Virus in my router?


Status
Not open for further replies.
Is it mine or yours now? And what is XXXMON script I'm seeing? I don't have any scripts. Must be yours... Interesting.
Oh ahem. Cough.
 
Ok, here is a screenshot, I don't think this is legitimate. Let me know what you think.
 

Attachment: virus.JPG (46 KB)
Ok, here is a screenshot, I don't think this is legitimate. Let me know what you think.
According to the Avast forums, this is a bug in their AV product... this is from August 2023:


And this is why you don't let your friends use Avast. Which also means this is why your other AV products didn't detect anything... because there's nothing to detect.
 
OMG! Thank you! This was driving me nuts!

I really did have a virus like I said in previous posts, someone did try to log in to my router and set off the captcha. Someone also changed my Ethernet adapter's IPv4 DNS setting to 127.x.x.x (I don't remember the exact number).

Here is a link to the file that started it. VirusTotal and Jotti say it's clean, but I got a trojan from it trying to masquerade as Opera. No, I don't use Opera, I use Firefox.

Yea, I'm going back to my paid version of Bitdefender.

www.mediafire.com/file/ku208jm2ccqvn1w/KindleForPC-installer-1.17.44183.exe/file

Be cautious with this. Jotti and VirusTotal say it's clean; I don't believe it.
 
Someone also changed my Ethernet adapter's IPv4 DNS setting to 127.x.x.x (I don't remember the exact number).
You said this happened after you killed the "System" app. As you were looking at the legitimate firewall process, you probably killed your network adapter, which is why you then didn't have any internet access. It would also explain why your IP address changed to 127.0.0.1, as that is the loopback adapter and was likely the only remaining network interface.
 
You said this happened after you killed the "System" app. As you were looking at the legitimate firewall process, you probably killed your network adapter, which is why you then didn't have any internet access. It would also explain why your IP address changed to 127.0.0.1, as that is the loopback adapter and was likely the only remaining network interface.
Wouldn't killing System cause a 169.x.x.x address? Also, except for that one time you mentioned, I could surf the internet with System blocked.
 
Wouldn't killing System cause a 169.x.x.x address? Also, except for that one time you mentioned, I could surf the internet with System blocked.
I don't know exactly what you did or what you were looking at. It just seems a likely explanation based on your brief comment.
C:\>route print -4
===========================================================================
Interface List
 14...d8 5e d3 8a 68 7e ......Realtek Gaming GbE Family Controller
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.49     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.49    281
     192.168.1.49  255.255.255.255         On-link      192.168.1.49    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.49    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      192.168.1.49    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      192.168.1.49    281
===========================================================================
Persistent Routes:
  None
 
OMG! Thank you! This was driving me nuts!

I really did have a virus like I said in previous posts, someone did try to log in to my router and set off the captcha. Someone also changed my Ethernet adapter's IPv4 DNS setting to 127.x.x.x (I don't remember the exact number).

Here is a link to the file that started it. VirusTotal and Jotti say it's clean, but I got a trojan from it trying to masquerade as Opera. No, I don't use Opera, I use Firefox.

Yea, I'm going back to my paid version of Bitdefender.

www.mediafire.com/file/ku208jm2ccqvn1w/KindleForPC-installer-1.17.44183.exe/file

Be cautious with this. Jotti and VirusTotal say it's clean; I don't believe it.
You should never ever download anything from mediafire... ever. It's a haven for malware. Download apps from the actual vendors you purchase your products from. Kindle? You should be getting that software right off amazon.com... like: https://www.amazon.com/kindleapps

I concur with @ColinTaylor... killing that service probably caused a reset of your DNS entries to refer to the loopback as a fallback. You would only get 169.254.x.x IP addresses (not DNS) if your NIC was set to receive DHCP but wasn't able to grab an IP.
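The two explanations above (loopback vs. APIPA vs. a dead uplink) are easy to check mechanically. The following is an added example, not code from this thread or from any poster: it parses the `route print -4` table quoted earlier (the sample rows are constructed from that table) and labels addresses the way the replies reason about them. The classification thresholds are the standard ranges (127.0.0.0/8 loopback, 169.254.0.0/16 link-local, RFC 1918 private); the DNS diagnosis strings are my own wording.

```python
import ipaddress
import re

# Constructed sample: a few rows of the "route print -4" table posted in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.49     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.49    281
===========================================================================
"""

# A route row is exactly five columns ending in a numeric metric; header lines never match.
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (destination, netmask, gateway, interface, metric) for each route row."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dst, mask, gw, iface, metric = m.groups()
            routes.append((dst, mask, gw, iface, int(metric)))
    return routes

def classify(addr):
    """Label an IPv4 address the way the replies above reason about it."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"   # 127.0.0.0/8: Software Loopback Interface, never leaves the host
    if ip.is_link_local:
        return "apipa"      # 169.254.0.0/16: Windows self-assigns this when DHCP gets no lease
    if ip.is_private:
        return "private"    # RFC 1918, e.g. the LAN router at 192.168.1.1
    return "public"

def default_gateway(routes):
    """Gateway and interface of the 0.0.0.0/0 route, or None when the host has no uplink."""
    for dst, mask, gw, iface, _ in routes:
        if dst == "0.0.0.0" and mask == "0.0.0.0":
            return gw, iface
    return None

def explain_dns(dns_addr, routes):
    # One-line diagnosis of a DNS server setting, given the active routes (my wording).
    kind = classify(dns_addr)
    if kind == "loopback":
        return "local resolver process (AV DNS filters do this); lookups fail if it stops"
    if kind == "apipa" or default_gateway(routes) is None:
        return "no usable uplink: DHCP failed or the default route is gone"
    return "remote resolver reachable via " + default_gateway(routes)[0]
```

Paste your own `route print -4` output into `ROUTE_PRINT` and call `explain_dns` with the DNS server shown in the adapter's IPv4 settings to get the same diagnosis for your machine.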
 
I got Avast from Avast's website, I don't run pirated software if that is what you're getting at.

Typically hackers with advanced capabilities don't bother with a home network, and try to make someone's life miserable on some Win 10 machine... (unless their name is @Tech9 and they're running an RV320)

That's what I was saying in my reply of ....
Most of the time the virus is in the UEFI, that's why I used diskpart to remove everything that a standard reformat would miss. Yes, a virus can infect your BIOS. It's extremely hard to do remotely; the hack on the Democratic National Convention was done that way. But why would a botnet team waste their time on something like that. Yea... 🤮.

I know they were trying to get into my router because they tripped the login protection that makes you type in the weird image.

I didn't do that, so if it wasn't hackers trying to get into the router, who was it, ghosts?

Diskpart has nothing (well very little) to do with UEFI.

Sounds like the problem has been found. Like I and many said, DO NOT USE AVAST. And for god's sake never ever ever download an .exe from mediafire!

All the other symptoms you were seeing (such as DNS being sent local) are "features" of Avast and many other AVs. That's how it checks your DNS lookups before sending them out.
 
Now that it's resolved, I understand it was/is serious to someone. I stumbled across it via the SNBForums mailbot.

In the end it's entertaining: vague references to what a user just knows is the problem. Only takes the bits of advice they like, because they know what's wrong and that suggestion won't help - not going to not use Avast through any step, won't use the screenshot asked for early on, etc.

If they had accepted that their conclusion may have missed something and followed the advice they asked for... the conclusion that there wasn't any problem, at least with their router, may have been reached more quickly.

But still, why the mouse movements and file highlights? There's just gotta be somethin' going on here.
 
But still, why the mouse movements and file highlights? There's just gotta be somethin' going on here.
Unlikely we would be able to tell unless we were onsite to observe it in person. It could be almost anything. Wireless mouse for example, or accessibility options.
 
Now that it's resolved, I understand it was/is serious to someone. I stumbled across it via the SNBForums mailbot.

In the end it's entertaining: vague references to what a user just knows is the problem. Only takes the bits of advice they like, because they know what's wrong and that suggestion won't help - not going to not use Avast through any step, won't use the screenshot asked for early on, etc.

If they had accepted that their conclusion may have missed something and followed the advice they asked for... the conclusion that there wasn't any problem, at least with their router, may have been reached more quickly.

But still, why the mouse movements and file highlights? There's just gotta be somethin' going on here.
Well, let me apologize; my memory isn't photographic and this had been going on for over a month. I did have a virus, a Trojan I believe it's called. The reason I was focused on the System process is because it had used 100GB. The first 2 or so times I reinstalled Windows 10 the virus was still there, using gigabytes as fast as it could.

The virus process must have been running under System, because when I blocked System that's when the Virus team did something to the computer. Where before I could get online, I now could not, and they changed the network adapter IPv4 setting to 127.x.x.x.

I then used Bitdefender and it picked up nothing, so I tried a bunch of other AVs; nothing picks it up, not even Jotti or Virus Scan.

So I'm thinking I got rid of the virus when I did the diskpart, because it wipes the boot partition and a regular format doesn't.

As for the screenshots, like I said I was at work and did not have access to my PC.

As for the "conclusion", it is wrong. I did have a virus; I just didn't know about the Avast bug in displaying the System process details.

I tried every AV that had a free version or a trial, I even tried Heimdall. Nothing picks that virus up. Only a diskpart or doing a full zeroing out will get rid of it, unless you're good enough to clean it out by hand.

So go ahead and run that file I linked if you don't believe me.
 
Unlikely we would be able to tell unless we were onsite to observe it in person. It could be almost anything. Wireless mouse for example, or accessibility options.
Everyone was so hell bent I didn't have a virus.

Also, like I mentioned in one of my replies, I had gotten a clean system by just hooking up to the modem itself. I just didn't know about the Avast bug.

Go ahead, prove me wrong: install that file I linked.
 
So go ahead and run that file I linked if you don't believe me.
No need. So you've concluded that all your problems, including the mouse issue that @djk44883 was asking about stem from this virus file that you installed. That makes much more sense than thinking that it is somehow coming from your router.
 
No need. So you've concluded that all your problems, including the mouse issue that @djk44883 was asking about stem from this virus file that you installed. That makes much more sense than thinking that it is somehow coming from your router.
I admit I was wrong about the router, but I had proven it was not the PC. So that's why I came here asking about the router; I was chasing an Avast bug. That's why I was ignoring advice about the PC. This virus is a pain in the butt; nothing picks it up.

Check my reply to him, I use a wired mouse and keyboard.
 
No reply to me mentioned mouse connectivity.

Initially the issue was this virus originating from your router, not specifically its existence. 😃

I presume, since it's uniquely unusual, the troubleshooters needed more than "I watched my fresh install get infected when connected to my router with no internet. No, at this point the only thing it could be is the router."

Everyone wanted to know about this router-specific virus, without stating it didn't exist. Or, to conclude how a router can be the source - this can be an enormous security risk to everyone.

It wasn't "you do not have a virus". It was "tell us how you know you have a virus, how is it you have sourced it from your router".😐

My preference to avoid all this tomfoolery is not installing Windows on any of my personal systems, but that's me.;)
 
No reply to me mentioned mouse connectivity.

Initially the issue was this virus originating from your router, not specifically its existence. 😃

I presume, since it's uniquely unusual, the troubleshooters needed more than "I watched my fresh install get infected when connected to my router with no internet. No, at this point the only thing it could be is the router."

Everyone wanted to know about this router-specific virus, without stating it didn't exist. Or, to conclude how a router can be the source - this can be an enormous security risk to everyone.

It wasn't "you do not have a virus". It was "tell us how you know you have a virus, how is it you have sourced it from your router".😐

My preference to avoid all this tomfoolery is not installing Windows on any of my personal systems, but that's me.;)
How does Linux work with Windows games these days?
 
Now that it's resolved, I understand it was/is serious to someone. I stumbled across it via the SNBForums mailbot.

In the end it's entertaining: vague references to what a user just knows is the problem. Only takes the bits of advice they like, because they know what's wrong and that suggestion won't help - not going to not use Avast through any step, won't use the screenshot asked for early on, etc.

If they had accepted that their conclusion may have missed something and followed the advice they asked for... the conclusion that there wasn't any problem, at least with their router, may have been reached more quickly.

But still, why the mouse movements and file highlights? There's just gotta be somethin' going on here.

I have no doubt the OP did originally have a virus, and could very well have been allowing remote access.

Problem is, with the steps taken to eliminate that virus and installing/uninstalling multiple AV programs (installing an AV program while you have an active virus is completely useless; they just detect and block them), I think the OP just got totally confused.

@Alt255

At this point hopefully you are more focused on changing passwords to everything, especially cell, email, and financial, and enabling 2FA (preferably TOTP) on all of those same things, than on worrying about Avast's Chinese lettering. I'm sure they've used Chinese programmers and ones from many countries (Avast is a Czech company, not at the top of my list for stuff I want to install).

No amount of virus and firewall protection in the world can replace good internet hygiene and common sense. For example, when you can download the latest Kindle reader directly from Amazon, why download it from a third-party site (even if you didn't know that particular site is loaded with malware)?

In the future I'd recommend approaching it more patiently: isolate the machine that you know is infected, shut it down until you can do some offline virus scans, and if you suspect your router, instead of coming in here and saying you know your router has a virus and not listening to (or having an attitude with) any suggestions that don't confirm what you "know".

Panicking and installing random stuff will only make it worse. Shut it down, pull the drive, and use a known good PC to diagnose and clean it. Or at least boot the PC off a write protected medium to work on that infected drive from a clean OS.
 