Maurice Naggar Posted April 30, 2023 ID:1565240

Thanks for the Fixlog. That is a good run. Let us not do any other steps at this point. Just wait (for the rest of today & maybe tomorrow) to see if Norton makes a new claim of "coinminer pest".

What you can do is this scan with Adwcleaner. Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browsers, are closed. It will not take much time.

First download & save it: guide & download link
Then be sure to close all web browsers after the download & before launching the tool.
Then go to where the EXE file is saved. Start Adwcleaner.
Then do a scan with Adwcleaner: Guide article
Attach the clean log from Adwcleaner when all completed.
Jammerjim Posted April 30, 2023 Author ID:1565246

Have already seen coinminer message once. Will continue to monitor. Adwcleaner logs attached. One with Norton on, one with autoprotect and firewall off.

Attachments: AdwCleaner[C00].txt, AdwCleaner[C01].txt
Jammerjim Posted May 1, 2023 Author ID:1565265

The messages continued to show up all night. I'm going to sleep now, but we need to try again.
Maurice Naggar Posted May 1, 2023 ID:1565305

One must ask: do you have some log from the Norton program that has details? If so, I suggest that you attach that log if possible so that I can see it.

Secondly, have you contacted Norton support to ask about this? I honestly suggest you do do that.

Meanwhile, since this pc has Malwarebytes, you should be able to run this on-demand scan. Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.

Next, the Malwarebytes sca
Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next, click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Maurice Naggar Posted May 1, 2023 ID:1565317

NOTE: As I look back on your topmost post (the original), you copied the text of the Norton advisory message. The message did say "No further action is required."

Edited May 1, 2023 by Maurice Naggar
Jammerjim Posted May 1, 2023 Author ID:1565340

While it is true it says no further action required, I saw indications out there that maybe some further action *was* required. I don't have them handy, but there were people who got the messages to stop. You yourself felt there were a couple of rogue processes, and I've seen an explorer.exe process with a weird command line that looks like a long string of random letters.

I've dug into the Norton settings and I'm pretty sure I can disable the Deep protect function that may have interfered with the last FRST run.

I guess I haven't tried resetting my browsers, but the message has appeared even after a reboot where no browser has been opened.

Attachments: mb scan report.txt, norton Recent History.txt
Jammerjim Posted May 1, 2023 Author ID:1565344

Before you go to the trouble of setting up another Fixlist, let me try running Zemana Antimalware (suggested via a Norton forum post). It's already claiming to have found some things, and I'll try to reset my browsers and we'll see what happens. That will probably take another hour.
Root Admin AdvancedSetup Posted May 1, 2023 ID:1565347

Would like to also see the following @Jammerjim

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If Microsoft SmartScreen blocks the download, click through to save the file.
This tool is safe. SmartScreen is overly sensitive.
If SmartScreen blocks the file from running, click on More info and Run anyway.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you
Jammerjim Posted May 1, 2023 Author ID:1565363

Have run Zemana and Security Check. Report attached. Note that the Zemana one is actually three reports. Could not find its log file; did a copy paste from the application display.

Reset the browsers. Still getting the messages.

Did look over on the Norton forums and while I have not exhausted the search there or posted yet, I haven't seen much different in terms of apps. Some people suggest coming here.

Attachments: SecurityCheck.txt, Zeman Reports.txt
Maurice Naggar Posted May 1, 2023 ID:1565373

Norton Security version 22.23.3.8 / Norton360 is the resident antivirus & firewall on this box.

I am listing here the highlighted apps from the SecurityCheck report that need your follow-up & attention. Along with 2 apps to uninstall.

Microsoft Office Home and Student 2019 - en-us v.16.0.16227.20280 Warning! Download Update. How Install Office updates?
Python 3.10.6 (64-bit) v.3.10.6150.0 Warning! Download Update
7-Zip 21.07 (x64) v.21.07 Warning! Download Update. Uninstall old version and install new one.
Audacity 3.3.0 v.3.3.0 Warning! Download Update
Bonjour v.3.1.0.1 Warning! Your pc does not need it. Uninstall.
FreeFixer v.1.19 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. Computer experts no longer recommend this program.
Jammerjim Posted May 1, 2023 Author ID:1565376

Office updated. Python updated. 7-Zip uninstalled and replaced with new. Audacity updated. Freefixer removed. Bonjour removed.
Root Admin AdvancedSetup Posted May 1, 2023 ID:1565401

How is the computer running now? Are there still any signs of infection?
Jammerjim Posted May 1, 2023 Author ID:1565406

I still get the messages every 30 minutes or so. I really haven't noticed any performance issues, but I also haven't been doing anything to push it.
Solution Maurice Naggar Posted May 1, 2023 ID:1565450

I am going to list a number of suggestions here. Plus remember that the Norton is super fussy with its protections. So that IF it interferes with a process or task or report, remember the steps that were needed to get it temporarily turned off.

A. This article is a guide: https://www.lifewire.com/disable-norton-antivirus-4589389
We will want to pick the option to turn off "Until system restart".

plus, step B. Turn off Dataprotect in Norton.

Here is what I would suggest you do. This is a good point to emphasize not playing online games or games in general, while the case is on-going.

I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications. Apply these principles now from the following How-to:
How to perform a clean boot in Windows https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

( 2 ) After the Windows restart, create an Autoruns log:

Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
Once it starts you may not be able to easily stop the scan, but you can try to press the Escape key on your keyboard.
Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options...
Then place a check mark on the following items: Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images.
Then click the Rescan button. Agree to the VirusTotal EULA.
Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you saved it, hover your mouse over Send To and select Compressed (zipped) Folder.
Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

( 3 ) You have FRST64.exe on the Desktop.

RIGHT-click on FRST64.exe and select Run as Administrator and tap ENTER. And reply YES to allow to proceed.
When the tool opens, click Yes to the disclaimer.
And be very sure to TICK the box for Addition.txt.
Look close on the "Whitelist section" and UN-Tick the box "Services".
Press the Scan button.
It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run.
Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed).
Close Notepad IF those show up on Notepad.
Just please attach the 2 files FRST.txt + Addition.txt with your next reply.
Jammerjim Posted May 2, 2023 Author ID:1565483

Okay, got all that. I'm pretty tired right now so I'll work on this tomorrow morning (Tuesday). Thanks for sticking with me.
Jammerjim Posted May 2, 2023 Author ID:1565604

Okay, here we go.

Attachments: JAMMERJIM.zip, Addition.txt, FRST.txt
Jammerjim Posted May 2, 2023 Author ID:1565622

I will say things have been relatively quiet this morning. Last warning message was at ~10:18AM, and nothing like that in my Norton history. Zemana Antimalware found some stuff buried in Mozilla and removed it, before I uninstalled Zemana to simplify things. But it did that more than once over the past few days and I still had the message, so I'm not assuming things are clear.

I'm thinking I should go into my router/firewall and hard block that IP, just to be sure.
Maurice Naggar Posted May 2, 2023 ID:1565638

A. This article is a guide: https://www.lifewire.com/disable-norton-antivirus-4589389
We will want to pick the option to turn off "Until system restart".

plus, step B. Turn off Dataprotect in Norton.

C. Please run the following custom script. Read all of this before you start.

Please close all open work.
Farbar program: FRSTENGLISH.exe is already on this machine.
Please download the attached fixlist.txt file and save it to the Downloads folder: Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRSTENGLISH and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.
RIGHT-click on FRSTENGLISH and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !!
NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.
Jammerjim Posted May 2, 2023 Author ID:1565645

Gotcha. Meeting until 3:15, will run after.
Jammerjim Posted May 2, 2023 Author ID:1565670

Ran smoothly.

Attachment: Fixlog.txt
Maurice Naggar Posted May 2, 2023 ID:1565674

This run invoked the Windows System File Checker & it made some corrections:
Windows Resource Protection found corrupt files and successfully repaired them.

And the last traces of the rogue task "ConfigSecurityPolicy" are all gone.

Please do this special search. There is the FRST64.exe tool in the Downloads folder. We will use that to do a search.

Find & then start FRST64.
Type the following (better yet, use COPY then Paste) into the search box exactly as shown, then press the Search Files button:

SearchAll: WindowsMalwareProtection

Please wait while the program searches for all entries relating to this. When done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.
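
A read-only PowerShell cross-check of the two names in the post above, added here as an example (it is not part of the original thread and is not how FRST works): it lists each scheduled task's executable with its Authenticode status and flags entries containing either name. The pattern list and the output column names are choices made for this example.

```powershell
# Added example: read-only audit of scheduled tasks. It changes and deletes nothing.
# Run from an elevated PowerShell prompt so that every task is visible.

# Name fragments taken from this thread; edit the list for other cases.
$patterns = @('ConfigSecurityPolicy', 'WindowsMalwareProtection')

$report = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute value; only Exec actions launch a file.
        if (-not $action.Execute) { continue }

        # Task actions may use %SystemRoot%-style variables and quoted paths.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

        # Resolve bare names such as "cmd.exe" through PATH.
        $path = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $path = $exe
        } else {
            $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1
            if ($cmd) { $path = $cmd.Path }
        }

        $signature = if ($path) {
            (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        } else {
            'FileNotFound'
        }

        # Match the patterns against task name, executable and arguments together.
        $haystack = "$($task.TaskPath)$($task.TaskName) $exe $($action.Arguments)"
        $hit = $patterns | Where-Object { $haystack -like "*$_*" }

        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Execute   = $exe
            Arguments = $action.Arguments
            Signature = $signature
            Matched   = ($hit -join ',')
        }
    }
}

# Show pattern matches first, then anything that is not validly signed.
$report |
    Sort-Object @{ Expression = { [bool]$_.Matched }; Descending = $true },
                @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

A row with a filled `Matched` column or a `Signature` other than `Valid` is something to raise with the helper, not to delete on your own.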
Jammerjim Posted May 2, 2023 Author ID:1565676

Completed.

Attachment: Search.txt
Maurice Naggar Posted May 2, 2023 ID:1565679

One new run.

A. This article is a guide: https://www.lifewire.com/disable-norton-antivirus-4589389
We will want to pick the option to turn off "Until system restart".

plus, step B. Turn off Dataprotect in Norton.

C. Please run the following custom script. Read all of this before you start.

Please close all open work.
Farbar program: FRST64.exe is already on this machine.
Please download the attached fixlist.txt file and save it to the Downloads folder: Fixlist.txt <-- - - - -

NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder.
RIGHT-click on FRST64 and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !!
NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version, please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply.

Edited May 2, 2023 by Maurice Naggar
Jammerjim Posted May 2, 2023 Author ID:1565685

Another smooth run. Saw it pause as it went after that directory and its contents.

Attachment: Fixlog.txt
Maurice Naggar Posted May 2, 2023 ID:1565689

Cool. Mission accomplished. 👍

At this time, I would like to see this Windows get the latest build 22H2 for this Windows operating system. I would highly suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows.

Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates. Have much patience.