Help! How do I change my DNS server settings on router?

Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
Hello! I think this is a hardware problem, isn't it?

This might be old news for some but I only found out about this malware a few days ago. Sorry if this is a bit of a long winded post.

This malware infects a computer with malicious software (DNS Changer) to change the user’s DNS server settings to replace the ISP’s good DNS servers with bad DNS servers operated by the criminal.

I used MacScan which found the DNS Changer malware. I isolated it and dumped it in the trash and emptied the trash as instructed. I am still getting the Google alert telling me my computer is infected – this time a different colour! The websites set up to tell you if you are infected are also telling me that I am still infected. I’ve read some other stuff on the internet so I know my router has been affected. Through a command in Terminal in Utilities, it shows it has 2 DNS servers that have been identified as one of the many rogue DNS servers set up by the criminals.

I’ve got an iMac PowerPC G4. It’s just my home computer about 7 years old and I’m using the Built-in Ethernet. So I need to replace the rogue DNS servers with good ones. I did speak to my ISP provider and was told that as my Mac is using DHCP it means that my router cannot be infected - which goes to show how much they know. I’ve done some research online but I can’t find instructions specific enough to enable me to change my DNS settings especially as my machine is an older one. This is what I have:

I click on Network.
Built-in-Ethernet is green because that’s what I’m using. But there is no ‘Advanced’ button to press. Just Configure.
I press Configure.
Location: is ‘Automatic’
Show: is Built-in-Ethernet
My button options are TCP/IP, PPPoE, AppleTalk, Proxies, and Ethernet. There is no DNS button across the top of the box with these others.

Under TCP/IP it says Configure IPv4 in front of a drop down menu that is showing ‘Using DHCP’
Under this there is my IP address.
There is a Subnet Mask number printed as well.
And under that is the printed Router number: 77.102.28.1. These are printed, they cannot be altered and they are not the same IPs that showed up when I used Terminal.

Under this is the DNS Servers box which is empty.
Under this the Search Domains box is also empty
Under this is IPv6 Address which is a long line of letters and numbers, lots of 0s. Plus the option to Configure IPv6.

There are no DNS servers for me to remove and replace in the boxes. So how do I change them?

Any help would be much appreciated as the FBI, who have caught the criminals behind it and who are now maintaining those “rogue” (actually no longer rogue) DNS servers will be turning them off on July 9th and if I haven’t fixed this problem by then I will be cut off from the internet. Thanks
 
Joined
Oct 22, 2007
Messages
8,967
Reaction score
287
Points
83
Location
London
Your Mac's Specs
Mac Mini Core i7 2012 | White 2009 MacBook 2 Ghz | 733 Mhz G4 Quicksilver
I shouldn't think you've been infected unless you are getting web redirects to gambling or pown sites

But what router do you have?
 
Joined
Mar 28, 2012
Messages
263
Reaction score
13
Points
18
Location
Atlanta, GA
Your Mac's Specs
27" iMac (Mid 2011), 3.4GHz Intel Core i7, 16GB RAM, 2GB Video Card, 2TB HDD
I always thought you changed your DNS settings in the router settings menu and not on the computer itself. I am no networking expert though.

To get to the router settings on a Linksys router (it's different for each brand so look up how to do it for your router brand) you open Safari on a computer connected to the network and in the URL box type "192.168.1.1". It will bring up a window asking for your username and password. Username is left blank and the password is "Admin". This will take you to the router settings where you can adjust the DNS (I think) and DHCP settings on the network.
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
I tried that Adric and I'm getting nothing, a 'failed to open page' with Safari because the server where the page is located isn't responding. I'll check it for my router brand as well.

Thanks for the prompt reply guys.

The router I have is a Motorola Surfboard cable Modem.
Also I just read somewhere that I can type new DNS servers into the empty DNS server boxes but I'm not sure if this is enough to override and replace the bogus DNS servers.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
The router I have is a Motorola Surfboard cable Modem.

A cable modem is not a router unless that particular model has both combined into one unit. I just took a look at several Motorola Surfboard modems and they do not include a router. You didn't include your model number otherwise I could have looked a bit deeper.

Anyway, you should be able to change your DNS settings from System Preferences, Network, WiFi, Advanced, DNS.
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
Also I just read somewhere that I can type new DNS servers into the empty DNS server boxes but I'm not sure if this is enough to override and replace the bogus DNS servers.

If all you have is a cable modem and your DNS "boxes" are blank, you do not have rogue DNS servers. Also, this is the IP for the Motorola cable modem: 192.168.100.1 ... but you won't find any settings to change there.
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
Sorry to be so ignorant about my hardware. Never had a problem before with my Mac in the 7 or 8 years I've had it.
The only other bit of hardware I have with my Mac is the Motorola Surfboard cable Modem. The model number is SB5101E. And I assume the router is a physical piece of hardware so I assumed the Motorola was the router/Modem.

cradom when I used Terminal in Utilities to check what DNS servers my computer was using it came up with 2 of the rogue DNS servers which are 85.255.114.85 and 85.255.112.25. Also I am still getting the alert that my Mac's infected.

This is the website that tells you how to check if you're still infected by the malware and how to fix it (up to a point) "www.dcwg.org/" and here is a site that tells you what the rogue DNS servers are: DNSChanger Notification

And here's a recent article on it: Google warns users infected with DNSChanger as Web outage nears - PC Advisor

I really appreciate your help, guys. If someone here can't help I'll just have to keep searching the net
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
My last post has to be looked at by the mods so it's not on here yet, but I do have an update. I was advised to go into Utilities and Terminal to input the command "sudo nano /etc/resolv.conf." Then to enter my Admin password. It then comes up with my servers and I'm able to delete the bogus ones. Then press Control - x. You're asked if you want to save your changes and you press y and then restart your Mac. It all worked up until I pressed y. I wasn't able to exit Terminal after that as it seemed to want me to write the file name. It said: "File Name to Write: /etc/resolv.conf." If I try to close and exit it tells me that it will terminate the "processes working inside, login, bash, nano." So I end up having to 'terminate' or cancel the whole process. I also sometimes get the added line: "cpc10-dals18-20-cust331:~" in Terminal.

I don't want to write anything for the file name, (if that's what it's asking me for) in case I get it wrong and mess it up. Does anyone know what to do when you get to this point? Because it seems as this will work and help me to delete the bogus DNS servers from my machine if I can just get past this bit. Thanks.
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
It's asking you if you want to save the file. Just press enter again and it will save and quit. Then you can quit Terminal.
Actually you need to press Control-o to write out the file and then control-x to quit nano. No need to type in a filename, it assumes the one you opened.
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
Thanks for replying, cradom.
Something's not right. I'm so close to sorting this and it's so frustrating that I'm at this last hurdle and it won't work. I'll go through what I'm doing so far from advice given elsewhere:

In Terminal type sudo nano /etc/resolv.conf
Enter password
Delete bad DNS servers
There are 4 lines. The last 2 are the rogue DNS servers added by the malware. The first 2 are my ISP's DNS servers that I called and asked them for. The cursor is at the beginning of the first line so I have to use the back arrow to scroll down 4 lines to the last number of the last line of rogue server then use the backspace arrow to delete the 2 lines of the bad DNS servers.
Press Control - x to exit
Doing this jumps me straight into a highlighted question: "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?" I'm given the highlighted options of yes, no or cancel.
Then press y to save changes
Pressing y for yes jumps me straight into the highlighted line "File Name to Write: /etc/resolve.conf." I cannot come out of this highlighted line. I can only move the cursor along this line to the beginning of " /etc..." This is where the problem starts. I was advised to press y again but that only adds the letter to the line. I pressed Control - O as you advised but nothing happens - presumably because it's not one of the options below. The only options I have at this point, which are also highlighted with this line are:
Control - G Get Help
Control - T To Files
M-D DOS Format
M-O Mac Format
M-A Append
M-P Prepend
M-B Backup File
Control - C Cancel

So I only get as far as saving the file. It seems to accept the save up to a point but then it wants me to do something else. Add to the name of the file? If I do add to the file name, then press return, it jumps to "File exists, OVERWRITE ?" with the options yes, no or cancel. I don't dare choose any of them. If I try to close nano and exit I get the "closing this window will terminate the following processes inside it: login, bash, nano."

I can't do anything except to close and terminate because I can't complete the process of deleting the rogue DNS servers.

What do you think? Are all the steps in this process correct?
 
Joined
Dec 11, 2010
Messages
1,808
Reaction score
40
Points
48
Location
Chicago
Your Mac's Specs
late 2012 mini w/SSD
cradom was trying to simplify things for you by doing ctrl-o (output=write the file) before ctrl-x.
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
Thanks for replying, cradom.
Something's not right. I'm so close to sorting this and it's so frustrating that I'm at this last hurdle and it won't work. I'll go through what I'm doing so far from advice given elsewhere:

In Terminal type sudo nano /etc/resolv.conf
Enter password
Delete bad DNS servers
There are 4 lines. The last 2 are the rogue DNS servers added by the malware. The first 2 are my ISP's DNS servers that I called and asked them for. The cursor is at the beginning of the first line so I have to use the back arrow to scroll down 4 lines to the last number of the last line of rogue server then use the backspace arrow to delete the 2 lines of the bad DNS servers.
Press Control - x to exit Don't do this, instead press control-o to save your changes. THEN press control-x to quit Nano.
Doing this jumps me straight into a highlighted question: "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?" I'm given the highlighted options of yes, no or cancel.
Then press y to save changes
Pressing y for yes jumps me straight into the highlighted line "File Name to Write: /etc/resolve.conf." I cannot come out of this highlighted line. I can only move the cursor along this line to the beginning of " /etc..." All you need to do here is press 'ENTER' to save changes. Don't move the cursor. This is where the problem starts. I was advised to press y again but that only adds the letter to the line. I pressed Control - O as you advised but nothing happens - presumably because it's not one of the options below. The only options I have at this point, which are also highlighted with this line are:
Control - G Get Help
Control - T To Files
M-D DOS Format
M-O Mac Format
M-A Append
M-P Prepend
M-B Backup File
Control - C Cancel

So I only get as far as saving the file. It seems to accept the save up to a point but then it wants me to do something else. Add to the name of the file? If I do add to the file name, then press return, it jumps to "File exists, OVERWRITE ?" with the options yes, no or cancel. I don't dare choose any of them. If I try to close nano and exit I get the "closing this window will terminate the following processes inside it: login, bash, nano."

I can't do anything except to close and terminate because I can't complete the process of deleting the rogue DNS servers.

What do you think? Are all the steps in this process correct?

Fixed things for ya.
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
I followed the instructions with your added info and it all went according to plan. I restarted my Mac, but when I used cat /etc/resolv.conf to check, the 2 rogue servers were still there - even though I deleted them in nano. If Control - O is the same as saving, then why are the servers still there? And beneath them had been added the line: cpc10-dals18-2-0-cust331:~ What does that mean? And why has Terminal added it? Maybe it's an error code of some kind.

I'm so tired of this. I've been working on it for a week now.
cradom, thank you so much for all your help. If you can shed any further light on this that would be cool. Maybe the rogue servers can't be deleted in this way. Can't be that easy! Maybe it does have to be done by the ISP or through the actual router, except I've got a Motorola Surfboard Cable Modem that has no manual reset, so I may have to try to speak to their technical support team.
 
OP
F
Joined
Jun 27, 2012
Messages
7
Reaction score
0
Points
1
All sorted now!

Oh finally!! Sorted!
I didn't need to do anything with my cable modem/router in the end.

I'd like to thank everyone for their advice and help on this. It was much appreciated. In the end it was using crontab that did it for me and in case anyone new has a problem with this in the future, this was the process:


Go into Utilities in Applications and open the Terminal app
Type cat /etc/resolv.conf to check what servers you have
To delete the rogue servers from here type sudo nano /etc/resolv.conf.
Enter your password.
Delete rogue servers. You have to scroll with your cursor to get to the end of the line and then delete from there.
Press Control - O to write out and save changes
Press Control - X to exit.
Restart machine.

This actually didn't work for me personally. So after more searching, help and advice, I got this process:

Go into Terminal
Type sudo crontab -l (That's the letter ell) This shows what entries are in the directory. In mine, the malware script showed up as /Library/Internet Plug-Ins/QuickTime.xpt. If you have more than the malware entry in there, you will want to edit and delete. To do this for a single line:
Type sudo crontab -e. Use arrow key to navigate to line. I scrolled to end of line.
Type dd to delete the line
Type wq and press Return to write out the file and quit.

I had only the one entry and that was the malware script so I was able to use sudo crontab -r which will delete everything in there, so you have to be careful with it. After that I also flushed the cache. For Tiger you go into Terminal and type lookupd -flushcache. This is like a reset. Two extra servers showed up and I assume they are the original servers that were there - which means that when I called my ISP to ask for the servers they used, they gave me 2 different ones from the original. Whatever.

I restarted my machine and the google alert was gone. I checked out the site that tells you if you're still 'infected' and the background was green. I'm clear.

Thanks everyone!
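
The two checks from the post above (nameservers in /etc/resolv.conf, entries in root's crontab) as a read-only audit script. This is an added example, not part of the original thread: the two addresses and the script path are the ones quoted in the thread, the sample files are constructed, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: read-only audit of the two places the posters had to
# clean, the resolver file and root's crontab. Nothing is modified.

# Resolver addresses the original poster reported; extend this list from
# an authoritative notification source.
ROGUE_DNS="85.255.114.85 85.255.112.25"
# Script path the poster found in the output of `sudo crontab -l`.
CRON_IOC="/Library/Internet Plug-Ins/QuickTime.xpt"

# Print each nameserver in a resolv.conf-style file that is on the list.
rogue_nameservers() {
    awk -v list="$ROGUE_DNS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        $1 == "nameserver" && ($2 in bad) { print $2 }
    ' "$1"
}

# Print non-comment crontab lines that reference the known script path.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -F -- "$CRON_IOC" || true
}

# Verdict: "clean", "rogue-dns" (edit resolv.conf), or "cron-persistence"
# (remove the cron entry first; in the thread the resolv.conf edit alone
# did not survive a restart).
audit() {
    if [ -n "$(suspicious_cron_lines "$2")" ]; then echo "cron-persistence"
    elif [ -n "$(rogue_nameservers "$1")" ]; then echo "rogue-dns"
    else echo "clean"; fi
}

# Constructed sample inputs, so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/resolv.conf" <<'EOF'
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 85.255.114.85
nameserver 85.255.112.25
EOF
cat > "$SAMPLE_DIR/crontab.txt" <<'EOF'
# m h dom mon dow command
* * * * * "/Library/Internet Plug-Ins/QuickTime.xpt" 1>/dev/null 2>&1
EOF
: > "$SAMPLE_DIR/empty.txt"

audit "$SAMPLE_DIR/resolv.conf" "$SAMPLE_DIR/crontab.txt"
audit "$SAMPLE_DIR/resolv.conf" "$SAMPLE_DIR/empty.txt"
```

On a real machine, pass /etc/resolv.conf and a file holding the saved output of `sudo crontab -l` to `audit` instead of the sample files.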
 
Joined
Jul 10, 2012
Messages
3
Reaction score
0
Points
1
password section won't budge !!

Hello y'all,

I've been reading this thread and trying all means. Yes, I'm uber desperate.

I typed sudo nano /etc/resolv.conf and it prompted for my password. But I can't seem to type anything!! What's wrong? Each time I pressed "enter", it says password is incorrect. I mean, duh. It doesn't even allow me to type anything.

I'm stuck in that section and hopefully the rest will work smoothly!

Thanks guys!

Ps: device used - macbook pro OS 10.4
 
Joined
Feb 14, 2004
Messages
4,781
Reaction score
166
Points
63
Location
Groves, Texas
When you type in your password it doesn't echo back. You won't see it but it's there. Just make sure you type in your user password correctly. This is a security feature.
 
Joined
Jul 10, 2012
Messages
3
Reaction score
0
Points
1
Hi Cradom,

Thank you for your prompt reply. I've finally managed to see the bad server and managed to delete them away. However, when I restart my device, the same thing happened. The bad server is still up and I'm not able to browse anything.

Alternatively, I tried Feisty411's suggestion by typing lookupd -flushcache (since it's mentioned for Tiger OS) but it doesn't do anything either.

This is frustrating for someone who knows nuts about computer configurations!
 
Joined
Jul 10, 2012
Messages
3
Reaction score
0
Points
1
Ok, it works now!

Thank you for the info guys ! And the prompt reply cradom !

Phew.
 
