Hope the computer-savvy guys and girls can help me out.
I am currently temporarily living in a community and using their wifi network.
But... this wifi network is infected with a Trojan and our provider suspects we are part of a botnet.
This problem has been going on for months now!
We've been quarantined by our provider AND our provider threatens to shut us off the internet altogether.
We used AV scanners and Malwarebytes to check all computers, but haven't found anything.
My antivirus (Bitdefender) doesn't pick up anything and Malwarebytes didn't find anything either.
My systems might be clean, or they might not.
We are desperate and really could use any and all help to locate the infected computer within our network!
We are not that computer savvy, so please bear that in mind.
As said: I appreciate your help, advice, suggestions and ideas!
Someone who isn't in your community could be tapping into your wifi network, especially if the password is too easy, or an ex-community member; they could just be sitting outside with their laptop and using it. You could at least change that wifi password.
It's rigorous, but if everyone installs Windows from scratch, you can all say for sure the problem isn't with you. I don't know how many people there are.
Did everyone check with Malwarebytes and an antivirus? They should. Mind you, not every antivirus program will pick up all viruses, but since we're talking botnet activity, it's malware.
Your provider could be a lot more helpful, though, instead of threatening, and they know a lot more, like what hours/days it happens, maybe even which computer? Worst case, get an IT guy in; there are sites where you can have IT students come by to help for cheap (assuming you still live in the Netherlands, and depending on whether you live near a large city).
Reinstalling Windows comes to mind, yes.
But I fear that's way too complicated for many of the users.
I am still not comfortable doing it myself.
Provider did send their log files with time stamps and the suspected activity.
We've been trying to narrow it down by dates and times.
Because not everybody is here all the time and not everybody uses the computer every day.
Thus far we haven't come up with anything.
Yes, someone tapping into the network comes to mind with me for sure!
The password is changed recently, but it is ridiculously close to the old one.
Activity is on all hours, also a lot of nightly activity.
But a computer in standby mode can be accessed remotely at all hours.
Sadly the provider can't pin point the computer, wish they could!
I don't know how many people there are; 10 or 100 makes a difference.
If you've got a few who know how to install Windows 10, they can help the others. There really isn't much that can go wrong with installing it: you plug in the USB stick and it guides you through a few steps (even if you misclick you can't ruin it). The only thing you need to be careful about, if you have more drives, is to select the right one you want to install Windows on (and format it beforehand).
When the password was changed, did you get information from the provider on whether the suspicious activity dropped?
Still, change the password to something completely different.
What's the reasoning for the remote access?
That student-at-home thing, I think they charge 8-10 euro per hour? I mean, if we're talking about a lot of computers, like >50, then it's going to be a lot harder to pinpoint from a distance than seeing things for yourself, and the risks often become a lot bigger.
And basically you then should have some safeguards in place so certain people don't install shady software or visit shady websites, what an IT administrator would normally do. If you only have 10 computers, then it shouldn't take such a person long.
It could also even come from laptops, tablets or smartphones that use the wifi.
Virus:Win32/Jadtre.A threat description - Microsoft Security Intelligence
It can usually be detected by the virus scan that comes with Windows 10, and should be of a class that can be repaired.
You may want to scan again just in case.
But are you connected to a computer other than the one you are using?
Suspect other computers.
Is the email from the provider real in the first place?
I am using 2 computers myself and they are not connected to other computers.
And I do suspect another computer being infected.
But as of yet, I can't rule out that I am infected.
But Bitdefender and Malwarebytes give me a clean bill of health.
And yes, the email is very legit!
There has been phone contact with our provider as well.
Does the router you use to connect to the Internet have wireless capabilities?
Is there a possibility that the router settings have been switched to the public setting and connected from a nearby PC?
Someone you don't know may be using a PC connected.
(Possibility of takeover of router)
You may need to change your router password and update the firmware.
I scanned through the replies and couldn't find whether you have already tried this or not...
Have you actually read through the link that kappaking posted? It states:
The virus prevents Windows from starting in safe mode, attempts to connect to a remote server to log its presence, and attempts to download and execute arbitrary files.
So a quick way to find out if a computer is infected might be to try to boot into safe mode... If it fails, you know that it's infected and you can keep that device disconnected until it's clean again.
Yes I read through the replies, but somehow didn't think to use this as a test.
Might indeed be worthwhile!
I hope it helps you reduce some of your upcoming work ;-)
At least my 2 laptops still boot in safe mode, that's a relief!
Need to wait till after the weekend if our little test from yesterday helped a bit.
If not, I might be allowed to do more.
"We've been quarantined by our provider AND our provider threatens to shut us off the internet all together."
Something VERY sketchy about all this
copy and paste the email you received
This isn't uncommon for ISPs to do to commercial customers, but it could possibly be a scam. I agree with ApeCavalryDeserter that a copy of the email would be useful.
I wasn't the recipient of the email, I was asked to look at it and look at the provided logs.
So I can't share it here.
Besides, mail is in Dutch.
It's not just an email, there has been phone contact and the community received snail mail from provider also.
There's no question here about legitimacy.
Whole thing sounds like a load of shit. Phone contact and mail could be anyone. Get the contact phone number from the service providers official website and call it. Don't trust anyone who contacts you. And don't use contact numbers that are not publicly available on official sites.
Agree, sadly it isn't in my hands, so I am not entirely sure this is 100% legit; but can ask.
Maybe the router got hacked? With all the insecure IoT devices, smartphones etc. out there that don't get any updates... could be hard to figure out.
By the way, how do you know it's the Win32.Vjadtre.3 Trojan if all scans show nothing?
That's what the provider gave as information.
They are still detecting outgoing traffic which is indicative of a viral and/or malware infection.
AND they have detected that one of our browser Add-ons is infected with a Win32.VJadtre.1.
That data is collected by the provider using G-Data.
They basically gave us this link: https://www.google.com/search?&q=Win32.VJadtre.1+remove
Which leads to VJadtre 1 not 3 links.
And they sent us a link to a blog which describes how to remove the virus but simultaneously advises against installing the suggested software!
So to be precise: the Win32.VJadtre infection is not the only problem.
Seems the log is also showing Trojan.Crypt activity. Which, I guess could be any kind of Trojan.
Yes, router could very well be hacked.
I am surprised they didn't offer to replace it.
But.....we live in a large building with multiple routers and wifi enhancers.
Where do you live and who's your ISP?
My guess is that a router hasn't been updated, or the wifi password hasn't been changed in forever and there's an old compromised device on the network that no one remembers.
Who owns the community network? Do you have an actual admin or is this just a mix of community owned hardware? You'll need admin access to the network hardware to fix everything (routers, modem, servers, etc). It sounds like you do, but doesn't hurt to ask.
What do you mean by an old compromised device?
It must be something that is still used or at least still ON.
I've found devices in closets and ceilings that were put there by someone who's left the organization. There's plenty of examples of computers being found in walls that were forgotten. These days, there's also the possibility that someone's TV or baby monitor has been compromised and the owners had no idea they were on the network. ("I thought Netflix was part of my cable package")
If your ISP has sent you a warning letter, they may have a solid signature that flagged them to the malicious traffic. If you could get that from them (Edit: or better yet a traffic sample), you could scan the community network for the same offending traffic. This would rapidly help you narrow what the offending device is.
Edit: There's also the slim possibility of a false positive on the providers end. I wouldn't count on it though.
I'm happy to help consult (for free) via Skype or phone. Just add me on steam and I'll send my contact details. No one should be stuck at home without internet access right now. ^-^
All we got was log files with the suspicious activity and time stamps.
But doesn't look like it is specific to any device, just points out as coming from this network.
I don't know how many computers there are that use the network, might be around 50 or so.
Then there's still the phones, the television sets and baby monitors.
Feels like searching for a needle in a haystack.
What do you mean by a solid signature?
And how may we be able to use that?
Right, ALL traffic looks like it's coming from your modem/router to your ISP due to Network Address Translation (NAT). But if you monitor the traffic off your router, you can see which device on your network is sending the bad data to your router.
A signature is a pattern of bits that can be used to find a specific type of network traffic. By "solid" signature, I meant something that is a quality indicator (triggers pretty frequently and doesn't have many false positives). Sometimes that's something as simple as connecting to a specific URL or IP address. Sometimes it's as complicated as having a malformed TCP/IP header.
If you know what signature the traffic is triggering, you could use that same signature to search your internal network for the offending device. You'll use a program like Wireshark to monitor and parse the data traveling on the network. It can be a little tricky to set up if it's your first time. And you may need to pick up a router to help troubleshoot the problem. Not every device is capable of mirroring all traffic to a specific port. If the primary router is provided by the ISP, they may be able to help set this up.
Will talk to the people here who are working with our ISP and relay what you have told me.
Hope it will help!
If we were to use Wireshark does that mean that one pc/laptop needs to act as a server within the network?
Think it is already starting to get over my head.
Yes, you'd need a PC or laptop to run the software. It wouldn't be as a server, it would just be scanning all the traffic the router sees.
And yea, it's not simple. That's why I offered my contact info. But, with a little assistance, I believe it's something you (and the closest person to a network admin you have) could do! The steps are fairly easy, and it is something that could be broken down into steps that are easy to understand.
If you want to get someone to come in person to your community to help, I'd suggest staying away from the random PC repair shop unless they know how to trace traffic across a network. Since you're outside the US, your ISP might actually have a decent chance of employing technicians that can handle this kind of problem. Wouldn't hurt to ask them and explain your situation if you've got a tight budget to fix this. If you're trying to do this on the cheap, I'd suggest contacting a local college that has IT degrees and see if any of the Network Administration student workers are up for a side gig.
Just make sure that whoever comes out brings a router already pre-configured with a "mirror port". They should know what you're talking about, you don't have to. ^-^ There are other ways and tools to solve this problem, so if they say "Oh I don't need that, I'm going to..." and start spouting off technobabble and pulling out their gadgets, they're likely the right person for the job.
Thanks a lot!
Might get back to you on Steam.
Are you a professional IT worker of sorts?
There is some kind of plan in place for tomorrow but I don't know the details yet.
I know it involves disconnecting every device from wifi and the internet and one by one connecting them back.
But I don't know of any prior steps, like resetting router and password change.
Although I am not THAT computer savvy, I have the feeling I know more than the guy currently working with our ISP.
He got them on the phone this afternoon and was completely baffled by their techno talk.
I found some useful tips here tonight.
Like checking if our router is broadcasting.
Password change, obviously! I suspected all along that our router is hacked and the recent password change was no improvement, as it is just one digit different from the last and totally hackable.
MAC addresses, like should our ISP have logs that trace the activity back to not only certain URLs that get accessed but could they trace it back to a specific MAC address?
I have a feeling I am sort of understanding what you want to do with an additional router with mirror port.
But I doubt I could pull it off myself, it still sounds complicated.
Found this Blog posting: https://www.testdevlab.com/blog/2017/08/setting-up-router-traffic-mirroring-to-wireshark/
But it doesn't give me enough info and I don't know who and how to check the data for malicious activity.
This blog post wants me to run far away from the problem and simultaneously pulls me in to figure it out......
With computers I always have the feeling of running 3 steps behind, however much I learn.
To be continued tomorrow, it's night time here now.
Hope to hear there is a solid plan of action.
Fear it will be bits and pieces work with the right intention, but not enough to solve the problem.
Thanks for all the help thus far!
Yep. I work in security actually.
Connecting everything back one by one sounds like a nightmare of logistics and time consuming, but for your sake I hope it works out.
I personally believe that your router should always broadcast its SSID. Hiding it doesn't actually hide the traffic as any attacker can sniff it right out of the air. Updating the firmware of the router is more important than changing the password. The things that tend to attack routers don't bother with passwords (other than factory default ones).
MAC address is a good thought, and that's how you'll be able to trace things to a device from your router with Wireshark, but the ISP won't see the MAC addresses. Your router will strip that data when it forwards everything to your ISP.
If you understand every computer has a MAC address, you could totally pull off someone walking you through most of the steps. laughs Yea, that's actually a pretty good blog post. It is lacking in the step by step process, but if you followed it even a little, then you could easily handle the full process with some explanation along the way.
Of course, I've always been a believer that this stuff is doable by anyone who's interested and is willing to put in the time. When everything is put together, it's pretty complicated, but when broken down into steps and explained, each step seems pretty easy. I mean, there are going to be things you don't fully understand, but that's ok. Treating the stuff you don't know as a magic black box will work just fine as you learn. Eventually you'll get to open that box and let out the magic smoke, but until then it works well enough.
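The two posts above make the same point from both ends: the ISP only ever sees the router's public address because of NAT, while on the LAN side every frame still carries the source MAC of the device that sent it. As an added example (not code from anyone in this thread), the script below shows what "search your internal network for the offending device" looks like in practice once a capture exists: it parses raw Ethernet/IPv4 frames from a classic pcap file, such as one written by Wireshark or tcpdump on a laptop attached to the mirror port, and counts, per source MAC and LAN IP, the frames going to a flagged destination. The flagged address 203.0.113.7 and all MACs and LAN addresses are placeholders constructed for the example; the real indicator would be whatever IP or domain the provider's signature fires on.

```python
import struct
from collections import defaultdict

# Indicator from the provider's signature. 203.0.113.7 is a documentation
# address used as a placeholder (assumption), not a real command-and-control host.
FLAGGED_IPS = {"203.0.113.7"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dst_port) for an Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:                      # 14-byte Ethernet header + 20-byte IPv4 header
        return None
    src_mac = mac_to_str(frame[6:12])        # bytes 0-5 are the destination MAC (the router)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:                  # ARP, IPv6 etc. are skipped here
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes (options included)
    proto = ip[9]
    src_ip, dst_ip = ip_to_str(ip[12:16]), ip_to_str(ip[16:20])
    dst_port = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP both keep dst port at offset 2
        dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return src_mac, src_ip, dst_ip, dst_port


def frames_from_pcap(data):
    """Yield raw frames from classic libpcap bytes (either byte order, Ethernet link type only)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:
        raise ValueError("expected an Ethernet (DLT_EN10MB) capture")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def attribute(frames, flagged_ips=FLAGGED_IPS):
    """Count frames per (src_mac, src_ip) whose destination is one of the flagged IPs."""
    hits = defaultdict(int)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2] in flagged_ips:
            hits[(parsed[0], parsed[1])] += 1
    return dict(hits)


# --- constructed sample traffic so the script runs offline ---------------------------
def build_frame(src_mac, src_ip, dst_ip, dst_port=443):
    """Build a minimal Ethernet/IPv4/TCP SYN. Checksums are left 0, which is fine for parsing."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def to_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (only needed for the demo)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1584000000 + i, 0, len(f), len(f)) + f
    return out


# Two hypothetical LAN hosts; the laptop talks to the flagged IP twice, the TV does not.
SAMPLE_FRAMES = [
    build_frame("a4:5e:60:11:22:33", "192.168.1.23", "203.0.113.7"),
    build_frame("b8:27:eb:44:55:66", "192.168.1.40", "93.184.216.34"),
    build_frame("a4:5e:60:11:22:33", "192.168.1.23", "203.0.113.7", 8080),
    bytes.fromhex("ffffffffffff" + "a45e6011223344" + "0806") + b"\x00" * 28,  # ARP, skipped
]

if __name__ == "__main__":
    for (mac, ip), n in attribute(frames_from_pcap(to_pcap(SAMPLE_FRAMES))).items():
        print(f"{mac} ({ip}) -> flagged destination, {n} frame(s)")
```

With a real capture taken on the mirror port (for example `tcpdump -i eth0 -w mirror.pcap` on the laptop), replace `to_pcap(SAMPLE_FRAMES)` with `open("mirror.pcap", "rb").read()`. Two caveats matter for this building: if the families' own modems (mentioned later in the thread) do their own NAT, the MAC you see is that modem's, and the same exercise has to be repeated behind it; and phones that randomize their wifi MAC will show up as an address nobody recognizes, so match on the LAN IP and the DHCP hostname as well.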
Answered to Lugum, but might be of interest to you too.
But looks like you are already following the thread.
Looks like you 2 are the most knowledgeable guys here and/or the most willing to help.
To be continued after the weekend again.
Finally picked up 2 USB sticks at home.
Made the LiveCD per Ryzhevhost's suggestion, wanted to try that first.
But for the love of my life I can't get my laptop to boot from USB, it's driving me bonkers!
Went to the BIOS, can change the boot order from UEFI to Legacy mode, but can't seem to get USB as the primary boot device!
Tomorrow I have limited time on the network.
As the guy working on the problem is doing another test tomorrow.
2 families have been ruled out as there was no suspicious outgoing activity when they were online. Not so sure they should be ruled out already, because if there is a hacker active he could just be inactive at that time. Those ruled-out families stayed online when another group was added.
The first thing that comes to mind is that someone could be using your internet connection for shady stuff without you knowing.
The steps would be
Also, most routers that aren't bottom of the barrel have a list of known devices that ever connected to the router. Check that list for any devices that don't belong to anybody in your house / home.
Do this first, because updating / restarting your router might delete the log files.
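The "check the router's device list" step above is easy to say and tedious to do by hand for 50-odd devices, and modern phones complicate it by randomizing their wifi MAC so they look like strangers. As an added example (not from this thread or any router vendor), the script below reconciles a DHCP lease table against a list of devices people have claimed, flags everything unclaimed, and marks which unclaimed entries carry the locally-administered bit that randomized MACs set. The lease lines follow the dnsmasq format (epoch, MAC, IP, hostname, client id), and the lease contents, the inventory and the single OUI hint are all constructed for the example.

```python
# Constructed dnsmasq-style lease table (epoch, MAC, IP, hostname, client-id). Not real devices.
SAMPLE_LEASES = """\
1584000000 a4:5e:60:11:22:33 192.168.1.23 annas-laptop 01:a4:5e:60:11:22:33
1584000100 b8:27:eb:44:55:66 192.168.1.40 * 01:b8:27:eb:44:55:66
1584000200 de:ad:be:ef:00:01 192.168.1.77 android-9f2c 01:de:ad:be:ef:00:01
1584000300 3c:5a:b4:77:88:99 192.168.1.90 * 01:3c:5a:b4:77:88:99
"""

# What residents have claimed so far; anything not listed is "unknown" (constructed).
KNOWN_DEVICES = {
    "a4:5e:60:11:22:33": "Anna, laptop",
    "3c:5a:b4:77:88:99": "Bert, phone",
}

# Tiny vendor-prefix table to give a hint about unclaimed hardware. A full list is the IEEE OUI
# registry; this one entry is the Raspberry Pi Foundation prefix (included as an illustration).
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}


def parse_leases(text):
    """Parse dnsmasq lease lines into dicts; lines that are too short are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"mac": parts[1].lower(), "ip": parts[2], "host": parts[3]})
    return rows


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered (often randomized) MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def vendor_hint(mac):
    return OUI_HINTS.get(mac[:8], "unknown vendor")


def reconcile(leases, known):
    """Return the lease rows nobody has claimed, annotated for follow-up."""
    unknown = []
    for row in leases:
        if row["mac"] in known:
            continue
        unknown.append(dict(row,
                            randomized=is_locally_administered(row["mac"]),
                            vendor=vendor_hint(row["mac"])))
    return unknown


if __name__ == "__main__":
    for dev in reconcile(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        note = "randomized MAC: ask phone owners" if dev["randomized"] else dev["vendor"]
        print(f"UNCLAIMED {dev['mac']} {dev['ip']} host={dev['host']} ({note})")
```

A randomized entry is not evidence of an intruder; it usually means a resident's phone, so the fix is to have people turn off "private address" for this network or claim the entry. An unclaimed entry with a real vendor prefix and no hostname, on the other hand, is exactly the forgotten device in a closet or ceiling that the later post in this thread describes, and is worth tracing physically before the router is reset and the lease table is lost.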
Will talk to the one in charge here atm. and see if the firmware is updated already
Password should be changed too, hopefully they will be open to use a password generator this time.
And perhaps, if it is wirelessly connected, get them to check if it is broadcasting (tick box inside the router software). Mine was broadcasting that it was there for anyone to connect to when it got hacked, so I chose to turn off the broadcast signal and check the box in Windows to connect even if the router is not broadcasting. (Mine was a hacked router when I received a letter, and I used crappy passwords that they could easily hack. I ended up updating the firmware on the router, setting it to not broadcast, and using a password generator. That was some time ago now, and now I use wired mostly for the home, as my phone is the wireless hotspot now.)
The router software also allows you to set the IP range and how many people can connect. I ended up setting an odd IP range and only allowing as many people to connect as I had devices; I could then interrogate each MAC address that connected to see what each one was.
This sounds like it could very well be the case here too.
Will take this up tomorrow with the guy working on it with our ISP.
Hopefully someone didn't allow remote desktop access. Should use good quality antivirus systems. Watch taskbar program activity: an infected computer should be using some unknown process at a high rate of activity, slowing things down and hijacking RAM. If a known application is infected, it still should be showing unusually high activity and RAM consumption.
Removal instructions are on the bottom half of each page.
windows versions https://www.removemalwarevirus.com/win32-vjadtre-3-uninstallation-simple-steps-to-uninstall-win32-vjadtre-3-completely
caveat: I don't know if these websites are trustworthy
Thanks will check the links!
When I had an issue at my work, I changed the password to the WIFI as well as unplugged anyone physically connected. Then, slowly reconnected people (after running every anti-virus/spyware/etc I could find) to see if something triggered.
One useful tool is TCP View (https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview). If you run it on a computer it will show what connections are being made from and to that unit.
These 2 links have some IP and domains that it apparently could try connecting to. TCP View would show you if those were active.
It would be easier if your ISP could let you know how it detected it and what IP was being contacted.
There is a plan for tomorrow, don't know the details yet.
But part of it is disconnecting everything and one by one connecting again.
I hope it will involve a router reset and password change as well.
A harsh option would be whitelisting every device at the router so that no unauthorized devices can connect. Might cause a lot of disruption if there's a lot of people though.
What you should do is, reset the modem/router to factory settings, then connect 1 PC at the time. But I don't know how you can test if the connected PC is the one infected.
What Edocsil said is what I was gonna say :\
I am not entirely up to speed, but I think that's the plan for tomorrow.
Will hear more tomorrow.
If you and your community want to go through all the trouble you can reset every device back to factory settings and clean install every pc in your community <- that's the safest and easiest way.
Or you could just ask the isp to share logs and point out the suspicious activities so you can isolate the device(s) that are acting on their own.
Even though the IP address may change, there is always the MAC address that is encapsulated in Ethernet packets.
I do have some of the log files, but it looks like it doesn't display all info.
But if the MAC address is encapsulated in the Ethernet packets, shouldn't the ISP be able to pinpoint it to a specific MAC address?
Then in turn we could check the MAC addresses of our devices?
Can't remember how to do that, but have encountered it before.
Weird story happened a decade or so ago when I bought an ALDI pc (Medion), the factory had accidentally given the whole bunch the same MAC address! That was not funny!
Thanks all, this isn't solved yet, but I learned a lot tonight from all of you!
There is a plan of sorts for tomorrow, not sure what the details are.
But I do know all devices will get disconnected and gradually be plugged in again.
Hope that isn't all.
Hope the Router gets addressed first and that it will get a firmware update AND a strong password!
To be continued!
Meanwhile I had my own ISP thing: for a week my wifi went off/on etc., so I reset the Ziggo white modem box and suddenly my speed dropped to 1 Mbps, which is just super slow. Called them 4 times (3 hours long); one time halfway through I didn't hear anything back anymore, 2 times it went halfway into a busy signal, and the last one was just so rude, basically "deal with it, and it must be your fault or your neighbours'" (who are moving out, so hardly using anything). I am sure to go file a complaint.
Before, they always used to be nice and helpful.
That's super annoying!
What sometimes help is when they reset the line, cause that also resets the connection from provider to modem. Have had that several times with KPN.
Hope you get it sorted.
I've had SO many internet problems on my houseboat (currently not residing there)
I have internet speed there that's from the stone age 13Mbit down, 0,9 Mbit up.
That's all they can offer me. (KPN)
But....normally there is a tool active that throttles back on speed when there are stability issues with the line.
In my case that tool kept throttling back till I got to a 2Mbit down speed.
Finally they disabled it on my connection.
If I want faster internet I have to switch providers, used to have Casema but when they merged their helpdesk was atrocious and the phone over internet was simply not working, so we switched to KPN. Little did we know how fast internet speed would grow and pick up and that KPN can't provide me more at my location.
Problem is we pulled out all the cables needed for Ziggo, so going back to Ziggo would be a real pain too as I am also talking about shore to boat cables.
Now I live in a community with pretty fast internet, but it's unreliable because it is a huge building with heavy concrete walls that interfere with the WIFI signal AND I might be part of a bot net!
Never a dull moment! xD
Well, I sent a complaint on Facebook, but I actually had someone with knowledge this time, and he brought my speed back up. He said he could look if he can increase it even more (though it might also decrease) and asked me if it was okay; I said sure, and then after an hour I get a reply from yet another colleague.
I think it really depends on your luck with whoever you get to speak to there, and some just read standard instructions and don't have a clue about what they are doing.
We had Casema too, then XS4ALL took over, and then Ziggo. They're a greedy bunch, you know that: in 3 years a 15 euro per month price increase under the terms of service, even more speed you don't need, and you know what? To sponsor Max Verstappen...
There is a thing called mesh, like small/big pods you can place in several places; they are like mini satellites that can work through thick walls and floors. I'm going to try it myself, I think. It can get expensive though, also depending on how big the building is and how many you need.
It makes a huge difference who you get on the phone!
Often they know less than you do yourself and refuse to put you through to someone more knowledgeable!
I know, Ziggo is advertising everywhere with their Giganet!
Nobody needs it, it's totally insane!
Unfortunately there is a large group of people that always wants more speed, because more sounds better..........
Even with 6 kids you won't need it!
Never heard of Mesh, just googled it.
How is it different from ordinary WIFI enhancers?
Still trying to grasp how the internet is set up here.
Apparently we have 1 incoming signal that is then divided into 2 separate networks. Using WIFI enhancers did not work in the past as they interfered with each other and constantly wanted to switch network.
Then there is the families living here, who have their own house within the building and their own modem, but still within the original network/incoming signal.
As nobody is really computer savvy, nobody can explain me exactly how it is set up.
But it sounds nightmarish!
Europe as a whole is having bandwidth issues due to the number of people staying home. The EU just asked Netflix and Youtube to cut their stream quality to accommodate. Might be related. Or could at least explain the technicians being tired.
my computer once had the lorena bobbitt virus. it turned my hard drive into a 3.5 inch floppy.
Yikes, but sounds like you got it sorted!
That's a quality joke for anyone that was around in the 1990's - you got a laugh out of me. Didn't John Wayne Bobbitt do some porno after getting it sewn back on?
Hell, I didn't even know he got it put back on.
My guess would be that Frankenstein's monster did the porno and John's name was in the credits because every body part on Franky was credited.
Part of me wants to look it up, but I'm sure Google already thinks I'm fucked enough.
My lack of shame and boredom in these trying times is your gain - I looked it up and you are going to be pleased with the results. He actually did two: "John Wayne Bobbitt: Uncut" and "Frankenpenis" (also known as "John Wayne Bobbitt's Frankenpenis"). Hahaha!
That's a pretty impressive medical result since she didn't just cut it off, she went for a drive and threw it out the car window.
I was just joking about Google thinking I'm too fucked... I use DuckDuckGo!
I just checked some of my favourite free sites and they don't seem to have the vids, but that's just too funny: I cracked the Frankenstein joke and they really named one after it.
Best topic hijack ever.
This poor person is trying to get help with computer troubles and we're sitting here talking about severed penises.
Yeah, it was a personal curiosity at first but the Frankenstein joke and the movie title made it a duty to let you know.
Definitely a quality topic hijack. I suppose it is raising the profile of cheshirecatgirl's IT woes and might bring new eyes to it but not particularly helpful intrinsically. Since we're already off-topic, I was also surprised to read that the Bobbit worm, a marine polychaete/bristle worm, is supposedly named after the incident, which I thought was curious since they are spelt differently, the animal was known to science for hundreds of years prior to the incident, it normally grabs rather than slices its prey, and Bobbitt used a knife, not scissors.
For a botnet-like/worm-like thing like this, disconnect ALL computers, laptops, PCs, fridges, washing machines, smartphones, Android TVs and Android boxes from the wifi/router/switch,
clean them up in one go at the same time,
after that reset your wifi/router and reconfigure the wifi using a new name and a better password (random words with numbers and symbols or something),
and pray that it works.
I am an IT guy (6 Microsoft certificates making me a Microsoft Certified Systems Engineer, and about 8 certificates at HBO level; almost had a propedeuse, but lack of money got in the way). Never had a real job in IT because I always fell in between too low/too high (for example working in a warehouse).
I am curious how much and what they could see from their screen like they could see last month our wifi had a drop.
Yeah 100 euro a month for that giganet...So what if a download takes 1 hour or 1 day.
I copy and pasted this:
"The reason for this discrepancy is the simple fact that WiFi extenders are simply an add-on to your existing network setup whereas mesh networks are an entirely new network setup that require multiple new devices to be placed around your home"
Well, these days you've got 2.4 GHz and 5.0 GHz wifi; that's why you probably have 2 separate networks. 5 GHz has better range but speeds might be slower; some devices can automatically switch.
I finally had a good technician from Ziggo on Facebook; he even was going to check if he could help increase our speed. Then I got someone else who was a lot shorter and wanted to check if our cable directly was still good (it was, but for some reason now it wasn't anymore, which meant I had to crawl under the floor with all the spiders to pull a new cable; that's good now, wifi still the same though).
And since my dad was sick and couldn't drive, I went to "hamster" groceries at 3 different places, and for some reason I took 2 jerrycans of cleaning vinegar too. I think I'm going to be sore tomorrow. :}
If you were anywhere close by I'd help, but probably not.
You got that backwards. 2.4 has better range and wall penetration, but slower speeds and is often crowded. 5ghz has better speeds and significantly less congestion, but has a hard time getting through things and bouncing around corners. ^-^
Mesh /is/ generally the answer though.
Yeah i figured (am so tired o_o).
Anyway i tried it once setting it up but it was a disaster and immediately dropped 5ghz.
Hope you are not too sore from your "hamster" shopping.
I am currently ill, slightly on the mend (hopefully), have no idea if it is/was Corona and totally freaking out over my Mum and her deteriorating health.
Should I go there, when I feel better in a few days? Will I not bring her the virus? My brother fears a total lock-down within a week, will I be able to travel to her once in lock down? It's a nightmare!
So I totally understand that you are tired and get things backwards with your sick Dad and your own health.
Yes, I remember you have IT qualifications and certificates, too bad it never landed you a proper job!
I have 3 old AMBI certificates, missing one (cause failed the exam) to get the base diploma, or whatever it was called back in the days.
I worked in IT for 5 years, but that was 20 years ago.
I am in Gorinchem, but chances aren't that high we live close together and with a possible incoming lock down.........
But even any help over the internet is appreciated!
Read up on mesh WIFI and do understand the difference from enhancers.
The guy here who's in contact with our ISP is not an IT guy. Yesterday he asked us to go offline in groups and close down computers, in the hope that when the new logfiles from our ISP are sent to us after the weekend he can pinpoint the infection to a user group and narrow it down this way.
It has a chance of working if it is indeed a single infected device, but I don't have high hopes.
On the other hand, if the outgoing traffic remains viral all day it might be (more) indicative of a router infection/hack.
I asked if the firmware of the router was updated after the problems started. He answered that he first wanted to do the group by group disconnect test and see if that gave results and that he would get back to me if needed, cause I seem to have some knowledge of IT stuff.
Guess the firmware is not updated.
I used to know a Systems Manager in my City, we both held a board function in our local house boat union for several years. Sadly we lost contact, so can hardly ask him to help now.
What Thac0 said about monitoring the network with Wireshark sounds like a good option.
We may be forced to take real solid actions that will locate the source of this problem and fix this or else get disconnected all together.
But that's a threat hanging over our heads for a few months now.
From what I understand our ISP offered to come and fix the problem but then we had to take a paid subscription for an AV solution/program of their choosing and we would be charged per device. I think €5 per month/per device.
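Added example (not code from anyone in this thread): the group-by-group disconnect test described above can be worked out on paper or with a small script. The ISP only reports when malicious traffic left the shared public address, not which internal device sent it, so a group that was offline at the moment of a detection cannot be the source; intersecting the "online" groups over all detections leaves the candidates. The report lines, group names and offline windows below are constructed for illustration (the detection names are the ones quoted in this thread; the timestamps are made up), and the timestamp format is an assumption, since providers format these logs differently.

```python
"""Narrowing an ISP abuse report down to a user group with a disconnect test.

Added example, not from the thread or from any ISP tool. Everything below
(log lines, timestamps, group names, offline windows) is constructed.
"""
from datetime import datetime
import re

# Constructed abuse-report lines; the last one is deliberately truncated,
# like the cut-off lines described in the thread.
REPORT = """\
2020-03-14 10:05:12 Backdoor.Hupigon dropped: Trojan.GenericKD.32
2020-03-14 11:42:03 Win32.Vjadtre.3 Trojan outbound connection
2020-03-14 15:17:45 Backdoor.Hupigon dropped: Trojan.GenericKD.32
2020-03-15 09:30:00 Win32.Vjadtre.3 Trojan outbound conne
"""

# Constructed offline schedule: (group, offline_from, offline_until).
OFFLINE = [
    ("guest-A", "2020-03-14 10:00", "2020-03-14 11:00"),
    ("guest-B", "2020-03-14 11:00", "2020-03-14 12:00"),
    ("guest-C", "2020-03-14 14:00", "2020-03-14 15:00"),
    ("guest-A", "2020-03-15 09:00", "2020-03-15 10:00"),
]

# Assumed log layout: "YYYY-MM-DD HH:MM:SS <detection text>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def parse_report(text):
    """Return [(timestamp, detection_text)] for every line with a timestamp.

    Truncated detection text is kept as-is: only the time matters here,
    so a cut-off line still contributes an event.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def _window(start, end):
    fmt = "%Y-%m-%d %H:%M"
    return datetime.strptime(start, fmt), datetime.strptime(end, fmt)


def groups_online_during(event_time, offline, groups):
    """Groups that were still connected when the event was logged."""
    off = set()
    for group, start, end in offline:
        lo, hi = _window(start, end)
        if lo <= event_time < hi:
            off.add(group)
    return set(groups) - off


def suspect_groups(events, offline, groups):
    """Return (suspects, cleared).

    A suspect group was online at every detection. An empty suspect set
    means no single group explains all events, which points at the shared
    router itself or at more than one infected device.
    """
    suspects = set(groups)
    for event_time, _ in events:
        suspects &= groups_online_during(event_time, offline, groups)
    return suspects, set(groups) - suspects


if __name__ == "__main__":
    groups = ["guest-A", "guest-B", "guest-C"]
    suspects, cleared = suspect_groups(parse_report(REPORT), OFFLINE, groups)
    print("suspects:", sorted(suspects), "cleared:", sorted(cleared))
```

With the constructed schedule only guest-C is online at every detection, so guest-A and guest-B are cleared. If you add an offline window that covers every group at some detection, the suspect set becomes empty, which is exactly the "traffic continues no matter who is offline" case the post above raises as a sign of a compromised router rather than a single infected PC.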
From what I know about COVID-19, you should avoid going to see your Mum for several weeks, or until drive through testing is widely available in your area.
I would advise against that antivirus plan from the ISP while you have other options on the table. Sounds like a pretty expensive fix. But it should work as a last resort.
While your guy is working with the ISP, if you have an unused WiFi router somewhere, you could start putting the tools together to trace the signature down. Since it sounds like most of your network is wireless, you might even get lucky and be able to identify the culprit with just a laptop. If the signature is just a malicious URL, then it may be something you can pull out of the current router's logs or with a Pi-hole.
Do you know the model number of router y’all are working with?
There isn't much I know yet, cause they won't let me in on all the data and specifics regarding the network and the correspondence with our ISP yet.
I am pretty sure they will be knocking on my door soon, so hopefully I get more knowledge of the network setup soon.
I am trying to picture the network in my head and its bigger than I originally thought.
I said we have 2 networks within the original incoming signal.
But there's way more!
I am residing here temporary, so I am on the guest network which seems to be divided into 2 or 3 groups.
But every household seems to have their own separate network, that's 5 more networks!
So I am guessing we have a router, provided by our ISP, where the signal comes in, then it gets divided over 6-8 networks.
Each network having their own router, so there are probably 7-9 routers within our building.
This place needs a Systems Manager!
Also been going over the provider logs they gave me to look at and it looks like one (or more) devices is not only infected, but is also being remotely accessed, as there are keylogger Trojans detected.
What I am seeing in the logs is: (those are logs from before our little test from Saturday)
Backdoor.Hupigon dropped: Trojan.GenericKD.32
Can't identify them all, cause for some reason log is cut off at the right end of the page, so can't read the whole line.
Looks to me like we need to:
Cut off the hacker (presuming there is one) from accessing our network and get access to the infected device(s)
Find the infected device(s)
I know I am on a TP-Link Router, can't detect the model on it.
I am guessing we have a core Modem/Router where the signal comes in and the additional 7-9 Routers.
I am in one of the guest rooms here, so I don't have much with me.
So no access to a spare router.
Don't even have a flash drive with me to try Ryzhevost's suggestion, not that I am in a position now that I can use it to scan all devices in our building. But I could at least try it on my own laptops. At least my laptops still boot into safe mode.
Trying to find a solution is not in my hands (yet).
I don't know about setting up a Pi-hole, not even know exactly what it does, altho having some idea.
But I guess I would need direct access to the main Router then, which I currently have not.
For now I am just trying to wrap my mind around the problem and task ahead and am trying to figure out how we (or I, maybe) can fix this with help from you and others here on the forum! This is a real nightmare! Of course Corona is currently the bigger nightmare.
Yes, following advice I should stay away from my Mum, but what to do when her health is deteriorating so fast (not even Corona related) that we start to fear how long she still has? THAT's a nightmare too!
Yea, having to stay away from your mum while she’s sick sounds really rough. Sorry that she’s not doing well. I hope she feels better soon.
There’s some prep you can do if you’re bored. What kind of laptop do you have?
I have this laptop: Lenovo Legion Y530 15ICH 1060
with an i7 8750H CPU, 16GB Ram
Edit: wouldn't say I am bored, still trying to shake my own illness, whatever it is. But I kind of got caught up on this and can't let go!
Do you have a USB DVD burner and blank DVDs or CDs by chance? Unfortunately Windows doesn't always play nice with capturing wireless traffic, so being able to boot into a LiveCD would make life a little easier for you.
If not, getting a 4gig or larger USB drive would be ideal anyways. Any chance you know someone that could lend you one?
If neither of these options are available, or you just want to get started with what you have, that's ok. It just might limit what network traffic you are able to look at. Let me know which route you want to go, and when you're ready to get started, and I'll type up some instructions to get you going.
I might be able to pick up a flash drive later this week at my original home that's 16Gb, should be enough to install the LiveCD on.
Can't believe I left it there.
But I need to recover some more first, cause with still feeling slightly ill, I shouldn't be going anywhere right now.
Blank DVDs are useless imo, cause 9-10 laptops don't have disc drives anymore, so a flash drive is far better.
Are we talking the same LiveCD Ryzhehvost is talking about?
And/or does it (also) help with network monitoring?
I will let you know once I have a flash drive at hand.
Edited to add: I am for sure going to use Ryzhehvost's option to scan my own laptops with ESET, I am still in the suspected group of users.
This would be a different LiveCD, it would have some antivirus options, but it's mostly for network monitoring and discovering infected hosts. I wouldn't worry too much about your computer. Evidence of the things you mentioned would have likely been picked up by MalwareBytes. I would use this as an opportunity to make sure windows is up to date.
If you wanna play around with Wireshark on Windows while you recover, let me know. It's and might keep your mind off feeling bleh as you start recovering. And who knows, you might get lucky and discover the compromised device earlier than expected. ^-^
Find an antivirus that provides a LiveCD (LiveUSB) image (for example ESET has one), download it (preferably from a clean PC, but if you can do it from an infected one it's okay, it's just that some malware may prevent you from downloading it), and write it to a CD-RW or flash drive. Now, go one-by-one with all the PCs affected, disconnect them from the network, boot from the CD/flash drive you've made and do a full scan. Don't connect cleaned PCs to the network until you have all of them cleaned.
That's a good suggestion! Not that I am at liberty to implement or enforce it here now, but I will certainly keep it in mind!
It would also be a nightmare to scan all devices and keep everything disconnected until all devices are scanned.
But I hear that ESET is a very good antivirus program (a system manager I used to know worked with it)
From what I understand this LiveCD (I guess that would be a Flashdrive now) works independent of OS?
Does that also mean that it can be used for all OS's? Because from what I understand the computer boots from the LiveCD, so how can it be used for both Windows and Mac then? Not sure if we have Linux users, but think not.
works independent of OS?
Just so. That's the main idea - if the OS is infected it means malware is running all the time, and most malware will try to prevent AV software from working properly; but when you boot from a LiveCD, the malware is inactive and can't protect itself. And yes, it works regardless of the OS you have installed, since a separate minimized OS is loaded from the LiveCD. Also, if "Win32.Vjadtre.3 Trojan" is the only malware you have, then you don't have to worry about Mac or Linux users, since this malware is only for Windows (Win32 is in the name for a reason).
Ah thanks, at least I know now how it works, should I have to use it.
No sadly Win32.Vjadtre is not the only malware active on our network.
See my above answer to Thac0 with a small list I pulled from the ISP logs.
Those are Windows trojans, start scanning all Windows machines connected to the network following Ryzhehvost's advice (the best advice of this thread).
Mac malware exists but is rare. MacOS is far more secure than Windows.
Thanks, will see if I can pick up a flash drive at my old/original home later this week when I am up and functioning again.
I know I have a 16Gb flash drive, should be enough to install the LiveCD on there.
If it's a live CD a 1GB flash drive will be more than enough :)
Not more secure, just less common.
A lot more secure by design, I have seen too many Windows machines from non-technical users with UAC disabled. It's too easy to disable and that's the main reason to enjoy malware of any kind. Even with UAC enabled, that kind of user clicks "yes" to any prompt screen, so in some cases it's useless and they enjoy malware anyway.
MacOS, on the other hand, is more like Linux. Secure by default.
So Windows is less secure because of the users, not the OS? Only beginner level malware bought by scriptkiddies asks for permissions to begin with. And yes, the lack of malware has been mostly because of the low % of users compared to Windows.
Someone should make a malware that promises all Apple accessories for -50% and see how many users give their CC instantly.
So Windows is less secure because of the users, not the OS?
Yes, Windows is secure enough if you know how it works. Most experts don't even use blacklisting software (antivirus). But it is less secure than MacOS and Linux because in Windows you have admin permissions by default, unless you create a limited user account with lots of restrictions.
I have never felt any need for AV, since their main function is fear mongering with false positives. But I've also never felt any need to download any malware so that explains why they would never have anything useful to do for me. I've had 0 Windows machines ever infected while I've had 1 Linux server rooted through some 0day hole, so to me Linux is less secure. 0day is the actual key to problems, not a silly user clicking yes to everything and installing who knows what freeporndownloader.exe they found on USB stick in a dark alley.
0day is the actual key to problems
I agree on that. That's why it is so important to patch the OS, I will never understand why some people don't update their OS.
Your argument really lacks some logic. You are talking about user actions ("UAC disabled by user", user allows malware to make changes manually) and then you make a conclusion about the system... You really believe that all those morons who start malware with their own hands won't do the same on OS X? They will.
I'll just chime in to add a +1 to following @Ryzhehvost's advice. It's the best advice of the thread. 👍
In case you hadn't decided that yet. 🙂
Well I finally made the LiveCD, went to BIOS to change the boot order but can't pull it off.
I can switch from UEFI to Legacy mode but can't get USB as first boot.
It's driving me bonkers!
Yes, it could be tricky. Try to find out which button invokes a boot menu for your motherboard, it may help.
Got there, picked the USB boot, got into the ESET menu and then it said no ISO LiveCD was found.
Thought it might be the USB stick, so used another one, there was no USB option in the menu, picked something that might have been the USB.
But again no luck.
Will try and download the ISO file again, had a very bad connection, so maybe it got damaged.
BTW used Rufus to "burn" the ISO to the USB stick
Sigh.....I am really getting tired
This is embarrassing, I am pretty sure those 2 USB sticks aren't Flashdrives, they are simply too old!
Will order one tomorrow, at least I know how to make a LiveCD now.
Edit: Don't fret! This whole process will be some trial and error.
Any usb stick is a flash drive.
Rufus is one of the easiest ways to make these, so I don't think it's the drive.
So with windows 10, there's a new way to boot into a USB drive. I don't recommend messing with your UEFI/Legacy setting.
Try these instructions. Let me know if those don't work. https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html
Hi, hope you are alright?
Cause running a fever nowadays kind of puts you on edge!
Ohh right, thought USB sticks became Flash drives after 2016.
I am tired, so I am not always thinking straight.
I don't know why this LiveCD isn't working then.
Found a way to boot from motherboard menu, like Rhyzhehvost suggested.
But that's the thing, it pulls up the ESET info from the USB stick but then I get the message:
Unable to find a medium containing a live file system
So no idea where it it goes wrong, tried it on 2 (rather old) USB sticks.
Wanted to rule out my own laptops from being infected, by just doing this simple test.
Don't know what I am missing.
Edit: from ESET's page:
To burn a disc image, right-click the downloaded ISO image in Windows file explorer, select Burn disc image and follow the on-screen instructions.
Use a free third-party software to create a Live USB. There are several free utilities available on the internet, such as Rufus, UNetbootin or Universal USB Installer, among others.
I skipped the "burn a disc image" step, as I assumed that was for a real CD and not a USB stick.
So that might be where it goes wrong?
If so, need to install some burning software then.
Should give it a rest now, am really too tired.
BUT I did figure out why the LiveCD isn't working, missed that I had to boot from Legacy mode.
Tried that, which worked!
But the virus database doesn't update cause I have no ESET licence.
Will see if my own AV has a LiveCD option too, otherwise might get a trial version to use ESET.
Finally pulled it off, due to tiredness and feeling half ill, I was not taking in all information and not reading things properly :facepalm:
In the end it turned out to be dead simple!
Turns out that you have to boot into Legacy mode (UEFI not supported) in order for Live file system to work.
But discovered this isn't a free to use tool, you need a subscription/account; which I probably could have suspected.
My own AV (Bitdefender) no longer supports LiveCD, but has a rescue mode that works the same.
Downside is that you can only use it on your own computer and not use it on a flash drive to go from one computer to another.
Did scan both my laptops in rescue mode and getting a clean bill of health.
Guess if push comes to shove, and we do want to use this to check each individual computer one of us needs to take a trial version of an AV that has a LiveCD option.
Which one of them needs a subscription? I was sure I used the ESET one before, and it was completely free... did they change it?
And before that I used Kaspersky and Dr.WEB ones, which also were free at that time. Dunno if something has changed now.
I used ESET and it prompts you for user id and password, without it virus database won't update.
So looks like they changed it!
It might not be the most user friendly one also, because of having to boot into Legacy mode.
Could look into Kaspersky, see if that's free to use.
Well, I can't promise it will be free. Also, I guess the downloaded ISO should have a pretty up-to-date virus database, so maybe you can proceed without updating?
Tried that, but you get an empty scan then, with zero items checked.
Try this one, Clam AV (Open Source):
Live CD/USB: https://sourceforge.net/projects/antiviruslivecd/
Thanks, will keep it in mind!
Have the kaspersky file downloaded, but not yet tried it.
As of Friday night no malicious activity on our network spotted by provider.
But.....one of the router passwords has been altered.
So maybe it was a router hack and we don't have an infected device in our community.
Our guest network is divided into 3 networks and not all the passwords are changed, simply because the routers are so old that they are very difficult to access.
Don't think a password generator was used, so if it was/is a router hack, I fear it will be just a matter of time before the hacker gains access again.
The list of trojans you posted here are only for Windows. The routers are usually powered by Linux but they can suffer vulnerabilities too. Also, some malware for Windows could have changed the default password of the router.
You should start by setting a secure (complex) password for that router.
Tonight they tried to reset the main modem to factory settings, which worked.
But after that the other routers had difficulty connecting to the modem again.
So our whole network is down now :facepalm:
Using my phone as hot spot now, but am basically deprived of internet atm.
Hopefully our ISP can provide some help tomorrow. They already said that if, after 2 resets to factory settings, we wouldn't get internet back we could ask for a new modem.
But might be that the whole network needs reconfiguring now, doubt if all the routers will be "plug and play"
Can only hope it does get sorted!
Dr.Web might help you so much
Couldn't hurt, according to TechRadar it isn't as good as it claims to be, it does detect ransomware and malware but also misses threats.
But in order for it to work, we have to run it on ALL devices.
We already used Malwarebytes, but I can't be sure that it was run on all devices.
I was also suggested to use Zemana Antimalware.
Running an additional anti malware program makes sense!
I am almost sure if Malwarebytes can't find anything, nothing else will.
There was this program that had several anti malware programs in 1 setup, but i don't know if it's still updated nor what it was called.
Update for all who have helped me and a HUGE thanks!
During the test that was performed last weekend, no malicious activity was going on on our network.
ISP asked us to reset their modem (our main modem where the signal comes in) to factory settings.
This was done, but then the guys here couldn't get our network back up, so from shabby internet we went to no internet!
Outside IT help was called in, they came the next morning and reconfigured everything.
Still not sure if the firmware is updated too.
We do have a strong password now, that's not easily hacked.
Chances are high that one of the routers was hacked/compromised.
Good news is that we have internet again, we probably are no longer part of a botnet (hope it stays that way)
But internet is still very erratic, with crazy spikes and dips in speed.
My download speed varies from 0,5 Mbps to 45 Mbps! :facepalm:
Sometimes I have a couple of hours stable internet.
But many times it's not stable.
When I do a speed test (using Ookla) it sometimes starts at crawling speed and during the test speed picks up.
Those crawling speed periods (however brief sometimes, could be long also) are problematic.
It makes it very hard to connect to Steam servers and/or connect to any game server when trying to join a MP game and when in a MP game it's hard to stay onboard.
The router I am on doesn't have ethernet ports, so can't go wired.
There's talk of placing an additional switch.
WIFI was never that stable here, but with the higher load on traffic it's even more problematic.