Mitch_xtv

Estimable
Apr 27, 2015
11
0
4,560
Hey guys. Now, before I get into this I would like to start by saying that I was very confused as to which forum to post this in, so forgive me if this is the wrong one. I am also very limited in my knowledge of this, so in a desperate call for help, and to make people aware of this, I decided to make some posts all over the internet on certain forums like this one.

So let's start. Late hours of Thursday evening last week I started to experience strange internet speeds and ping spikes etc. etc. Me being an avid gamer I thought nothing of it; maybe give the router a reboot or something like that and normally the problem goes away. But I decided to tell my dad, who then checked the router logs, showing that we were being hacked/attacked from some IP. Anyway, it had seemed to stop so we carried on with whatever it was. Then Friday we noticed slow internet speeds etc. etc. We thought this to not be a coincidence, so we started to explore the situation further.

In the long and short of it we had clearly been attacked / hacked and an infection had been placed in the router and on every device in the house. Our home network is very complex, with 52 devices being used; most of those are Philips Hue light switches and things like that. This network virus also rerouted our DNS settings, and we knew that this was very bad. My father, working in IT since the early 2000s, still did not know how to fix this problem. It seems we had picked it up from a phishing email. We had decided to reset EVERYTHING in the house: factory reset of the router, phones and PCs. I and my father reformatted our whole systems but this thing has still not disappeared. This is clearly shown where our fresh installs of Windows on wiped hard drives were using 31% of our CPUs, and our CPUs are an i7 4790K and an eight-core AMD, so this is VERY strange for a machine of such spec. I have done some research across the web and I am pretty confident in saying we have some sort of RAM virus or fileless trojan on our machine and probably the router.

I am posting here to seek any sort of help someone might be able to point us to. Currently I'm attempting to download CS:GO on Steam with a normal 200mb download speed and 50 upload provided by Virgin Media, and I am downloading at 750KB, which is never this low. It is using lots of bandwidth in our network to spread to as many devices as it can, we think. Please discuss this here and ask some more questions, because we seriously do not know where to go or what to do.

Regards, Mitchell
 

COLGeek

Cybernaut
Moderator
Have you spoken with your ISP about this potential threat?

Also, when you reset your router, did you disable remote access and change the default admin account credentials (complex password)? Did you do this from a 100% clean system (no keylogger)?

What anti-virus/anti-malware applications are you using? What information have the scans revealed?
 

dark_lord69

Distinguished
Jun 6, 2006
740
0
19,010
"router logs showing that we were being hacked/attacked from some IP."
If jerks are attempting to hack your router (which is fairly easy), use MAC filtering. The only way they could connect is if they did some MAC spoofing, but even then they would need to know what an allowed MAC address would be.

BUT...
Since you've already been hacked it's just too late for that.
I'm not convinced that all of your devices have the virus.
Honestly,
the most likely scenario is that someone hacked your router to use your bandwidth/connection.
If that is the case, then just enable MAC filtering.
If you truly have a virus on the computer itself then I'd use Malwarebytes (free, not trial) to scan your computer.

If your DNS settings have been changed then just change them back.
1. Right click on your network connection in "Adapter Settings"
2. Click Properties
3. Click the one that ends with IPv4 (you may have to repeat this for IPv6)
4. Click Properties
5. Click Advanced
6. Click the DNS tab
7. Remove anything listed in the "DNS Server addresses" white box
8. Select "Append primary and connection..." and the checkbox under it.

If everything looks OK in DNS then try HijackThis.
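A PowerShell equivalent of the adapter check in the steps above, added here as an example and not part of dark_lord69's post or the thread: it lists the DNS servers configured on every active adapter and flags any that are not in an allow-list. The allow-list is an assumption: it holds the two public OpenDNS resolvers, since the thread says the router was meant to use OpenDNS; add your router's LAN address if your adapters are supposed to get DNS from the router via DHCP.

```powershell
# Added example (not from the thread): audit the DNS servers set on every active
# adapter and flag any that are not in the set you expect.
# Assumption: the expected resolvers are the OpenDNS pair; edit $Expected for
# your own network (e.g. add the router's LAN address if it hands out DNS).
$Expected = @('208.67.222.222', '208.67.220.220')

$findings = foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
    foreach ($family in 'IPv4', 'IPv6') {
        $cfg = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily $family
        foreach ($server in $cfg.ServerAddresses) {
            [pscustomobject]@{
                Adapter   = $adapter.Name
                IfIndex   = $adapter.ifIndex
                Family    = $family
                DnsServer = $server
                Expected  = ($server -in $Expected)
            }
        }
    }
}

# Show everything first so the full picture is visible, then the suspicious subset.
$findings | Format-Table -AutoSize

$unexpected = $findings | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning "DNS servers found that are NOT in the expected list:"
    $unexpected | Format-Table -AutoSize
    # To put a flagged adapter back to DHCP-assigned DNS (the equivalent of clearing
    # the "DNS Server addresses" box in the GUI steps), run for its IfIndex:
    #   Set-DnsClientServerAddress -InterfaceIndex <IfIndex> -ResetServerAddresses
} else {
    Write-Host "All configured DNS servers are in the expected list."
}
```

The script only reports; the reset command in the comment is the one change to make, per adapter, once you have confirmed the flagged entry is not something you set yourself.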
 

Mitch_xtv


Forgive me, as I'm quite new to this whole thing. I'm only 15 but I do know a lot about computers and how they work, as I've been brought up around them. It is my passion; I built my first PC 3 years ago, so yeah aha. But to answer you, dark lord: I have done multiple scans with every software out there including Malwarebytes. No results have been shown for anything. I too was sceptical that they all have the virus, but this is the information I have been told from my father.
 

SoggyTissue

Prominent
Jun 27, 2017
158
0
710
I don't want to scaremonger:

Did you install with the web connected? Did your computers have this high usage as soon as you installed Windows? I suggest you try a clean install with NO web access (router OFF), network cards OUT, don't even authenticate Windows .... Do you still get high CPU? Answer NO, see below (and install antivirus before connecting to the web):

How does your ISP work? Can you go anywhere and plug a router into the web and connect? As in, do you have a user name + account password to access your ISP? Because if the hacker has this, then every time you access the web through your ISP, he is on your ISP network ready to pump you full of baddies. - Changing passwords may not work as you've probably got a string of keylogging going on.
Hopefully your smart TV hasn't been 'jacked' too, else having that connected to your network will mean you're open to attack from your TV!

Finally, and don't take this as the ultimate fix because it isn't, time to change out your MAC addresses ... that's your network cards and your router; bin them, get new ones.

My suggestions are crazy, take them with a large pinch of salt.

Dark Lord is the man. Listen to him.
 

Mitch_xtv



I personally did not reset the router; this is all my dad's job, as he is pretty good with these things, as I stated previously. We have used multiple software packages, coming back with no results at all. My dad said that he saw the virus / hack come in as his PC started going crazy, producing alerts or something of the sort. I do not know if the remote access is disabled, but it would not have been from a 100% clean system, and that could have had a keylogger installed tbh.
 

Mitch_xtv


Our DNS settings were set to OpenDNS in the router. This is the chain of events: before the virus came, our settings in the router were set to use OpenDNS, then my dad's work asked him to install NetExtender so that he could access their LAN. After he installed NetExtender everything seemed fine, but when he logged onto the PC the next day, even though NetExtender had been turned off, all of his traffic from all of the PCs in the house seemed to be going through his work IP and whatever DNS they had allocated. He uninstalled NetExtender, but the DNS setting on every machine in the house had now been set back to what appeared to be the router's IP. This is when things started to go crazy: he reset the router and installed new firmware in the router; 15 mins later he looked at the router logs and the new firmware he had installed had been overwritten, with another install recorded in the logs, and his PC was running about 90 services he had never seen before in service host. On an AMD machine you cannot see the CPU usage but on an Intel machine you can; the only reason he knew the AMD was running at full speed was that Corsair Commander was running all 9 fans at full speed trying to cool the system down. There also seem to be, in Task Manager, several versions of our antivirus (Norton) running. Norton keeps telling us our machines are clean even with a full scan, which takes 5 mins when it used to take at least 40. He has uninstalled Norton and reinstalled Norton, and it is still no better; however, during the last install the system kept asking for the username and password for the Norton account on multiple occasions.
We have tried reinstalling Windows. He managed to clean one disk; his previous installation was in RAID 0. Removing both disks seemed to work the first time on the first disk; on the second disk, as soon as we plugged it into a brand new laptop (never before used on the internet or network) it refused to format the disk. Then he ran a diskpart clean in the cmd; even after this, when he put it into his main PC the old master boot record was still on that disk.
 

Mitch_xtv



"Because if the hacker has this, then every time you access the web through your ISP, he is on your ISP network ready to pump you full of baddies. - Changing passwords may not work as you've probably got a string of keylogging going on." This is the case 100%.
 

USAFRet

Illustrious
Moderator
Time to go nuclear and piss off everyone else in the house.

Disconnect everything else in the house. Everything.

1 system...Linux or Windows.
Full wipe and reinstall of the system. The OS and only the OS.

Router, restored to factory default specs.
Turn off ALL WiFi.

Connect that single system.
See what happens.

And don't bother with MAC address filtering. If someone has truly hacked your router (doubtful, but we'll go with that), or installed keyloggers, MAC address filtering is not even a speedbump.
 

Mitch_xtv



Okay, so say we do this what will it tell us if it works?
 

USAFRet



If the hack continues, you have much larger issues.
As in somehow, the hacker can insert himself in the stream between you and your ISP.

Start from a pristine, minimalist network.
Brand new PC install, and a router at factory settings.

If it does not continue, then you disinfect each system, one by one. They do not get connected to anything until known uninfected. Even if that requires a full wipe and reinstall.
Create some bootable antivirus DVD or USB solutions. Boot from those and disinfect each system.
 

SoggyTissue

tbh, I'd be concerned with your dad's work? Let's look at what caused this from your point of view. Your dad works for the govt.? It's a case of Spy Hard. Access govt servers, a 1-time deal, this PC will self destruct in 30 seconds ..... !

Seriously though, I bow to other people's suggestions here. Have a 'no net day' when you have been sent a new router, with new username/password, all computers clean installed at the same time; backups will be infected. Only after this no-net-access day, see if your computer is running more than the usual processes. Install several antiviruses like Avast / AVG / get Spybot to help protect your registry. Everything comes with Norton installed (like Internet Explorer comes with Windows) and so it's a safe bet to hide dodgy programs under the Norton name.
Not using Norton will eliminate this possibility.
Your dad's work might not be impressed with loss of data, but it's their fault for suggesting you remote access them. I don't care how you got your problem; it happened because they wanted you to go through them. It doesn't take a huge leap to suggest their network might be swimming in <mod edit>


Listen to USAFRet
 

mdd1963

Distinguished
Test a PC using a Linux Mint LIVE CD from USB....; from its default browser, check speedtest.net....

Hard reset the router ASAP....; see if your router shows activity when wireless is disabled, etc... Go wired only while troubleshooting... Go to a new, complex router password, and if your router allows, only allow changes to the password via wired methods....

IF you were able to identify a specific IP, block all inbound/outbound traffic to that IP address in your router...

You might have some mischievous punk neighbors with a side-interest in hacking....

 

Mitch_xtv




Yeah their network is for sure swimming in <mod edit> lol.
 

Mitch_xtv


Today my dad is going to buy a new SSD and we have factory reset the router. We can see services in our Task Manager that we can't end or change, some being remote processes. We also feel it has masked itself inside our antivirus.
 

USAFRet



A clean OS install on that new drive will put an end to that.
 

Mitch_xtv



That's the thing, it doesn't. We've done 100000 clean OS installs.
 

Mitch_xtv



Wired system yes, other systems offline no and factory router reset no. :p
 

USAFRet



Having the other systems offline is to prevent cross infections.
Like if there are several kids in the house, and they pass a cold back and forth for several weeks.

As said earlier...time to go nuclear.
 
Solution