My ISP emailed me saying that my computer is infected with Bamital/Ramnit-A. I did a boot-time scan with Avast, a scan with MBAM, Microsoft Safety Scanner, and Norton Power Eraser, and all the scan results came up with no infections. I also attached AdwCleaner, OTL, MBAM, and aswMBR logs. Are there any other programs I should run?
Here’s part of the email:
"CenturyLink Security Services has received notification about malicious traffic originating from this account. This means that this computer or another computer on your network is trying to infect, attack, or gain unauthorized access to other computers on the Internet.
This malicious traffic has been determined to be an instance of “Bamital,” also known as “Ramnit-A”.
Date IP Additional Info
2013-05-31 01:43:10 71.36.219.193 infection => ‘B58-DGA2’, src_port => ‘4782’, method => ‘GET’, hostname => ‘drivenfranchise.co.cc’, URI => ‘/wp-content/uploads/2010/06/mj.png’ "
CenturyLink has noted malicious bot? activity. Anything unusual about the behavior of your system as of late? Do you have more than one?
Malware expert should be online in about 6 hours.
If you are seeing unusual or changed operating behavior, I’d take a moment or two to describe what they are to better assist the malware expert who will be coming in a bit. If using a DSL internet modem, is it well secured?
I have always wondered where these ISPs would come up with the determination that your system is infected with a specific infection, without having run a scan on your system.
So I would have been more concerned about the origin of the email (possibly not from the ISP) than the potential of an undetected virus like Ramnit which avast should have been detecting.
Or the so called possible bot activity would most likely have been detected by the network shield if it was trying to connect to a malicious site.
I was wondering that too after receiving an identical e-mail this morning (just switched to CL a week ago; didn’t even know they were so…“diligent.”)
Full headers indeed seem to say it comes from the ISP.
Like the OP, I’m also clean (SEP, Avast, MalwareBytes). Not sure that’ll -help- the OP or myself very much, but as this is the first result that comes up on Google… maybe it won’t hurt.
Well, the issue is, your ISP can decide to terminate Internet service if not notified of system cleanliness status.
Then there is the possibility that a second or third or fourth machine on the home network is the actual culprit, and not the one tested here. As, DavidR states, how the malicious anomaly is detected is only via network activity, and one would have to go directly to your ISP to find out how/why that determination was made, and which system is doing this.
Which is why the related question about the DSL modem and its status.
My DSL modem is a Modem/Router combo provided by CenturyLink a month ago because they just switched to fiber optics here. The firewall status is set at default. There’s only one computer that’s directly connected to the modem. The wireless connection is disabled and I don’t use it.
I haven’t noticed any changes to my computer lately, but several months ago I had issues starting up Windows (freezing up, black screen), so I had to start Windows in Safe Mode. I found out that Comodo Firewall was causing the hanging when running with Avast, so I removed Comodo Firewall and I’m now just using Windows Firewall instead.
It’s kind of weird that ANewPerfume had the same email notice.
I’ve been using Avast for 8 years now and never had an issue with viruses, but since they were specific with the information I was worried that the antivirus software was not picking it up.
essexboy, I couldn’t find the extra OTL txt file, that’s why I didn’t post it. It’s supposed to be in the same folder as the OTL text, right? I did rescan with OTL again and only the OTL file popped up. I’m not sure what I’m doing wrong.
I received the same notice from CenturyLink this morning. The logged domain and filename are different. For me, it was greendixy.co.cc hostname with ‘/tec_1.jpg’ as the listed URI. Interesting how both your URL and the one they marked for me are ‘cc’ domains, Cocos (Keeling) Islands domains. Could this be some kind of false positive by the ISP caused by someone trying to send out attacks from those locations? We all appear to also have Avast installed, in case that might be related as well.
That is interesting. The ‘greendixy.co.cc’ has the same identity information. I called CenturyLink’s tech support and they indicated it could have been some kind of external hack/exploit masking itself under IPs/account details linked to us as their customer. How they could do this is unknown.
The only common links we appear to have is we’re using Avast for antivirus and CenturyLink as our ISP. So is it possible that Avast was somehow hacked in a way that a remote attacker could have retrieved details about our accounts to use them in some kind of bot attack attempt? What’s odd is that the problem surfaced again last night at a time when our systems were turned completely off and our modem was even turned off, but it was somehow linked to our account again.
I (or rather my wife) also received this email today from CenturyLink.
I do not use Avast. I have 3 laptops, two desktops, a Kindle, and 2 Xbox 360s all using the internet, often several devices at once. My firewall and antivirus software is usually AVG, but I think one of the laptops has Malwarebytes.
The bottom of their email to us was the following:
Date IP Additional Info
=================== =============== =======================================================
2013-06-11 13:21:30 ...** (My IP) infection => ‘B58-DGA2’, src_port => ‘3210’, method => ‘GET’, hostname => ‘thundergang.co.cc’, URI => ‘/3566997687_635a5c191e_o.jpg’, ASN => ‘AS209’
Email says host is thundergang.co.cc or something? I have no idea what that is.
I saw in an earlier comment to go that hostlogr site and here’s the page with thundergang put in: http://thundergang.co.cc.hostlogr.com/
Looks like the same IP as the earlier two messages from sw3dg and sc5119, drivenfranchise.co.cc and greendixy.co.cc.
I’d really like to know what’s going on so I can tell my ISP I’m not running some sort of botnet.
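As an added example (not from any poster, CenturyLink, or Avast), here is a small parser for the notification record format quoted in this thread, fed with the two complete records posted above. The third poster redacted their IP, so a placeholder address is used for that record, and the time-window helper assumes the notice and the local browsing history use the same time zone, which the notice does not state.

```python
import re
from datetime import datetime

# The two complete records quoted in this thread. The second poster's IP was
# redacted, so 203.0.113.7 (a documentation address) stands in as a placeholder.
# Forum pasting turned some quotes into curly quotes, so both styles are accepted.
NOTIFICATIONS = [
    "2013-05-31 01:43:10 71.36.219.193 infection => ‘B58-DGA2’, src_port => ‘4782’, "
    "method => ‘GET’, hostname => ‘drivenfranchise.co.cc’, "
    "URI => ‘/wp-content/uploads/2010/06/mj.png’",
    "2013-06-11 13:21:30 203.0.113.7 infection => 'B58-DGA2', src_port => '3210', "
    "method => 'GET', hostname => 'thundergang.co.cc', "
    "URI => '/3566997687_635a5c191e_o.jpg', ASN => 'AS209'",
]

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+(?P<rest>.*)$"
)
# key => 'value' pairs, tolerating straight or curly single quotes
PAIR_RE = re.compile(r"(\w+)\s*=>\s*['‘’](.*?)['‘’]")


def parse_notification(line):
    """Split one 'Date IP Additional Info' line into a dict of its fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised record: %r" % line)
    rec = {
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "ip": m.group("ip"),
    }
    rec.update(PAIR_RE.findall(m.group("rest")))
    return rec


def shared_fields(records):
    """Return the fields whose value is identical in every record."""
    keys = set.intersection(*(set(r) for r in records))
    return {k: records[0][k] for k in keys
            if all(r[k] == records[0][k] for r in records)}


def parent_domain(hostname):
    """Last two labels of the hostname, e.g. 'co.cc' for the hosts seen here."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def within_window(record, local_time, minutes):
    """True if a locally observed event lies within +/- minutes of the record
    time. Assumes both clocks are in the same time zone (not stated in the notice)."""
    return abs((record["timestamp"] - local_time).total_seconds()) <= minutes * 60
```

Comparing `shared_fields` across everyone's records shows what the notices actually have in common (the `infection` label and the request method), which is what you would bring to the ISP rather than guessing at antivirus or modem model.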
It appears to perhaps either be some kind of external hack/attack or maybe some kind of false positive. Maybe we can find some common attributes between our systems that might help pin down where it occurred. What model of modem are you using? I was on a Q1000. After three rounds of the same thing happening to me, I decided to try one of the tech’s suggestions and use a different modem for a while. I switched to a C1000A model and haven’t had the problem since. I think the tech said the new one has better security/protection. Perhaps the original model was vulnerable to a bot exploit, I don’t know. But so far, the problem has not resurfaced for me yet.
Not actually home at the moment, but I’m reasonably sure that’s the modem they gave us. Had it for about 2 1/2 years, no real problems with it. Service was crappy for a couple days and they offered to replace it, but then I would have lost all my settings (I have a number of ports forwarded and a couple networks coming out of that thing for different devices. The Nintendo DS for example, which I forgot to mention before, requires WEP security) and I didn’t want to lose that info, so I opted to keep the current modem. The problems went away after a few days, and it’s been months without issue. I suspect it was a problem on their end, but you know how that goes.
“I think the problem’s on your end.”
“Oh, no, sir. You need a new modem. We can have a man out to your place in 5 days.”
EDIT: Just went over the email and noticed that they’ve done the courtesy of providing the exact date and time of the offending action.
For me, it was 2013-06-11 13:21:30. My wife was out painting another house, and I was at work. There was nobody in my house and my networks are pretty secured (I’d like to think). However, I regularly use putty to tunnel a connection from work to home, so I can use the actual internet rather than my office’s version of the internet. I’ve been doing this for over a year with very few problems. Had an issue a while back where my IP would change literally every five minutes, made tunneling… irksome.
Anyway, because I was using the internet at the office, I checked my history. Around 1:20 I was using reddit and Youtube. Nothing loaded at 1:21 exactly.
Hmm, not sure if that might be it or not. I did notice that the new modem has a more robust login system. It requires password entry to access the control menu every time, as opposed to just presenting it without requiring a log in with the older modem. That to me indicates one potential point of vulnerability that some kind of bot/malware might try to root into to inject something (maybe into the modem itself?).
Edit: YouTube might be one common link. One or two of the instances of the event for us was around the time YouTube was loaded on one of our systems. But like I mentioned earlier, one instance appeared to occur when all of our systems were turned off, including the modem.