Router Hijack - Help

Discussion in 'malware problems & news' started by opcode, Dec 29, 2011.

Thread Status:
Not open for further replies.
  1. opcode

    opcode Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    37
    Location:
    united states
    I may have had my wireless router compromised by a hijack trojan.
    Mbam log shows the following entry:

    Registry Data Items Detected: 1
    HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IP|DLLPATH (Hijack.Iprouter) -> Bad: (C:\2970400.dll) Good: (%systemroot%\System32\iprtrmgr.dll) -> quarantined and repaired successfully.

    I'm running additional scans with Mbam now. Is there anything you guys would recommend I do to test/ensure that this problem has been resolved?

    Is there any way to know for certain that my web traffic isn't being passed through some malicious server?

    Thanks!
     
  2. SoCalReviews

    SoCalReviews Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    282
    Location:
    Los Angeles, CA
    Take a closer look at the definition for that malware (Hijack.Iprouter) that MBAM caught, quarantined and repaired. I suppose it is possible for routers to be infected but as far as I know that is a more rare occurrence. This infection could just be IP redirect malware in the Windows registry. Check to see if Windows remote access control and remote access invitations are turned off. In the worst case this could be a type of malware that tried to gain administrative access to your router.

    Make sure you have a strong administrative password to protect the router. Maybe you should change the administrative password and the wireless access passwords of that router. You could also do a hard reset of the router to its original default settings and then set up the router settings all over again for your network. If applicable turn off wireless remote administration of the router. Make sure the DNS settings and other settings in your router are good and not changed with malicious redirected settings to bad DNS (domain name servers). Try running more scans with other antimalware programs like SAS to make sure any undetected traces are removed from your computer. Also run some online scans like the ESET online scanner.

    If there are no clear answers from anyone else here about whether the router itself could be infected, then you may want to contact MBAM or ask in the MBAM forum for a clear definition of what that malware is and exactly what it does. The obvious questions you will want to ask are whether it is a Windows system and/or registry infection or whether it infects the router, and whether there is anything you need to do pertaining to the router or the computer after MBAM has effectively dealt with it.
     
    Last edited: Dec 29, 2011
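The two checks the reply above suggests on the Windows side, re-checking the registry value MBAM repaired and confirming the host is not pointed at a rogue resolver, as an added example script that is not from the thread or from MBAM. The expected DNS server list is a placeholder assumption you replace with your own ISP or router addresses; the registry path and the good DLL path come from the MBAM log entry in the first post.

```powershell
# Added example (not part of the thread): re-check the RouterManagers\IP DLLPATH
# value that MBAM repaired, and list the DNS resolvers the host is actually using
# so a redirect to a rogue resolver is visible. Run from an elevated PowerShell.
# Uses WMI rather than the newer DnsClient module so it also runs on PowerShell 2.0.

$RouterManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\IP'
$ExpectedDll      = Join-Path $env:SystemRoot 'System32\iprtrmgr.dll'

# ASSUMPTION: placeholder list of resolvers you expect to see (your ISP's or the
# router's LAN address). Replace with your own values.
$ExpectedDnsServers = @('192.168.1.1')

function New-CheckResult {
    param([string]$Check, [string]$Status, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-IpRouterManagerDll {
    param([string]$KeyPath = $RouterManagerKey, [string]$Expected = $ExpectedDll)
    $check = 'RemoteAccess\RouterManagers\IP DLLPATH'
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.DLLPATH) {
        return New-CheckResult $check 'KeyOrValueMissing' $KeyPath
    }
    # The good value is stored as %systemroot%\System32\iprtrmgr.dll; expand it
    # before comparing, otherwise the legitimate value looks like a mismatch.
    $actual = [Environment]::ExpandEnvironmentVariables([string]$item.DLLPATH)
    if ($actual -ine $Expected) {
        # Anything outside System32 (e.g. C:\2970400.dll in the MBAM log) is a hijack.
        return New-CheckResult $check 'HIJACKED' $actual
    }
    if (-not (Test-Path -Path $actual)) {
        return New-CheckResult $check 'FileMissing' $actual
    }
    # Path is correct; also make sure the DLL itself was not swapped in place by
    # requiring a valid Authenticode signature from a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $actual
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
        return New-CheckResult $check 'BadSignature' ("{0} ({1})" -f $actual, $sig.Status)
    }
    return New-CheckResult $check 'OK' $actual
}

function Get-UnexpectedDnsServers {
    param([string[]]$Expected = $ExpectedDnsServers)
    $results = @()
    # Every IP-enabled adapter, with the resolver list Windows will actually query.
    $configs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($cfg in $configs) {
        foreach ($srv in @($cfg.DNSServerSearchOrder)) {
            if ($srv -and ($Expected -notcontains $srv)) {
                $results += New-Object PSObject -Property @{ Adapter = $cfg.Description; DnsServer = $srv }
            }
        }
    }
    return ,$results
}

Test-IpRouterManagerDll | Format-List Check, Status, Detail
$rogue = @(Get-UnexpectedDnsServers)
if ($rogue.Count -eq 0) {
    'DNS servers on all adapters match the expected list.'
} else {
    'Unexpected DNS servers found:'
    $rogue | Format-Table Adapter, DnsServer -AutoSize
}
```

If the adapters point at the router's LAN address, the host check only proves the host asks the router; the router's own upstream DNS setting still has to be read from its admin page, as the original poster did. Any status other than OK on the registry check, or any unexpected resolver, means the cleanup is not finished.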
  3. opcode

    opcode Registered Member

    Joined:
    Dec 19, 2011
    Posts:
    37
    Location:
    united states
    Thanks! I've verified the router DNS is going through my ISP. Factory reset was applied as well. I'll double check your other suggestions, but so far so good.

    Thanks again!
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Be cautious when accessing your router while infected: if you have a non-default password, your login credentials may get harvested and then used to infect the router. If the router gets infected you will not notice any difference visually. The only way to verify integrity is to telnet into the router and check the flash layout for changes; the safest way of doing this is while disconnected from the Internet and accessing from a Live CD. Many routers will track which IP the update came from.
     