
Intel PROSet/Wireless Zero Configure Service initiating traffic to Botnet IP

KVyas3
Beginner

Hi All,

I'm observing that a few of the PCs in my client network are trying to communicate with a botnet IP, 208.91.197.27, which belongs to Confluence Networks Inc (US).

When I checked the process and source of the traffic, I was surprised to find that it is generated from Intel PROSet/Wireless Zero Configure Service/ZeroConfigService.exe.

I don't know why it is trying to connect to an external IP.

Has anyone observed this in your environment? Can anyone help me find a solution for this?

Thanks in Advance,

Kiran Vyas

11 Replies
idata
Employee

Hi Kiran.Vyas: Thank you very much for contacting the Intel® communities. We will do our best in order to try to fix this problem.

In order for us to provide the most accurate information about this issue, I will transfer the case to the proper department. An agent will further assist you with this matter.

Regards,

Alberto R

idata
Employee

Hello Kiran,

We understand you have identified an issue with the ZeroConfigService.exe on several of your systems trying to communicate with a third-party IP. Let me assure you this is not an expected behavior.

In order to better assist you, we would like some more information:

1. Brand and model of the affected computers.

2. Wireless adapter models, and current driver versions in use.

We look forward to hearing back from you.

Best regards,

Carlos A.

KVyas3
Beginner

Hi Carlos,

Please find the below answers.

1. Brand and model of the affected computers.

HP EliteBook 820

2. Wireless adapter models, and current driver versions in use.

Intel (R) Dual Band Wireless-N 7260

Version: 16.10.0.5

Please note: these details are from only one of the laptops on which we observed the traffic.

Thanks & Regards,

Kiran Vyas

PP10
Beginner

Hi Carlos,

Please note, the destination port is 443 (SSL), and hence we are unable to see the content of the packet.

https://exchange.xforce.ibmcloud.com/ip/208.91.197.27

Regards,

Praveen P

idata
Employee

Hello Praveen,

As we mentioned before, the Intel® PROSet/Wireless Zero Configure Service does not communicate with external IPs.

This service helps maintain reliable WiFi connections in areas with radio frequency difficulties by monitoring the link status and automatically invoking the adapter's driver, if it is down, to scan for a profile match and reconnect.

In this case, we suspect you may be dealing with a Trojan or malware infection masquerading as our service. While we don't provide direct virus/malware removal assistance, we strongly recommend checking your systems for infection.

From our end, we can recommend performing a clean installation of your wireless drivers. However, this may not be entirely effective if you are indeed dealing with an infection:

1. Download and save our latest Intel® PROSet/Wireless Software for your adapter: http://www.intel.com/content/www/us/en/support/network-and-i-o/wireless-networking/000005559.html

2. Under Programs and Features in the Control Panel, uninstall any instance of the "Intel® PROSet/Wireless Software." When prompted, choose to "discard settings."

3. Go to the Device Manager > Network Adapters > Right click on your Intel(R) Dual Band Wireless-N 7260 and uninstall it. Make sure to select the option to "Delete the driver software for this device."

4. Clear out your temporary files: Press the Windows* Key + R to open the run box. Type Cleanmgr.exe and press OK. Here you will need to make sure Temporary Files are checked, you may uncheck everything else (unless you're ok with the extra wait) and press OK.

5. Install the Intel® PROSet/Wireless Software that was downloaded back in step one.

6. Reboot your computer.

We hope this information helps.

Best regards,

Carlos A.

PP10
Beginner

Hi Carlos,

Thanks for the update.

Even my initial understanding was that this could be a case of malware/trojan. However, I investigated the .exe which is initiating the connection (intel.exe) and also uploaded it to some of the malware analysis tools. All the results showed it is clean, and no suspicious/strange behavior was observed.

Let's assume that malware is masquerading as the Intel service; in that case we should have 2 services with the same name, right? However, we are seeing only 1 service.

Will disabling Intel® PROSet/Wireless Zero Configure Service, cause any issue in using the Wifi?

Regards,

Praveen P

idata
Employee

Hello Praveen,

We can't promise that disabling this service won't cause issues. However, if this is indeed an infection, the actual service may already be inactive. So go ahead and disable it, or remove it altogether. Depending on your OS version, you may be fine with just the driver.

If you start experiencing issues afterwards, simply follow the clean installation method described earlier.

Are you able to see the path that this service is running from?

Best regards,

Carlos A.

KVyas3
Beginner

Hi Carlos,

I tried uninstalling the Intel® PROSet/Wireless Software from my laptop and installing the new version (version 20.x) as you instructed previously. But after that my WiFi was not working, so I had to remove the software I downloaded from the Intel website and reinstall the WiFi software downloaded from the Lenovo software portal, which automatically installed Intel® PROSet/Wireless Software version 16.x.

So currently I have downgraded to version 16.x, and I can still observe the suspicious traffic towards the previously mentioned botnet C&C IP.

Expecting your reply on this.

Regards,

Kiran Vyas

idata
Employee

Hello Kiran.Vyas,

We do not provide virus removal support. As mentioned before, this is not the designed behavior of this software; depending on the type of infection, a simple driver reinstall may not get rid of the problem. Our best recommendation in this case will be to perform a backup of any important data and then perform a clean installation of the operating system.

The drivers provided on our website are generic versions, which do not take into account any personalization and feature changes performed by your computer manufacturer. Because of this, your OEM drivers, even if older, are always our main recommendation.

Best regards,

Carlos A.

AHila
Beginner

Hi,

May we please have a response to this question?

I have compared the file hash between the exe file that connects to the IP 208.91.197.27 with the legitimate exe files. They are the same.

Please check if this is really an infection or a false positive.

Thank you

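An added example, not from this thread and not Intel's or HP's code: a PowerShell triage script that does on the host what the posts above discuss. It answers Carlos's question about the path the service runs from, Praveen's question of whether a second service with the same name exists, and AHila's hash comparison, and it maps live TCP connections to 208.91.197.27 back to the owning process image and its Authenticode signature. The IP and port 443 come from the thread; the service-name pattern, the optional reference-hash parameter and the function names are assumptions. Run it in an elevated PowerShell 5.1 or later session on an affected host.

```powershell
# Added example (not from the Intel thread). Triage a Windows service that is
# seen talking to an external IP: enumerate the service, its binary, signature
# and SHA-256, then map live connections to that IP back to the owning process.
param(
    [string]$RemoteIp        = '208.91.197.27',  # IP reported in the thread
    [string]$ServicePattern  = 'ZeroConfig',     # assumed substring of the service Name/DisplayName
    [string]$ReferenceSha256 = ''                # assumed: SHA-256 of a known-clean copy, if you have one
)

function Get-ServiceBinaryPath {
    # Win32_Service.PathName may be quoted and may carry arguments; keep only the image path.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-SuspectService {
    param([string]$Pattern, [string]$RefHash)
    # Praveen's question: how many services carry this name? An impostor would
    # normally appear as a second entry or as the same name with a different PathName.
    $services = @(Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like "*$Pattern*" -or $_.DisplayName -like "*$Pattern*" })
    Write-Host ("Services matching '{0}': {1}" -f $Pattern, $services.Count)

    foreach ($svc in $services) {
        $exe  = Get-ServiceBinaryPath $svc.PathName
        $sig  = Get-AuthenticodeSignature -FilePath $exe
        $hash = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
        $matchesRef = 'n/a'
        if ($RefHash) { $matchesRef = ($hash -ieq $RefHash) }
        [pscustomobject]@{
            Service    = $svc.Name
            State      = $svc.State
            Pid        = $svc.ProcessId
            Path       = $exe                          # the path Carlos asked for
            SigStatus  = $sig.Status                   # 'Valid' for an intact, signed image
            Signer     = $sig.SignerCertificate.Subject
            Sha256     = $hash                         # AHila's comparison, done in place
            MatchesRef = $matchesRef
        }
    }
}

function Get-ConnectionsToIp {
    param([string]$Ip)
    # Map each live TCP connection to the IP back to its process image and signature.
    Get-NetTCPConnection -RemoteAddress $Ip -ErrorAction SilentlyContinue | ForEach-Object {
        $proc   = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $img    = $null
        $imgSig = $null
        if ($proc -and $proc.Path) {
            $img    = $proc.Path
            $imgSig = (Get-AuthenticodeSignature -FilePath $proc.Path).Status
        }
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort                 # 443 in the thread
            State      = $_.State
            Pid        = $_.OwningProcess
            Image      = $img
            ImageSig   = $imgSig
        }
    }
}

Test-SuspectService -Pattern $ServicePattern -RefHash $ReferenceSha256 | Format-List
Get-ConnectionsToIp -Ip $RemoteIp | Format-Table -AutoSize
```

Get-NetTCPConnection only shows connections that are open at the moment it runs; for a short-lived TLS session, loop it or rely on a connection log (Sysmon Event ID 3 or Windows Filtering Platform auditing) to get the owning PID. If the service path is the expected Intel install directory, the signature is Valid with an Intel signer, and the hash matches a clean install, the image itself is not the impostor Carlos suspected; what remains to explain is why a legitimate binary reaches that IP, which this thread leaves open.
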
AHila
Beginner

Hi,

The link below shows that there are features which allow an outbound connection to an external IP.

Please verify as to whether the IP 208.91.197.27 is a legitimate IP connection. Thank you.
