01-17-2014 09:13 PM - last edited on 03-27-2015 06:31 PM by RogersJermaine
My internet was blocked twice for apparently having a virus I was not aware of. The second time we called the tech support they told us to do the same procedure as the first using the antivirus provided over an email. I had done that whole procedure before and no infection was detected on any of my laptops. I was even suggested an antivirus by the second tech guy, which I scanned my main laptop with, and still no infection. So I'm very confused on what the problem may be. He told me of a virus that could get by the virus things, but even after the one he had recommended to me, which is a strong antivirus apparently... Still nothing... And my main laptop is brand new. I'm still left confused because I do not know of any virus going on at all. And I can't keep having my internet blocked as I'm a college student and really need the internet for my studies.
07-07-2020 12:55 AM - edited 07-07-2020 12:58 AM
@stockylobster there are two possible choices here:
1. You have a botnet infection; or
2. The destination IP address has been attacked by someone using a spoofed IP address (yours).
The destination IP address belongs to Clara.net in Portugal.
https://bgp.he.net/ip/195.22.26.248#_whois
The details specify a TCP attack on port 80, which would be the HTTP login port on modems or routers. That looks like a report from an Intrusion Prevention System running on a router.
I would scan any connected devices with more than one antivirus application. For Windows desktops/laptops, consider loading Malwarebytes Anti-Malware as a secondary scan application. I use that as a secondary application:
https://www.malwarebytes.com/mwb-download/
There is also a version for Android and iOS.
Are you running the modem in Gateway mode, or in Bridge mode with a router behind it? If you have a router running, check for the latest firmware update. If it's older than a year and it doesn't look like there are any updates on the horizon, I'd strongly consider binning the router and buying another one that will be updated with recent firmware updates. In any event, if you have a router running, consider running a factory update and setting the router up from scratch. Don't load a backup config file.
To check the UUID for your Windows platforms, at a command prompt enter the following command:
wmic csproduct get "UUID"
Compare the UUID result with the UUIDs listed in the report from Rogers, just to see if there's a match. I haven't looked up how to find the UUID for Macs or Android or iOS devices.
01-29-2014 11:22 AM - last edited on 01-29-2014 12:28 PM by RogersDarrell
1) I hope this did not start with an incoming phone call claiming to be from Microsoft or Windows saying "your computer is sending virus"... DO NOT EVER follow instructions from someone on an unsolicited phone call. They will have you install software which allows them to take over your computer. They aren't who they say they are ...
I hope instead that your internet went down and *you* initiated the call in to Rogers who confirmed you had been shut off and why. Then it would be okay for Rogers to help you by remote.
2) You mentioned you were a student. Ensure that you have taken the appropriate precautions to secure your computer when using publicly accessible networks such as at school, libraries, coffee shops. Unis are prime sources of abuse. You set yourself up as an admin user with password, delete the default admin and guest users, keep anti-virus up to date and the firewall on, and turn file & folder sharing, remote desktop, screen sharing, Bluetooth, wifi sharing, etc. all off when you are not actually using them. Turn off autorun for USB sticks, avoid sharing sticks, etc...
3) I recommend Major Geeks for help with stubborn infections.
08-25-2015 12:48 PM
Not going to make a new thread since this one exists.
I got a call last week to say I have a virus on my system. Please check your Rogers email for more information. I checked and there was nothing about it, and just for the heck of it I did a full scan with Nod32 and Malwarebytes on my computer and my family's.
NOTHING!
Again I got a call yesterday to say I have a virus and to check the email. Again NOTHING.
I checked the phone number and sure enough it is from Rogers.
What's the deal?
08-25-2015 01:34 PM
Those programs may not find what it is.. most of the ones that are affected this way are usually a ROOTKIT type virus 😞
What is usually happening is SOMETHING within your network is spamming outbound.
I have had it happen to me ONCE. I only had one device on the network live at the time it was happening.. so I knew which PC it likely was. Got the call a number of days..
Only after I did a format/wipe on my PC did it stop.
08-25-2015 01:49 PM
I understand that. Nod32 and Malwarebytes Premium do scan for rootkits. Did not find anything. I even downloaded McAfee RootkitRemover and did not find anything either.
And I won't start formatting all PCs in my house because those tools aren't finding anything. Just plain crazy, sorry!
08-26-2015 07:29 AM
Well the problem is solved.
I called customer service and explained my situation. Never got an email about the problem in which I was told to look for more details. Sure enough it was never sent.
Then the person that helped me told me it was an OpenDns. Turned out my Cisco router did a firmware update and did not do a proper reboot. After I did the test and did a full reset on my router, everything was OK.
Here's the info for anyone else having issues.
10-22-2015 05:33 PM - last edited on 10-22-2015 06:21 PM by RogersMoin
Rogers Called Me Saying One of my devices in my household is infected with a virus
Hey all,
just a few minutes ago, I got a phone call with the number 888- something. It notified me that I had a virus on one of my household devices, and told me that if I could not get rid of it within 48 hours, Rogers would shut down my internet. They told me to go to rogers.com/getprotected or check my email that I registered with Rogers and follow the instructions there. I checked my email but there was nothing there. I'm 99% sure that this is a phishing scam, but I just want to confirm just in case.
10-22-2015 06:19 PM - edited 10-22-2015 06:21 PM
Hello, @Chromus
Welcome to the Rogers Community Forums!
If it was an automated call and you were asked to contact Rogers' technical support, I can confirm the call was from Rogers.
I will reach out to you through our CommunityHelps message box. Please check our message via the envelope icon that appears on the top right-hand side of your screen when you are logged in to the forums.
Cheers,
RogersMoin
10-22-2015 06:26 PM - edited 10-22-2015 06:26 PM
They did not tell me to contact them. All they told me to do was go to my email and find the email that they sent me, but it was not there. It also told me to go to rogers.com/getprotected. That's all they told me to do.
I also did the test that was mentioned in this post and it passed.
10-29-2015 06:47 PM
Check out the TechXpert Virus Info. here: http://communityforums.rogers.com/t5/forums/forumtopicpage/board-id/RAAETechXpert/thread-id/7
TechXpert will help you find, identify and remove any virus you may have.
RogersDarrell
01-08-2016 03:51 PM
I got a call as well. I scanned every computer in my house for viruses, 2 Macs and 1 PC. Nothing.
Then I called back and asked for the detailed information; the tech support told me it is because of Bots, named SinkHole.
Anyone know how to remove it?
01-08-2016 04:12 PM - edited 01-08-2016 04:37 PM
Have a look at the following site:
http://resources.infosecinstitute.com/dns-sinkhole/
A sinkhole is used to direct traffic away from a botnet command and control server. This occurs when a botnet is taken down, usually through the co-operative efforts of Microsoft, FBI, RCMP etc. It doesn't remove the particular bot that you might have, but it disrupts the traffic so that the individuals running the botnet are unable to maintain control over their net.
So, for a tech to say that you're blocked due to a Sinkhole is a misinterpretation of the information that he or she has available. You need to go back to tech support and ask the CSR for the particular botnet that this incident refers to. Only by knowing what botnet this involves will you know what to look for and how to remove it. Without that information, anything that you are told is completely useless, personal opinion.
If you happen to be running the modem in Bridge mode with a third party router, run a factory reset on the router and reset all of the parameters from scratch. Do not use a backup parameters file to reload the parameters. There are numerous botnets out in the wild that are taking advantage of security holes in routers these days, so if you do have a router, run the reset, and also look for a firmware update. If you have an older router and there is no update, it might be time to look for a newer router or load DD-WRT, Tomato or Merlin firmware.
If your router DNS server address has been changed without your knowledge, running the factory reset will delete that entry, along with any other malicious settings.
In the case of the PCs, at least for Windows, you can look at the hosts file. This is a file stored in C:\Windows\System32\drivers\etc
It should be opened with Notepad or a plain text editor, not Word. You can open that file and clean out any entries that might exist. Windows looks at that file first to determine the internet address associated with an address that you type into the browser address bar. If that file has been changed without your knowledge, there is a good chance that you've been redirected to a botnet command and control server, so, if there are any questions as to what that file contains, you can clean it out and save it. I think you have to be in an admin account to do that. Spybot, which is a spyware detection program, will change that file so that known malicious addresses are given an internal wrap-around IP address and therefore attempting to use that address will not allow you to connect externally. Here's an example of the wrap-around addresses:
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
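A way to audit the hosts file described above mechanically, as an added example that is not part of the original post. It sorts entries into Spybot-style sinkholes (harmless), LAN addresses, and public-address redirects (the pattern a tampered file would show); the sample file, hostnames and 203.0.113.x addresses are constructed.

```python
import ipaddress

# Constructed sample (not from the post): the Spybot lines mirror the entries quoted
# above, the 203.0.113.x lines are hypothetical hijacks (TEST-NET-3 documentation range).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0   008i.com
192.168.1.1 router.lan
203.0.113.7 www.bank.example            # hypothetical hijack
203.0.113.7 update.antivirus.example
not-an-ip   garbage.example
"""

STANDARD_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# RFC 1918 checked explicitly: ipaddress.is_private also counts documentation
# ranges such as 203.0.113.0/24, which would hide the sample hijack lines.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_hosts(text):
    """Bucket hosts entries as (ip, hostname, line_number) tuples.

    sinkhole = pinned to 127.0.0.1/0.0.0.0 (Spybot-style block), private = RFC 1918
    address (LAN device), redirect = routable address (what a DNS hijack leaves),
    malformed = first field is not an IP address."""
    result = {"sinkhole": [], "private": [], "redirect": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            result["malformed"].append((fields[0], " ".join(fields[1:]), lineno))
            continue
        for name in fields[1:]:
            if name.lower() in STANDARD_NAMES:
                continue  # the stock localhost line is expected
            if addr.is_loopback or addr.is_unspecified:
                bucket = "sinkhole"
            elif any(addr in net for net in RFC1918):
                bucket = "private"
            else:
                bucket = "redirect"
            result[bucket].append((str(addr), name, lineno))
    return result
```

Anything in the redirect bucket is worth checking against what public DNS actually returns for that name before you clean the file.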
01-08-2016 04:50 PM
Thanks for sharing! When I called, I did ask if Rogers had more detailed info so that I could identify which machine is problematic.
Unfortunately, she said nothing more.
I had to suggest that Rogers provide more details so users can easily identify the issue.
01-08-2016 05:10 PM
Without more details, the info is useless. It might be a PC, or mobile device, or, it might be a router, just depends on what you have on your network. For an Android or iOS device, a reset might be in order. Unfortunately, for iOS there is an ongoing issue with developers using Xcode files downloaded from Chinese servers instead of the official Apple servers. As a result, many Apple apps are infected, from what I remember reading. This hit the news again very recently. Here's a link or two to have a look at:
http://www.pcmag.com/article2/0,2817,2496598,00.asp
04-01-2016 12:24 PM - edited 04-01-2016 12:48 PM
Just got a call this morning saying the same thing.
This time I am starting to believe that Rogers is spamming. I only have my laptop connected to my router and I just did a full check-up; nothing wrong with my laptop or router. I even went to that link that was supplied to me from Rogers, which I have posted here, and again it said I was:
Success! We detected your IP address as 99.xxx.xxx.xxx and did not find an open DNS resolver running.
Also, when the Rogers BOT calls their clients and tells them to check their email for the reason for the problem, make it stop, because it's never there in the inbox. I only use that Yahoo Rogers inbox just for Rogers. I have NEVER EVER gotten an email from them to explain the problem. So yes, this would look more like a scam or spam. Maybe Rogers needs to do a full scan on their own servers before contacting their clients and giving them false information.
UPDATE: I called in and explained the problem and the girl basically told me it was because UPNP was turned on at my router. Sure enough it was, but I don't see the danger in that; regardless, I turned it off and life goes on.
04-01-2016 02:11 PM
Having UPNP on is supposed to make life easier.. some programs, etc. can run easier by opening up certain ports to make them run better all on their own.
BUT at the same time, something malicious COULD then be enabling those ports when it's doing spamming, etc.
By turning UPNP off, at least it hopefully will eliminate that out.
04-30-2016 08:31 AM
I got the phone call, I ignored them a few times,
then called Customer Service and asked them to stop the calls.
Then my internet was disconnected. I called the phone number they provided.
I got the MOST RUDE CUSTOMER SERVICE
WITH NO SOLUTIONS.
I called a second time and they reconnected my Internet,
not before "warning me" that if I don't get rid of the Virus I will be disconnected again...
I have been a customer for more than 8 years
and I am ready to move my service (and my money)
to another company next time I get disconnected...
Terrible service Rogers..!
04-30-2016 11:26 AM - edited 04-30-2016 11:28 AM
I suspect that you would get the same treatment from any other ISP, in terms of receiving warning calls, which you ignored. I'm not apologizing for the rude treatment, I'll leave that for some Rogers employee to discuss with you, but, if an ISP has detected outgoing traffic from a virus, or botnet, then yes, they will usually contact the customer in an attempt to resolve the problem. That is for your protection as well as the protection of anyone else that the virus, trojan or botnet might be attacking. Moving to another company without resolving the problem might just make this another ISP's problem.
So, with that in mind, you should be running scans of all of your internet connected equipment with more than one anti-malware program. Malwarebytes Anti-Malware (Free) comes to mind as a secondary scanner for PCs and Macs (?). Android devices I'll leave for others to recommend a good anti-malware program. If you use a router, you should ensure that it's running firmware dated no earlier than about 6 months ago. That's due to the numerous security problems that have come up over the last two to three years with routers from all companies. If you are running a router that hasn't had an update over the last two to three years and there is no update available from the manufacturer, it's time to buy a new router from a company that provides regular updates.
https://www.malwarebytes.org/dl-confirm/