need help about dorkbot???

Today I received warning calls from my ip rogers about my security is compromised and if I do not solve it then my internet will be suspended and cut in 48 hours. I called and they said its a dorkbot. I tried and scan with lots of AVs from MBAM, hotman prom zemana am, rogers security which uses bitdefender and even a lengthy full "C" scan by secureaplus scan which uses dozens of AVs and ALL WERE CLEAN.

I did research on dorkbot and it said MABA, hitman pro, emsisoft among others should detect it.

My system is clean and I do-not know what else to do as to why rogers is picking up this BOT on my connection systems??

Does anyone have any clue and also does this dorkbot infect androids?? I have 3 android phones that use my wifi.

 

Go here: http://support.eset.com/kb2372/ . Scroll down the page till you find the standalone cleaner for Dorkbot. Download it and run it. If indeed you're infected with Dorkbot, this should get rid of it.

Also I would strongly advise not doing any Internet e-commerce activities until you're sure Dorkbot has been removed. Dorkbot will set up a backdoor on your PC.

-EDIT- BTW Eset's retail AV and Internet security versions do have botnet protection.

 

Good luck.

Tagging for later.

 

thx. I went through a dozen avs even those named for detecting dorkbot and all came back clean. Also I clean installed Linux on both pc and called rogers telling them but they said it still risky and i have 2 choices. Either wait and see their next security scan to show if I am clean or not and if clean then nothing and if not then i will loose my internet services for a week and after that so on based on state of my pc. OR i can pay a monthly 15 dollars plus tax for their techexpert service and these guys can go into my pc check everything and do all things to see solve are my issue plus more and this way my internet will not be blocked or cut. SO I chose the second one and registered with them. Will come into effect 2 days from now. In 2 days i will ask them to run a test and scan on my pcs and my network to see if they all are clean.

IT SUCKS.

Eventhough I am sure my pcs are clean since everything including clean linux install but still do not want my internet to be banned.

I wonder can a dorkbot hide in the modem or in the network? not on PC?

 

Dorkbot is a worm and is designed to infect the entire network. So if you have a network setup, every PC on it has to be scanned for traces of Dorkbot.

I suggest you try one of the malware removal sites such as http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/ or https://malwaretips.com/forums/malware-removal-assistance.10/ for assistance. Additional if you are using a paid AV solution, the vendor will assist you in malware removal.

 

He is using his home wifi router for his android phones. Either that or rogers is trying to make some extra cash via tech support.

"To hide itself from detecting by anti-virus solutions, the malware injects its code into files like cmd.exe, ipconfig.exe, regedit.exe, regsvr32.exe, rundll32.exe, verclsid.exe and explorer.exe,"

I am assuming when you scanned your computer, you used the Linux version of the software?

 

http://www.zdnet.com/article/microsoft-law-enforcement-disrupt-sprawling-dorkbot-botnet/

 

There are a few other possibilities.

The OP is part of a botnet and the ISP is misidentifying it as Dorkbot. Or, his router has been hacked and a botnet is redirecting traffic thought it.

 

well I had rogers techexpert look at my systems and since I am on linux now after a format they said I should be fine since dorkbot is a windows OP only. Now I am scared on going back to windows. I wonder if I reinstall in a clean (deleted partition plus formatted 3 times) system and put a fresh windows 10 would be safe?. Anyone know?

Also today through shieldup test I found that my rogers router is holes and some of the ports are not stealth and are LOCKED. SO I called them and had them to tweak their system so I can use a d-link router with full firewall (set it to max) and now my ports are stealthed. Rogers had to update their modem too since it was old.

SO now I think i am 100% clean. Anyway as I mentioned above, can I go and install a clean fresh windows 10 now that my pc is clean or should I be worried and not to so not to get reinfected?

I appreciate it your input guys and help.

 

yeah I have 2 android phones using my wifi for imo and telegram. I get lots of add but as the techxpert said dorkbot is a windows infecter so androids and linux should be fine I think.

 

no it can infect android too

 

really? I have not read anything online about it. If so then I have to shut both of the androids wifi off or factory reset?

 

it most likely was your computer. don't see why you cant reinstall windows 10. it may have even been a fluke at your isp.

what is your android os? version 4?

http://phandroid.com/2016/04/25/android-malware-ransomware-website/

 

here is an article from 2014 from eset. found 4 manufactures selling phones with maleware preinstalled.

http://www.welivesecurity.com/2014/03/05/android-phones-and-tablets-ship-pre-infected-with-malware/

 

my android phones have android 4.1 to 4.4.

Waiting for the next rogers security scan and I was told it would take 1 to 3 weeks to scan me again and HOPEFULLY shows I am clean.I already paid for one month of rogers techexpert so if seeing my pc is clean then i can cancel it next month.

 

Probably or maybe hiding on my network somewhere because MBAM, hitman pro, zemana antimalware and secureaplus scan (has dozens of avs) all showed my systems were clean a day before receiving the warning from the rogers. Also installed rogers security suite (uses bitdefender ) and scan and all was clean. tdsskiller shows all ok and no ill-effect on my pcs (no sign of pc acting up), So I was shocked to see the dorkbot warning from rogers as my research shows that mabam, hitman pro were among the mentioned avs that would detect dorkbot.

