Constant Guard reporting bots


63 replies to this topic

#1 Non Sequitor

  • Members
  • 10 posts

Posted 06 September 2014 - 04:16 PM

Over the last two days, Constant Guard has been notifying me of a TDSS-TDL_Generic.  It also added three other ones (Multi_CriminalClick_MugaVuga and two I didn't save before the info dropped off).  I have been running TDSS Killer on all of the machines to detect problems, but the occurrence of TDSS-TDL_Generic keeps popping up with more times seen (last at 7:54 last night).  At this point, I need a methodical approach to determine if it is just a false positive.  I have currently shut down 2 computers out of 4, shut down all network attached storage, and turned off my printers.  Last night only one computer was up at 7:54 so I have been concentrating on it.

What I have done is

1) am running Rubotted v2.0.0.1034 pattern V1.10047.00 - nothing found
2) scanned with Bitdefender Removal Tool V3.0.2.2.010 - nothing found
3) scanned with MalwareBytes anti-malware V2.2.0.1012 - nothing found
4) scanned with MalwareBytes Anti-Rootkit Beta v1.07.0.1012 - nothing found
5) scanned with Rootkit Remover - McAfee v0.8.9.174 - nothing found
6) scanned with aswMBR v1.0.1.2041 - found some unknown code and one file that was infected and I had downloaded a long time ago without installing.  I did delete that file.

Since I have started these scans, amibotted.comcast.net has now reported Zeus_Generic and Rerdom_CriminalFinancial_Asprox as of 8am this morning.

I am not bringing the network drives or the other 2 computers up until I have a handle on this.  They have the most sensitive information.

 

Can someone help me figure out what I'm dealing with?

 




#2 azth

  • Members
  • 1 posts

Posted 06 September 2014 - 07:36 PM

I've been having a very similar issue. Yesterday I received a text message from Comcast telling me to visit the amibotted page. I went there and I found a list of several viruses/trojans, including Multi_CriminalClick_MugaVuga, TDSS-TDL_Generic, Multi_CriminalClick_ClickThrough, and SpyEye_Generic. I did a Google search for each one, trying to figure out what operating systems they infect to try to rule out false positives. The funny thing is, just under 24 hours ago, Googling for "Multi_CriminalClick_MugaVuga" would have resulted in a single result. Now, 3 pages come up.

 

I already have Avast installed, and it didn't detect anything. I also did a full scan with Microsoft's MSRT; again, nothing. I looked up more information on SpyEye_Generic, and tried to locate the files and registry keys it supposedly creates on the system (such as c:\cleansweep.exe\cleansweep.exe), again nothing came up. I also scanned using TDSSKiller. Also nothing.

 

I finally installed an application called GlassWire this morning, and now I'm waiting to see if the amibotted site shows up anything else, and whether the app will detect an unexpected connection. If a new entry appears on the site and nothing shows up in the app, then I think it's safe to say that it is a false positive. Perhaps someone is hijacking my wifi connection?


Edited by azth, 06 September 2014 - 07:38 PM.


#3 hencar491

  • Members
  • 1 posts

Posted 06 September 2014 - 08:26 PM

Same deal here- got my first alert last night, first referencing Multi_CriminalClick_MugaVuga and TDSS-TDL_Generic, and a new alert today referencing only SpyEye_Generic.  Tried boot scans and full scans with Avast, malwarebytes, and Norton and ran TDSSKiller.  Everything came back clean on all my computers, including the boot scans.  Also checked the DHCP records on my router and no unknown connections found.

 

I'd have to imagine Comcast is having problems with false positives this weekend?



#4 LegumeGrower

  • Members
  • 4 posts
  • Gender:Male

Posted 06 September 2014 - 09:06 PM

I've also been getting these alerts since Thursday.  Initially amibotted.comcast.net only showed Multi_CriminalClick_MugaVuga, but TDSS-TDL_Generic showed up soon after.  I ran Microsoft Security Essentials, Malwarebytes, and TDSSKiller on my Windows system and found nothing.  I have no idea what MugaVuga is (and neither does google), so I can't look for any particular diagnostic procedure or removal tool for whatever they think I'm infected with.  Comcast support is not helpful.  If you ask what MugaVuga is, or the specific network traffic patterns they are flagging, they will obfuscate and stall and then connect you to a supervisor who will do the same.  If you are insistent enough they will eventually admit that they can't disclose it because it's proprietary information.

 

I double-checked my WiFi settings to rule out a neighbor using it.  I have WPA2 configured with a long password, WPS off, remote configuration off, and the firmware is up-to-date.  I also have a Linux laptop, but I doubt it's the source -- TDSS is specifically a Windows rootkit, and whatever MugaVuga is, it seems that others who don't use Linux have seen it flagged as well.  On multiple occasions, the "last seen" timestamp has been at a time when my Windows system was physically turned off.

 

I find it interesting that there were basically no results for MugaVuga on google when I first searched for it on Thursday, and now there are several new results from Comcast customers posting on tech support forums trying to figure out why Constant Guard is flagging them.



#5 targumedo

  • Members
  • 2 posts

Posted 06 September 2014 - 10:49 PM

Same thing here, this afternoon was the first alert. I think Comcast and Constant Guard want our cash with their software.  But, that's just me.

Edited by Queen-Evie, 07 September 2014 - 09:59 AM.
edited to remove language


#6 whstlr

  • Members
  • 1 posts

Posted 06 September 2014 - 11:41 PM

I received my first alert via email from Comcast yesterday morning. Checking amibotted.comcast.net showed TDSS-TDL_Generic. I ran through multiple scanners (Windows Defender, MSRT, MalwareBytes, TDSSKiller, avz4) and manually looked for evidence, and found nothing. This morning, I woke up and found another instance of TDSS-TDL_Generic on amibotted, and decided to reinstall Windows 8.1 just to be safe (something I've been meaning to do anyway). I wiped the drive clean, repartitioned, and reinstalled. This afternoon, after reinstalling, TDSS-TDL_Generic showed up again along with Multi_CriminalClick_MugaVuga. It goes without saying that all of the same scanners still show nothing suspicious.



#7 drmoseley

  • Members
  • 4 posts

Posted 07 September 2014 - 01:02 AM

Received a Constant Guard "alert", Thursday, 9/4/2014 at 22:09 CDT - then, going to Comcast's 'amibotted' web site, I was informed that the bot, 'Rerdom_CriminalFinancial_Asprox', had infected my computer.

 

Called CSAC and discovered that what used to be a competently staffed department, has been outsourced and is now much less so.  When I asked for specifics as to what IP address my bot was communicating with, or what specific behavior pattern tripped their detectors, or if it was possible that I had simply visited a site that had previously been associated with malware, all I got was a vague and general description of "what a bot was" and "why it is bad".  So, I ended that call, and dialed again hoping to get an analyst with a pulse - no luck. I tried yet a 3rd time and still got nothing but a 1st grade description of what a 'bot' was AND that I should signup for a 2 week free demo for which Identity Guard had partnered with Comcast (simply use the promotion code of 'cr11').

 

I smelled a scam, but I've learned in this field not to jump to conclusions.  So, I performed the following:

- Checked Windows Update, ensuring all Microsoft maintenance for Win-7 was applied

- Checked Windows logs using event viewer, found nothing exceptional

- ensured Java was at the latest level - 7 Update 67

- ensured Adobe Flash was at latest level - 14.0.0.176 (ActiveX) and .179 (Plugin)

- ensured Norton Internet Security had been updated with the latest patterns

- checked NIS logs and found nothing exceptional

- performed a full scan using NIS

- downloaded current Microsoft Malicious Software Removal Tool and performed a scan

- downloaded & installed Spybot Search & Destroy and performed a scan

- downloaded & installed Norton Power Eraser and performed a scan

- downloaded & installed Immunet 3 and performed a scan

- downloaded & installed Secunia PSI and performed a scan

- downloaded & installed Malwarebytes Anti-Malware and performed a scan

ALL SCANS CAME UP NEGATIVE, SHOWING NOTHING BUT TRACKING COOKIES (which I removed)

 

Now, as of this evening - 9/7/2014, Comcast's 'amibotted' web site tells me that I've been infected with a 2nd bot called 'TDSS-TDL_Generic'.

 

Be aware that all during this multi-day Easter egg hunt, my system has been running normally - exhibiting no unusual behavior.

 

So, I wondered, what does Comcast's 'amibotted' web site say about the iPad and Android smart phone that I use frequently on the same LAN as my allegedly infected PC?

- pointing my phone at 'amibotted', I'm told that the same two bots have been detected

- pointing my iPad at 'amibotted', I'm also told that the same two bots have been detected

- pointing my old Win-XP laptop (which I never use) at 'amibotted', I'm also told that the same two bots have been detected

So, I must conclude that the "detections" are based on deductions on Comcast's end, and not on actually scanning my equipment.

 

I have no idea where to turn from here.  How do you find and remedy a problem that Comcast won't describe in any detail?  How does one find something when one doesn't know what one is looking for?


Edited by drmoseley, 07 September 2014 - 01:14 AM.


#8 nacman30

  • Members
  • 2 posts

Posted 07 September 2014 - 02:21 AM

Hello everybody, this is my first time on the forums as I also have been having these constant emails from Constant guard for the past 2 days.

 

I went to the am i being botted website and have seen the TDSS-TDL_Generic, and Multi_CriminalClick_MugaVuga updating up every 2 hours. 

 

All my laptops are squeaky clean, but for my amusement I ran TDSSKiller and aswMBR, and still found nothing.

 

I think these Constant Guard alerts are either false positives, or bullcrap, as it is giving innocent people nothing but heart attacks over the fear that they are infected.



#9 drmoseley

  • Members
  • 4 posts

Posted 07 September 2014 - 02:26 AM

Since my last post I have, "downloaded & installed Kaspersky TDSSKiller and performed a scan" - nothing detected!



#10 nacman30

  • Members
  • 2 posts

Posted 07 September 2014 - 02:29 AM

Shame on Comcast for pulling such a cowardly marketing tactic, trying to rile up fear so you would buy their Constant Guard service.



#11 bchuckoreo1

  • Members
  • 3 posts

Posted 07 September 2014 - 04:49 AM

Received the same email from Comcast yesterday (9/6/2014)

Ran "amibotted" and received 1 bot detected message:  TDSS-TDL_Generic

 

Followed all the same steps as those above have tried.  Still showing the same message on "amibotted"

 

I only have one computer, so I'm going to take it in to local Computer Repair Shop.  I'll let you know what I find out from them.

 

Also, did some reading about this online.  Found that it could be something with router.  I also have a Vonage Device connected to router.  Just wondering if that has anything to do with this?  Maybe Comcast doesn't like Vonage?

 

So I tried disconnecting the Vonage device, "amibotted" still showing the same message. 

 

I


Edited by bchuckoreo1, 07 September 2014 - 05:10 AM.


#12 Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)

  • Staff Emeritus
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 07 September 2014 - 10:46 AM

Same thing here, this afternoon was the first alert. I think Comcast and Constant Guard want our cash with their software.  But, that's just me.


Shame on Comcast on pulling such a cowardly marketing tactic, trying to rile up fear so you would buy their constant guard service.


There is no charge for Constant Guard. It's free for Comcast internet customers.

Having said that, there is an Identity Guard service which must be subscribed to and has nothing to do with malware/infection/bots.

I will assume you checked using Am I Botted? which gave you the names of the detected bots.

Do you have a network set up and have more than one computer connected to the network? If you do, it could be on any computer that is on your network.

Then again, there may be NO bot.

Did you receive an email from Comcast about this?

Unless they changed the wording of the notice, it says
 

Constant Guard from XFINITY identified that one or more of your computers may be infected with a bot.


That does not necessarily mean there is one.

Do you have a network set up? If so, it could be on any of the computers that connect to your network. Then again, as stated above, there may be no bot on any of them.

No, they will not be able to tell you which computer "MAY" have a bot.

And in the Comcast help forum, where there are NUMEROUS posts about this you could be told by an employee (if one happens to stumble upon your post) that they observed signs of likely malware infection. If questioned they will then say you "likely" have a bot.

The notice is tied to your MODEM which is why if there is a network you don't know which computer MAY have a bot.

From cc_adame Comcast National Engineering in the Comcast help forum

 

The notice is tied to your modem

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466883/highlight/true#M89772


Something using your cable modem is exhibiting the behaviour of a bot.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466891/highlight/true#M89773


we're only alerting you because we are seeing activity from *something* behind your modem that is bot traffic. We can't tell you which device it is because that would require us to do Deep Packet Inspection, which nobody wants - we care about your privacy, and will not do that.

I recommend you contact CSA, who can further assist you with figuring out which device behind your modem is infected and can remove the notice.

Normal business hours (6:00 am to 2:00 am EST, 7 days a week) 888-565-4329

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1467167/highlight/true#M89784


First aid following a botnet notice is to run a full scan with your AV software. If that comes up clean, try the free version of Malwarebytes Anti-Malware.

Wait 24 hours and then check Am I Botted? again. If you do have a network you will need to scan ALL computers using the network.
(if you get curious you can check before then)

At this point in time don't panic and don't worry about it too much. If Am I Botted does keep saying you are THEN you can do whatever it takes to determine whether it's fact or fiction. The malware removal folks here at Bleeping Computer will be glad to help you.
 

1) going to the amibotted does not rescan it just reports that they saw activity in the last 24-26 hours.
2) Comcast clears the you are botted message after a few hours so if you wait 27-30 hours the website will say you do not have a bot until the magical bot activity is seen again.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1559963/highlight/true#M91304


They used to have a so-called self-help guide. This was totally useless and did not do anything to help you determine IF there was a bot and on which computer. The procedures did not show any infections/malware. It wanted you to download and install the Constant Guard Protection Suite, which includes Norton Security.

I got one of those you may be botted emails in February of 2013. I did scan 2 of the 4 computers on my network and scans came up clean. After that I decided to wait the 24 hours and check again. When I did Am I Botted said all clear.

For what it's worth, the Comcast Help Forums, Security subforum, has had several postings over the past few days about the same thing-receiving "you are botted" messages. http://forums.comcast.com/t5/Security-and-Anti-Virus/bd-p/13

Some state they ran various scanners and found nothing.

One suspects the traffic it seems to be detecting is coming from individual web sites and pop-ups/unders, not the computer.

Comcast did some recent upgrades with the network bot detection service and that is when people started to receive these notices. It could very well be a false positive.

I suspect that Comcast did some recent upgrade with their network security bot detection services and many of us are getting hit with false positives. The other possibility is a very subtle, very wide spread set of bots that have gone undetected for a long time and are just now being detected.

http://forums.comcast.com/t5/Security-and-Anti-Virus/Suspected-quot-bot-quot-Activity-email-from-Comcast/m-p/2302051/highlight/true#M99576


Just before I started this reply, I went to am i botted and it tells me that 2 bots detected-date Sept. 6.

I then downloaded and installed Trend Micro RUBotted. Ran it and no bots detected.
If you want to try it http://free.antivirus.com/us/rubotted/index.html
Note that it is a beta.

While this is an older topic it still contains good advice http://forums.comcast.com/t5/Security-and-Anti-Virus/What-do-I-do-if-I-receive-a-BOT-notification/m-p/1082387/thread-id/83716/message-uid/1082387

Bottom line is to run those scans. Even though it may turn out to be nothing, there could also be some truth to some of them.

Just for fun, I looked at amibotted just before I started composing this reply. It found 2.

As for me, I am ignoring the 2 Comcast says it saw. I ran all my scans this morning before I saw am i botted and nothing malicious was found by any of them.

edit to add: both computers scanned with my arsenal. The other one is also clean.

Edited by Queen-Evie, 07 September 2014 - 11:04 AM.
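The Comcast engineers quoted above say the notice is tied to the modem and that they will not do deep packet inspection to tell you which device is responsible, which is also why post #7 saw the same two "detections" from a phone, an iPad and an unused laptop: the report is per public IP, not per machine. Finding the device is therefore a job for your own side of the NAT. The following Python script is an added example, not code from this thread, from Comcast or from any tool named here. It assumes your router or firewall can export an outbound connection log; the log format, the private and public addresses and the timestamps are all constructed for the demo. It does two things that work without inspecting payloads: it lists which LAN hosts contacted endpoints on a list you supply (for instance a sinkhole or C2 list you obtained yourself), and it flags host/destination pairs that connect on a suspiciously regular schedule, the "every 2 hours" pattern mentioned earlier in the thread being exactly the kind of thing it is looking for.

```python
"""Find which LAN host behind a NAT is generating bot-like traffic.

Added example (not from the thread, Comcast, or any tool named in it).
It assumes the home router or firewall can export an outbound
connection log; the log format, addresses and timestamps below are
constructed for the demo and stand in for whatever the device emits.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> OUT <src> -> <dst>:<port> <proto>".
# 192.168.1.12 contacts one host on port 8080 every two hours; the
# other traffic is ordinary browsing with irregular timing.
SAMPLE_LOG = """\
2014-09-06 17:54:01 OUT 192.168.1.10 -> 93.184.216.34:443 TCP
2014-09-06 17:54:09 OUT 192.168.1.12 -> 198.51.100.7:8080 TCP
2014-09-06 17:55:30 OUT 192.168.1.10 -> 93.184.216.34:443 TCP
2014-09-06 19:54:10 OUT 192.168.1.12 -> 198.51.100.7:8080 TCP
2014-09-06 20:03:12 OUT 192.168.1.10 -> 203.0.113.5:80 TCP
2014-09-06 21:54:08 OUT 192.168.1.12 -> 198.51.100.7:8080 TCP
2014-09-06 23:54:11 OUT 192.168.1.12 -> 198.51.100.7:8080 TCP
2014-09-07 01:54:09 OUT 192.168.1.12 -> 198.51.100.7:8080 TCP
2014-09-07 01:55:00 OUT 192.168.1.10 -> 93.184.216.34:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OUT (?P<src>\S+) -> "
    r"(?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"],
            "dst": f"{m['dst']}:{m['port']}",
            "proto": m["proto"],
        })
    return records


def flows_by_host(records):
    """Map src host -> dst endpoint -> sorted list of connection times."""
    flows = defaultdict(lambda: defaultdict(list))
    for r in records:
        flows[r["src"]][r["dst"]].append(r["ts"])
    for dsts in flows.values():
        for times in dsts.values():
            times.sort()
    return flows


def hosts_contacting(records, flagged_endpoints):
    """Which LAN hosts talked to endpoints in a set you supply
    (e.g. a sinkhole/C2 list you obtained yourself; it is an input here)."""
    hits = defaultdict(set)
    for r in records:
        if r["dst"] in flagged_endpoints:
            hits[r["src"]].add(r["dst"])
    return {src: sorted(d) for src, d in hits.items()}


def beacon_candidates(records, min_hits=4, max_cv=0.2):
    """Flag (src, dst) pairs whose connection intervals are suspiciously
    regular: at least min_hits connections and a coefficient of variation
    (stdev / mean of the inter-connection gaps) no larger than max_cv."""
    out = []
    for src, dsts in flows_by_host(records).items():
        for dst, times in dsts.items():
            if len(times) < min_hits:
                continue
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg <= 0:
                continue
            cv = pstdev(gaps) / avg
            if cv <= max_cv:
                out.append({"src": src, "dst": dst, "hits": len(times),
                            "mean_interval_s": avg, "cv": cv})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for c in beacon_candidates(recs):
        print(f"{c['src']} -> {c['dst']}: {c['hits']} hits, "
              f"every {c['mean_interval_s']:.0f}s (cv={c['cv']:.3f})")
    print(hosts_contacting(recs, {"198.51.100.7:8080"}))
```

On the sample data this names 192.168.1.12 talking to 198.51.100.7:8080 every 7200 seconds. A candidate is a lead, not a verdict: update checkers, mail polling and NTP also run on fixed schedules, so the next step is to look at that host and that destination, not to wipe the machine. If your router cannot log connections at all, a laptop running a packet capture on a mirrored or hub port between the router and the LAN gives you the same per-host view.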


#13 Non Sequitor
  • Topic Starter

  • Members
  • 10 posts

Posted 07 September 2014 - 11:25 AM

Comcast is still reporting sightings.  So if I do the following on all of my computers, I should be confident that I'm ok?

 

What I have done is

1) am running Rubotted v2.0.0.1034 pattern V1.10047.00 - nothing found
2) scanned with Bitdefender Removal Tool V3.0.2.2.010 - nothing found
3) scanned with MalwareBytes anti-malware V2.2.0.1012 - nothing found
4) scanned with MalwareBytes Anti-Rootkit Beta v1.07.0.1012 - nothing found
5) scanned with Rootkit Remover - McAfee v0.8.9.174 - nothing found
6) scanned with aswMBR v1.0.1.2041 - found some unknown code and one file that was infected and I had downloaded a long time ago without installing.  I did delete that file.
 

 

The one question I do have is that aswMBR found some unknown code in the MBR.  Is there something else I could do to verify it is ok?

 

ETA: I've also noticed that people with 'nix only computers are also getting this alert.  It really sounds like a misreading of traffic to me.


Edited by Non Sequitor, 07 September 2014 - 11:27 AM.
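On the question of what else can be done about an MBR that a scanner calls "unknown code": the following Python script is an added example, not code from this thread and not how aswMBR or any other tool named here works. It parses a 512-byte MBR image, checks the structural things that should always hold (the 0x55AA signature, at most one bootable entry, sane status bytes, no overlapping partitions, nothing starting at LBA 0), and compares a SHA-256 of the boot code area against a baseline you recorded from a disk you know is clean. The MBR bytes, the partition layout and the "tampered" variant are constructed for the demo; the baseline hash is computed in the script only so it runs stand-alone, whereas on a real system it must come from the known-clean dump.

```python
"""Structural check of a 512-byte MBR plus a boot-code hash baseline.

Added example; it is not from the thread and is not how aswMBR or any
other tool named there works. The MBR bytes and disk layout below are
constructed for the demo. On a real machine dump the first sector
(Linux: dd if=/dev/sda of=mbr.bin bs=512 count=1) and record the boot
code hash from a disk you know is clean, e.g. right after a fresh
install; later dumps are compared against that baseline.
"""
import hashlib
import struct

BOOTCODE_LEN = 440            # boot code proper; 440..445 hold disk signature/reserved bytes
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE_OFF = 510

# Constructed placeholder standing in for the OS installer's boot code.
KNOWN_GOOD_BOOTCODE = (bytes(range(256)) + bytes(range(184)))[:BOOTCODE_LEN]
# Constructed "infected" variant: first instruction replaced. Bootkits hook the
# boot path by patching this area, which is what a hash comparison catches.
TAMPERED_BOOTCODE = b"\xEB\xFE" + KNOWN_GOOD_BOOTCODE[2:]
# Constructed layout: (status, type, LBA start, sectors); a bootable 100 MiB
# NTFS-type partition followed by a second one starting right after it.
SAMPLE_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)]
# In practice this hash is recorded from a known-clean disk, not computed here.
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_BOOTCODE).hexdigest()


def build_sample_mbr(bootcode, partitions):
    """Assemble a demo MBR; CHS fields are left zero (the LBA fields are what matter)."""
    mbr = bytearray(512)
    mbr[:len(bootcode)] = bootcode
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    mbr[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(mbr)


def parse_partition_table(mbr):
    """Decode the four 16-byte entries, skipping empty slots."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype == 0 and sectors == 0:
            continue
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_sha256, disk_sectors=None):
    """Return parsed data plus a list of findings; an empty list means nothing odd."""
    findings = []
    if len(mbr) != 512:
        findings.append(f"expected 512 bytes, got {len(mbr)}")
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition marked bootable")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at LBA 0 (overlaps the MBR)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at LBA {start_b}")
    bootcode_sha256 = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    matches = bootcode_sha256 == baseline_sha256
    if not matches:
        findings.append("boot code differs from baseline hash")
    trailing = None
    if disk_sectors is not None and spans:
        # Space after the last partition. Some bootkits keep their payload
        # there, so a large tail deserves a look, though it proves nothing alone.
        trailing = disk_sectors - spans[-1][1]
    return {"partitions": parts, "bootcode_sha256": bootcode_sha256,
            "bootcode_matches_baseline": matches,
            "trailing_unallocated_sectors": trailing, "findings": findings}


if __name__ == "__main__":
    clean = build_sample_mbr(KNOWN_GOOD_BOOTCODE, SAMPLE_PARTS)
    bad = build_sample_mbr(TAMPERED_BOOTCODE, SAMPLE_PARTS)
    print("clean:", check_mbr(clean, BASELINE_SHA256, disk_sectors=2_000_000)["findings"])
    print("tampered:", check_mbr(bad, BASELINE_SHA256)["findings"])
```

Two caveats a practitioner would add. First, a hash mismatch is only meaningful against a baseline from your own machine: GRUB, vendor recovery loaders and disk encryption products all write non-standard boot code, which is the usual reason a generic scanner reports "unknown code". Second, a bootkit that hooks the disk driver can hand a clean-looking sector back to any tool running inside the infected OS, so take the dump from a boot CD/USB or by attaching the drive to another machine (on Windows, reading the first 512 bytes of \\.\PhysicalDrive0 needs an administrator token) and compare that with what the running system shows you.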


#14 Scallamander

  • Members
  • 1 posts

Posted 07 September 2014 - 12:37 PM

I got an email yesterday saying I had a bot and when I checked amibotted it said I only had TDSS/TDL_Generic. Seeing as how TDL is pretty serious I went ahead and spent the rest of my day trying to track it down, I scanned all of the windows 7 machines and they were squeaky clean.

I then proceeded back to amibotted and was presented with 5 more hits. Along with TDSS/TDL_Generic Comcast now detected I had Zeus_Generic, Kvoter_Generic, Random_CriminalFinancial_Asprox, Multi_CriminalClick_MugaVuga, and SpyEye_Generic. I proceeded to scan and check for rootkits or even signs of intrusion on my laptop which is running linux and the most used machine and that turned up nothing also.

When I checked amibotted again around 1:30am Mountain time the site was down. This leads me to believe this could be a Comcast issue, even though I still have the same hits this morning. If anyone else finds any leads please share!


Edited by Scallamander, 07 September 2014 - 12:40 PM.


#15 bchuckoreo1

  • Members
  • 3 posts

Posted 07 September 2014 - 12:54 PM

I had that same email from Comcast, and "amibotted" showed 1 Bot Detected (TDSS-TDL_Generic)

 

Did all the same as those mentioned above, ran AV software, etc.

 

Tried calling Comcast today (tech support) and was told "maybe you should take your computer to a PC Doctor" by someone in India.

 

Sooooo......

 

I recently purchased a new Linksys Router to replace my old one a while back, never hooked it up.

 

Today I installed it, with the help of Linksys tech support (free with the new router purchase)

 

After installing the new router, went in to "amibotted" and guess what!!!!  It says "NO BOTS DETECTED" !!!

 

I am no computer expert, and I don't know why this worked but it did.  So I guess by replacing the router it got rid of the bot????

 

Maybe someone on here knows why this worked???

 

Note:  I only have one computer on my network and I am the only one using the computer, no tablet either. 

 

Note 2:  I remember something coming in the mail recently that said for a price, I should buy a new Comcast modem to keep up with all their new jazz.  Maybe they want us all to buy new modems now????


Edited by bchuckoreo1, 07 September 2014 - 01:02 PM.




