To determine if a computer is using rogue DNS servers, it is necessary to check the DNS
server settings on the computer. If the computer is connected to a wireless access point or
router, the settings on those devices should be checked as well.

Checking the Computer:

If you are using a Windows computer, open a command prompt. This can be done by
selecting Run from the Start Menu and entering cmd.exe or starting the command prompt
application, typically located in the Accessories folder within Programs on your Start Menu

At the command prompt, enter:
ipconfig /all
Look for the entry that reads “DNS Servers……….”

Compare whether your computer has DNS servers listed in the number ranges listed below.

To make the comparison between the computer’s DNS servers and this table easier, start by comparing the first number before the first dot. For example, if your DNS servers do not start with 85, 67, 93, 77, 213, or 64, you can move on to the next step. If your servers start with any of those numbers, continue the comparison.

Rogue DNS Servers
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

Checking the Router:

This is a little more difficult to describe since there are so many different home and office routers.  9/10 times you can identify what your router IP is by looking at the results of your ‘ipconfig /all’ from above.  The line that indicates your default gateway is the IP you want to put in your web browser (ex. http://192.168.1.1).  After logging in you need to find your router’s LAN settings to identify the DNS servers.  Check those DNS servers against the list of infected servers above.

If Infected:

Start with MalwareBytes

If you were directed here and are having issues you can submit a helpdesk ticket and a RTS rep can help you out.