Thanks for the help, all you guys... but flashing the router was one of the
first things I tried, and you are correct, the router is now toast; somehow the
MAC address of it went to 00 00 00 00 00 00 and it won't let me back
in... although it still passes traffic.
A few other symptoms: when I first noticed the problem the USB mouse would
freeze (nothing wrong with the mouse); quickly switching USB ports would
reactivate it. I thought it was a hardware problem because the connection to
the motherboard was a bit sloppy... the problem went away for a month. The problem
returned after that, but this time the USB connection was solid.
When I tried to pay for the pctools product using HTTPS, the web page would
come back as transaction incomplete; the credit card showed 4 copies of the
product.
Anyway, I've had to change credit card, cancel ISP and email, and I've had
enough... thanks for your time and interest.
I live in an isolated community way in the bush; people come to me to fix
their computers. No one has complained yet and the machines were clean, but
yesterday I had to go to a big city some 400 miles away. While doing some
business, there were 4 or 5 customers with me waiting in line to be served.
Got to talking computers; 3 of them said that they were doing the same as me:
unplugging the machines. One young fellow said "So what? Don't bother
with firewalls, viruses, etc., etc. Just reformat once a month; who cares
what is on the machine."
"Kerry Brown" wrote:
> "Shenan Stanley" wrote in message
> news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
> > Entire Conversation:
> > http://groups.google.com/group/microsoft.p...c31fc709607cf76
> >
> >
> >
> > Kerry Brown wrote:
> >> It sounds like your router may have been compromised.
> >>
> >> Unplug one of your computers from the router. Do a clean install of
> >> Windows on this computer making sure you delete all partitions then
> >> recreate them during the install. Leave this computer unplugged
> >> from the router. Don't worry about updating it just yet. On a
> >> different computer download the latest firmware for your router.
> >> Burn this file to a CD or copy it to a flash drive. Make sure there
> >> are no other files on the CD or flash drive. Unplug all of the
> >> computers from the router. Unplug the router from the Internet.
> >> Reset the router to the factory defaults. Plug in the computer with
> >> the fresh Windows install. Use it to flash the router with the
> >> downloaded firmware. Reset the router again. Set a password for the
> >> admin account. Plug the router back in to the Internet and update
> >> this computer. Do not plug in any of the other computers until they
> >> have been wiped clean and a fresh install of Windows done.
> >> The key is to flash the router with a clean computer then set a
> >> password on the router before reconnecting to the Internet.
> >
> > BoaterDave wrote:
> >> I feel there is much merit in what you say. FYI I did raise this
> >> topic here
> >> http://aumha.net/viewtopic.php?t=26677&sta...=asc&highlight=
> >> before I became persona non grata at AumHa.
> >> Are you aware of any way to check whether or not a router has been
> >> compromised - *before* one follows the procedure you have outlined.
> >> I should be interested to learn more about this subject. Do you (or
> >> anyone else reading here) have any pointers as to where to begin?
> >>
> >> I found this item which I found interesting - others may too:-
> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
> >>
> >> A fairly recent news item here, too:
> >> http://www.pcpro.co.uk/news/173883/chinese...r-firmware.html
> >
> > While I know of no way to find out if a router has been compromised - if
> > there is even one ounce of suspicion that it could have been compromised -
> > it would be better to reset the router to defaults, set a new password
> > (strong one) on it, leave remote management turned off, make sure wireless
> > (if a feature of said router) is using WPA or WPA2 at least for security,
> > etc.
> >
> > What makes that even better is doing that 'offline' - the router does not
> > need a Internet connection for any of that.
> >
> > In this particular case (that where the original poster seems to have been
> > targeted in some way - or overlooking some part of re-securing their
> > entire system (not just the computer)) - the advice is spot-on in my
> > opinion. Start from the first piece of equipment you can control and work
> > your way through to the last - keeping them all 'offline' until you have
> > changed the setup on all of them and secured them to the best of your
> > ability.
> >
>
>
> There are currently two exploits for routers I know of. They both change the
> DNS servers the router uses to compromised DNS servers. This means whatever
> URL you type in isn't necessarily where you end up. They can use the
> compromised DNS servers to send you wherever they want. You type in
> www.google.com and end up at some malware site that tries every trick in the
> book to get more malware on your computer, or more likely a site that is full
> of advertising where you are enticed to click on ad links while trying to
> get to where you wanted to go in the first place. It's a vicious circle.
> Every legitimate site you try to go to, you're redirected to a non-legitimate
> site. They can even let you get to legitimate online AV sites to scan the
> computer. Because the router is compromised, not the computer, all the AV
> scans come up negative. The original trojan that compromised the router has
> long since erased itself.
>
> One exploit is a trojan that probes common IP addresses for a router. If it
> finds one it takes advantage of the fact that most people never set a
> password on the router and reprograms the DNS settings. The trojan tries a
> few common passwords as well as no password. Setting a strong password on
> the router admin account stops this exploit.
>
> The other exploit uses a flaw in some older versions of Flash to change the
> router's DNS settings via UPnP. All they have to do is trick you into
> watching an infected Flash video. You go to what looks like a normal website
> with some streaming video. While watching the video your router is
> reprogrammed. Keeping Flash up to date and/or turning off UPnP on the router
> stops this exploit.
>
> Doing a hard reset of the router is probably enough to fix a changed DNS
> setting. I have seen a couple of cases on networks that had highly
> compromised computers where someone or something had tried to flash the
> router unsuccessfully and the router was toast. This tells me there may be
> an exploit that tries to flash a router. That's why I recommended flashing
> the router.
>
> --
> Kerry Brown
> MS-MVP - Windows Desktop Experience: Systems Administration
>
> http://www.vistahelp.ca/phpBB2/
>
>
>
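Kerry Brown describes the symptom of a hijacked router as "the DNS servers the router uses" having been swapped for attacker-controlled ones, and BoaterDave asks how one might check for that before wiping and reflashing everything. The script below is an added example, not code from anyone in this thread: it parses the DNS servers a Windows client reports in a constructed `ipconfig /all` excerpt, flags any resolver outside an allowlist of expected networks (the LAN itself and the ISP's resolvers, both assumed here and filled with documentation address ranges), and cross-checks the answers two resolvers give for a known hostname. The answer sets and addresses are constructed sample data; on a real machine you would paste in the actual `ipconfig /all` output and the addresses your ISP documents. A clean result from this check does not prove the router is clean; it only covers the DNS-rewrite behaviour the thread describes.

```python
"""
Added example (not from the newsgroup thread): a defender's check for the
DNS-hijack symptom described above. It parses the DNS servers a Windows
client reports, flags resolvers outside an allowlist, and cross-checks
answers for well-known hostnames from two resolvers. All addresses, the
allowlist and the answer sets are constructed sample data.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt resembling `ipconfig /all` output on a Windows client.
# The second DNS server (203.0.113.77) is the planted "bad" resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
"""

# Constructed allowlist: the LAN (router acting as DNS forwarder) and the
# ISP's documented resolvers. 198.51.100.0/24 stands in for the ISP range.
EXPECTED_RESOLVERS = [ip_network("192.168.1.0/24"), ip_network("198.51.100.0/24")]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in an `ipconfig /all` dump.

    The first server sits on the 'DNS Servers' line; continuation lines that
    hold only an address belong to the same list until the next field.
    """
    servers = []
    in_dns = False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            servers.extend(_IPV4.findall(stripped.split(":", 1)[1]))
        elif in_dns and stripped and ":" not in stripped:
            servers.extend(_IPV4.findall(stripped))  # continuation line
        elif in_dns:
            in_dns = False  # a new field or a blank line ends the list
    return servers


def unexpected_resolvers(servers, allowed=EXPECTED_RESOLVERS):
    """Return the servers that fall outside every allowed network."""
    return [s for s in servers
            if not any(ip_address(s) in net for net in allowed)]


def compare_answers(router_answers, trusted_answers):
    """Compare answer sets from the router's resolver and a trusted resolver.

    Both arguments map hostname -> set of A-record addresses. A hostname is
    reported when the router's answer shares no address with the trusted one;
    large sites rotate addresses, so a partial overlap is not treated as a
    mismatch.
    """
    mismatches = {}
    for host, trusted in trusted_answers.items():
        via_router = router_answers.get(host, set())
        if not via_router & trusted:
            mismatches[host] = sorted(via_router)
    return mismatches


# Constructed answer sets (documentation addresses only): the trusted
# resolver returns the expected addresses; the router's resolver hands back
# a foreign address for the update host, the redirect the thread describes.
TRUSTED = {"www.example.com": {"198.51.100.20"},
           "update.example.net": {"198.51.100.40"}}
VIA_ROUTER = {"www.example.com": {"198.51.100.20"},
              "update.example.net": {"203.0.113.9"}}


def audit(ipconfig_text=SAMPLE_IPCONFIG):
    """Run both checks and return the findings as a dict."""
    servers = parse_dns_servers(ipconfig_text)
    return {"dns_servers": servers,
            "unexpected": unexpected_resolvers(servers),
            "mismatches": compare_answers(VIA_ROUTER, TRUSTED)}


if __name__ == "__main__":
    print(audit())
```

Either finding (a resolver you did not configure, or a hostname whose answer disagrees with a resolver you trust) is the cue to follow the offline reset and firmware procedure quoted above rather than to keep scanning the computers, since, as Kerry notes, AV scans on the hosts come back clean when the router is the compromised device.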