miner.Bitcoinminer activity 7 and 9 detected from norton


For a couple of weeks I've always been getting a bitcoin miner activity warning from my Norton, and even though I used the Power Eraser and Malwarebytes, the message is still popping up.
My PC is also quite slow since then, so I guess there is a connection. I would like to get help solving this issue.

Thank you

Addition_31-07-2018 20.21.18.txt

FRST_31-07-2018 20.21.18.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Let me know if the problem persists.

fixlist.txt


Hi,

Could this be just a Norton notification?
If that is the case, disable it.
https://www.howtogeek.com/291934/how-to-disable-nortons-notifications-and-bundled-software/

If not, can you post the message you received from Norton, or an image if you can.

I will be here all weekend.
Send me a Personal Message and post a reply.


--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

Hi,

What I was expecting to see was some references to
the IP addresses at:
159.60.0.20 port 450

or  port 49975.

As detailed in the Norton Image.
===

There is a reference to
Log2.systemlog.Host ....

I'm wondering if this is not the entry in the HOSTS file.

Find the Hosts file on your computer (it has no extension).
How to: https://www.thewindowsclub.com/hosts-file-in-windows

It may be hidden by the operating system.
Unhide files/folders Windows.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Open it with Notepad.

If you find any references to 159.60.0.20, delete all the lines associated with that IP address.
Save the file and restart the computer.
===

If the problem persists continue.

On the Norton Image there is also a reference to 192.168.1.109 port 4997.

Open Internet Explorer (IE)
On the Menu select Tools > Internet Options > Connection

Select: LAN Settings

The "Automatically detect settings" box should be checked.

Under Proxy server, remove the check mark, and if you see port no. 450 or 4997, remove it.
Click the OK button.

Exit IE and restart the computer normally.

Keep me posted.


 

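The two manual checks above (lines in the HOSTS file that point at a given IP, and a proxy entry on an unexpected port) can be scripted so a defender can verify them against a saved copy of the file and the ProxyServer value. This is an added example, not code from the thread or from the Farbar/Norton tools; the HOSTS content is constructed, and the watched ports 450 and 4997 are the ones named in the post.

```python
import ipaddress
import re

# Constructed sample HOSTS file (not the poster's file) mixing normal and suspect lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
159.60.0.20     pool.example.invalid   # non-loopback mapping added by something
159.60.0.20     stratum.example.invalid
"""


def parse_hosts(text):
    """Return (line_no, ip, [hostnames]) for each active mapping; comments are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # normalises v4/v6 spelling
        except ValueError:
            continue  # not an address-to-name mapping
        entries.append((no, str(ip), parts[1:]))
    return entries


def find_ip_references(text, suspect_ip):
    """Lines mapping any hostname to suspect_ip: the ones the post says to delete."""
    suspect = str(ipaddress.ip_address(suspect_ip))
    return [e for e in parse_hosts(text) if e[1] == suspect]


def remove_ip_references(text, suspect_ip):
    """Return the HOSTS text with every line referencing suspect_ip removed."""
    bad = {e[0] for e in find_ip_references(text, suspect_ip)}
    kept = [l for no, l in enumerate(text.splitlines(), start=1) if no not in bad]
    return "\n".join(kept) + "\n"


def suspicious_proxy_ports(proxy_server, ports=(450, 4997)):
    """Parse a WinINET ProxyServer value, either 'host:port' or
    'http=host:port;https=host:port', and return (scheme, host, port) hits
    whose port is in the watch list (450 and 4997 come from the Norton image)."""
    hits = []
    for item in proxy_server.split(";"):
        scheme, _, hostport = item.strip().rpartition("=")  # scheme '' for plain form
        m = re.match(r"^(.+?):(\d+)$", hostport)
        if m and int(m.group(2)) in ports:
            hits.append((scheme or "all", m.group(1), int(m.group(2))))
    return hits
```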

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

If the problem persists after a restart of the computer continue.

Run the Farbar program one more time as an Administrator.

In the Search text area, copy and paste the following:
159.69.0.20
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====

If nothing is found reset your Router.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html


 

fixlist.txt


The registry scan didn't find anything.

Farbar Recovery Scan Tool (x64) Version: 02.08.2018
durchgeführt von cedi (11-08-2018 16:25:16)
Gestartet von C:\Users\cedi\Downloads
Start-Modus: Normal

================== Registry-Suche: "159.69.0.20" ===========


====== Ende von Suche ======


Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:

createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b

Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

