[aamer-nasco]

Hello Everyone,

The problem we are facing here in our company started around 1 week back after an employee installed an application on his colleagues pc.

As soon as he installed that application, every computer on the network that had it's ip address configured by DHCP was not able to browse the web, when a user would open a browser a web page saying "Update Your browser" with a button would display.... and upon running an "IPCONFIG" to view that particular pc's details it would keep the ip address and subnet mask the same but would change the entries for the DHCP Adddress, DNS address, would also change the mac-address in the entries....

we are using McAfee as our anti-virus for protection and we called up McAfee tech support and they mentioned that it's not a virus so they wont be able to help out with it.... we are suffering with this and temporarily all our cients have been assigned static addresses...

I formatted the flash of the cisco 2821 router and reinstalled the ios and plugged it to an isolated network and it seemed fine but as soon as i plugged the router back to the company network the same thing.... the dhcp on the router I suspect is being spoofed by this malware and is acting as the DHCP server and handing out the dns and dhcp values.....

appreciate all the help i can get...

Regards,
Aamer

PS: Attached is a screenshot of the web page that shows up when someone tries to access the internet using DHCP as well as the OTL Report.

Attached Thumbnails

• 
• 

Attached Files

•  OTL.Txt   55.69KB   238 downloads
•  Extras.Txt   46.88KB   160 downloads

[Advertisements]

Interesting problem you have there. (Please do not attach any more logs. It makes them too hard to work with. Please repost (Copy and Paste) the OTL and Extras logs so I will be able to refer to them later.)

What I think is happening is that your malware is running its own DHCP server and it answers faster than the Cisco. If you look at the ipconfig you will see the DHCP is coming from a PC with IP 192.168.30.53. You need to locate that PC and remove it from the network. When you find the PC. Run OTL on it and post the logs.

What I can also see is that the DNS the bad DHCP is giving out is in Romania so you are getting a DNS hijack. Their malware DNS server can then keep you from getting to sites or send you to faked copies of sites.

You can fix the DNS hijack by using a static DNS:

1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 8.8.8.8 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

Then reboot and it should be able to connect normally even with the bad DHCP.

You should remove all old versions of Java from all PCs. This one has
Java 2 Runtime Environment, SE v1.4.2_17
Java 2 Runtime Environment Standard Edition v1.3.0_02
Java™ SE Development Kit 6 Update 23
Java™ 6 Update 24

The latest is Java™ 6 Update 26 which just came out. It will remove 6.24 when you install it but it ignores the really ancient versions which are very unsecure.

I think in next year's budget you should plan to change to a real anti-virus like Kaspersky, BitDefender or Avast.

Ron

[RKinner]

Interesting problem you have there. (Please do not attach any more logs. It makes them too hard to work with. Please repost (Copy and Paste) the OTL and Extras logs so I will be able to refer to them later.)

What I think is happening is that your malware is running its own DHCP server and it answers faster than the Cisco. If you look at the ipconfig you will see the DHCP is coming from a PC with IP 192.168.30.53. You need to locate that PC and remove it from the network. When you find the PC. Run OTL on it and post the logs.

What I can also see is that the DNS the bad DHCP is giving out is in Romania so you are getting a DNS hijack. Their malware DNS server can then keep you from getting to sites or send you to faked copies of sites.

You can fix the DNS hijack by using a static DNS:

1. Click "Start," click "Control Panel," click "Network and Internet Connections," and then click "Network Connections."
2. Right-click the network connection that you want to configure (the one you use to connect to the Internet), and then click Properties.
3. On the General tab (for a local area connection), or the Networking tab (for all other connections), click "Internet Protocol (TCP/IP)", and then click "Properties."

4. Click "Use the following DNS server addresses," and then type 8.8.8.8 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.

5. Click "OK"

Then reboot and it should be able to connect normally even with the bad DHCP.

You should remove all old versions of Java from all PCs. This one has
Java 2 Runtime Environment, SE v1.4.2_17
Java 2 Runtime Environment Standard Edition v1.3.0_02
Java™ SE Development Kit 6 Update 23
Java™ 6 Update 24

The latest is Java™ 6 Update 26 which just came out. It will remove 6.24 when you install it but it ignores the really ancient versions which are very unsecure.

I think in next year's budget you should plan to change to a real anti-virus like Kaspersky, BitDefender or Avast.

Ron