IPAddress being changed by malware

I've read the previous descriptions of "Trojan.DNSChanger", and it appears that's what's happening to me. I have a brand new, 3-days-out-of-the-box laptop, and it's already displaying exactly the same symptoms as every other PC and laptop I own: my IP address is being changed by some kind of malware. I've tried sitting here keying into Terminal (Admin) "ipconfig /release" and "ipconfig /renew", and my IP address keeps coming up pointing to the same 5 or 6 addresses that are all over the U.S., but not my state and not my network provider. If I occasionally get one I know is valid, in the 2-3 seconds it takes me to turn on Norton VPN and try to lock it, it has already been changed by the Trojan.

I've downloaded and run Malwarebytes, and it found some PUP-ware, but nothing like DNSChanger or any other rootkit software. What do I have to do to get rid of this and block it from being reinstalled?


Current Norton 360 version:  N360-ESD-22.22.11.12-EN

I forgot your other question regarding IP distribution. Unless your ISP requires a "static" IP, meaning an IP address that remains the same, allowing the default IP distribution that automatic DHCP provides is in your best interest.

SA

Thanks for the post back and info regarding your ISP device. There are active CVEs against it for "command injection vulnerabilities", listed here:

https://nvd.nist.gov/vuln/detail/CVE-2023-33009

https://nvd.nist.gov/vuln/detail/CVE-2023-33010

More clearly stated info is posted over on Bleeping Computer which you can use to check the firmware installed. https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-vulnerabilities-in-firewall-and-vpn-devices/#:~:text=CVE-2023-33010%3A%20A,critical%20severity%20score%20of%209.8)

Contact your ISP and have them help determine whether this has been corrected with the firmware updates it requires. Or you can review it on your own, or with the help of someone, using this article as a guide. The firmware for your device shows in the listing.

https://www.centurylink.com/home/help/internet/network-upgrades.html

FYI!! The IP address you gave is CenturyLink, most likely one of their datacenters that you are getting services from.

https://www.ip-tracker.org/lookup.php?ip=97.118.16.42


SA

Thanks for following up. It's still doing it. I bought a brand new laptop in the past few weeks, and just got another laptop back from HP that was repaired (the repair involved putting in a new hard drive and reinstalling Windows 10 at the repair site). Both of them exhibit the same problem right after being connected to my home network.

My home network consists of a ZyXel C3000Z modem/router (leased from the company, CenturyLink). The wireless function is turned off, since I have installed EERO Wi-Fi 6 mesh routers directly connected to the ZyXel, with extenders in other parts of the house. I think that pretty well indicates that the virus is in the ZyXel, since I was having the problem BEFORE I installed the EERO system.

I don't know how to clear the ZyXel and reload it to clear the virus (or what kind of solution I need to prevent it coming back). Any suggestions you have would be appreciated.

Current version number: 22.23.5.106

I found out how to get into the "HOSTS" file, but when you say "edit it", I'm apparently not sophisticated enough to know what I'm supposed to add/modify.

Also, it appears that the closest default IPv4 address to me is 97.118.16.42 (Highlands Ranch, CO). Is there some way I can FORCE that to be permanent and get rid of the automatic DHCP that seems to rotate? I have a total of 4 machines and an iPhone 13; I suppose I would need to find a permanent IP for each of those. (Sorry, these questions may seem dumb, but I know a lot about computers and operating systems, and not so much about network topology.)

BH>

Hello again. Following up to see if we can assist further.

SA

Hello bherber. If Malwarebytes is detecting things, quarantine them all and check them for deletion. A reboot is usually required.

Restart and see if things cleared up. If not, I suggest the following:

The first thing to do is take ALL your devices OFF-LINE. Change your hosts file on ALL your devices, one at a time. When done, DO NOT allow them back online until the following are all done.

Factory reset your router and modem/combo device. Change the factory default login and password on EACH device. All your computers are exhibiting the same behavior, so I believe this is the common source, and it indicates to me that your ISP/personal router device may have become infected. Factory reset BOTH.

Right out of the gate, the first thing I see is that your Norton product is far out of date. The current version is now 22.23.5.6. When you are certain you are clean again, update your Norton product to the latest version. Make sure you check both your ISP and personal router for firmware updates and restart.

SA
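The two checks the advice above asks for on each PC, "look at what `ipconfig` reports" and "edit the hosts file", can be made concrete. The script below is an added example written for this thread; it is not code from the forum, from Norton or from Malwarebytes. It parses the text of `ipconfig /all` and of `C:\Windows\System32\drivers\etc\hosts` and flags what DNSChanger-style tampering actually looks like on a Windows client: DNS servers that are not the ones your router should be handing out, and active hosts-file lines that pin vendor or update sites to loopback or to some other address. Both sample inputs are constructed, the function names are the example's own, and `EXPECTED_DNS` (the router's LAN address, 192.168.0.1) is an assumption you should replace with your own router's address. One caveat worth stating: the address the original poster geolocated to a CenturyLink datacenter is the public address the ISP assigns the modem, and a dynamic public address that rotates is normal; the resolver list and hosts file are where a DNS hijack on the PC shows up, and a compromised router would show up in the router's own WAN DNS settings, which this script does not read.

```python
"""Audit Windows resolver settings and the hosts file for DNSChanger-style
tampering.

Added example for this thread, not code from the forum or from Norton. It
parses the text of `ipconfig /all` and of the hosts file under
System32\\drivers\\etc. Both sample inputs below are constructed, and
EXPECTED_DNS (the router's LAN address) is an assumption.
"""
import ipaddress
import re

# Assumption: on a home LAN the only resolver a DHCP client should receive is
# the router itself. Replace with your router's address or your ISP's resolvers.
EXPECTED_DNS = {"192.168.0.1"}

# Names a hijacked hosts file typically pins or blocks: vendor and update sites.
WATCH_DOMAINS = ("microsoft.com", "malwarebytes.com", "norton.com")

# Constructed `ipconfig /all` output: a second, unexpected resolver was added.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       198.51.100.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   DHCP Enabled. . . . . . . . . . . : No
   DNS Servers . . . . . . . . . . . : fe80::1%12
"""

# Constructed hosts file: the stock Microsoft header plus two tampered lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.com   # constructed: vendor site pinned to loopback
198.51.100.53   update.microsoft.com   # constructed: updates sent to a rogue host
"""

# "   Key name . . . . : value" lines as ipconfig prints them.
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-()/]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return one dict per adapter: name, dhcp (bool or None), dns (list)."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers sit in column 0 and end with a colon.
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = {"name": raw.rstrip()[:-1], "dhcp": None, "dns": []}
            adapters.append(current)
            last_key = None
            continue
        if current is None:  # "Windows IP Configuration" preamble
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent > 10:  # deeply indented line = continuation of the last value
            if last_key == "dns servers":
                current["dns"].append(raw.strip())
            continue
        m = _FIELD.match(raw)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        last_key = key
        if key == "dhcp enabled":
            current["dhcp"] = value.lower().startswith("yes")
        elif key == "dns servers" and value:
            current["dns"].append(value)
    return adapters


def audit_dns(adapters, expected=EXPECTED_DNS):
    """Return (adapter, server) pairs for resolvers outside the expected set."""
    findings = []
    for adapter in adapters:
        for server in adapter["dns"]:
            try:
                ip = ipaddress.ip_address(server.split("%")[0])  # drop zone id
            except ValueError:
                continue
            if ip.is_link_local or str(ip) in expected:
                continue
            findings.append((adapter["name"], str(ip)))
    return findings


def audit_hosts(text, watch=WATCH_DOMAINS):
    """Return (line, name, address, verdict) for active entries that override a
    watched domain; malformed active lines are reported as well."""
    findings = []
    suffixes = tuple("." + d for d in watch)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, line, addr, "malformed"))
            continue
        for name in names:
            lname = name.lower()
            if lname in watch or lname.endswith(suffixes):
                verdict = "blocked" if ip.is_loopback else "redirected"
                findings.append((lineno, lname, str(ip), verdict))
    return findings


if __name__ == "__main__":
    for name, server in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"unexpected resolver {server} on {name}")
    for lineno, name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {addr} ({verdict})")
```

To run it against a real machine, save `ipconfig /all > ipconfig.txt` from an elevated prompt and pass the file contents, together with the contents of the hosts file, to `parse_ipconfig` and `audit_hosts` in place of the constructed samples. A clean Windows hosts file has every line commented out, so any active line for a security vendor or update domain is a finding; on a DHCP client, any resolver other than the router (or the ISP resolvers the router is configured to hand out) is what a DNSChanger infection leaves behind, and it should be compared against the DNS settings shown in the router's own admin page before the router is factory reset.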