# My router is hijacked...



## jpierce55 (Nov 20, 2011)

It happened after I was on Facebook. I received a virus last week, not exactly like the publicized one. It appears my router is hijacked, as everything tests virus free now. One of my email accounts spammed everybody, and occasionally my page all of a sudden goes to Yahoo. Anybody know how to fix a hijacked router?

My router page should be 192.168.2.1, and is identified so by cmd.exe, yet I can't access that.


----------



## 1freedude (Nov 20, 2011)

reset it


----------



## PVTCaboose1337 (Nov 20, 2011)

If someone somehow got control of your router because you did not change the passwords from default you have a big advantage:

YOU HAVE PHYSICAL CONTROL OF THE ROUTER.  Best thing you can do is to hard reset all settings in the router, don't connect it to the web, and set a secure password / user.


----------



## streetfighter 2 (Nov 20, 2011)

Sounds more like a virus modified your hosts file than hacked your router . . .

If you're afraid your router was hijacked, which it very likely isn't, just reset it by holding in the reset button and singing the first half of Tosca. Also disable UPnP so viruses on your network aren't able to open ports for themselves.

On the other hand you could post your HJT, and start running antivirus software like it was going out of style.


----------



## oinkypig (Nov 20, 2011)

Run cmd, check up on what IP they're accessing you on. They probably are getting access to your PC too through the network. Even if they hijacked the router they probably got into your network auditing settings that would allow them to access your PC. Even if you reset the router there may still be a chance of them being able to access your PC without you even knowing it. If you can figure it out and they actually have changed your domain's settings then you actually could gain access to their PC as well. It may only take their MAC address to gain access. Ehh, maybe a little more work than that, but it's definitely possible.
Create your own NetBIOS profile. Use cmd and run ipconfig, netstat, net view, and nbtstat. Those will help you find out who's tracking you. Also check on Event Viewer security settings. It'll tell you what IP they do run under. They don't need to have access to your router to access your computer over the network. You may also want to check your auditing settings and make sure they haven't switched over to your administrator domain and privileges. You can do that by searching for your PC's group policies and then editing them back to their default values.
- There's a workaround to access your PC's workgroup/domain through other computers on your network, using their domains as a way to disguise their own and gain access to your PC.


----------



## newtekie1 (Nov 20, 2011)

I highly doubt it is your router that is hijacked.  More than likely you have two things going on.

1.) Your email account was compromised when you got the original virus.  Now they can send emails to everyone in your address book from your address; they don't even need access to your email account anymore to do this (though changing your password would be wise anyway). It is extremely easy to spoof an email address.

2.) You still have a piece of malware infecting your computer that is redirecting your browser to yahoo.

What have you done to clean the virus, and make sure your PC is virus free?


----------



## micropage7 (Nov 20, 2011)

Yeah, I agree, try resetting it, then check your PC. I guess your PC got hijacked or a virus or something like that.
Since a router/switch has no storage capability, I guess the error comes from your PC.


----------



## jpierce55 (Nov 20, 2011)

I ran tdss root kill. Hijack this. I ran Malware Malbytes. I installed MS security essentials. I also ran the Microsoft Tool that boots up in ISO, that is what cleaned the virus.

My email is web only, not sure if that matters.

Edit: I also clean my browsers with BleachBit.


----------



## jpierce55 (Nov 20, 2011)

streetfighter 2 said:


> Sounds more like a virus modified your hosts file than hacked your router . . .



Perhaps, I don't know what is going on. I don't know why I can't access the router settings page. I did try resetting the router, so it is probably something else.


----------



## 95Viper (Nov 20, 2011)

Run a few other virus tools, it does not take that long and may be worth the peace of mind.

Emsisoft Anti-Malware 6.0

Emsisoft Emergency Kit 1.0

Superantispyware

Then you need to re-set a few things, like, others in previous posts mentioned.

And, maybe, these free software tools will help.
You may get a false positive with some A/V or anti-malware packages, as these software packages are made to change settings, and some A/V and anti-malware don't like that.
Feel free to run them through Virus-total, if you have doubts.

Rizonesoft's WinSock Repair - still good and works, has been replaced with Rizonesoft's Complete Internet Repair - this is the best at ease of use for me.
Then there is Tweaking.com's - Windows Repair all-in-one repair tool - which is OK, has a lot, but the GUI is so-so for me.

Try them (not all at once). You will, more than likely, need to re-boot after using them.
Hope they help.  Good luck there.

EDIT:  Another tool to run, is the *system file checker* that is built into windows. Does what it says.

Open an administrative command prompt, type "sfc /scannow" (without the quotes, and put a space between the "c" and "/"), hit enter and let it do an integrity scan on the system files.


----------



## v12dock (Nov 20, 2011)

Common malicious software. Head over to Bleeping Computer; I believe they have an extensive guide on how to remove it.

DLL addon that is loaded when the webpage loads

Might be TDSS rootkit http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller


----------



## theJesus (Nov 20, 2011)

streetfighter 2 said:


> Sounds more like a virus modified your hosts file than hacked your router . . .


Yeah, check your hosts file for anything suspicious or out of place.  Also check msconfig for any startup programs and services that look suspicious and disable them.  You might want to do this in safe-mode since some viruses can detect you trying to disable them and just make a different file, etc.

edit:  Oh, and if you have another PC that you can toss the drive into, then it would be a good idea to run scans like that so there's no chance of viruses loading and interfering with the scan.  You could also try using a boot-disk for the same purpose, like UBCD 4 Windows.


----------
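The hosts-file check suggested in the posts above, as an added example that is not part of the original thread: a Python sketch that lists every hosts entry other than the default localhost mappings. The function name, the verdict labels and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import os

# Names a stock hosts file is expected to map to loopback (assumed baseline).
DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input, not taken from the thread.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    mail.example.com www.example.com   # documentation-range IP
127.0.0.1       update.av-vendor.example           # made-up update server
not-an-ip       broken.example
"""


def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for every non-default entry."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue                           # blank, comment-only or incomplete
        address, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.extend((line_no, address, n, "malformed") for n in names)
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            name = name.lower()
            if local and name in DEFAULT_NAMES:
                continue                       # expected default mapping
            # Loopback/0.0.0.0 makes the name unreachable; any other IP redirects it.
            findings.append((line_no, address, name, "sinkhole" if local else "redirect"))
    return findings


if __name__ == "__main__":
    # Audit this machine's hosts file (standard Windows location, else /etc/hosts).
    root = os.environ.get("SystemRoot", r"C:\Windows")
    path = (os.path.join(root, "System32", "drivers", "etc", "hosts")
            if os.name == "nt" else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as f:
        for finding in audit_hosts(f.read()):
            print(*finding, sep="\t")
```

A "sinkhole" verdict is not automatically bad, since ad-blocking hosts lists use the same trick; a "redirect" entry for a site you actually visit is the one to investigate first.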



## oinkypig (Nov 20, 2011)

If you can't access the router through the default gateway and you are wirelessly connected to it, then maybe the router has those connections set to a different IP range other than 192.168.2.x, that makes it so. That way you wouldn't be able to access it unless you had a direct link to the router. I'm fairly certain that can only be done manually though. Make sure your IP falls within the default range of the router or just keep resetting it until it does. It has to properly reset eventually.


----------



## erixx (Nov 20, 2011)

WOW, AND ALL THIS SH*IT because you visited Facebook? .... omg!

Apart from all the glorious tips from above, you can also install (download from official website) the software of the router; it should have a proggie that lets you config and RESET it.

Then we have the physical button to RESET it on the router itself.

good luck!


----------



## jpierce55 (Nov 20, 2011)

Yeah, and it was not the virus that made news last week. I saw a friend had posted a new photo; when I clicked on that, wham. The virus was attached to that photo.

Resetting the router did not work. I find nothing on startup or system processes showing a virus. I'll keep digging.

I tried 3 root kill softwares and still nothing. I did the MS boot scan again and it found nothing. After I did all 4 I started typing an email (Firefox) and again it tried to redirect me to Yahoo. I might see if uninstalling and reinstalling the browser works.


----------



## theJesus (Nov 20, 2011)

jpierce55 said:


> I might see if uninstalling and reinstalling the browser works.


That actually did work for me once on somebody's PC.  Also, you might want to change your e-mail password.


----------



## johnspack (Nov 20, 2011)

I would try running the Kaspersky rescue disk: http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/
Also, to fully reset your router, use the 30/30/30 rule: hold the reset button for 30 secs, while still holding in, unplug power from router and hold another 30 secs, then plug the power back in and hold for 30 secs more.


----------



## jpierce55 (Nov 21, 2011)

I have pounded and pounded. I MAY have succeeded. I had to reset all of my network settings, clean out IE explorer/Firefox again. For a little while I could not access some websites. Hopefully it is good now.


----------

