Infected computer with DNS locked at 192.168.0.1

LePingUSA

I have tried all of the regular tools: Combofix, Malwarebytes, a-squared, Security Essentials. Tried locking the DNS settings to 8.8.8.8 and 8.8.4.4, ran tools to remove Norton, AVG, McAfee, and still nothing stops this worm from appending 192.168.0.1 to the DNS settings. Furthermore I removed the hosts files and did a regedit. Has anyone else dealt with this beast before, and what insight can you offer me? (I should add the computer tests clean with all of the previously mentioned tools. Web pages work normally until you try to go to Windows Update. I have also tried Google Chrome with no luck.)

Thanks
 
Have you slaved the drive in another machine so that any rootkits in the system aren't running at the time of scan?

Have you scanned it with a live CD ... so that any rootkits in the system aren't running at the time of scan?

Proxy settings?

Furthermore I removed the hosts files and did a regedit.
What does that mean? That's like "I did a notepad"...?
 
So you can go to any website with no problems but Windows Update doesn't work? What exactly happens?
 
This is on XP I assume? (or maybe 32bit Vista?)
Something is making the computer use a fake DNS hidden locally for redirects.
Like eHousecalls said you must have a rootkit and need to do some sort of offline scan.
You might need to run "WinSock XP Fix" afterwards as well.
 
I have not removed the hard drive yet. (Good idea.) No proxy settings detected. The machine works fine other than when I need to go to Windows Update; then it shows the standard DNS error page that you see in Internet Explorer. All other pages work fine.
 
I have set the IP address manually, and I have set the DNS servers manually. I can assure you that the 192.168.0.1 is not coming from within my LAN. I can go into the Windows registry and remove it, and no sooner have I done so than it is back. I can shut off DHCP and still have the same problem.

This may be obvious, but that's a private IP; is it the router? If that's the local subnet, I'd at least check the router settings. Also, what issues are you having?
 
I agree with you on the root kit. I have also run WinSock XP Fix, again no luck. I will try removing the hard drive and doing a cleansing that way.


 
Nice thought. I kicked myself for a second but then thought, "Unless someone changed the router from 192.168.0.1 to something else and then set it to assign IPs to MAC addresses starting at ..0.1." While possible, it's not that likely.
 
What if the IP of your router is not 192.168.0.1?

I'm wondering why on earth a rootkit would set the DNS to a private IP address.
 
What if these two things are not related to each other? There are lots of things that cause WU not to work. Maybe the DNS is being set by some router software, or some parental control or security software. I would look into fixing what is wrong with WU and go from there. The DNS you're being pointed to could only be harmful if the router is infected.
 
I get the impression you do not appreciate what's going on here. The computer has bound itself to 192.168.0.1 and is running its own DNS server. This has nothing to do with the office router. No other machine is affected in the same way. It is without a doubt some form of malware or some antivirus program that went terribly wrong.
 
I now know what I am up against. I pulled the drive out and scanned it.


Virus:Win32/Alureon.A

Encyclopedia entry
Updated: May 20, 2010 | Published: Apr 13, 2010

Aliases
Win32/Alureon.H (other)
W32/SYStroj.AB2.gen!Eldorado (Authentium (Command))
Win32/Patched.DP (AVG)
TR/Patched.Gen (Avira)
Rootkit.Patched.TDSS.Gen (BitDefender)
Win32/Alureon.A!Generic (CA)
BackDoor.Tdss.2459 (Dr.Web)
Win32/Olmarik.ZC (ESET)
Rootkit.Win32.TDSS.ap (Kaspersky)
Patched-SYSFile.d (McAfee)
W32/TDSS.drv.gen8 (Norman)
Bck/Tdss.AL (Panda)
Rootkit.Win32.TDSS.c (Rising AV)
Mal/TDSSRt-A (Sophos)
LooksLike.Win32.PatchedDriver!A (Sunbelt Software)
Backdoor.Tidserv!inf (Symantec)
Mal_TIDIES-12 (Trend Micro)
Rootkit.TDSS.Gen.3 (VirusBuster)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.85.683.0
Released: Jun 23, 2010
Detection initially created:
Definition: 1.79.1469.0
Released: Apr 09, 2010


Summary
Virus:Win32/Alureon.H is a detection for system drivers infected by members of the Win32/Alureon family.

Win32/Alureon is a multi-component family of trojans involved in a broad range of subversive activities online in order to generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating affected user's activities online to the attacker's benefit. As such, the various components of this family have been used for:
modifying affected user's search results (search hijacking)
redirecting affected user's browsing to sites of the attacker's choice (browser hijacking)
changing Domain Name System (DNS) settings in order to redirect users to sites of the attacker's choice without the affected user's knowledge
downloading and executing arbitrary files, including additional components and other malware
serving illegitimate advertising
installing Rogue security software
banner clicking

Win32/Alureon also utilizes advanced stealth techniques in order to hinder the detection and removal of its various components.

Some variants of this trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.

Uses advanced stealth
This added code is responsible for loading the rest of the rootkit (installed by another Alureon component) stored in arbitrary sectors in the hard drive. The rootkit is used to hide Alureon file components as well as to hide the infection of the infected driver.

Analysis by Scott Molenkamp
 
Resolved

I booted off of a Windows 98 CD (This is an XP Installation) and did a format /mbr then rebooted into the Windows XP recovery console and typed fixmbr and fixboot.

Now I am able to connect to Windows Update and can treat this like a regular spyware and virus removal.

Thanks for listening to my rant.
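An added example, not part of the thread, of the sector-0 inspection a responder would do on the slaved drive before and after the MBR rewrite described in the post above. It is Python run against a raw image of the disk's first sectors (for example a dd copy taken while the drive is slaved); a constructed image stands in for the real disk. Hashing the bootstrap code lets you prove that fixmbr actually changed it; the check for populated sectors in the gap before the first partition is a heuristic of mine, prompted by the encyclopedia entry's note that the rootkit body lives in arbitrary sectors, not something the thread states.

```python
"""Inspect sector 0 and the pre-partition gap of an offline disk image:
verify the 0x55AA signature, list partition entries, hash the bootstrap
code so it can be compared across a fixmbr run, and list non-empty
sectors between the MBR and the first partition.

Every byte here is constructed; nothing is read from a real disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries
SIGNATURE_OFF = 510          # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a synthetic 512-byte MBR (constructed test data)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x00" * 6                       # disk signature + reserved, 440..445
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, b"\x00" * 3,
                    ptype, b"\x00" * 3, lba, size)
        for boot, ptype, lba, size in partitions
    ).ljust(64, b"\x00")
    return code + disk_sig + table + b"\x55\xAA"


def parse_mbr(data):
    """Return signature check, bootstrap-code hash and the used partition slots."""
    if len(data) < SECTOR:
        raise ValueError("MBR needs at least 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, size = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype:                                 # type 0 = unused slot
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": size})
    return {
        "signature_ok": data[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def diff_mbr(before, after):
    """Which regions of sector 0 differ between two images (e.g. across fixmbr).
    A patched MBR changes the boot code while leaving the table intact."""
    return {
        "boot_code": before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN],
        "partition_table": before[PART_TABLE_OFF:SIGNATURE_OFF]
                           != after[PART_TABLE_OFF:SIGNATURE_OFF],
    }


def nonzero_gap_sectors(image, first_lba):
    """LBAs between the MBR and the first partition that are not all zero.
    Heuristic (assumption, not a rule): on a stock install this gap is
    normally empty, so populated sectors there are worth pulling for analysis."""
    found = []
    for lba in range(1, first_lba):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not chunk:
            break                                 # image shorter than the gap
        if any(chunk):
            found.append(lba)
    return found


def build_sample_image():
    """Constructed image: MBR with one NTFS partition at LBA 63 and one
    populated sector (LBA 30) sitting in the pre-partition gap."""
    mbr = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [(True, 0x07, 63, 2000000)])
    gap = bytearray(SECTOR * 62)                  # sectors 1..62
    gap[29 * SECTOR:30 * SECTOR] = b"\xE8" * SECTOR   # disk sector 30
    return mbr + bytes(gap)


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_mbr(img)
    print("signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print("partition", p)
    print("populated gap sectors:", nonzero_gap_sectors(img, 63))
```

Run parse_mbr on an image taken before the repair and again after, and diff_mbr tells you whether only the bootstrap code moved (the expected result of fixmbr) or the partition table as well (which would mean something else went wrong). Any sector that nonzero_gap_sectors reports is a candidate for the hidden rootkit body and should be saved before it is overwritten.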
 
Well you didn't say the computer itself gets the 192.168.0.1 IP and is running a DNS on itself. That's how it got everyone confused.

Glad you got it fixed.
 
Huh?

OK, I have to ask. If the machine was setting itself to IP addy 192.168.0.1 and the office subnet was anything other than 192.168.0.x, how was the computer getting out to the internet at all? If the local subnet WAS 192.168.0.x it should have been clashing big time with the router and if it wasn't then it should have been unable to find the gateway. Either way there should have been no internet access. Help me out here.
 
I just dealt with a nasty virus that actually changed the DNS settings in my ROUTER. After banging my head for hours on this, I logged into my router and let the ISP give the DNS settings, and now everything works just fine... hope that helps.
 
This has been posted a couple of times over the last couple of months. Don't forget to change the default login settings of the router.
 