Virus in my router?

I don't think that's true in my case, the program/process is called "system" all lower case. Also if you go to the "App Details" on the right side it shows a scrolling marquee of Chinese text instead of a file location. I believe the real System file should show a location of a file even if it just points to svchost. I think this is something trying to masquerade as System.

If you look in task scheduler that is likely where the fake system program is being called, but also check task manager startup tab. While in task scheduler you should see it in the process list and be able to see where it is located.
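
An added example (not written by any poster in this thread): a PowerShell sketch of the check suggested above, listing every process named "system" with its PID and image path, then the programs launched by scheduled tasks and startup entries. It assumes Windows 10 with the built-in CimCmdlets and ScheduledTasks modules and an elevated prompt.

```powershell
# Added example: where do "system"-named processes and autostart entries come from?
# Run from an elevated PowerShell prompt on the PC being examined.

# 1. Every process named "system" (WQL string comparison is case-insensitive).
#    The kernel's System process is PID 4 and reports an empty ExecutablePath;
#    any other match is worth a closer look at its path and parent.
Get-CimInstance Win32_Process -Filter "Name = 'system' OR Name = 'system.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            ProcId   = $_.ProcessId
            ParentId = $_.ParentProcessId
            Path     = $_.ExecutablePath
            IsKernel = ($_.ProcessId -eq 4)
        }
    } | Format-Table -AutoSize

# 2. Scheduled tasks outside \Microsoft\ and the program each one launches.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {   # COM-handler actions have no Execute value
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    } | Format-Table -AutoSize -Wrap

# 3. Startup entries registered under the Run keys and Startup folders.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap
```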
 
I did that, it didn't help. Also if I reinstalled windows from my thumbdrive I made from a known good PC at work doing a diskpart. While installing and hooking the PC straight to the modem it would be clean.

How do you know that? Did you try?

There is no way to access your windows PC from the router unless you go out of your way to set up SSH server or something on it.

Diskpart has nothing to do with it, totally wipe/secure erase the hard drive and thumb drive.

You said you used an old DVD but now you're saying you used a thumb drive from work.

I'm starting to wonder if this is real. Sounds very similar to another paranoid poster that used to be here.
 
I don't think that's true in my case, the program/process is called "system" all lower case. Also if you go to the "App Details" on the right side it shows a scrolling marquee of Chinese text instead of a file location. I believe the real System file should show a location of a file even if it just points to svchost. I think this is something trying to masquerade as System.
Post screen shots of everything that concerns you when you get home. At the moment there's not enough information for us to understand what the problem is.
 
If you look in task scheduler that is likely where the fake system program is being called, but also check task manager startup tab. While in task scheduler you should see it in the process list and be able to see where it is located.
I have checked the task manager startup tab, I haven't checked task scheduler. I will check that when I get home.
 
How do you know that? Did you try?

There is no way to access your windows PC from the router unless you go out of your way to set up SSH server or something on it.

Diskpart has nothing to do with it, totally wipe/secure erase the hard drive and thumb drive.

You said you used an old DVD but now you're saying you used a thumb drive from work.

I'm starting to wonder if this is real. Sounds very similar to another paranoid poster that used to be here.
Yes, I have flashed the bios twice now using the one from the motherboard manufacturer.

I'm using diskpart when I am inside the windows installer (shift f10) dropped to a command prompt and running diskpart.

Both are correct. I have been fighting this virus for over a month, so I have tried the thumb drive and the old dvd. I think I'm up to 6 wipes now, if I remember correctly.

Yesterday I created a boot camp partition on my Mac at work. I then downloaded windows 10 media creator and burned a new windows 10 dvd 64 and burned a new copy of Avast offline to a cd. I then at home used my laptop (I have both) and reinstalled windows offline from the new clean dvd. I also installed Avast from the cd. Then I connected it to the router wirelessly. I had hard reset the router and disconnected all Ethernet cables including the one from the modem. My wireless network is set to 192.168.100.1 so I know none of my wireless devices are connected to the router.

My laptop is not connected to anything and neither is my router. I then connect my laptop to my router wirelessly and look at avast's firewall log. At first everything is fine, then about 3 minutes or so later "system" shows up. Every other time "system" showed up immediately.

So a clean laptop connects to my router and gets infected. So since all the media was created from a fresh boot camp on a Mac, I don't know anything else it could be but the router.
 
I don't know what virus it is; nothing is detecting it. It appears to be a fileless virus as best I can tell.

Avast is the virus here.

How does your computer behave without it installed?
 
Avast is the virus here.

How does your computer behave without it installed?
I don't think it is... The first time I wiped my PC I didn't do a diskpart on it. I wasn't sure what was going on since my folders were being highlighted and my mouse pointer moved from where I left it.
I was using windows defender at the time so I downloaded avast free. Then when I opened the firewall in it I saw the "system" thing. I then clicked on app properties and saw that the "system" app did not have a location listed like all the other apps. Instead it had a scrolling marquee of Chinese, maybe Japanese, text and there was the occasional ASCII character and English word like port in there too.

So I blocked the "system" app in Avast's firewall. I must have pissed off whoever is running the virus because the next day they installed a DNS client or something on my PC and changed my IP address in the NIC adapter's IPv4 settings to 127.x.x.x. I couldn't change the IP address no matter what I did, it would always switch back to the 127 address and I couldn't surf the web at all, every site was an error.
 
Yes, I have flashed the bios twice now using the one from the motherboard manufacturer.

I'm using diskpart when I am inside the windows installer (shift f10) dropped to a command prompt and running diskpart.

Both are correct. I have been fighting this virus for over a month, so I have tried the thumb drive and the old dvd. I think I'm up to 6 wipes now, if I remember correctly.

Yesterday I created a boot camp partition on my Mac at work. I then downloaded windows 10 media creator and burned a new windows 10 dvd 64 and burned a new copy of Avast offline to a cd. I then at home used my laptop (I have both) and reinstalled windows offline from the new clean dvd. I also installed Avast from the cd. Then I connected it to the router wirelessly. I had hard reset the router and disconnected all Ethernet cables including the one from the modem. My wireless network is set to 192.168.100.1 so I know none of my wireless devices are connected to the router.

My laptop is not connected to anything and neither is my router. I then connect my laptop to my router wirelessly and look at avast's firewall log. At first everything is fine, then about 3 minutes or so later "system" shows up. Every other time "system" showed up immediately.

So a clean laptop connects to my router and gets infected. So since all the media was created from a fresh boot camp on a Mac, I don't know anything else it could be but the router.

When you connect to the router the virus gets Internet and becomes active. It is not coming from the router, it is already there waiting for a network connection.

Do not use diskpart, use the drive manufacturer's wipe utility. Same for the thumb drive. Also see if your bios has a recovery mode.

Don't use avast. Just use defender.

Something you are doing is installing the virus, the router is not doing it. Your router may also be compromised but that would be a separate issue and not causing virus installs on your PC.
 
So I blocked the "system" app in Avast's firewall. I must have pissed off whoever is running the virus because the next day they installed a DNS client or something on my PC and changed my IP address in the NIC adapter's IPv4 settings to 127.x.x.x. I couldn't change the IP address no matter what I did, it would always switch back to the 127 address and I couldn't surf the web at all, every site was an error.
What kind of security etiquette do you practice? What kinds of things do you download and execute on your PC? Seeing you're using the freebie version of Avast you got from who knows where doesn't give me a great vote of confidence.

Typically hackers with advanced capabilities don't bother with a home network, and try to make someone's life miserable on some Win 10 machine... (unless their name is @Tech9 and they're running an RV320) :p

But in all seriousness... you probably have other things going on, in addition to understanding the fundamentals on how hacks work, what they're caused by, or how they are triggered.
 
This thread smells of someone sold on Avast. They are trusting Avast too much because of what they've read on Avast's site.
A quick Google of "router causes windows virus" and the first result is
Yep, Avast.
Has this even been tested with another router yet?
 
When you connect to the router the virus gets Internet and becomes active. It is not coming from the router, it is already there waiting for a network connection.

Do not use diskpart, use the drive manufacturer's wipe utility. Same for the thumb drive. Also see if your bios has a recovery mode.

Don't use avast. Just use defender.

Something you are doing is installing the virus, the router is not doing it. Your router may also be compromised but that would be a separate issue and not causing virus installs on your

It's called PICNIC syndrome: Problem in chair, not in computer. AKA PEBCAK virus, problem exists between chair and keyboard.
No..
Most of the time the virus is in the uefi, that's why I used diskpart to remove everything that a standard reformat would miss. Yes a virus can infect your bios. It's extremely hard to do remotely, the hack on the democratic national convention was done that way. But why would a botnet team waste their time on something like that?
 
What kind of security etiquette do you practice? What kinds of things do you download and execute on your PC? Seeing you're using the freebie version of Avast you got from who knows where doesn't give me a great vote of confidence.

Typically hackers with advanced capabilities don't bother with a home network, and try to make someone's life miserable on some Win 10 machine... (unless their name is @Tech9 and they're running an RV320) :p

But in all seriousness... you probably have other things going on, in addition to understanding the fundamentals on how hacks work, what they're caused by, or how they are triggered.
I got Avast from Avast's website, I don't run pirated software if that is what you're getting at.

Typically hackers with advanced capabilities don't bother with a home network, and try to make someone's life miserable on some Win 10 machine... (unless their name is @Tech9 and they're running an RV320)

That's what I was saying in my reply of ....
Most of the time the virus is in the uefi, that's why I used diskpart to remove everything that a standard reformat would miss. Yes a virus can infect your bios. It's extremely hard to do remotely, the hack on the democratic national convention was done that way. But why would a botnet team waste their time on something like that. Yea... 🤮.

I know they were trying to get into my router because they tripped the login protection that makes you type in the weird image.

I didn't do that so if it wasn't hackers trying to get into the router who was it, ghosts?
 
This thread smells of someone sold on Avast. They are trusting Avast too much because of what they've read on Avast's site.
A quick Google of "router causes windows virus" and the first result is
Yep, Avast.
Has this even been tested with another router yet?
No, I have a paid version of bitdefender I like and use. I was just using avast to see if it would pick up the virus bitdefender, Eset, Norton, and avast missed.

When I get home I am going to put my old n66 back in place. So then I can see one way or another if it's the PC or router. I will let you all know.
 
I got Avast from Avast's website, I don't run pirated software if that is what you're getting at.

Typically hackers with advanced capabilities don't bother with a home network, and try to make someone's life miserable on some Win 10 machine... (unless their name is @Tech9 and they're running an RV320)

That's what I was saying in my reply of ....
Most of the time the virus is in the uefi, that's why I used diskpart to remove everything that a standard reformat would miss. Yes a virus can infect your bios. It's extremely hard to do remotely, the hack on the democratic national convention was done that way. But why would a botnet team waste their time on something like that. Yea... 🤮.

I know they were trying to get into my router because they tripped the login protection that makes you type in the weird image.

I didn't do that so if it wasn't hackers trying to get into the router who was it, ghosts?
What model router do you have? What firmware is running on it? Do you have it exposed to the internet in any way? As in, what services are internet-facing? Try installing my RTRMON script, and going to the section where you can run diagnostics (page 5). It will also show you which ports are open hanging off your WAN. You want to make sure it says none... and if it's showing something else, you better know what you're doing?

PS. Any reason why you're still on Win10? Why not upgrade to 11?
 
Hey, I changed the end of my IP to .101 - nothing to worry about now. ;)
Code:
ViktorJp@GT-AX6000-3C88:/tmp/home/root# ping 192.168.132.101
PING 192.168.132.101 (192.168.132.101): 56 data bytes
64 bytes from 192.168.132.101: seq=0 ttl=64 time=0.186 ms
64 bytes from 192.168.132.101: seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.132.101: seq=2 ttl=64 time=0.123 ms
64 bytes from 192.168.132.101: seq=3 ttl=64 time=0.118 ms
64 bytes from 192.168.132.101: seq=4 ttl=64 time=0.127 ms
64 bytes from 192.168.132.101: seq=5 ttl=64 time=0.122 ms
64 bytes from 192.168.132.101: seq=6 ttl=64 time=0.124 ms
64 bytes from 192.168.132.101: seq=7 ttl=64 time=0.115 ms
^C
--- 192.168.132.101 ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.115/0.129/0.186 ms

I have you now! Yes!
 
Is it mine or yours now? And what is XXXMON script I'm seeing? I don't have any scripts. Must be yours... Interesting.
 