Router attack [Solved]
- netmaestro
- PureBasic Bullfrog

- Posts: 8453
- Joined: Wed Jul 06, 2005 5:42 am
- Location: Fort Nelson, BC, Canada
Re: Router attack
Still fighting. I replaced the router with a new one as I need something current anyway. Too many security holes in the old one. The new one is a Cisco Linksys WRT120N. It does allow for configuration via wireless but it's an option you can allow or not on setup. I disallowed it. I formatted c again, surfed around a bit and the problem came right back. My one win7 machine is the only network workstation. StopZilla said my googlemail notifier was infected, which I have on the d drive and that didn't get formatted. I can not find a way to get MalwareBytes to download updates, it hits an error every time even in safe mode. Going to move everything off d to a removable drive, format it, format c, install Windows and download MalwareBytes and try for an update first thing. If that doesn't work I have an 8-pound sledge in the shop that would look really good right now impaled in this f**king computer
Thanks for your suggestions and comments folks they are appreciated. Any more ideas would be very welcome.
BERESHEIT
- Fangbeast
- PureBasic Protozoa

- Posts: 4801
- Joined: Fri Apr 25, 2003 3:08 pm
- Location: Not Sydney!!! (Bad water, no goats)
Re: Router attack
Do not bother scanning a possibly severely infected computer while running windows, a clever trojan/virus/malware object will reinfect as the writers know the most common antivirus products and they know how to hide from them. This happened to me 5 years ago.
1. Go to a friend or neighbour that you know has a clean computer.
2. Download the free DrWeb CureIt ISO or the Kaspersky ISO (There are many others). Even the UBD (Emergency Boot Disk cd) should do. Burn one or all to cd, use write once media. (it's good to have more than one)
3. Come home and disconnect ALL computers from the network.
4. Boot EACH computer from one of these tools and allow them to update their respective antivirus (or other) signatures to memory, they can all do this. it's safe to use the internet from these cd's.
5. Scan them thoroughly. DO NOT RECONNECT ANY of the machines back to the network until ALL have been scanned and cleaned or the one infected CAN and WILL reinfect the others over the network.
The reason this should work is that ALL of these products boot their utilities in a LINUX environment and will not be infected by the suspect machine as it is a windows based environment.
Further to that, the suspect machine's live windows environment is not loaded at this point and the boot media is Read Only so it cannot be infected.
Amateur Radio/VK3HAF, (D-STAR/DMR and more), Arduino, ESP32, Coding, Crochet
- netmaestro
- PureBasic Bullfrog

- Posts: 8453
- Joined: Wed Jul 06, 2005 5:42 am
- Location: Fort Nelson, BC, Canada
Re: Router attack
Thank you so much! This solution looks deadly, I'm DL'ing the DrWeb iso now. I'll let you know how it fares Fangsey
Long time no see, hope all is well with you and yours my friend.
BERESHEIT
- Fangbeast
- PureBasic Protozoa

- Posts: 4801
- Joined: Fri Apr 25, 2003 3:08 pm
- Location: Not Sydney!!! (Bad water, no goats)
Re: Router attack
Many years ago, I had decidedly unsafe surfing habits (unsafe html?) and I got hit with many things.
The most ingenious was the screensaver malware. I only found out when I tried to change my desktop wallpaper and it wouldn't change. The computer said it did but nothing happened. Occasionally, I saw a strange flicker at the edges of the screen and caught a microglimpse of something other than the desktop and the penny clicked.
This malware had made a bmp copy of my background and desktop objects and served it to me to see instead of my real, underlying desktop so that it could infect files and replicate itself (such as a previous poster had suggested). It even updated the bitmap as I added or removed icons.
By the time I caught on, several gig of data was infected and 315 copies of this malware were found in various directories on the only drive I bothered to scan.
Tried to manually run the installed antivirus, would not start up.
Tried to install Norton Antivirus, Avast, PCTools antivirus, PC-Cillin and a host of others, tried MalWareAntiBytes and other malware tools and none of them would install, this trojan blocked them.
Reformatted my c drive, restored the data, Guess what came back?
It also infected files in the system restore area that the normal user cannot see, very smart.
Hid itself in data files, exe files and zip files and others on some of the other drives I had connected at the time, I never even thought about those.
Found a good linux antivirus cd and scanned ALL hard drives, burned cd's, floppies and tapes, zip drives (yes, I had tapes, huge ones) and was pleasantly surprised that I hadn't done worse.
There are also some great forums that list which trojans/viruses do what to whom, what files they infest and how to get rid of them, saved my neck.
Amateur Radio/VK3HAF, (D-STAR/DMR and more), Arduino, ESP32, Coding, Crochet
- Michael Vogel
- Addict

- Posts: 2867
- Joined: Thu Feb 09, 2006 11:27 pm
- Contact:
Re: Router attack
The following might not be the best universal solution, but there is a bootable CD (or stick) software available to kill "Bots & Co": https://www.botfrei.de/decleaner.html (Website in German).
However, you should create a Live-CD to get rid of your problems, hope you will win the fight (and don't concentrate your efforts on your routers)
Re: Router attack
neuter windows as much as possible and turn off Dcom
-
DarkDragon
- Addict

- Posts: 2348
- Joined: Mon Jun 02, 2003 9:16 am
- Location: Germany
- Contact:
Re: Router attack
Thorium wrote:[...] (A lot of quotes)
My Speedport W701V does not. If I try to connect via WLAN it does not respond. Maybe you can configure it to accept WLAN connections for config but on default mine does not and I know friends having different routers and saying it's the same for them.
I don't even know where you can configure it to disallow or allow this. I've looked everywhere inside the configuration. It's the default setting here.
bye,
Daniel
-
TerryHough
- Enthusiast

- Posts: 781
- Joined: Fri Apr 25, 2003 6:51 pm
- Location: NC, USA
- Contact:
Re: Router attack
netmaestro wrote:I can not find a way to get MalwareBytes to download updates, it hits an error every time even in safe mode.
That is a clue that the system is infected with this virus. It causes the MalwareBytes update to throw off errors. And, I believe, it also stores another copy of the virus elsewhere on the machine every time it does this.
Uninstall your current copy of MalwareBytes. It is already "scarred" and isn't usable.
See my first post about downloading and renaming the MalwareBytes install.
Do that, then
Install and DO NOT try to update. Just run the scan immediately. That usually works for me.
If all of this fails, I use a UBCD4WIN (http://www.ubcd4win.com/) cd to boot the system and then run various anti-virus programs to clean the system. (This is similar to Fangbeast's description.)
- Rook Zimbabwe
- Addict

- Posts: 4322
- Joined: Tue Jan 02, 2007 8:16 pm
- Location: Cypress TX
- Contact:
Re: Router attack
I had that issue with the fake virus scanner... I had to DL malwarebytes on a different computer and do the thumb drive thing...it would install but something was preventing it from running.
I would use as many tools to scan that cpu as are possible... it could have a sleeper trojan and reinfect....
Also use a sandbox when doing the internet stuff... ALL net access should be firewalled and sandboxed... I spent 4 hours cleaning a mess created by 4Chan last Saturday and only got paid $12.00 (Fajita Dinner)
Also changed router to a much newer model... Cost $65.00 with wireless but I added WEP Passphrase and it has survived the little terror next door's hacking attempts for 9 weeks so far...
-
LuCiFeR[SD]
- 666

- Posts: 1033
- Joined: Mon Sep 01, 2003 2:33 pm
Re: Router attack
I have a few questions...
(1) Do you have a firewall installed other than the Microsoft one supplied with windows?
(2) How many PC's/Laptops are connecting to your router, and do they do so wirelessly? Make sure they are ALL turned off! I don't just mean disable the wireless connections on them.... Physically turn them off, and leave them off until we get one machine secure.
(3) Have you secured the router?
By this I mean turned on the router's firewall. Locked local network access to the MAC addresses of the PC's you own. Enabled any features which stop Denial of Service attacks etc? Disabled UPnP?
If you don't secure your network, it is possible that you are getting reinfected by some neighbour who is getting a free ride with your router.
Have you visited GRC ShieldsUP and checked what ports are open and available? Because it is sooooo easy to get caught with your pants down! Any ports showing in red, block them with the router's firewall and rescan. Once the page tells you your system has "a perfect "TruStealth" rating." then I would proceed with a Windows reinstallation.
Right and just one more thing... Go to a friend's house and download Windows updates and hotfixes, burn em to CD/DVD or copy em to a removable drive. Make sure you are all patched up BEFORE you connect to the internet. Same with your antivirus and antimalware software. Download the latest updates for them while grabbing the other stuff.
- netmaestro
- PureBasic Bullfrog

- Posts: 8453
- Joined: Wed Jul 06, 2005 5:42 am
- Location: Fort Nelson, BC, Canada
Re: Router attack [Solved]
Thanks so much for all replies, I've learned a lot going through this, much of it from you guys. But now it's...
SOLVED!
Finally. The culprit did indeed turn out to be a router attack. After clearing off all hard drives, formatting and reinstalling the OS and making sure no other computers were connected to the network, (a process I went through three complete times before I found the problem) nothing seemed to work. I'd download MalwareBytes on my supposedly clean system and it would not update. The DrWeb scan from the live cd found nothing. Yet on my just-installed system I was getting redirected everywhere. Then I realized that when I replaced the router, I let it read the settings from the old one. I assumed this was OK because my internet connection worked. But on the fourth go-round I dug just a bit deeper. I located my ISP static IP information and found that my router was not set to the same primary and secondary DNS's that were supplied by my ISP. They were changed to:
DNS1: 213.109.69.44
DNS2: 213.109.76.46
which must have been the source of all the redirections. This time when I set up my connection I used the original DNS's from my ISP and voila! No more redirections! I downloaded MalwareBytes normally and it updated successfully and after hours of surfing, no problems at all.
So, someone from the WAN got to my router and sneaked those DNS's into it, which caused all the trouble.
Thanks again to all who helped, I appreciate it very much!
Back to work...
BERESHEIT
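As an added example (not code from the thread), a small Python check for the symptom netmaestro found: it parses the DNS server lines from a Windows `ipconfig /all` listing and flags any resolver that is neither on the ISP's setup sheet nor the router itself. The ipconfig text and the expected ISP resolvers are constructed placeholders; the two addresses that get flagged are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt from a Windows workstation behind the
# router. The two resolver addresses are the ones reported in the thread;
# every other value is made up.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.69.44
                                       213.109.76.46
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumed placeholder: the resolvers printed on the ISP's setup sheet.
EXPECTED_DNS = {"203.0.113.53", "203.0.113.54"}


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_dns_servers(text):
    """Return the DNS server addresses listed in ipconfig /all output.
    Windows prints the first address on the "DNS Servers" line and any
    further ones on deeply indented continuation lines below it."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S*)", line)
        if m:
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        token = line.strip()
        if in_dns and line.startswith(" " * 20) and _is_ip(token):
            servers.append(token)
        else:
            in_dns = False
    return servers


def audit_resolvers(servers, expected, lan_net="192.168.1.0/24"):
    """Classify each configured resolver: 'expected' (on the ISP sheet),
    'lan' (the router itself, which hides the real upstream setting, so
    check the router's WAN status page too) or 'unexpected' (the sign of
    a hijacked router, as in the thread)."""
    lan = ipaddress.ip_network(lan_net)
    report = {}
    for s in servers:
        if s in expected:
            report[s] = "expected"
        elif ipaddress.ip_address(s) in lan:
            report[s] = "lan"
        else:
            report[s] = "unexpected"
    return report
```

When the workstation only lists the router as its resolver, the same comparison has to be made against the DNS addresses shown on the router's own WAN status page, which is where netmaestro found the change.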
- Joakim Christiansen
- Addict

- Posts: 2452
- Joined: Wed Dec 22, 2004 4:12 pm
- Location: Norway
- Contact:
Re: Router attack [Solved]
netmaestro wrote:So, someone from the WAN got to my router and sneaked those DNS's into it, which caused all the trouble.
I am glad that you figured it out!
It is weird that none of us thought about DNS because it was kinda obvious.
Hmm, maybe someone should make a program to send thousands of DNS requests to those IPs and hopefully crash the server.
I like logic, hence I dislike humans but love computers.
-
LuCiFeR[SD]
- 666

- Posts: 1033
- Joined: Mon Sep 01, 2003 2:33 pm
Re: Router attack [Solved]
netmaestro wrote:Thanks so much for all replies, I've learned a lot going through this, much of it from you guys. But now it's...
SOLVED!
<snip>. Then I realized that when I replaced the router, I let it read the settings from the old one. I assumed this was OK because my internet connection worked. But on the fourth go-round I dug just a bit deeper. I located my ISP static IP information and found that my router was not set to the same primary and secondary DNS's that were supplied by my ISP. They were changed to:
DNS1: 213.109.69.44
DNS2: 213.109.76.46
which must have been the source of all the redirections. This time when I set up my connection I used the original DNS's from my ISP and voila! No more redirections! I downloaded MalwareBytes normally and it updated successfully and after hours of surfing, no problems at all.
So, someone from the WAN got to my router and sneaked those DNS's into it, which caused all the trouble.
Thanks again to all who helped, I appreciate it very much!
Back to work...
Ahhh, interesting... but yeah... I must admit, the DNS being changed wasn't foremost in my mind either. Although it was an annoying experience for you, it was most educational.
Unsurprisingly those DNS's resolve to Russia (Domaintools). Not that it makes any difference really.
Well at least you have it sorted now, so all is good with the world
-
TerryHough
- Enthusiast

- Posts: 781
- Joined: Fri Apr 25, 2003 6:51 pm
- Location: NC, USA
- Contact:
Re: Router attack [Solved]
While I have seen this change the hosts file a couple of years ago, I certainly hadn't thought about the DNS changes.
Glad you got it solved!
- netmaestro
- PureBasic Bullfrog

- Posts: 8453
- Joined: Wed Jul 06, 2005 5:42 am
- Location: Fort Nelson, BC, Canada
Re: Router attack [Solved]
In the course of looking at the router and changing it for a current model I saw that the two DNS numbers looked different from what I'd been given. But when I signed up with my ISP three years ago I was their first residential customer and they were just rolling out a new residential package to make available to the public. In those three years they've upgraded their equipment several times, upgraded my equipment once and speeded up my connection twice. When I saw the unfamiliar numbers I just assumed that it was part of their growing process. Today, after going through such drastic measures and still having the redirections, I was prepared to call my ISP and tell them that they had an infection. As far as I could see, nothing else fit the facts. However, before doing that I wanted to make sure that my setup was configured correctly so that they couldn't find any way to put the blame on me. So I dug out their setup document and, seeing that the DNS's were indeed different, I thought I'd try the "old" numbers. That's how I ended up getting to it: not by clever logical means; trying to avoid blame!
BERESHEIT

