Can't detect botnet, clock is ticking, need help!

Hello,

I am running a home network with four Windows 7 x64 PCs. I’ve recently gotten two warnings from Time Warner Cable about botnet traffic from my IP. I hoped they weren’t legit, but I recently got an automated CAPTCHA request from Google after a simple web search, quoting “unusual traffic from my IP,” and I think that settles it – there’s something here.

I have scanned every computer with:

Avast Free
Malwarebytes Anti-Malware
Malwarebytes Anti-Rootkit
Spybot S&D
McAfee Stinger
Kaspersky TDSS
Microsoft MSRT

Not one positive was found.

I had some results from using an Avast Rescue Disk on a USB stick on Computer #1. Unfortunately, Rescue Disk doesn’t tell you what it found (argh). So all I know is that some hundreds of infected files were repaired and a smaller number were deleted.

Running the same USB on Computer #2 on the network provided a list of 15K or so infected files. It’s hard to visually scan 15K file names, and they weren’t in the text log, but they appeared to be mostly “SafeOS.Mount” Windows system files and one online game installer (SWTOR). Selecting “Repair” returned the result that 0 files could be cleaned and froze up the utility. I couldn’t continue and delete the files.

Avast Rescue Disk won’t recognize Laptop #3’s hard drive. It uses Intel RST and a small 32 GB caching SSD to speed up the main drive, but apparently, this means the Rescue Disk can’t see the real HD without drivers. I don’t know how to resolve this problem.

Computer #4, I haven’t gotten to try the Rescue Disk yet.

What can I do to isolate the computer from which the botnet traffic is coming? I don’t even know if the Rescue Disk is finding anything relevant to the real problem. My wife works from home, and losing our Internet access, even for a short time, would be devastating.

Any advice on a further course of action would be deeply appreciated. I am willing to purchase paid software, but I cannot afford the $80-per-computer McAfee virus-removal service TWC is trying to foist on me.

I apologize for the lack of useful log files. Rescue Disk isn’t generating useful logs and no other program has returned a single hit on anything.

EDIT #1: The computers are connecting through a Netgear R6300 router to a Motorola SB6131 cable modem, both owned by me. There’s also an Ooma VoIP box connected to the router. No other device except for an iPhone was connected to the network when I got the Google pop-up, so I think the problem must be with the computers or devices described.
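One way to work on the “which computer is it?” question with what Windows 7 already ships, added here as an example and not part of anyone’s post in the thread: run `netstat -ano` on each PC, save the output to a file, and feed it to this script. It groups ESTABLISHED connections by owning process and flags a process that is talking to several remote hosts on one non-web port, the fan-out shape a bot’s command channel tends to have; the PID then leads back to the process in Task Manager. The sample netstat output, its addresses, ports and PIDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output in the Windows 7 layout; the
# addresses, ports and PIDs are made up for the example, not from the thread.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49152     203.0.113.5:443        ESTABLISHED     1204
  TCP    192.168.1.10:49153     198.51.100.7:6667      ESTABLISHED     3380
  TCP    192.168.1.10:49154     198.51.100.8:6667      ESTABLISHED     3380
  TCP    192.168.1.10:49155     198.51.100.9:6667      ESTABLISHED     3380
  TCP    192.168.1.10:49156     203.0.113.6:80         TIME_WAIT       0
  UDP    192.168.1.10:137       *:*                                    4
"""

# Proto, local address, foreign address, optional state (UDP rows have none), PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -ano` output into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:          # headers, blank lines and anything unparsable
            continue
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(":")   # keeps [IPv6] hosts whole
        rows.append({"proto": proto, "local": local, "rhost": rhost,
                     "rport": rport, "state": state or "", "pid": int(pid)})
    return rows


def fan_out_by_pid(rows, min_peers=3, ignore_ports=("80", "443")):
    """Map pid -> {remote port -> remote hosts} for processes holding
    ESTABLISHED connections to at least min_peers distinct hosts on one
    port. Ordinary web ports are skipped because browsers legitimately
    fan out that way; any other process doing it on another port is the
    one to inspect first."""
    peers = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if (r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
                and r["rport"] not in ignore_ports):
            peers[r["pid"]][r["rport"]].add(r["rhost"])
    return {pid: {port: hosts for port, hosts in ports.items()
                  if len(hosts) >= min_peers}
            for pid, ports in peers.items()
            if any(len(hosts) >= min_peers for hosts in ports.values())}


if __name__ == "__main__":
    for pid, ports in fan_out_by_pid(parse_netstat(SAMPLE)).items():
        for port, hosts in ports.items():
            print(f"PID {pid}: {len(hosts)} peers on port {port}: {sorted(hosts)}")
```

Run it once per machine on a saved netstat file rather than on the sample; a PC with no flagged process is not cleared by that alone, but one with a flagged non-browser process is where to start.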

Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Scroll down to the second picture (Farbar Recovery Scan Tool), run it as instructed and attach the two diagnostic logs.

Thank you very much for your quick response! Here are the requested logs. I’ll be online hammering away at this for as long as necessary this morning.

This scan was run on Computer #1 (mine). The others are #2 (wife’s), #3 (laptop/kid’s) and #4 (housemate).

I am seeing nothing at the moment on this system, so I am wondering whether the router is infected.

Let’s try a few small resets and see what happens… Are you noticing anything on the systems?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

I’ve been wondering if the router could be at fault, but I have no idea how to interact with it, except through its web interface.

I followed the steps you described. After running the FRST64 fix and rebooting, the computer locked up on the login screen with a nasty whine coming from the speakers – but a hard reset got it running again. Just mentioning in case it’s relevant to anything!

The logs should all be attached.

EDIT: As for symptoms – the only symptoms on my end have been:

  • two warnings from Time-Warner Cable about botnet activity
  • some positives from running Avast’s Rescue Disk on computers #1 and #2
  • earlier this morning, while troubleshooting, Google required me to complete CAPTCHAs to perform searches, notifying me that traffic from my computer was unusual

My Internet connection isn’t super-stable, and runs inexplicably slowly sometimes, but that might just be TWC being TWC.

The Google CAPTCHAs happened after the Rescue Disk positives got repaired/deleted, so if that’s a legitimate symptom, the problem hasn’t been resolved yet.

Since I haven’t noticed any signs of botnet activity myself, it may prove difficult to know if I’ve fixed it…

“but I have no idea how to interact with it,”
What is the make and model?

EDIT: Missed the info above.

“Netgear R6300 router to a Motorola SB6131 cable modem, both owned by me. There’s also an Ooma VoIP box connected to the router.”

Somewhere on the router will be a small pinhole marked reset.
Using a biro, press the switch inside the pinhole and then release it.
After the router has reset, it will be a matter of waiting again, I am afraid.

http://setuprouter.com/networking/how-to-reset-your-router/

I don’t quite understand – waiting for what? Not sure if you mean “for the router to reset” or “for TWC to send another warning” or something else. I’ve been up all night working on this, I may be a bit dense. :)

I can provide similar logs from the other three computers on this network and perform similar steps if you think that might help identify the culprit or further narrow down the cause to the router.

I’ll edit this post when I’ve been able to reset the router. Wife’s at her online job, but I will do so ASAP. Thank you again for helping me look into this.

EDIT: I have reset the router successfully. All settings appear to have reverted to their defaults and I can connect to the Internet.

You will need to wait for another warning from your ISP… But, if you wish, I could look at the other systems, one at a time.

I appreciate your continued help! I’m a bit concerned that the third warning might come with a quarantine, and that wouldn’t be fun.

Here are the FRST logs from the laptop. (It’s the one I haven’t been able to scan with the bootable USB rescue disk, since the rescue disk can’t see the main hard drive, only the caching SSD.)

Again, looks OK.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

Here are the logs from the laptop…

How often was your ISP informing you of botnets?

I received identical warning E-mails on July 1 and 6, and got the Google warnings/CAPTCHA requests early yesterday morning, July 9, while troubleshooting. Other than that, I haven’t had any specific evidence of infection. (Except for whatever Avast Rescue Disk found and fixed/deleted on 2 of the 4 computers.)

On the ones I have looked at, there were no apparent botnet signs showing at all.

That’s good! Are we pretty sure resetting the router eliminates any chance the router could be infected? I applied a firmware update after the TWC warnings that had been available for a while – maybe there was a vulnerability there…

Here’s the next set of FRST logs, from the wife’s work computer. If these last two computers turn up nothing, I’ll give up and see if any more warnings arrive.

At the moment, after looking at the logs, I would lean to an infected router.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-1633599915-3026970425-1524807270-1006 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKU\S-1-5-21-1633599915-3026970425-1524807270-1018 -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
CHR HomePage: Profile 3 -> hxxp://search.conduit.com/?gd=&ctid=CT3323897&octid=EB_ORIGINAL_CTID&ISID=MB3CD9896-2E76-441F-ABD1-6CB26C6AB59E&SearchSource=55&CUI=&UM=5&UP=SP1CB79EBA-EE96-483C-AA28-A309B710F687&SSPV=
C:\ProgramData\hash.dat
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

Here are the FRST fixlog and AdwCleaner logs from computer #3 of 4.

Any further detections yet?

Nothing new from TWC or any of my antivirus so far.

Here are the FRST logs from the last computer in the house, #4… it’s a much older machine.