Infected computer with DNS locked at 192.168.0.1

The machine was able to get an address from the DHCP server without any trouble. The problem is when it received DNS information (in this case 8.8.8.8 and 8.8.4.4) the virus would append 192.168.0.1 (which it was binding to locally). It also did not matter if I entered an IP address into the Windows IP configuration.

The router at my shop runs ClearOS and is not some half-assed Linksys easily compromised piece of junk.

After I cleared the MBR information I was able to remove the virus and spyware infections with no hassle.

This is the strangest one I have seen since 1997.

OK, I have to ask. If the machine was setting itself to IP addy 192.168.0.1 and the office subnet was anything other than 192.168.0.x, how was the computer getting out to the internet at all? If the local subnet WAS 192.168.0.x it should have been clashing big time with the router and if it wasn't then it should have been unable to find the gateway. Either way there should have been no internet access. Help me out here.
 
I just dealt with a nasty virus that actually changed the DNS settings in my ROUTER. After banging my head for hours on this, I logged into my router and let the ISP give the DNS settings and now everything works just fine... hope that helps.

Household routers have UPnP functionality, not to mention the default login for routers.
 
Sorry to be tedious about this but I'm trying hard to understand what's happening and I don't yet.
  1. Machine is configured for DHCP
  2. Machine polls network for DHCP server
  3. Machine finds router/DHCP server at 10.10.10.1
  4. Router/DHCP server responds with IP address 10.10.10.101
  5. Machine (10.10.10.101) asks for DNS server addy
  6. Router/DHCP server at 10.10.10.1 responds with 8.8.8.8 / 8.8.8.4

Now's the part I'm fuzzy on. The virus then substitutes a different DNS address so instead of 8.8.8.8 the DNS is set to 192.168.0.1? If that is right, how does the DNS get serviced? It is both on an unreachable subnet and there is no device on that address anyway. I might be getting confused by your use of the term appending.
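The question above boils down to one check: is every configured resolver actually reachable from the interface that lists it? The following Python script is an added example, not code from anyone in this thread. It parses `ipconfig /all` output (the sample embedded below is constructed to mirror the addresses used in the question: a 10.10.10.101/24 host with an extra 192.168.0.1 resolver in front of the two Google servers) and flags any DNS server that sits in a private range outside the interface's own subnet. From 10.10.10.101/24 there is no route to 192.168.0.1, so such an entry can only be answered by something on the host itself, which is the condition the original poster described. Public resolvers are reached through the gateway and are not flagged. The parser handles IPv4 adapter fields only; IPv6 values contain colons and are out of scope here.

```python
import ipaddress

# Constructed sample of `ipconfig /all` output, NOT captured from the thread's
# machine. Addresses mirror the thread: DHCP from 10.10.10.1, Google DNS, plus
# the rogue 192.168.0.1 entry inserted ahead of the DHCP-supplied resolvers.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : shop.local
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.10.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
   DHCP Server . . . . . . . . . . . : 10.10.10.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       8.8.8.8
                                       8.8.4.4
"""


def parse_ipconfig(text):
    """Parse `ipconfig /all` text into a list of adapter dicts (IPv4 fields only)."""
    adapters = []
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Section header such as "Ethernet adapter Local Area Connection:"
            current = {"name": raw.strip().rstrip(":"), "address": None,
                       "mask": None, "gateway": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue
        if ":" in raw:
            # "Key . . . . : value" line; the dots are just padding.
            key, _, value = raw.partition(":")
            key = key.replace(".", "").strip()
            value = value.strip()
            last_key = key
        else:
            # Indented continuation line: an additional value for the last key
            # (this is how ipconfig lists the 2nd and later DNS servers).
            key, value = last_key, raw.strip()
        if key == "IPv4 Address":
            current["address"] = value.split("(")[0].strip()  # drop "(Preferred)"
        elif key == "Subnet Mask":
            current["mask"] = value
        elif key == "Default Gateway":
            current["gateway"] = value
        elif key == "DNS Servers" and value:
            current["dns"].append(value)
    return adapters


def audit_dns(adapter):
    """Return findings for DNS servers the adapter cannot reach directly.

    A resolver in a private (RFC 1918) range that is not inside the adapter's
    own subnet has no route from this interface; Windows tries resolvers in
    listed order, so a rogue entry at position 1 matters most.
    """
    findings = []
    if not adapter["address"] or not adapter["mask"]:
        return findings
    try:
        net = ipaddress.IPv4Network(f"{adapter['address']}/{adapter['mask']}",
                                    strict=False)
    except ValueError as exc:
        return [f"could not parse interface address: {exc}"]
    for position, server in enumerate(adapter["dns"], start=1):
        try:
            ip = ipaddress.IPv4Address(server)
        except ValueError:
            continue  # IPv6 or garbage; not handled by this example
        if ip.is_private and ip not in net:
            findings.append(f"{server} (position {position}): private address "
                            f"outside local subnet {net}, unreachable unless "
                            f"something on this host answers for it")
    return findings


def audit_all(text):
    """Map adapter name -> list of findings for every adapter in the output."""
    return {a["name"]: audit_dns(a) for a in parse_ipconfig(text)}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_IPCONFIG).items():
        print(name)
        for f in findings or ["no suspicious resolvers"]:
            print("   ", f)
```

On a live box, run `ipconfig /all > ipconfig.txt` and pass the file contents to `audit_all`; a hit on a private, off-subnet resolver that you did not configure is a good reason to look at what is listening on that address locally, and at the router's own DNS settings as the second reply suggests.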