
Can't find source of botnet activity, not sure how to remove it


I started to notice suspicious activity when I booted up my computer one day and I got a boot failure.  I loaded the optimized defaults for bios and my computer booted fine.  Then I had some problems opening pictures, and music. The default program in windows 10 would say that the file was not found or something to that effect.  However I could choose 'open with', pick a program to open it with and it worked fine.  (I forgot the name that default windows program used to open music and pictures).  There was some other suspicious activity - once I had trouble opening any program or task manager for about 10 seconds.

I ran McAfee, malwarebytes, and about a half dozen other malware scans.  I couldn't find anything.  So I reinstalled windows while keeping my files without formatting my hard drives.

A few days after that I got an email from my internet service provider that said that they had detected botnet activity.  Here is the text of the email:



Dear Time Warner Cable Customer, 

Please be aware that Time Warner Cable has detected signs of botnet traffic being transmitted from a device connected to the cable modem on your Time Warner Cable Internet connection. 

Have you noticed any suspicious email account activity, unusual error messages, or unfamiliar browsers? Your computer may be infected by a "bot," malicious software that secretly uses your computer to send spam, host phishing sites, and steal your personal information. 

Time Warner Cable is using botnet detection technology and is notifying customers whose computers are found to be communicating with servers controlled by criminals. 

We recommend that you take steps to clean and secure both your computer(s) and your wireless device(s) to prevent your devices being used by malicious third parties without your knowledge. Please note that this computer may not be the infected device if you have other computers on your home network. 

Please visit our self-help Web site https://help.twcable.com/BSMS/BotHelpSMS.html?cid=email once you have read this notice for a suggested course of action, or, should you have further questions, you may call us at 1-855-222-7342. 

Thank you for assisting Time Warner Cable Security.


I called them and they said that the traffic was sent by a Windows device on my network.  My computer is the only Windows device on my network.  Since I couldn't detect anything with virus or malware scans, I immediately formatted both my drives.  I have an SSD and a spinning disk.  I am a little freaked out because I do my online banking on this computer.  And I read online that malware can survive formatting the hard drive if it is in the boot sector.  I'm not sure how to detect if the problem is still there.  And if it is: then how to get rid of it.  Any help is appreciated.

I found some instructions to run RKill, backup the registry, run MalwareBytes and post the history log from a few other posts.  I have followed those instructions.  Here is my log:

Malwarebytes Anti-Malware

Scan Date: 7/30/2016
Scan Time: 11:21 PM
Administrator: Yes

Malware Database: v2016.07.31.02
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Geoffrey

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 277983
Time Elapsed: 3 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


Link to post
Share on other sites

Hello and :welcome:
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

  • Removing malware can be unpredictable... It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

Also, to rule out a RootKit / MBR infection, please run the following and post the log(s).

Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


Link to post
Share on other sites

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.



Link to post
Share on other sites


Fix result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Geoffrey (2016-08-02 06:27:45) Run:1
Running from C:\Users\Geoffrey\Desktop
Loaded Profiles: Geoffrey (Available Profiles: Geoffrey)
Boot Mode: Normal

fixlist content:
CHR Extension: (Google Drive) - C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-07-26]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR Extension: (Chrome Web Store Payments) - C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-26]
S3 mfeaack01; \Device\mfeaack01.sys [X]
2016-07-26 23:01 - 2016-07-26 23:01 - 00000000 ____H C:\ProgramData\DP45977C.lfl
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
Processes closed successfully.
C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho" => key removed successfully
C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
mfeaack01 => service removed successfully
C:\ProgramData\DP45977C.lfl => moved successfully
C:\Users\Geoffrey\AppData\Local\Temp\McCSPInstall.dll => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End ofCMD: =========

========= netsh advfirewall reset =========


========= End ofCMD: =========

========= netsh advfirewall set allprofiles state on =========


========= End ofCMD: =========

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End ofCMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-4230656208-3379943766-1725914147-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-4230656208-3379943766-1725914147-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

=========== EmptyTemp: ==========

BITS transfer queue => 9402896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5339130 B
Java, Flash, Steam htmlcache => 826 B
Windows/system/drivers => 4805531 B
Edge => 16136929 B
Chrome => 840098714 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 222 B
systemprofile32 => 128 B
LocalService => 13034 B
NetworkService => 1874 B
Geoffrey => 14598064 B

RecycleBin => 7503 B
EmptyTemp: => 849.2 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 06:27:53 ====

Link to post
Share on other sites
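The fixlist above removes machine-wide Chrome extension install keys, an orphaned driver service, per-user proxy settings, the local IPSec policy store and queued BITS jobs, and turns the firewall back on. The following read-only PowerShell audit re-checks those same locations after cleanup; it is an added example written for this thread, not a tool from the thread or from Malwarebytes, and it assumes Windows 10 with the built-in NetSecurity and BitsTransfer modules (the ExtensionInstallForcelist policy key and the argument-stripping heuristic are assumptions of mine, not taken from the logs).

```powershell
# Read-only audit of the persistence and network-settings locations touched by the
# FRST fixlist above. Added example for this thread, not part of any tool's output.
# Assumes Windows 10 (NetSecurity + BitsTransfer modules present); run elevated.
# It reports only; nothing is deleted or changed.

function Get-ChromeInstallKeys {
    # Machine-wide extension install points. The first two are the keys the Fixlog
    # removed; the Forcelist policy key is an assumption (not on the page).
    $keys = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        # Subkeys named by extension id carry an update_url (external install)
        Get-ChildItem $k | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            "[chrome] $k\$($_.PSChildName) update_url=$($p.update_url)"
        }
        # The Forcelist stores 'id;update_url' strings as values, not subkeys
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { "[chrome] $k : $($_.Name) = $($_.Value)" }
    }
}

function Get-ProxyState {
    # FRST's RemoveProxy step cleared per-user connection settings; a proxy or PAC
    # URL that the user did not configure is worth explaining.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    "[proxy] ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
}

function Get-FirewallAndBits {
    # fixlist: netsh advfirewall set allprofiles state on -> all three should be True
    Get-NetFirewallProfile | ForEach-Object { "[firewall] $($_.Name) Enabled=$($_.Enabled)" }
    # fixlist: bitsadmin /reset /allusers -> any surviving job is listed here
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        ForEach-Object { "[bits] $($_.DisplayName) owner=$($_.OwnerAccount) state=$($_.JobState)" }
    # fixlist deleted and re-created the local IPSec policy store; subkeys mean a policy exists
    $ipsec = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local'
    if (Test-Path $ipsec) { "[ipsec] local policy subkeys: $((Get-ChildItem $ipsec).Count)" }
}

function Get-OrphanedServices {
    # Services and drivers whose ImagePath no longer exists on disk, the pattern the
    # Fixlog flagged as 'mfeaack01; \Device\mfeaack01.sys [X]'.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $ip = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $ip) { return }
        $path = $ip -replace '^\\\?\?\\', '' `
                    -replace '^"([^"]+)".*$', '$1' `
                    -replace '^\\SystemRoot', $env:SystemRoot
        $path = ($path -split ' -| /')[0]          # heuristic: drop command-line arguments
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { "[orphan] $($_.PSChildName) -> $ip" }
    }
}

Get-ChromeInstallKeys
Get-ProxyState
Get-FirewallAndBits
Get-OrphanedServices
```

Entries under [orphan] are leads, not verdicts: a few legitimate services use unusual ImagePath forms the heuristic does not normalise, so compare each hit against the FRST.txt listing before drawing conclusions.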


FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so do not be alarmed).

When asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot; allow this.

On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

LAST >>>>

Malwarebytes' Anti-Malware
Please start Malwarebytes' Anti-Malware.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.

Once the program has loaded and updated, select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK.  When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.

Link to post
Share on other sites

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Home x64 
Ran by Geoffrey (Administrator) on Tue 08/02/2016 at 22:01:38.47

File System: 1 

Successfully deleted: C:\ProgramData\Start Menu\Programs\search.lnk (Shortcut) 

Registry: 0 

Scan was completed on Tue 08/02/2016 at 22:02:26.26
End of JRT log

# AdwCleaner v5.201 - Logfile created 02/08/2016 at 22:08:24
# Updated 30/06/2016 by ToolsLib
# Database : 2016-08-02.3 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Geoffrey - DESKTOP-K5P7BIT
# Running from : C:\Users\Geoffrey\Desktop\AdwCleaner.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : microsoft-office-word-viewer-2007.en.softonic.com
[-] [C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : abiword.en.softonic.com
[-] [C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\Geoffrey\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C1].txt - [1244 bytes] - [02/08/2016 22:08:24]
C:\AdwCleaner\AdwCleaner[S1].txt - [1283 bytes] - [02/08/2016 22:07:16]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1390 bytes] ##########

Malwarebytes Anti-Malware

Scan Date: 8/2/2016
Scan Time: 10:11 PM
Logfile: MalwarebytesLog.txt
Administrator: Yes

Malware Database: v2016.08.03.01
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Geoffrey

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 278110
Time Elapsed: 3 min, 31 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


Link to post
Share on other sites

Check Browsers' LNK  by Alex Dragokas & regist                                 ver. ( Beta )

OS:       x64 Windows 10 (Home), 10.0.10586, Service Pack: 0        (SM=Personal + SingleUserTS, PT=Workstation)
Time:     03.08.2016 - 06:10
Language: OS: English (0x409). Display: English (0x409). Non-Unicode: English (0x409). Codepage: OEM - c_437.nls (!) (Valid), ANSI - c_1252.nls (!) (Valid)
Elevated: Yes
User:     Geoffrey    (group: Administrator) on DESKTOP-K5P7BIT

* Suspicious objects will be marked with prefix >>>

                ((((((       Other shortcuts       ))))))

[______________________  Suspicious ( low risk )  ________________________]

-[*.URL] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT\ERUNT Homepage.lnk"   -> ["D:\ERUNT\ERUNT.URL"] -> hxxp://vvv.larshederer.homepage.t-online.de/erunt ( >>> ERUNT.exe exists <<< )

[_______________________  Target does not exist  _________________________]

>>>  "C:\Users\Geoffrey\Desktop\erunt-setup - Shortcut.lnk"  -> ["C:\Users\Geoffrey\Downloads\erunt-setup.exe"]

                 ((((((      Internet shortcuts       ))))))

[_________________________   Custom protocols   __________________________]

- "C:\Users\Geoffrey\Desktop\Road Not Taken.url"  ->                  steam://rungameid/293740

[____________________ Statistics ___________________]

Threats found:      1
Files listed:       4244 (folders: 2408, shortcuts: 161)
Time spent:         1 sec. (search: 1 sec.)

Been verified:
_____________________________ End of Log ________________________________4004 bytes, CRC32: FFFFFFFF. Sign: ᱋

Link to post
Share on other sites

Thank you for the Link Checking; everything appears to be fine.

All right!!  Your logs are clean and you're good to go now!!  We've got some final steps left to do to clean up our tools and get your system in good running condition and then you are on your way. Thanks. :cool:

Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here or here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

You are now done! :D :D:D:D

Now some information on programs to help keep you safe:

Along with Malwarebytes Antimalware, use the following as a base level security:

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have now-a-days. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Zone Alarm Free Firewall - installer includes foistware so read the options very carefully

=== options ====
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
How did I get infected in the first place?
COMPUTER SECURITY - a short guide to staying safer online


Please come back and paste the DelFix.txt log when you can. After that, if you have no more questions, you are good to go. Surf safe, my friend!!


Link to post
Share on other sites

# DelFix v1.013 - Logfile created 03/08/2016 at 21:15:27
# Updated 17/04/2016 by Xplode
# Username : Geoffrey - DESKTOP-K5P7BIT
# Operating System : Windows 10 Home  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Geoffrey\Desktop\Addition (1).txt
Deleted : C:\Users\Geoffrey\Desktop\Addition.txt
Deleted : C:\Users\Geoffrey\Desktop\AdwCleaner.exe
Deleted : C:\Users\Geoffrey\Desktop\AdwCleaner[C1].txt
Deleted : C:\Users\Geoffrey\Desktop\Fixlog.txt
Deleted : C:\Users\Geoffrey\Desktop\FRST.txt
Deleted : C:\Users\Geoffrey\Desktop\FRST64.exe
Deleted : C:\Users\Geoffrey\Desktop\JRT.exe
Deleted : C:\Users\Geoffrey\Desktop\JRT.txt
Deleted : C:\Users\Geoffrey\Desktop\rkill.exe
Deleted : C:\Users\Geoffrey\Desktop\Rkill.txt

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #3 [Restore Point Created by FRST | 08/02/2016 11:27:45]
Deleted : RP #4 [JRT Pre-Junkware Removal | 08/03/2016 03:01:38]
Deleted : RP #5 [In the middle of doing the malbytes forum protocol | 08/03/2016 03:41:15]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


Link to post
Share on other sites

  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.