Norton activity message: Miner.Bitcoinminer Activity [X]

[Jammerjim]

On 4/25 in the evening I was on some dodgy website and I guess it snagged me because that was when this started.

Every 30 minutes I receive a series of three messages from Norton saying it has blocked an intrusion attempt. "We blocked an attack from System: Infected: Miner.Bitcoinminer Activity X. No further action is required.".

Clicking on details provides the information "system infected: miner.bitcoinminer activity X". X is always either 9, 27, or 7, and in that order. The attacking computer IP is always the same (192.242.218.232, 443). Further, the message says "network traffic from 192.242.218.232 matches a known attack. the attack resulted from \device\harddickvolume3\windows\explorer.exe"

Looking further into history, I see notifications that that address was blocked for 30 minutes. So I suppose it attacks, get blocked, and then when the 30 minutes are up attacks again?

I ran Smart Scan, and then Deep Eraser. No hits. Then I proceeded to search the internet for those warning messages, and proceeded to download and run assorted software. I've tried (in no particular order): Malwarebytes, RogueKiller, HitmanPro, ESET, Avast, Bitdefender, Microsoft's Malicious Software Removal tool, CCCleaner, ADWCleaner, and Sophos.

Nothing identified anything suspicious, aside from a few cookies (removed). I have seen two copies of explorer running, one with a very strange command line that basically looks like gibberish.

I should add that occasionally in the last few months (and also after this issue started) I have received a message about suspicious amounts of network traffic, but I do have a cloud backup set up, and when i would look, I saw nothing odd in terms of uploading.

 

At some point yesterday I began receiving only two messages, for activity 25 and 7.

So I have run FRST, attaching the files. Also ran Malwarebytes scan again, log attached..

Thank you for your assistance.

 

Addition.txt FRST.txt mbrpt.txt

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.
• Do please keep in mind I am a volunteer here.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

[Jammerjim]

Thank you, attaching MBST log.

mbst-grab-results.zip

[Maurice Naggar]

Quote

I ran Smart Scan, and then Deep Eraser. No hits. Then I proceeded to search the internet for those warning messages, and proceeded to download and run assorted software. I've tried (in no particular order): Malwarebytes, RogueKiller, HitmanPro, ESET, Avast, Bitdefender, Microsoft's Malicious Software Removal tool, CCCleaner, ADWCleaner, and Sophos.
 

Please do NOT any further runs, adjustments, installs, de-installs, or in general do anything on your own without checking with me first.

 

[Jammerjim]

3 minutes ago, Maurice Naggar said:

Please do NOT any further runs, adjustments, installs, de-installs, or in general do anything on your own without checking with me first.

 

Check. That was all from *before* I came here.

[Maurice Naggar]

It will be some 50 minutes to an hour or so before I have a customized script for what ails this box. Meantime, kindly no web surfing, no social media, no games, no shopping or banking. Only use just 1 web browser, one you believe is least messed up. And have patience pls. There is not a single-magic-bullet fix all

[Maurice Naggar]

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

( 2 )

Next action step:
Disable ( turn OFF ) Fast Startup

https://www.windowscentral.com/how-disable-windows-10-fast-startup
Then restart the computer

( 3 )

What follows is just the beginning first steps. We will be doing several tasks over several rounds. Please have lots of patience.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.

NOTES: This system currently has 2 definite threats, which hopefully this run will remove,

Some sort of rogue program WindowsMalwareProtection + a rogue task "ConfigSecurityPolicy".

This machine has way too many auto-started / auto-launched applications.
This machine looks like it has way too many installed "antivirus" programs. I mean the ones installed as programs.
You will need to settle on just one. Either one you have paid for. Or else I would suggest Microsoft Defender.
Having so many installed antivirus / security apps will & does lead to "friendly GRIDLOCK" at the worst time. We will need to address that later

[Jammerjim]

I cannot locate a FRSTENGLISH.EXE.  I do have FRST64.exe

[Jammerjim]

Oops NVM, I found it. This is not my week. Okay about to run it.

[Jammerjim]

seddfNot sure fix completed fully. Had to manual restart, got a memory allocation error warning box.

[Jammerjim]

Fixlog.txt Log file, dunno why it did not load earlier.

