2.9.12

DNSChanger Customer Notice

CenturyLink is dedicated to protecting its customers' Internet experience and works to notify users when their computer systems may be infected. Our Security Services organization has received notification from the Federal Bureau of Investigation (FBI) about industry-wide malicious online traffic, which we have identified as impacting a small fraction of our customers - less than one half of one percent. If you received an email from CenturyLink notifying you that your system has been impacted by this industry-wide attack, your computer or another computer on your network may be infected by malicious software known as "DNSChanger."

DNSChanger redirects your Internet traffic to alternative web sites, most commonly redirecting advertisement traffic to sites controlled by the malicious operator. This means your Internet browser is pulling up different sites than the ones originally intended by the website operator. DNSChanger does this by sending your computer's Domain Name System (DNS) traffic to servers under the malicious operator's control. This malware also allows infected computers to be controlled remotely (i.e., by another computer on the Internet known as a "command and control" server, or a C&C server). Details about this malware attack, and how your system may have been infected, can be found on the following FBI and Department of Justice website: http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf

To help protect your computer and to ensure continued internet access, we are redirecting your DNS traffic away from the malicious sites and sending it to CenturyLink-controlled DNS servers. Doing so will enable your Internet browsing, email and other activities to continue. At this time, it is not known whether or not the malware impacts anything other than web or advertisement redirection.

There are many forms and versions of this malicious software, and no utility can effectively detect and remove all versions of this software from all operating systems. CenturyLink recommends Norton Power Eraser (NPE) as a utility that may be effective in detecting and eradicating this malware on Windows operating systems.

Norton Power Eraser may be obtained at http://security.symantec.com/nbrt/npe.aspx. Norton Power Eraser must be run in Rootkit mode to effectively detect and remove this malware.

Prior to using Norton Power Eraser, it is highly recommended that you back up your personal files. Backing up your files should ensure that you don't lose any data if malware cannot be removed and you need to reformat and repartition your hard drive.

If you are not running a Windows operating system, or are unable to remove the malware using this utility, as a precaution to protect your privacy and data, the Department of Justice, with the assistance of the FBI, is recommending that you update your master boot record and reformat your hard drive or take it to a local repair shop to have this done.

The DNSChanger malware may also modify your operating system's local DNS settings, which will need to be reset manually. Step-by-step instructions for Windows XP, Windows Vista, and Windows 7 are available at http://qwest.centurylink.com/internethelp/dnschanger.html

The DNSChanger malware may also attempt to access residential, small office or home office routers using a password guessing technique. If the router accepts one of the guessed username/password combinations and so allows access by the trojan, the DNS settings inside the home or small office router will also need to be modified.
Once you have serviced your infected computers, you can verify that your router is also connecting to CenturyLink's DNS servers by looking at the DNS settings of the router. If the DNS settings are statically set to an IP address within the ranges used by the rogue DNS servers, the device will need to have its DNS reset to pull DNS dynamically. You can find the IP ranges of the rogue DNS servers in the FBI's public service announcement, located at http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf.
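
The range check described above can be scripted. The following is an added example, not part of the original notice or any CenturyLink tool: it extracts DNS server addresses from `ipconfig /all` or resolv.conf-style text and flags any that fall inside a list of start/end ranges. The ranges shown are placeholders from documentation address space, the sample inputs are constructed, and the function names are hypothetical; substitute the ranges published in the FBI announcement.

```python
import ipaddress
import re

# PLACEHOLDER ranges (RFC 5737 documentation space), NOT the real rogue ranges.
# Replace with the inclusive start/end pairs from the FBI announcement.
ROGUE_RANGES = [("192.0.2.0", "192.0.2.255"), ("198.51.100.0", "198.51.100.127")]

# Constructed sample inputs, not captured from a real system.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : 192.0.2.53
                                       198.51.100.200
                                       203.0.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV = "# constructed sample\nnameserver 198.51.100.7\nnameserver 203.0.113.9\n"

def parse_ip(token):
    """Return an ip_address for token, or None if it is not an address."""
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def extract_dns_servers(text):
    """Collect resolver addresses from resolv.conf or `ipconfig /all` text."""
    servers, in_block = [], False
    for line in text.splitlines():
        m = re.match(r"\s*(?:nameserver\s+|DNS Servers[ .]*:\s*)(\S+)", line)
        if m:
            # ipconfig lists further servers on indented continuation lines
            in_block = line.lstrip().startswith("DNS Servers")
            addr = parse_ip(m.group(1))
        elif in_block and parse_ip(line) is not None:
            addr = parse_ip(line)
        else:
            in_block = False
            continue
        if addr is not None:
            servers.append(addr)
    return servers

def find_rogue_servers(config_text, ranges=ROGUE_RANGES):
    """Return configured IPv4 DNS servers that fall inside any listed range."""
    nets = [n for start, end in ranges
            for n in ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]
    return [str(a) for a in extract_dns_servers(config_text)
            if a.version == 4 and any(a in n for n in nets)]

if __name__ == "__main__":
    print(find_rogue_servers(SAMPLE_IPCONFIG), find_rogue_servers(SAMPLE_RESOLV))
```

An empty result means none of the configured servers matched the supplied ranges; it does not show that the computer or router is free of the malware.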

In addition, you will need to change your administrative username and password to avoid additional compromise. Saving and rebooting the router after modifying these settings will allow the router to reconnect to CenturyLink's DNS servers. Instructions on resetting DNS for many CenturyLink-provided HSI routers are available at http://qwest.centurylink.com/internethelp/dnschanger.html.

You must remove malware from an infected computer in order to remain in compliance with our Acceptable Use Policy. Please see the Acceptable Use Policy at: https://www.centurylink.com/Pages/AboutUs/Legal/AcceptableUse/.

This malware may block access to many anti-virus web sites and may have prevented operating system updates. After having your computer(s) serviced, please make sure that the system software is up to date, that antivirus software is installed with current antivirus signatures, and that your hard disk(s) have been scanned to detect and remove all viruses, worms, trojans, or other software that allows unauthorized remote control of your systems. In addition to DNSChanger, your computer may be compromised with additional malware.