The only thing I forgot to do is use AVAST network scan feature to scan as it has a NETWORK only scanner that checks the network and modems.

the thing is that rogers cable modem has so many holes and a basic firewall. many of my ports were visible because of that damn rogers modem. I used a a new d-link router and it stealthed most of them but still 2 posts from the rogers modem were not stealthed by d-link (even with its full firewall active). I even activated linux firewall and still those 2 ports are closed but visible.

Overall roger has a ****** modem and system.

 

anyone knows why port 135 and 445 are visible. my research shows they have to do with microsoft. Also I know its the damn rogers modem that has these forced visible. my previous providers modem with my reouter were stealthed.

here is shieldup result: As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. the above 2 ports.

Even linux firewall and my router can not stealthed it. Seems rogers modem keeps these visible on purpose?

 

FYI - Every router has a WAN side and a LAN side. When you do a port scan using a web based scanner like GRC's ShieldsUp, it is scanning the WAN side of the router. So the GRC's test is somewhat pointless when a router is installed since your PC traffic is interfacing with the LAN side of the router.

What you also need to ensure on your router is that NAT i.e. network address translation and SPI i.e. stateful packet inspection, if available, are both enabled. These two features alone will stop most malware based traffic before they reach the router's firewall. Beyond those protections, the router's firewall will catch any residual malware crap.

If you want to test the status of your security software firewall, you have to either;

1. Disconnect the router and forward all traffic through your cable modem.
2. Reconfigure the router to pass through all traffic to your cable router.

 

thx. for reply. So then I should be ok.

 

or install the paid version of AdGuard. then all web traffic will go through its web filter proxy and your IP WILL BE HIDDEN

try installing it and then try going to shields up

 

I would be a bit cautious of AdGuard's scanning of HTTPS traffic. Unlike other AV products that do the same, I have seen no detailed test reports on if AdGuard is doing SSL protocol scanning properly.

 

https://www.ssllabs.com/ssltest/viewMyClient.html

SSL/TLS Capabilities of Your Browser
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36

Other User Agents »

<div id=warningBox style="line-height: 145%"> <b>Without JavaScript, the following tests will not run:</b> (1) Accurate protocol support, (2) SSL 3 POODLE vulnerability, (3) mixed content handling, (4) TLS authentication bug in Apple's products, and (5) the FREAK attack. Please enable JavaScript for best results. </ul> </div> <br>


http://plaintext.ssllabs.com/plaintext/1x1-transparent.png?t=1466694718820https://www.ssllabs.com:10301/1x1-transparent.png?t=1466694718820https://www.ssllabs.com:10302/1x1-transparent.png?t=1466694718820https://www.ssllabs.com:10303/1x1-transparent.png?t=1466694718820https://www.ssllabs.com/plaintext/1x1-transparent.png?t=1466694718820

#protocolTestDiv, #ssl2TestDiv, #ssl3TestDiv, #appleTestDiv, #freakTestDiv, #jamTestDiv { display: none; } #protocolTestMsg, #ssl2TestMsg, #ssl3TestMsg, #appleTestMsg, #freakTestMsg, #jamTestMsg { font-size: 16px; font-weight: bold; } #protocolTestMsgNotes, #ssl2TestMsgNotes, #ssl3TestMsgNotes, #appleTestMsgNotes, #freakTestMsgNotes, #jamTestMsgNotes { color: grey; font-size: 14px; }
Protocol Support
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is the best available protocol version at the moment.
Logjam Vulnerability
Your user agent is not vulnerable.
For more information about the Logjam attack, please go to weakdh.org.
To test manually, click here. Your user agent is not vulnerable if it fails to connect to the site.
FREAK Vulnerability
Your user agent is not vulnerable.
For more information about the FREAK attack, please go to www.freakattack.com.
To test manually, click here. Your user agent is not vulnerable if it fails to connect to the site.
POODLE Vulnerability
Your user agent is not vulnerable.
For more information about the POODLE attack, please read this blog post.
SSL 2 Protocol Support
Your user agent supports SSL 2. You should upgrade.
SSL 2 is a very old, obsolete, and insecure version of the SSL protocol. You can usually disable this protocol version in configuration, but modern clients don't support it at all. This really means that you should upgrade your software to a better version.
iOS and OS X TLS Authentication Vulnerability
https://www.ssllabs.com/images/progress-indicator.gif Please wait, checking if your user agent is vulnerable...
To test manually, click here. If your user agent refuses to connect, you are not vulnerable. This test requires a connection to the SSL Labs server on port 10443. A strict outbound firewall might interfere. You should test Safari running on iOS or OS X. Chrome and Firefox are not vulnerable, even when running on a vulnerable operating system. MORE »
Protocol Features
https://www.ssllabs.com/images/icon-protocol.gif <tr class="tableRow"> <td colspan=2 align=left> <span style="color: #666666">(*) Without JavaScript, this test reliably detects only the highest supported protocol.</span> </td> </tr>
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No