help and advice, I got this process:

Go into Terminal
Type sudo crontab -l (That's the letter ell) This shows what entries are in the directory. In mine, the malware script showed up as /Library/Internet Plug-Ins/QuickTime.xpt. If you have more than the malware entry in there, you will want to edit and delete. To do this for a single line:
Type sudo crontab -e. Use arrow key to navigate to line. I scrolled to end of line.
Type dd to delete the line
Type wq and press Return to write out the file and quit.

I had only the one entry and that was the malware script so I was able to use sudo crontab -r which will delete everything in there, so you have to be careful with it. After that I also flushed the cache. For Tiger you go into Terminal and type lookupd -flushcache. This is like a reset. Two extra servers showed up and I assume they are the original servers that were there - which means that when I called my ISP to ask for the servers they used, they gave me 2 different ones from the original. Whatever.

I restarted my machine and the Google alert was gone. I checked out the site that tells you if you're still 'infected' and the background was green. I'm clear.

Thanks everyone!
 
Wow, thanks!

Google informed me a month ago that I was infected but a scan by an app I downloaded didn't find anything.

I used one of the sudo commands above and found 2 rogue DNS from the country of Ukraine (rogue DNS was 85.255.116.165 and another very similar)... and deleted it with the info above. Thanks!

Check if you are infected or not here: (FBI approved)

Green means not infected,

http://www.dns-ok.lu/
http://www.dns-ok.ca/results-en.html
http://dns-ok.nl/

Tool: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

The malicious Rove viruses changed some people's DNS settings to use computers they operated. Compare your DNS settings with the known malicious Rove DNS settings listed below:

Starting IP      Ending IP        CIDR
85.255.112.0     85.255.127.255   85.255.112.0/20
67.210.0.0       67.210.15.255    67.210.0.0/20
93.188.160.0     93.188.167.255   93.188.160.0/21
77.67.83.0       77.67.83.255     77.67.83.0/24
213.109.64.0     213.109.79.255   213.109.64.0/20
64.28.176.0      64.28.191.255    64.28.176.0/20
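The comparison described in this post, as an added example that is not part of the thread or of any FBI tool: it parses resolv.conf-style text (the `cat /etc/resolv.conf` output the thread checks) and flags any nameserver that falls inside the Rove ranges listed above. The sample resolv.conf is constructed; the 192.0.2.x "ISP" servers are placeholders and only 85.255.116.165 comes from the thread.

```python
import ipaddress

# The six Rove DNS ranges exactly as listed in the thread.
ROVE_DNS_RANGES = [ipaddress.ip_network(c) for c in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]


def nameservers_from_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text, in file order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_matches(servers):
    """Map each server inside a Rove range to the CIDR it matched."""
    hits = {}
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue  # malformed entry: cannot be matched, skip it
        for net in ROVE_DNS_RANGES:
            if addr in net:  # an IPv6 address never matches an IPv4 network
                hits[s] = str(net)
                break
    return hits


# Constructed sample mirroring the poster's situation: two ISP servers first,
# then two rogue entries. 85.255.116.165 is the address quoted in the thread;
# 85.255.112.7 is a constructed neighbour inside the same /20.
SAMPLE_RESOLV_CONF = """\
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 85.255.116.165
nameserver 85.255.112.7
"""


def check(text=SAMPLE_RESOLV_CONF):
    """Return (servers, rogue hits, whether the first-used resolver is rogue)."""
    servers = nameservers_from_resolv_conf(text)
    hits = rogue_matches(servers)
    first_is_rogue = bool(servers) and servers[0] in hits
    return servers, hits, first_is_rogue


if __name__ == "__main__":
    servers, hits, first_is_rogue = check()
    for s in servers:
        print(s, "ROGUE (" + hits[s] + ")" if s in hits else "ok")
    print("first resolver rogue:", first_is_rogue)
```

As the thread shows, a clean-looking list after editing resolv.conf is not proof of a fix: the poster's rogue entries were re-added at each restart by a cron job until `sudo crontab -l` revealed it, so rerun the check after a reboot.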
 