Conficker

Ssayer (BIT Beta Team, SE Michigan USA)
Ok, I'm at a loss here and I know there are some very knowledgeable people on this site. AT&T tells me that I have Conficker. They sent me emails about it from late April through mid June, and then stopped so I presumed that whatever they were identifying as Conficker, wasn't. But... during that time, I tried checking with the checker from MS, Malwarebytes, Spybot. They all came back clean. I tried the Conficker eyechart, and it checked correctly. I tried 4 different Antiviruses. Nothing but nothing showed my machine as having any problem. Finally, I booted into safe mode, ran Microsoft's Malicious File remover tool (nothing) and checked the registry as best I could (nothing). It can only be this machine as it's a Windows problem. That narrows it down real fast as my wife's laptop (which is rarely on) is the only other Windows PC. Oh, I live in a rural area and my WiFi has a pretty ridiculous password as I'm paranoid like that.

Now today I get a call from them (I checked, it was AT&T and not some scammer) telling me that if I don't get it fixed, they were going to have to cut off my DSL. I told them everything that I'd tried and was told that if that's the case, then my only option was to format and reinstall the OS. Heck, this machine (thanks to MS?) went from 7.0 to 8.0 to 8.1 as "freebies". If I have to reinstall, it's not going to be fun...

So, before I go through all of that, can anyone please offer any other suggestions? Thanks in advance!
 

fenderman (Staff member)
Did you do these checks on your wife's PC? A reformat is quick and easy. Might as well upgrade to 10 first; you can still get it for free by using the assistive technology upgrade. Do an in-place upgrade first, make sure it activates, then download the Microsoft media creation tool and use that to do a clean install of 10.
 

tangent (IPCT Contributor)
(quoting Ssayer's opening post above)
It's possible AT&T is misidentifying the threat. If you don't disable the WPS PIN, your Wi-Fi is quite insecure.
It's possible to infect cameras and routers with viruses.
Upgrading to Windows 10 is still a good idea.

First steps would be:
  • Disable UPnP on the router
  • Delete all port forwarding rules on the router
  • Disable the WPS PIN on the router; disabling WPS entirely is fine too
  • Disable remote access to the admin interface of the router
  • Disable WAN ping on the router
  • Install the latest version of the software on the router; if you already have the latest, see if it will let you reinstall the latest version. Reset your router to factory defaults, then restore your settings.
  • Assign any cameras on your network static IP addresses and leave the DNS server portion blank.
  • Reboot all cameras and other network devices (sometimes rebooting is all that's required to get rid of the virus, but if you don't plug the hole first they'll get reinfected in minutes).
  • Set your router to use OpenDNS instead of your ISP's DNS servers
Then tell us about all of the devices on your network.

nzipcamera (Getting the hang of it, New Zealand)
Good advice from tangent.

The one thing I would add is to do a backup of your personal files to an external hard drive before commencing the upgrade.

Windows 10 is way better than 8.1
 

Ssayer (BIT Beta Team, SE Michigan USA)
(quoting fenderman's reply above)
Yes I did. I'll check that out, thanks!
 

tangent (IPCT Contributor)
@Ssayer looks like you may be a Blue Iris user. Have you scanned that PC? Generally running Blue Iris on a dedicated machine is recommended.

I'd consider putting a second NIC in your BI PC and isolating your cameras from the rest of your network so they can only be accessed through the BI PC.
 

Ssayer (BIT Beta Team, SE Michigan USA)
(quoting nzipcamera's reply above)
And that is the disadvantage of a 3TB drive, eh? :p I back stuff up regularly but there's always that oddball file that one forgets...
 

Ssayer (BIT Beta Team, SE Michigan USA)
(quoting tangent's first reply above)
My router is pretty much locked down and I always recommend OpenDNS. I've not tried reinstalling software on my router, so that's something to think about. We have enough power failures around here that the cameras get plenty of reboots. :p I thank you for your suggestions!
(quoting tangent's reply about Blue Iris above)
I've got both ethernet and wireless on the BI PC, I could probably do it that way if I bought another switch.

