ISP provider says that I'm infected w/ Bamital/Ramnit-A.

hi synbios16,

Could you start your own topic, please?

As every situation is similar but, by necessity, different, I will contact a certified malware expert (likely essexboy) to have a look at your case once you start your own thread. If possible, post a link to it here when you start it. That way you get the help you need, tailored exactly to your situation.

I’d really rather not. I get the feeling my posts would be removed anyway. I’d be asked to submit logs or I’d be told that I shouldn’t be creating topics when I don’t use Avast!.
I won’t have access to my home network or any of the computers for several hours to run any reports or submit any logs.
I didn’t come to start my own thread and seek a unique solution, I just wanted to corroborate what the others are saying and show the details of my experience so that we might pool our knowledge. Seems like a separate thread would just dilute the responses.

We help anyone here regardless of the AV that they use… However, I do not believe that there is an infection, as if you had Ramnit you would know.

lol, that’s what I was thinking, too. Pretty sure I’d notice if one of my machines became that compromised.
Regardless, I’ll be scanning everything when I get home. sigh I hate when stuff like this happens. Pretty much eats the next couple days’ worth of ‘free’ time scanning all the machines. If anything does pop up, I’ll be sure to create my own topic with reports and whatnot.

A week ago - it’s June 22nd today - CenturyLink blocked my computer, saying I had this Bamital bot. I restarted the computer, since a laptop on the same account was still going strong without any interruption.

Today, however, that laptop was blocked with the same notice of the Bamital trojan. I was outside, and my computer was in sleep mode, though still online, and not active. When I activated my computer it was also blocked.

The customer service guy posing as a tech rep had no knowledge of networked systems, so he referred me to his manager.

That manager was tied up with someone else for some time. He finally called me, and after some discussion agreed to send a detailed account incident report to my email. I’ve not received it yet, 8 hours later.

AVG Secure Search hijacked my search URL on at least Firefox. I keep ZoneAlarm’s free antivirus, firewall and security tool active all the time, and it has no record at all of the Bamital trojan, and maintains full system watch 24/7.

I keep mostly updated on miserySoft’s lousy trial-ware system updates, so I’m not far behind with that disaster posing as “updates.” I just completed an MS Security Essentials quick scan, without any indication of the Bamital, or any other malware. I’m letting it do a full scan with ZoneAlarm disabled. After that I will run Kaspersky’s rootkit snooper.

Is CenturyLink compromised and the bot running in their servers, between the various network systems CenturyLink runs on its secure internal network, where that Bamital botnet poses as incoming account activity to disguise its internal presence?

Something is very suspicious with CenturyLink ISP server management, here.

hi claudius2u,

I’ve gone and notified a malware specialist to have a look. It is June 23, and about 10 AM where he lives.

It does seem a bit weird that the ISP is the same in all cases. If you can create the logs I will have a look-see.

CenturyLink has not yet sent their log for my account. I asked for a two-week file, and was told it would be no problem. My education in network systems is a bit old, but if I need a hand . . . thanks.

What I’d really like is to get CenturyLink to corner their internal server farm management system’s every packet, looking for unusual headers and data. This appears to NOT be customer account-driven traffic, from the diversity of distant domains and fairly close-grouped dates of this traffic. That’s just too obvious to ignore.

However, I am in the process, and have asked my other household Windoz box user to also make a complete system scan, including a specific rootkit scan for this trojan.

Add me to the list of those who got the CenturyLink Bamital/Ramnit-A email.

My location is Iowa, USA.

Details:
2013-06-20 05:22:26 GMT from “sdtstuff.co.cc”

Ran all the scans they requested and additional anti-virus scans, including Avast free and Spybot Search & Destroy for this PC, and McAfee (paid) for my parents. Came up with nothing.

I just scrapped the Windows 7 install on their laptop with a fresh Ubuntu 13.04 install, and my laptop runs a fresh copy of Ubuntu 13.04 as well.

Additional information:

I am using their wireless router, which is an Actiontec Q1000.

Another interesting note would be that it seems my neighbor, who also uses CenturyLink internet, also went down last night when mine did. I haven’t asked him, but his wireless network isn’t password protected and I couldn’t access the internet with his. He currently uses a Linksys router, according to his network connection name.

Ramnit is not a classic PE infector; it infects HTML and HTM files that are on your hard disk. It comes bundled with backing vocals (the TDL3 rootkit and a trojan downloader), a serious infection.

The original name of the main file is DesktopLayer.exe.

It creates files with the suffix Srv:

ExplorerSrv.exe
UserinitSrv.exe

A system infected with Ramnit cannot behave normally, and the user will notice it.
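A way to check a machine for the indicators listed in the post above, as an added example that is not part of the thread and not any vendor's tool: it walks a directory tree, flags the executable names the post gives (DesktopLayer.exe, ExplorerSrv.exe, UserinitSrv.exe) plus anything else following the "<name>Srv.exe" naming, and applies a trailing-script heuristic to .htm/.html files. That heuristic (a `<script>` block appearing after the closing `</html>` tag) is an assumption of the example, not something the post states, and the sample tree the script builds is constructed, harmless placeholder data.

```python
"""Sweep a directory tree for the Ramnit indicators the post lists.

This is an added example, not code from the thread or from any AV vendor.
Only DesktopLayer.exe, ExplorerSrv.exe and UserinitSrv.exe come from the
post; the trailing-<script> heuristic for HTML files and the demo tree are
assumptions made here for illustration.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# File names given in the post (compared case-insensitively).
KNOWN_NAMES = {"desktoplayer.exe", "explorersrv.exe", "userinitsrv.exe"}

# Generic form of the "<original>Srv.exe" naming the post describes.
SRV_PATTERN = re.compile(r"^[a-z0-9_\-]+srv\.exe$", re.IGNORECASE)

# Assumption (not from the thread): an HTML infector that appends its payload
# leaves a <script> block *after* the closing </html> tag. A script inside
# the document is normal; a script after </html> is worth a look.
TRAILING_SCRIPT = re.compile(r"</html>.*<script\b", re.IGNORECASE | re.DOTALL)


@dataclass
class Findings:
    suspicious_exes: list = field(default_factory=list)   # paths relative to root
    tampered_html: list = field(default_factory=list)


def is_suspicious_name(name: str) -> bool:
    """True for the exact names from the post or anything matching *Srv.exe."""
    lower = name.lower()
    return lower in KNOWN_NAMES or SRV_PATTERN.match(lower) is not None


def html_looks_tampered(data: bytes) -> bool:
    """Apply the trailing-script heuristic to raw file bytes."""
    text = data.decode("latin-1")          # never fails; only ASCII tags matter here
    return TRAILING_SCRIPT.search(text) is not None


def sweep(root: str) -> Findings:
    """Walk root and collect both kinds of indicator. Matches are leads for
    manual review (hash lookup, signer check), not a verdict."""
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_suspicious_name(name):
                found.suspicious_exes.append(rel)
            elif name.lower().endswith((".htm", ".html")):
                try:
                    with open(path, "rb") as fh:
                        if html_looks_tampered(fh.read()):
                            found.tampered_html.append(rel)
                except OSError:
                    pass                    # unreadable file: skip, keep going
    return found


def build_demo_tree() -> str:
    """Constructed sample tree (harmless placeholder files, not real malware)
    so the sweep can be exercised offline. Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="ramnit_demo_")
    samples = {
        "notepad.exe": b"MZ placeholder",
        "ExplorerSrv.exe": b"MZ placeholder",
        "DesktopLayer.exe": b"MZ placeholder",
        "clean.html": b"<html><head><script>ok()</script></head><body>hi</body></html>\n",
        "page.htm": b"<html><body>hi</body></html>\n<script language=\"VBScript\">rem appended</script>\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    result = sweep(target)
    print("suspicious executables:", result.suspicious_exes)
    print("HTML with trailing script:", result.tampered_html)
```

Run it with administrator rights against the system drive (`python sweep.py C:\`) so protected directories are readable. A hit on a `*Srv.exe` name is a lead, not proof: check the file's hash and signature before acting on it, and treat a clean sweep the way the thread does, as one data point next to the ISP notice rather than the final word.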

What are some of the symptoms a system infected with Ramnit would have out of curiosity?

Ramnit symptoms are Avast screaming every time you boot, redirects on the internet, the system slowing right down and sometimes freezing, and some programmes not working or locking up. Believe me, if you have it you would know.

System is completely unusable. It can be transmitted from flash drives.

It would appear none of us had any symptoms of such an infection on any of our systems. As mentioned, all scans also came back clear. Only the report from our ISP. It is interesting that yet another person reported using an older Actiontec/Qwest modem who encountered the problem. Perhaps it is related to the Q1000 and similar line of older modems Qwest/CL used a few years ago. Ever since I upgraded my modem to a newer model, the problem has not occurred again.

A few years back a bunch of routers were sold that had a firmware infection… I will see if I can locate that data

Just on a hunch, to all: All three Q1000 modems set with factory default admin names and/or passwords? Using wireless enabled for local network?

Also have noted that, in the past, TCP port 4567 is always set as open. Why that is, I do not know. It is not reported as stealth or closed by GRC.com, and has not been since Qwest service started here, through several different qwest modems. Personally, I think Qwest is using this port for system maintenance.

I also have a Q1000. Not attempting to divert the topic from the OP’s and others’ issues, but rather exploring other possibilities.

Hello there. I actually signed up just to post on this thread; the same exact thing that has happened to the other posters has also happened to me. While I’m not sure if I received an email notification from any odd sources, yesterday my internet was redirected towards a warning by CL about possible infection from the ramnit-a virus. However, like everyone else, scans on both my antivirus (avast) and my anti-malware (malwarebytes) came up with nothing. I also looked for the files mentioned by argus, just in case, and the searches have come up negative. I checked to see if there were any registry changes reputedly caused by the virus and found nothing. There were no suspicious processes, and my system isn’t “unusable,” though I still wonder if four simultaneous searches would really cause windows explorer to crash… a gaffe for the latter, I guess.

Something worth mentioning is that I do remember a prevented attack the night before yesterday, though I don’t think it was anything as serious as the ramnit-a. A quickscan done immediately afterwards yielded no alarming results. Should I assume that I’m fine and maybe CL just detected the traffic whilst avast actually did protect my system? Or could the prevented attack and the CL warning be unrelated? To add another layer of strangeness: I also have an Actiontec Q1000 modem…