Norton activity message

Status
Not open for further replies.

jammerjim

New Member
Thread author
Apr 28, 2023
4
On 4/25 in the evening I was on some dodgy website and I guess it snagged me because that was when this started.

Every 30 minutes I receive a series of three messages from Norton saying it has blocked an intrusion attempt. "We blocked an attack from System: Infected: Miner.Bitcoinminer Activity X. No further action is required.".

Clicking on details provides the information "system infected: miner.bitcoinminer activity X". X is always either 9, 27, or 7, and in that order. The attacking computer IP is always the same (192.242.218.232, 443). Further, the message says "network traffic from 192.242.218.232 matches a known attack. the attack resulted from \device\harddiskvolume3\windows\explorer.exe"

Looking further into history, I see notifications that that address was blocked for 30 minutes. So I suppose it attacks, gets blocked, and then when the 30 minutes are up attacks again?

I ran Smart Scan, and then Deep Eraser. No hits. Then I proceeded to search for those messages, and proceeded to download and run assorted software, including stuff suggested here. I've tried (in no particular order): Malwarebytes, RogueKiller, HitmanPro, ESET, Avast, Bitdefender, Microsoft's Malicious Software Removal Tool, CCleaner, ADWCleaner, and Sophos.

Nothing identified anything suspicious, aside from a few cookies (removed).

I should add that occasionally in the last few months (and also after this issue started) I have received a message about suspicious amounts of network traffic, but I do have a cloud backup set up.

So I have run FRST, attaching the files. Also ran FSS, and attaching that file. And...heck I'll attach all the logs I have handy.

Thank you for your assistance.
 

Attachments

  • FRST.txt (72.2 KB)
  • Addition.txt (85.6 KB)
  • Rkill.txt (2 KB)
  • HitmanPro_20230427_1832.log (2.4 KB)
  • FSS.txt (3 KB)

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
537
Hello..! Welcome to MalwareTips..!

I ran Smart Scan, and then Deep Eraser. No hits. Then I proceeded to search for those messages, and proceeded to download and run assorted software, including stuff suggested here. I've tried (in no particular order): Malwarebytes, RogueKiller, HitmanPro, ESET, Avast, Bitdefender, Microsoft's Malicious Software Removal Tool, CCleaner, ADWCleaner, and Sophos.

This is a gross mistake..! That's not how it's done..! To help you please remove all the arsenal you have used. Keep only one antivirus program of your choice. Please use:

STEP 1 :
  • Download KpRm and save it to your Desktop (see here if you must use Chrome)
  • Note: If the file is detected as malware it is not and it is safe to download. The detection is a false positive.
  • Right click on the icon and select Run as administrator
  • Click Yes on the Disclaimer
  • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
  • Click Run
  • Click OK on All operations are completed
  • KpRm will delete itself from your Desktop and you can either save or remove the report that is generated
  • You are free to remove any other tools/reports still remaining
  • Please copy and paste its contents in your next reply.

STEP 2 :

Uninstalling Programs Using Revo Uninstaller Free Portable

  • Download Revo Uninstaller Free Portable and save it to your Desktop
  • Right click on the folder and select Extract All..., then click Extract
  • Double click on the RevoUninstaller-Portable folder
  • Right click on RevoUPort and select Run as administrator
  • Click OK on the License Agreement
  • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists)
  • If the program's uninstaller appears work through the steps to remove the program(s)
  • Be sure the Advanced option is selected then click Scan
  • For each window that may appear identifying leftover items click Select All, Delete, then confirm the deletion
  • Once done click Finish
  • Reboot your computer

STEP 3 :

Scanning with SecurityCheck by glax24


  • Download SecurityCheck by glax24 from here and save the tool to the desktop.
  • Run the program by right-clicking it and selecting Run as administrator
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Copy the contents of this file to your next post
  • You can find this file in the root of the system disk in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
537
Do you still need help..? If you have not replied within 24 hours I will assume you have abandoned the Topic and it will be closed..!
 

jammerjim

New Member
Thread author
Apr 28, 2023
4
KpRm did not direct me to remove anything. Report:

# Run at 5/1/2023 4:13:20 PM
# KpRm (Kernel-panik) version 2.13.0
# Website https://kernel-panik.me/tool/kprm/
# Run by Jammer from C:\Users\Jammer\Desktop
# Computer Name: JAMMERJIM
# OS: Windows 10 X64 (19044) (10.0.19044.0)
# Number of passes: 1

- Checked options -

~ Delete Tools
~ Create Restore Point
~ Delete Quarantines after 7 days

- Delete Tools -

FYI, in the interim I have removed Bonjour, Zemana, Malwarebytes, and Freefixer.

Security check report:


SecurityCheck by glax24 & Severnyj v.1.4.0.54 [06.12.21]
WebSite: www.safezone.cc
DateLog: 01.05.2023 13:03:07
Path starting: C:\Users\Jammer\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Jammer
VersionXML: 10.54is-30.04.2023
___________________________________________________________________________

Windows 10(6.3.19044) (x64) Professional Release: 2009 Lang: English(0409)
Installation date OS: 14.09.2021 10:13:09
LicenseStatus: Windows(R), Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [930.9 Gb] Used: [425.9 Gb] Free: [505 Gb]
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 3)
Norton WSC Service (nsWscSvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
Account guest is enabled. Not require a password.
---------------------------- [ Antivirus_WMI ] ----------------------------
Malwarebytes (disabled and up to date)
Windows Defender (disabled and up to date)
Norton 360 (enabled)
---------------------------- [ Firewall_WMI ] -----------------------------
Norton 360
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.5.27.262 v.4.5.27.262
Norton 360 v.22.23.3.8
-------------------------- [ SecurityUtilities ] --------------------------
Zemana AntiMalware version 3.2.28 v.3.2.28
--------------------------- [ OtherUtilities ] ----------------------------
Git v.2.40.1
Microsoft Office Home and Student 2019 - en-us v.16.0.16227.20280 Warning! Download Update
How Install Office updates?
NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112
Python 3.10.6 (64-bit) v.3.10.6150.0 Warning! Download Update
Steam v.2.10.91.91
Intel® Driver & Support Assistant v.23.1.9.7
------------------------------- [ Backup ] --------------------------------
Microsoft OneDrive v.23.076.0409.0001 [+]
------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.07 (x64) v.21.07 Warning! Download Update
Uninstall old version and install new one.
7-Zip 22.01 (x64 edition) v.22.01.00.0
------------------------------- [ Imaging ] -------------------------------
IrfanView 4.62 (64-bit) v.4.62
---------------------------- [ ProxyAndVPNs ] -----------------------------
NordVPN v.7.7.5.0
-------------------------------- [ Media ] --------------------------------
Audacity 3.3.0 v.3.3.0 Warning! Download Update
VLC media player v.3.0.18
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat (64-bit) v.23.001.20143
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 en-US) v.112.0.2
Google Chrome v.112.0.5615.138
Microsoft Edge v.112.0.1722.64
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird (x64 en-US) v.102.10.1
------------------ [ AntivirusFirewallProcessServices ] -------------------
Malwarebytes Service (MBAMService) - The service has stopped
Norton Security (NortonSecurity) - The service is running
C:\Program Files\Norton Security\Engine\22.23.3.8\NortonSecurity.exe v.17.2.3.65
Microsoft Defender Antivirus Service (WinDefend) - The service has stopped
Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
FreeFixer v.1.19 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
----------------------------- [ End of Log ] ------------------------------
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
537
FYI, in the interim I have removed Bonjour, Zemana, Malwarebytes, and Freefixer.


Please follow the following instruction ..:

Download Farbar Recovery Scan Tool and save it to your desktop. --> IMPORTANT

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.
If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
---------------------------------------------------

In your next reply, please include:
  • FRST.txt
  • Addition.txt
 

jammerjim

New Member
Thread author
Apr 28, 2023
4
I will say things have been quiet this morning. Last warning message was at ~10:18AM.
 

Attachments

  • Addition.txt (58.5 KB)
  • FRST.txt (93.2 KB)

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
537
Hello..! :)

Farbar Recovery Scan Tool - Fix

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone


Please download the attached file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.


In your next reply, please include:
  • Fixlog.txt
 

Attachments

  • fixlist.txt (3.5 KB)

jammerjim

New Member
Thread author
Apr 28, 2023
4
I may have gotten this solved via some local assistance. We found and removed unsigned files in a WindowsMalwareProtection directory. The messages have stopped. I'm not sure that I should run your fix as things stand. Should I run another scan for you first?
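The resolution above (unsigned files in a directory named WindowsMalwareProtection, removed by hand) is the typical shape of a coinminer dropper: a Windows-sounding folder, unsigned binaries, and some persistence entry that relaunches them. Before deleting such files it is worth recording what they were and what started them, so the hashes can be checked and the persistence does not bring them back. The PowerShell below is an added example, not code from the thread; the directory name comes from the post, but its location was never given, so the search roots and the search depth are assumptions, and the script only reports and never deletes.

```powershell
# Added example, not from the thread: triage a suspect directory by name.
# $DirName is taken from the post; the roots and depth are assumptions because
# the post never said where the folder lived. Nothing here deletes anything.
$DirName = 'WindowsMalwareProtection'
$Roots   = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA,
             $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)

function Find-SuspectDirs {
    # Directories with the suspect name under each root, a few levels deep.
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
        Get-ChildItem -Path $root -Directory -Recurse -Depth 3 -Filter $DirName -ErrorAction SilentlyContinue
    }
}

function Get-FileTriage {
    param([string]$Dir)
    # Signature status, signer, timestamps and SHA-256 for every file, so the
    # evidence survives removal and hashes can be looked up afterwards.
    Get-ChildItem -Path $Dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File    = $_.FullName
            Size    = $_.Length
            Created = $_.CreationTime
            Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
    }
}

function Find-Persistence {
    param([string]$Dir)
    # Scheduled tasks and Run/RunOnce values whose command references the directory.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -like "*$Dir*") {
                [pscustomobject]@{ Kind = 'Task'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$Dir*") {
                [pscustomobject]@{ Kind = 'Run'; Name = "$key\$($p.Name)"; Command = $p.Value }
            }
        }
    }
}

foreach ($d in Find-SuspectDirs) {
    "== $($d.FullName) =="
    Get-FileTriage   -Dir $d.FullName | Format-Table -AutoSize
    Find-Persistence -Dir $d.FullName | Format-Table -AutoSize
}
```

Run it elevated so HKLM and Program Files are readable. Services (Get-Service plus the ImagePath values under HKLM:\SYSTEM\CurrentControlSet\Services) and WMI event subscriptions are further places a miner can persist and are not covered here. The point of hashing before removal is exactly the situation in this thread: once the files are gone, the only way to tell a helper what was actually on the box is the hash list.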
 

icotonev

Super Moderator
Verified
Staff Member
Mar 9, 2017
537
I'm not sure that I should run your fix as things stand.

I'm sorry..! Topic is closing ..!

 
