I believe I've been subject to a WPAD attack, but I am not sure what the extent of the damage was and how to properly clean and secure my various devices at home.
First, my browser started blocking some random websites because of invalid certificates (e.g. anything in google.com worked just fine but not wikipedia.com). The same happened when I tried with other browsers. When I checked the server certificate, it showed one issued by vihoo (dev/localhost).
A few moments later, I got a notification from my antivirus about JS:Miner.bq in C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NBNFPTGR\wpad[4].htm\00000074.js being detected and deleted. IE history shows that the file was accessed from http://wpad.<my-own-domain>/wpad.dat (which doesn't exist).
So I was under a MITM attack, and my browser could have run undetected malicious JavaScript. I checked my browsing history; everything was over HTTPS, but there was one website that was accessed via HTTP. There was no password/sensitive information/downloads there, but if I understand correctly, my browser could have run further malicious JavaScript.
I didn't find any suspicious DNS record changes with my personal domain name. So I am assuming here that someone managed to hack into my local home network and/or into my router (I had a public web management console which was just protected by a simple password).
Question 1: What would be the extent of the damage if my router was compromised? Browser-saved passwords? Files on disk? A persistent backdoor?
This is what I did so far:
- I ran a full antivirus scan everywhere. Nothing was reported except another occurrence of the same trojan in C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\wpad[1].htm\00000074.js on the same Windows 7 machine.
- Following the recommendations from this post, I deactivated the auto-discovery of network settings on my Windows machines. I am not sure, though, if there is an equivalent for Android devices.
- I factory-reset my router configuration, changed the admin and Wi-Fi passwords, and deactivated the remote web management.
Question 2: Are those steps sufficient to properly secure my home network and the rest of my devices? Do I need, for example, to reinstall Windows and factory-reset all Android devices?
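Two checks that help answer whether WPAD is still being abused on a network like the one described above, as an added example that is not part of the original post: list the DNS names a Windows client walks through when looking for wpad.dat (assumed here to be the usual suffix devolution that stops before the top-level label) and see which of them resolve, and inspect a retrieved wpad.dat for the proxy endpoints it can hand back. The sample PAC text, the `home.example.com` suffix and the 192.0.2.x address are constructed for illustration.

```python
"""WPAD exposure checks: which wpad.* names resolve, and what a PAC file proxies to."""
import re
import socket
from typing import Callable, Optional

# Matches PAC return directives such as "PROXY 10.0.0.1:8080" or "SOCKS5 host:1080".
PROXY_RE = re.compile(r'\b(PROXY|SOCKS5?|HTTPS)\s+([^\s;"\']+)', re.IGNORECASE)


def wpad_candidate_names(domain_suffix: str) -> list:
    """Names a client tries for WPAD: wpad.<suffix>, then each shorter suffix,
    stopping before the top-level label (assumed devolution behaviour).
    'home.example.com' -> ['wpad.home.example.com', 'wpad.example.com']."""
    labels = [part for part in domain_suffix.strip(".").split(".") if part]
    return [f"wpad.{'.'.join(labels[i:])}" for i in range(len(labels) - 1)]


def dns_lookup(name: str) -> Optional[str]:
    """Resolve a name; None instead of an exception when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except OSError:          # socket.gaierror is a subclass of OSError
        return None


def resolving_wpad_names(domain_suffix: str,
                         resolve: Callable[[str], Optional[str]] = dns_lookup) -> dict:
    """{name: address} for every WPAD candidate that resolves. On a clean home
    network this should be empty; any entry means something on the network or in
    DNS is answering for wpad and deserves investigation."""
    found = {}
    for name in wpad_candidate_names(domain_suffix):
        addr = resolve(name)
        if addr:
            found[name] = addr
    return found


def pac_proxy_hosts(pac_text: str) -> list:
    """Every proxy endpoint a PAC script can return; a DIRECT-only PAC gives []."""
    return sorted({m.group(2) for m in PROXY_RE.finditer(pac_text)})


# Constructed sample wpad.dat: some hosts go DIRECT, everything else via a proxy.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.com")) return "DIRECT";
  return "PROXY 192.0.2.10:8080; DIRECT";
}"""

if __name__ == "__main__":
    print("WPAD names resolving:", resolving_wpad_names("home.example.com"))
    print("Proxies in sample PAC:", pac_proxy_hosts(SAMPLE_PAC))
```

Run it with your own DNS suffix (`ipconfig /all` shows it on Windows); a resolving wpad name or a PAC that returns anything but DIRECT is the signal to look for.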