WARNING****DNSchanger sounds fishy!! Here are a few tricks to check for infection.
DNS changers have been around for quite sometime (see examples below) Why is this variant and different?
Why have the big hitters of antivirus been reporting on this one with a removal tool? Why would the FBI setup "Clean Servers" up and allow your traffic to still be redirected?
My guess is that they are collecting statistics on every pc that hits their servers. I would not go to that site to have anything checked. Those sites are contractor sites for the FBI/CIA/NSA. Chances that you are infected are pretty low. Just run malwarebytes or any other malware checker.
Check for it running via the netstat command. Open a command promt and type netstat -b look and see what connections you have that are connecting to foreign hosts.Run netstat -p udp to check for outbound udp connections for DNS port 53 to foreign hosts. Netstat -p tcp same as above. DNS should not be forwarding outside of your firewall to any outside source from your LAN IP. Check your hosts file for any writes to it as it will bypass all dns settings. That is all for now. This is just a suggestion but the whole thing seems fishy!
If this is a variant of the below trojans then they can be detected by up to date antivirus/malware checkers.
[link to http://www.symantec.com]
Discovered: April 25, 2005
Updated: February 13, 2007 12:37:53 PM
Also Known As: Trojan.Win32.DNSChanger.a [Kas
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Trojan.Flush.C is a Trojan horse that modifies the DNS server settings on a compromised computer and redirects the browser to potentially malicious Web sites.
Antivirus Protection DatesInitial Rapid Release version April 25, 2005
Latest Rapid Release version April 25, 2005
Initial Daily Certified version April 25, 2005
Latest Daily Certified version April 25, 2005
Initial Weekly Certified release date April 27, 2005
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat AssessmentWildWild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
DamageDamage Level: Low
DistributionDistribution Level: Low
[link to http://www.f-secure.com]
Lately we got a few samples of this trojan that were named 'PayPal-2.5.200-MSWin32-x86-2005.exe'. This trojan was programmed to change the DNS server name of a victim's computer to 220.127.116.11 address.
The Registry key that is affected by this trojan is:
Creates these keys:
DhcpNameServer = 85.255.xx.xxx,85.255.xxx.xxx
NameServer = 85.255.xxx.133,85.255.xxx.xxx
DhcpNameServer = 85.255.xxx.xxx,85.255.xxx.xxx
NameServer = 85.255.xxx.xxx,85.255.xxx.xxx