Virus in my router?

Status
Not open for further replies.

Alt255

Occasional Visitor
I seem to have a virus in my router, I watched a new windows 10 reinstall on my laptop get infected with no internet plugged in to the router and a wireless connection to the laptop.

I cleared the jffs partition from a ssh session and did a hard reset on the router. The virus is still there, any ideas on how to get rid of it?
 
How do you know it came from the router? What are the symptoms?
 
Welcome to the forums @Alt255.

Did you virus-check the USB drive you're using to install Windows?
 
What antivirus tools are you using to determine that there is a virus? Can you please give us some screenshots of your antivirus test results? Also, what is happening from the router perspective? Why do you believe it's a virus?
 
How do you know it came from the router? What are the symptoms?
I did a wps hard reset on the router and ssh tunneled into the router and cleared the jffs directory. I also removed all Ethernet cables including the wan port one connected to my modem. All my wireless devices are set to 192.168.100.1 so after the reset the router default of 192.168.50.1 means that nothing is connected to the router.

I then wiped my desktop with a windows 10 dvd I made a while ago I knew was clean. I also did a diskpart while installing to clean the hd.

After this, when I booted the PC, after about 3 or so minutes the virus showed up again.

So the only thing it could be at this point is the router.
 
Welcome to the forums @Alt255.

Did you virus-check the USB drive you're using to install Windows?
I used a Windows 10 DVD made from the Windows creation tool. I made this on my PC a while ago when the PC wasn't infected, so I know the DVD is clean.
 
No, it can still be the DVD.

What virus is showing up?
 
I used a Windows 10 DVD made from the Windows creation tool. I made this on my PC a while ago when the PC wasn't infected, so I know the DVD is clean.
Why don't you download a fresh image from Microsoft and install that onto a bootable flash drive from a known good PC? That's one of the only safe ways to go.

STILL no screenshot, more information about the virus, what tools you are using, what virus you have on your router, etc. Which makes me very skeptical.
 
What antivirus tools are you using to determine that there is a virus? Can you please give us some screenshots of your antivirus test results? Also, what is happening from the router perspective? Why do you believe it's a virus?
I am using Avast free. When I go to the firewall section I see a program called "system" and it has no icon. When I go to the details of the system program I see that where it lists the location it shows a long marquee of scrolling (Chinese?) text.

This virus is not picked up by any of the virus tools I have tried, Eset, Avast, Bitdefender...

I haven't noticed anything abnormal about the router except that any PCs connected to it get infected, wired or wireless.

I am the only person who uses my PC and the door is shut to the room so the cat can't get in. I was using windows defender and I started noticing subtle indications of someone using my PC. I started noticing my mouse pointer was not where I left it and random folders would be highlighted that I know were not highlighted when I left.

Avast shows that wired "system" process in the logs of my PCs after I wipe them. Also, the first time I wiped the PC I didn't diskpart it. After the virus showed up again I blocked it in the Avast firewall. So I'm guessing the virus, or maybe just the trojan remote control part, was in my boot sector; that is why I started using diskpart when I reinstall Windows. I must have pissed off someone, because after I blocked that system thing someone changed my PC to have a DNS server on it and the IPv4 settings showed an IP of 127.x.x.x. The IP would change back after I tried changing it and I could not reach any web pages in my browser.

I know my PC is clean because after a Win 10 reinstall and a diskpart the Avast firewall would show as clean if I plugged my PC straight into the modem. As for screenshots, I can do that tonight.
 
Why don't you download a fresh image from Microsoft and install that onto a bootable flash drive from a known good PC? That's one of the only safe ways to go.

STILL no screenshot, more information about the virus, what tools you are using, what virus you have on your router, etc. Which makes me very skeptical.
I have downloaded a fresh image from Microsoft and reformatted the thumbdrive on a known good PC. Sorry, I'm a slow typer on my phone here at work, so I can get you the screenshots when I get home. I don't know anything about the virus except it shows up calling itself "system" in the firewall logs and nothing detects it. I am using Avast free so I can see the firewall logs. You can see my previous replies about my efforts to narrow down the virus.
 
Sometimes free antivirus tools can carry trojans themselves, or their behavior might resemble malicious activity. Avast has a “Real Site” feature that may be intercepting DNS. Is that enabled?
 
Also installing a clean UEFI/BIOS might be a good idea.
 
I’ve definitely heard people have similar issues with cursors/highlighting and it turned out to be a hardware or driver failure (mouse, keyboard, etc.).
 
I don't know what virus it is; nothing is detecting it. It appears to be a fileless virus as best I can tell.

Here's a couple of pointers for your PC:
  1. Set up your Windows 10 install from a known-good image (not your DVD) on known-good clean media, keep your PC offline.
  2. After install completes, enable the firewall, turn off network/file sharing across the board.
  3. Create a secondary non-administrator account for your daily use. DO NOT use an account with administrator access at all times.
  4. Get out to the internet using a mobile hotspot or some other known-good network connection (or hook it up directly to your ISP modem), and download all updates for your Windows PC. Only then, after this is all done, hook it back up to your router.
  5. Don't use Avast Free. That's probably the most worthless AV tool out there. I know AV tools are points of contention for many, but try using Trend Micro, Sophos, MalwareBytes, or Windows Defender. And actually buy the paid version.
Pointers for your router:
  1. Download a fresh image from here, and actually do a complete reset of your router... @L&LD has some great guides.
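
Steps 2 and 3 of the PC checklist above, scripted with read-back checks. This is an added example, not part of the post; it assumes Windows 10 with the built-in NetSecurity and LocalAccounts modules, an elevated PowerShell session, and a hypothetical account name `daily`.

```powershell
# Added example (not from the thread). Run once from an elevated PowerShell
# on the freshly installed Windows 10 PC while it is still offline.
$StdUser = 'daily'   # hypothetical account name, pick your own

# Step 2: firewall on for every profile; inbound blocked unless a rule allows it.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block

# Step 2: disable the sharing and discovery rule groups. Display group names
# are localized; these are the names on an English-language install.
$groups = 'File and Printer Sharing', 'Network Discovery'
foreach ($g in $groups) {
    Disable-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
}

# Step 3: create a standard (non-administrator) account for daily use.
# Well-known SIDs avoid localized group names:
#   S-1-5-32-545 = Users, S-1-5-32-544 = Administrators
if (-not (Get-LocalUser -Name $StdUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $StdUser"
    New-LocalUser -Name $StdUser -Password $pw | Out-Null
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $StdUser
}

# Read back: every profile should show Enabled = True and inbound = Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Read back: this should list no sharing/discovery rules that are still enabled.
foreach ($g in $groups) {
    Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue |
        Where-Object Enabled -eq 'True' |
        Select-Object DisplayName, Profile
}

# Read back: the daily-use account must not appear among the administrators.
Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass
```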
 
Sometimes free antivirus tools can carry trojans themselves, or their behavior might resemble malicious activity. Avast has a “Real Site” feature that may be intercepting DNS. Is that enabled?
Not that I know of, the only thing I turn on is the firewall. I haven't touched any of the settings or programs.
 
"System" is not the name of a virus. It means the log entry relates to a system process.

I don't think that's true in my case; the program/process is called "system", all lower case. Also, if you go to the "App Details" on the right side it shows a scrolling marquee of Chinese text instead of a file location. I believe the real System file should show a location of a file even if it just points to svchost. I think this is something trying to masquerade as System.
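
A read-only way to check the two observations discussed in this thread (a firewall entry named "system" and a DNS setting of 127.x.x.x) from the operating system's side rather than from the antivirus UI. This is an added example, not part of any post here; it assumes Windows 10 with the built-in CIM and networking cmdlets and an elevated PowerShell session.

```powershell
# Added example (not from the thread). Read-only: nothing here changes settings.

# 1. The Windows kernel's own "System" process always runs as PID 4.
$sys = Get-CimInstance Win32_Process -Filter 'ProcessId = 4'
"PID 4 -> name: '$($sys.Name)'  path: '$($sys.ExecutablePath)'"

# 2. A process named like System but with a different PID deserves a closer
#    look. -match is case-insensitive, so "system" and "SYSTEM.EXE" both hit.
$lookalikes = Get-CimInstance Win32_Process |
    Where-Object { $_.ProcessId -ne 4 -and $_.Name -match '^system(\.exe)?$' } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath
if ($lookalikes) {
    'Processes named like System with a PID other than 4:'
    $lookalikes | Format-Table -AutoSize
} else {
    'No lookalike System processes found.'
}

# 3. Sockets the OS attributes to PID 4. Kernel-mode services such as SMB
#    (port 445) are owned by this PID, so a firewall log can legitimately
#    show traffic under "System".
Get-NetTCPConnection -OwningProcess 4 -ErrorAction SilentlyContinue |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize

# 4. Adapters whose IPv4 DNS server list contains a loopback (127.x.x.x) entry.
$loopbackDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -match '^127\.' } |
    Select-Object InterfaceAlias, ServerAddresses
if ($loopbackDns) {
    'Adapters using a loopback DNS server:'
    $loopbackDns | Format-Table -AutoSize
    # Whatever answers on local port 53 is acting as that resolver.
    Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
} else {
    'No adapter uses a loopback DNS server.'
}
```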
 
Not that I know of, the only thing I turn on is the firewall. I haven't touched any of the settings or programs.

It isn't coming from the router. It is on the DVD or in your BIOS at this point. If every PC is infected you better make that USB drive at work or something. Use a new USB drive or at least secure wipe it. Make another drive with the latest BIOS for the PC. Before putting any drive in the PC go into BIOS, reset everything including secure boot keys etc, and see if it has a rollback option to a previous version that hopefully isn't infected. Then restart and update it. Make sure secure boot, execution prevention, and all other security features are enabled before installing Windows.

Even if your router was infected it would not be infecting your PC like that.

Do not use Avast, the built-in Defender is better. Who knows, your Avast install file may very well have the virus if you downloaded it from the wrong place.
 
Also installing a clean UEFI/BIOS might be a good idea.
I did that, it didn't help. Also, if I reinstalled Windows from my thumbdrive I made from a known good PC at work, doing a diskpart while installing, and hooking the PC straight to the modem, it would be clean.
 