[AdvancedSetup]

Hello @Jammerjim

Please find and upload the following files

C:\Users\Jammer\Desktop\29.04.2023_15.56.40.zip

 

Then run the following scan

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

[Maurice Naggar]

Hello, Good morning JammerJIm. I'd like to know, what is the current status?
and have you completed the MS MSERT Safety Scanner run ?
and I am looking for you to attach the zip file from your desktop named

29.04.2023_15.56.40.zip

I also want to know if Norton is ( today) showing warning of "miner.bitcoinminer" ??

Edited April 30 by Maurice Naggar

[Jammerjim]

MSRT started one hour ago. Zip file too big to upload to forum. Still have problems posting here.

[Jammerjim]

Still getting miner messages. Posting from my phone, so it's harder to reply right. Hope you and Advanced Setup have received my messages.

[Maurice Naggar]

• If a report or the ZIP I asked for,  is too big you can upload here > https://wetransfer.com/
• and then provide me the link for that on wetransfer
• IF the MSRT safety scanner is still running, then pls just allow it to finish on its own time & pace
• IF what you see is on screen 

  IPS spam blocked

  while typing a reply or the like, do not worry. There is a flaw on this board where that blurb is shown on screen.....however it does not prevent one from posting

• What I am now looking for is the result from the Safety Scanner run. We will need to do more later.

[Jammerjim]

MSRT completed. Log attached. Wetransfer link for zip file. Still getting miner messages. Did you see my DM about an autolt memory allocation error yesterday? I am concerned that messed up the FRST run yesterday.

The posting error I get is different from what you describe. When I hit the submit reply button I get a popup saying something about how my reply looks like spam, try changing the wording or submit an error report. Then for a while it doesn;t matter what I type, I get the same message and dumped back to the thread. Very annoying.

msert.log

[Maurice Naggar]

Hello @Jammerjim I got the wetranser zip file. Thanks. As to any direct message ? pm from you, I did not get one from you. Could you please look now to see if there is any form of any other  "fixlog" on your system?

From what you say here, I think it looks like I will need to divide my custom fic script into different separate pieces.

[Maurice Naggar]

What follows is just the beginning first steps. I am making smaller script for this machine. If you see a old copy of Fixlist.txt on the Downloads folder, then delete that Fixlist.txt

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.

[Jammerjim]

There is an empty, zero-byte fixlog.txt here: C:\Users\Jammer\AppData\Local\FreeFixer\logs, dating from 4/26, when I was flailing around on my own trying to fix this. Will now start next FRSTENGLISH run.

 

 

[Jammerjim]

FRST finished. I guess. I saw several messages from Norton about blocking this or that action from FRST along the way. Several automatic restart attempts, then Windows complained about not starting correctly, tried "exit and continue to Windows" first and that did not work, eventually went with "attempt repairs", it did a disc scan, said "attempting repairs" and then finally restarted all the way. Log attached.

Fixlog.txt

[Maurice Naggar]

Speaking very frankly, that last set of statements has a jarring effect. Tell me, do you know how to turn OFF all Norton protections ?

It looks like we will need to do that just before any upcoming other custom run. Every Norton user should know things like how to temporarily turn off the real-time protections of Norton. It is typically done via a step or two.

This article is a guide https://www.lifewire.com/disable-norton-antivirus-4589389

we will want to pick the option to turn off ""Until system restart""

Then, once you have insured to have completed that step, we need to do this other custom-fix-run using FRSTENGLISH

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program :  is FRSTENGLISH.exe is already on this machine

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.

[Jammerjim]

Sorry, but the instructions did not tell me to turn those things off. I'm trying not to do anything unless you say so.

Next problem: FRSTENGLISH.exe is no longer on my machine. I did not do anything to it. I only noticed it when I went to run it with the new Fixlist. Re-run FRST64 or is there another place to download?

[Maurice Naggar]

Please go deliberate & careful. A:  I need you to be sure to temporarily turn off NORTON just like that article shows, to turn it off until next Restart of Windows.

B. If you do not see FRSTENGLISH  but you do see FRST64.exe  then I need you to save my last Fixlist to the same folder as where FRST64 is and, then, to run the custom run but you will instead launch FRST64  and only after that, click its Fix button.

again, we gotta be sure Norton is OFF

[Jammerjim]

Followed the directions n the article, but missed something called Dataprotect, so still saw messages about blocking actions. Restart was smooth, however, and got the official "All done" from FRST.

Try again after hunting that Dataprotect thing down? Sorry for the trouble. I was a programmer back in the day, I'm not used to being the dumb user. It's not fun.

Fixlog.txt