01-17-2014 09:13 PM - last edited on 03-27-2015 06:31 PM by RogersJermaine
My internet was blocked twice for apparently having a virus I was not aware of. The second time we called tech support they told us to do the same procedure as the first, using the antivirus provided over an email. I had done that whole procedure before and no infection was detected on any of my laptops. I was even suggested an antivirus by the second tech guy, which I used to scan my main laptop, and still no infection. So I'm very confused on what the problem may be. He told me of a virus that could get by the virus things, but even after the one he had recommended to me, which is a strong antivirus apparently... Still nothing... And my main laptop is brand new. I'm still left confused because I do not know of any virus going on at all. And I can't keep having my internet blocked, as I'm a college student and really need the internet for my studies.
07-18-2016 11:24 PM - last edited on 07-18-2016 11:49 PM by RogersMaude
Hello,
It has been a couple of weeks now since I have been getting automated security alert messages on my phone. I also received an email telling me I had a Gozi infection on one of my computers. At any given time I have 3-4 laptops in my household (and 3 smartphones), and I have a working Kaspersky subscription on each of them. Nevertheless, I decided to scan the computers with Malwarebytes (it cleared up some malware, none of which I could identify as Gozi). The next day, my internet connection was suspended.
I ran a scan again, this time going more in depth to try and look for specific signs of the infection according to several webpages. I even searched on the Rogers Community Forums for help but I couldn't find an article specific to my problem.
Short story, I got my connection activated again, only to be suspended exactly one week later (today). I have run a thorough scan of all the laptops in my house and they appear to be clear of any Gozi infections. I called up the CSR, and was told that the problem appears to have been solved, but in the future if the "scanner" on their end encounters anything similar, they might slap me with a longer suspension. I was hoping someone could give me some clues as to what could potentially be going on here, as I've done everything on my end.
07-21-2016 11:43 AM
The little that I have read.. some have said that that one is a particularly hard one to detect/remove sometimes 😞
But that it is/can be used for a spamming-out type of attack.. which would make sense then as to why the Rogers connection is possibly catching it and having an issue.
These things are REALLY hard to narrow down sometimes 😞
Really all I can suggest.. is a step by step process. (which is a REAL pain.. but sometimes the only way to narrow it down)
Day one.. just have device 1 on the network only. If nothing bad, next day add another.. then another.. till something triggers.
10-18-2016 12:59 AM - last edited on 10-18-2016 08:09 AM by RogersPrasana
Recently my Internet got blocked with a virus named (.locky extension) RSA-2048 and AES-128 ciphers. I don't know what it is, but it snuck very silently into my PC. I don't know what harmful activities it brings into my system, but it encrypted all the files that I have in my system. Furthermore, it demands ransom money from me. I don't have a single penny to pay its developers. What should I do to remove (.locky extension) RSA-2048 and AES-128 ciphers completely from my system? Please help!!!
(.locky extension) RSA-2048 and AES-128 ciphers is a harmful ransomware infection that usually comes to encrypt all your files and execute malicious code on your system. It will lock all your files, and is used by cyber criminals to make money using victims' personal files. This harmful virus usually gets spread with suspicious e-mails and other free download files. Once inside, it will frustrate you by encrypting all your files and programs. Hence, whenever you open your files, such as MS Word and other program files on your system, you will find that all your files have been encrypted, and you just need to follow the instructions of (.locky extension) RSA-2048 and AES-128 ciphers to pay a certain amount of money to its hijacker and get your files back.
However, other high-level threats such as spyware and other rootkit viruses will get downloaded onto your PC to give more trouble to your system. When you pay the ransom money, its hacker gets a chance to enter your system, but you will not get your files back. Because these scammers are not trustworthy people, you should not pay a single penny to the hacker. To avoid more issues on your system, you should remove it urgently from your system.
07-19-2017 11:14 PM - last edited on 07-19-2017 11:52 PM by RogersCilio
Just got an email with this subject line that is obviously spam... the alleged infraction time stamp is TOMORROW and other details are utterly inapplicable to me. Does Rogers have an email that I can forward it to for investigation?
12-15-2017 08:50 AM
Which antivirus are you running?
Most likely it's MALWARE and not necessarily a virus, which sometimes some AV doesn't fully catch.
I would try running something more dedicated like MALWAREBYTES.
Make sure you run updates on EVERYTHING that can be updated. Computers, iPhones, Android, etc. Any number of these things, if not updated, could have a vulnerability in them and could have something on them.
07-09-2018 07:54 PM
I received a message about the Mirai Antivirus.
Looks like I solved the problem.
I've scanned my devices with McAfee, desktop and Android box, and found nothing. So I installed Wireshark on my desktop and started to scan my network.
I realized a great number of SSDP packets were coming from my Android box. After some tests I found the DLNA app which the box uses to work as a Chromecast/Apple TV was the culprit. Uninstalling it stopped the SSDP requests. When doing my research I found this link from Rogers: https://www.rogers.com/customer/support/article/rogers-terms-of-service-ssdp-vulnerability which talks about the SSDP vulnerability. As I don't use UPnP, I disabled it on my router and also checked my public IP for SSDP vulnerabilities. I believe the issue was solved and Rogers won't find any abnormalities on my network.
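The Wireshark step above (finding which LAN device is flooding SSDP on UDP 1900) can be automated once the packets are exported. This is an added example, not code from the poster or from Rogers: it parses the HTTP-style SSDP messages, counts them per source address and flags sources above a constructed per-minute threshold; the capture, addresses and threshold are all made up.

```python
from collections import Counter, defaultdict

SSDP_PORT = 1900   # SSDP: HTTP-style messages over UDP 1900 (multicast 239.255.255.250)

def parse_ssdp(payload: bytes):
    """Parse one SSDP message into (method, headers); None if it is not SSDP-shaped."""
    lines = payload.decode("utf-8", "replace").split("\r\n")
    first = lines[0].split()
    if len(first) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:                       # blank line terminates the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return first[0].upper(), headers

def ssdp_talkers(packets, window_s):
    """packets: (src_ip, dst_port, payload) tuples. Per-source message count, rate and
    dominant search/notification target (ST for M-SEARCH, NT for NOTIFY)."""
    stats = defaultdict(lambda: {"msgs": 0, "kinds": Counter()})
    for src, dport, payload in packets:
        parsed = parse_ssdp(payload) if dport == SSDP_PORT else None
        if parsed is None:
            continue
        method, hdrs = parsed
        stats[src]["msgs"] += 1
        stats[src]["kinds"][hdrs.get("ST") or hdrs.get("NT") or method] += 1
    return {src: {"msgs": v["msgs"],
                  "per_min": round(v["msgs"] * 60 / window_s, 1),
                  "top_kind": v["kinds"].most_common(1)[0][0]}
            for src, v in stats.items()}

def noisy_sources(packets, window_s, per_min_limit=60.0):
    """LAN addresses sending SSDP faster than per_min_limit (a constructed threshold)."""
    return sorted(src for src, v in ssdp_talkers(packets, window_s).items()
                  if v["per_min"] > per_min_limit)

# Constructed 60-second capture: an Android box (192.168.0.23) re-discovering media
# renderers four times a second, a laptop (192.168.0.10) doing two normal searches.
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
           b"MX: 1\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n")
SAMPLE = ([("192.168.0.23", SSDP_PORT, MSEARCH)] * 240
          + [("192.168.0.10", SSDP_PORT, b"M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\n\r\n")] * 2
          + [("192.168.0.10", 53, b"not ssdp at all")])

if __name__ == "__main__":
    print(ssdp_talkers(SAMPLE, 60), noisy_sources(SAMPLE, 60))
```

The `top_kind` value tells you what the device is searching for, which is how the DLNA/media-renderer app above would stand out from a laptop's ordinary `ssdp:all` discovery.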
10-23-2019 12:13 AM - last edited on 10-23-2019 08:07 AM by RogersYasmine
Service suspended due to Andromeda botnet
My service has been suspended 3 times due to detection of the Avalanche Andromeda botnet on one of my machines.
I have 1 desktop, 1 iPad and 4 laptops. Plus a few Android phones and iPhones.
I tried various AVs, be it Malwarebytes, McAfee, Symantec, Cylance, but the issue still persisted.
Removed all unwanted programs that I could think of from all machines. Did not help.
I am using the Hitron Rogers modem and no third party router.
I got the suspicious destination IP, host name and port number from Rogers. Checked the status on VirusTotal and the IP and host names were malicious. But it's hard to track down which device it might be.
Any tips on next steps?
10-23-2019 02:08 AM - last edited on 10-23-2019 08:08 AM by RogersYasmine
@Hkb for a pc or laptop you might need to run Norton Power Eraser or some other deep inspection tool, beyond the usual run of the mill Antivirus programs. I'm surprised that Malwarebytes Antimalware didn't detect it but, it might be on another device, not just a pc or laptop.
To see what device is connecting to what external IP address you need to run a router with logging and blocking capability. That would be something like pfSense, OPNsense, Sophos and maybe DD-WRT. An ASUS router with Merlin's Asuswrt will also do both if loaded with the Skynet and Diversion add-ons. Skynet can block specific IP addresses and countries. It has its own block list and whitelist and has a debug mode to watch for specific IP addresses, which should allow one to determine what device is connecting to a specific external IP address. I've never used it to track an outbound address but that should work. I have used it to watch for blocked traffic from specific LAN IP addresses, which is another way to do this. Diversion allows you to block domain names instead of specific IP addresses.
The botnet control IP addresses were taken down in late 2016 so I'm guessing that you now have a device or more that remains infected with no controller domain to contact. But it or they are still attempting to contact those domains.
10-29-2019 05:40 PM
@Ann75 have a look at my post just above yours. What model of router are you running and what's the last firmware version and date on the router?
03-24-2020 02:39 PM - last edited on 03-25-2020 12:05 AM by RogersMoin
Virus warning from Rogers, legitimate? (TYPE: avalanche-generic )
I recently received an email from Rogers stating " There's a problem with an internet-connected device in your home that's interfering with the network in your area. This may be a computer, phone, tablet, sensors or any other device connected to your Wi-Fi. Unfortunately, we're unable to help you identify the problem device. The problem device in your home is infected with a virus. You need to remove the infection to strengthen the security of your information and ensure that only authorized users have access to your network. "
They later state that if I fail to correct the issue, my service may be terminated.
Although I'm uncertain of which device is infected, they did provide me with details of the virus.
TYPE: avalanche-generic
SRC_PORT: 63073
DST_PORT: 80
HTTP_HOST: trackeropenbittorrent.uni.me
DST_IP: 216.218.135.114
DST_ASN: 6939
DST_GEO: US
NAICS: 517311
Upon googling for information regarding the virus and the host, the only thing I was really able to come up with was this: https://www.abuseipdb.com/check/216.218.135.114 which does mention the host/IP address and virus, but I have no idea what to do with this information.
The email address it came from was: Rogers Internet Security <abuse@rogers.com>
Is this legitimate?
I've run virus scanners and nothing was picked up. I've checked my phone and PC and there is no sign of an 'avalanche-generic' virus anywhere. Is there any other way to deal with this? If I blocked the listed ports in my modem/router and blocked the domain, would that solve the issue?
07-06-2020 08:11 PM - last edited on 07-06-2020 08:21 PM by RogersMaude
Got an email and call from Rogers about a potential virus
IP 174.116.133.###
data: SOURCE TIME: 2020-07-05 18:51:28Z
IP: 174.116.133.###
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: quant
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: 8b4dcd30-0d2a-4972-a384-22b6471fd66a
IP 174.116.133.###
data: SOURCE TIME: 2020-07-05 18:51:28Z
IP: 174.116.133.###
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: 93c69d53-1dd9-4e04-9473-f10312d6e1f1
I scanned both my computers for viruses and it didn't find anything. Could this be a false alarm?
07-07-2020 12:55 AM - edited 07-07-2020 12:58 AM
@stockylobster there are two possible choices here:
1. You have a botnet infection; or
2. The destination IP address has been attacked by someone using a spoofed IP address (yours).
The destination IP address belongs to Clara.net in Portugal.
https://bgp.he.net/ip/195.22.26.248#_whois
The details specify a TCP attack on port 80, which would be the HTTP login port on modems or routers. That looks like a report from an Intrusion Prevention System running on a router.
I would scan any connected devices with more than one antivirus application. For Windows desktops/laptops, consider loading Malwarebytes Antimalware as a secondary scan application. I use that as a secondary application:
https://www.malwarebytes.com/mwb-download/
There is also a version for Android and iOS.
Are you running the modem in Gateway mode, or in Bridge mode with a router behind it? If you have a router running, check for the latest firmware update. If it's older than a year and it doesn't look like there are any updates on the horizon, I'd strongly consider binning the router and buying another one that will be updated with recent firmware updates. In any event, if you have a router running, consider running a factory update and setting the router up from scratch. Don't load a backup config file.
To check the UUID for your windows platforms, at a command prompt enter the following command:
wmic csproduct get "UUID"
Compare the UUID result with the UUIDs listed in the report from Rogers, just to see if there's a match. I haven't looked up how to find the UUID for Macs or Android or iOS devices.
07-07-2020 01:19 AM - edited 07-07-2020 01:21 AM
Hi,
My modem is in Bridge mode and my router's firmware is about 4 months old, but I will factory reset and update again. I scanned both of my computers and none of them match. I also ran antivirus and Malwarebytes on both computers. Nothing was found. I also checked the UUID and it doesn't match any of my computers either. Do you know if Android devices have UUIDs?
07-07-2020 02:38 AM
@stockylobster what router are you using, out of curiosity's sake?
It looks like Android devices can have a UUID, but it doesn't look like there's an easy way to determine what that UUID is.
If you run a Google search for: android uuid
You'll come across numerous links for Android UUID generation, use, etc, etc. There's nothing that comes up that shows easy access to an Android UUID, but I didn't look beyond page one of the results at the present time.
07-08-2020 06:14 PM
I'm using the Asus AC1900P router. I have that IP blocked on the router, so if there is malware it won't cause any more problems. But I still need to figure out if this is a false alarm or not. I wonder if my Android boxes can get the botnets...
07-08-2020 06:49 PM - edited 07-08-2020 06:52 PM
I assume that you're running Merlin's Asuswrt. Do you have Skynet loaded? If so, you can block inbound and outbound attempts from/to any IP address, block whole countries and watch any LAN IP address for attempts to contact a blocked IP address. It should be possible to parse through the Skynet log to look for specific IP addresses.
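Parsing the router log for the destination in the Rogers report, as suggested in this post and in the earlier Skynet post, is what finally ties the abuse report to one LAN device. This is an added example, not Skynet's own tooling or anything from Rogers: it reads the DESTINATION IP / PORT / PROTOCOL block from the report quoted above and counts, per LAN source, the netfilter-style log lines that match it. The `[BLOCKED - OUTBOUND]` prefix is assumed; the LAN and WAN addresses in the log lines are constructed.

```python
import re
from collections import Counter

IP_PROTO = {"6": "TCP", "17": "UDP", "1": "ICMP"}   # IANA protocol numbers used in the report
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_report(text):
    """Turn the KEY: value block from the Rogers email into a dict of match criteria."""
    kv = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            kv[key.strip().upper()] = value.strip()
    return {"dst_ip": kv.get("DESTINATION IP"),
            "dst_port": kv.get("DESTINATION PORT"),
            "proto": IP_PROTO.get(kv.get("PROTOCOL", ""))}

def parse_log_line(line):
    """Extract the netfilter LOG fields (SRC=, DST=, PROTO=, DPT= ...) from one syslog line."""
    fields = dict(FIELD_RE.findall(line))
    return fields if {"SRC", "DST"} <= fields.keys() else None

def lan_sources_for(report, log_lines):
    """Count, per LAN source address, blocked flows matching the report's destination."""
    hits = Counter()
    for line in log_lines:
        f = parse_log_line(line)
        if not f or f["DST"] != report["dst_ip"]:
            continue
        if report["dst_port"] and f.get("DPT") != report["dst_port"]:
            continue
        if report["proto"] and f.get("PROTO") != report["proto"]:
            continue
        hits[f["SRC"]] += 1
    return dict(hits)

# Constructed inputs: the destination block from the report above, plus five syslog lines
# in netfilter LOG format (prefix assumed; 192.168.1.x and 203.0.113.5 are made up).
REPORT = """DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6"""
LOG = """Jul  5 18:51:28 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.21 DST=195.22.26.248 PROTO=TCP SPT=49811 DPT=80
Jul  5 18:51:31 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.21 DST=195.22.26.248 PROTO=TCP SPT=49812 DPT=80
Jul  5 18:52:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.5 DST=195.22.26.248 PROTO=TCP SPT=51000 DPT=443
Jul  5 18:52:10 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=195.22.26.248 DST=203.0.113.5 PROTO=TCP SPT=80 DPT=80
Jul  5 18:52:11 dnsmasq[123]: query[A] example.net from 192.168.1.5""".splitlines()

if __name__ == "__main__":
    print(lan_sources_for(parse_report(REPORT), LOG))   # {'192.168.1.21': 2}
```

Only the outbound lines to the reported IP and port are counted, so the inbound probe from that same address and the unrelated port 443 flow do not implicate a device.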