A lot of crap to do and I don't even know if there is really a problem on this box, or if it is AT&T misidentifying the threat....
 

tangent (IPCT Contributor)
(quoting Ssayer's reply above)
It's a pretty safe assumption that they are detecting something on your network talking to a botnet or participating in a DDoS attack. I just wouldn't assume you only need to check out the Windows machines; it could be your thermostat or washing machine, though security cameras are more likely.

Some of the viruses that infect devices like cameras are disposed of by rebooting; some do get written to flash and persist. If you're exposing any IoT devices to the internet they could easily get reinfected.

Hopefully you don't forward ports to any of your cameras and have UPnP disabled.

Wi-Fi and Ethernet on the BI PC wouldn't work well; you'd really need a second wired NIC if you want to do that.

If you have the skills required, you could also throw another PC with two NICs between your modem and the rest of your network and run all your traffic through Wireshark.

No offense, but when it comes to networking knowledge you come across as someone who thinks you know more than you actually do (it's hard to gauge someone's knowledge level, easier to gauge how well they listen). You might want to check out bleepingcomputer and dslreports and see what you can find about other people having similar issues with AT&T and what they ultimately discovered the issue was.
 

Ssayer (BIT Beta Team, SE Michigan USA)
Hah, no! I'm just a home user that gets by. :p I know what I know and I know what I don't know, so I go where I can ask people that do...
 

c hris527 (Known around here, NY)
(quoting Ssayer's opening post above)
It would seem that this worm is difficult to get a handle on. Right now it seems it is only affecting Windows boxes, but other stealthy variants are most likely out there. A really good malware program I use all the time is HitmanPro, free for 30 days or something to that effect.
Symantec has some good advice on this also: Killing Conficker: How to Eradicate W32.Downadup for Good | Symantec Connect

Do you have any cell phones connected to your network? One never knows. Just for security's sake, I would change my router's admin and wireless passwords. I would e-mail AT&T and ask if they have more info on the machine sitting behind your router that is doing it. Sometimes they may have the machine's name or MAC address; it cannot hurt to ask.

Good luck

Mr-Gizmo (Getting the hang of it)
You can also try downloading an antivirus rescue CD like Avira Rescue System or Bitdefender Rescue as an ISO image and burning them to a CD or writing them to a USB flash drive so it is bootable. You will probably have better success detecting and removing malware by booting from a rescue CD or flash drive, instead of booting from the infected Windows hard drive. I would recommend deleting your System Restore points before trying the rescue CD approach, as malware often hides in there and uses it to reload itself. I would also recommend powering off all your PCs, network printers and IP cameras and then rebooting your routers or Wi-Fi APs.

Start with one PC, boot using an antivirus rescue CD or flash drive, update to the latest virus definitions and have it perform a full scan. Once done, shut down and reboot that PC in Safe Mode with Networking by pressing F8 during the boot process. I would then recommend running something like Malwarebytes to make sure your system is clean. If nothing is found, power on the next PC and follow the same steps.

Avira Rescue System Download Avira Rescue System | Official Website
Bitdefender Rescue http://download.bitdefender.com/rescue_cd/bitdefender-rescue-cd.iso

How to create Avira Rescue System
https://www.avira.com/documents/products/pdf/en/howto_avira_rescue_system_en.pdf

How to create a Bitdefender Rescue CD or Bootable Flash drive
How to create a Bitdefender Rescue CD

FYI, in order to boot from a CD or flash drive, you will need to press something like F12 (Dell PCs) during the PC's boot process so you can tell it to boot from the CD or a USB device instead of the hard drive. Some PCs may require you to change the boot order (CD, USB, hard drive) in the BIOS. If you have a Windows 8 or 10 PC with a UEFI BIOS, you can access the UEFI BIOS by following these instructions: Boot to UEFI Firmware Settings from inside Windows 10

Windows 8 should be similar. I hope this helps.