Norton and Malwarebytes keep notifying me about RTP/Coinminer infection

[Naska]

So Basically i've had several reports on my older desktop pc with norton saying i gotta use power eraser cause of out going traffic from my pc, once i've done that, it comes up clean, back then i downloaded malwarebytes and checked everything but nothing

so i did remove my old motherboard, replaced with a new i had laying around, new cpu and all, this time i upgraded to windows 11, i also did download norton once more, but i also did go for malwarbytes premium this time cause in future i'll remove norton and use microsoft instead.

But now today i got notified by malwarbytes there has been quite traffic from ip's that want to access svchost, the almost same port norton warned before with "coinminers" and stuff, so i'm trying to connect dots why this is always happening to me, it's constant at times, it disturbs during gameplay and stuff when this happens.

It always starts with this CVE-2023-28771 i always get this first then after just a couple of days it starts with norton power eraser and it shows high output of traffic before prompting me about coinminer activity 2 and stuff. Within Norton this is.

So far i have not recieved any warnings from norton about coinminers, but malwarebytes has detected significant outside traffic wanting to connect towards me and svchost that it has warned me about, just a few minutes after each.

I would love to know thoughts and what i should do, cause i've done everything even resetting the whole pc, formating and all that stuff, but it keeps coming back somehow. I was thinking maybe it could easily just be the router, but that router i can't do anything about since it's run locally by the fiber provider.

I will attach the malwarebytes screenshot here, i have yet to get norton notification yet, but i'm certain it'll come up eventually.

fyi: CET timezone.

[Porthos]

2 hours ago, Naska said:

but malwarebytes has detected significant outside traffic wanting to connect towards me and svchost that it has warned me about, just a few minutes after each.

Are all the blocks incoming? If so,

The blocks are on addresses that are attempting to do a forced attempt to exploit remote-desktop-protocol. 

The Real-Time Protection of Malwarebytes for Windows  is actively doing its job to protect the system.

In most cases, the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

[Porthos]

Go ahead and do the following

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and then do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine 
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

• Then be patient for the next expert to take your case.

Thank you

 

• 
• 

 

[Naska]

6 hours ago, Porthos said:

Are all the blocks incoming? If so,

The blocks are on addresses that are attempting to do a forced attempt to exploit remote-desktop-protocol. 

The Real-Time Protection of Malwarebytes for Windows  is actively doing its job to protect the system.

In most cases, the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

Well on malwarebytes it sure tells me it's incoming yup.

Still waiting if Norton would start giving me notifications about "high network outgoing traffic" and stuff as it did on the older system i had

however so far it's just these that has happened and malwarebytes has notified me so yeah, so let's go from here, and maybe it could prevent something atleast, cause it's getting annoying to the point of i dont know what to do.

[Naska]

mbst-result.zipmbst-result.zip

mbst-grab-results.zip mbst-grab-results.zip mbst-grab-results.zip mbst-result.zip mbst-result.zip

[AdvancedSetup]

These are Inbound blocks. The logs show no obvious signs of infection.

Normally these blocks will go away on their own within a week as automated system attempt to probe your system.

 

[Naska]

6 minutes ago, AdvancedSetup said:

These are Inbound blocks. The logs show no obvious signs of infection.

Normally these blocks will go away on their own within a week as automated system attempt to probe your system.

 

Hmm okie, i will keep a look atleast, and if i do find something once more or if Norton starts acting up like it has done before with the "we see potential high outgoing traffic and then prompting miner stuff" i might want to come back and ask for advice regardless, since it has been bugging in and out for 1-2 months, of course did i change motherboard cpu and stuff, which i had laying around, updated to win11, got malwarebytes premium too just to be on safe side and planning on quitting norton as the subscription rules out. If that is fine that is!

And if it is, i will redo same procedour + i will also send new screenshots if so, so i will mark this as solved for now, but for the future i'll have a look!

Thank you AdvancedSetup!

[AdvancedSetup]

We can run some other scanners.

Please temporarily disable the Norton real-time protection and run the following scanner. Make sure to re-enable Norton real-time protection when done.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

[Naska]

17 hours ago, AdvancedSetup said:

We can run some other scanners.

Please temporarily disable the Norton real-time protection and run the following scanner. Make sure to re-enable Norton real-time protection when done.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

Had to change so it didn't end up as .klr, so it could become a .txt file to be able to attach it.report_2024.04.14_13.11.33klr.txt

[AdvancedSetup]

Nothing found.

Please run the following

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

[Naska]

On 4/15/2024 at 8:11 PM, AdvancedSetup said:

Nothing found.

Please run the following

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

I will do this tomorrow 20th april, i have now also gotten a few detections which isn't just "compromised" but riskware

+ now detections comes from steam.exe which is new.

Just letting you know, but i will do this tomorrow asap and post it!

[Naska]

1 minute ago, Naska said:

I will do this tomorrow 20th april, i have now also gotten a few detections which isn't just "compromised" but riskware

+ now detections comes from steam.exe which is new.

Just letting you know, but i will do this tomorrow asap and post it!

Also should i disable norton along with smartscreen and what not? or just smartscreen in this one?

[Naska]

On 4/15/2024 at 8:11 PM, AdvancedSetup said:

Nothing found.

Please run the following

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

msert.log

[AdvancedSetup]

Nothing found by Microsoft scan.

Please get me the following log

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

 

[Naska]

On 4/20/2024 at 12:11 AM, AdvancedSetup said:

Nothing found by Microsoft scan.

Please get me the following log

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

 

 

SecurityCheck.txtFSS.txt

[AdvancedSetup]

That looks good as well aside from one program that needs an update.

• Discord v.1.0.9041 Warning! Download Update

 

How is the computer running now?

Are you still getting an alert from Malwarebytes or Norton?

 

 

[Naska]

34 minutes ago, AdvancedSetup said:

That looks good as well aside from one program that needs an update.

• Discord v.1.0.9041 Warning! Download Update

 

How is the computer running now?

Are you still getting an alert from Malwarebytes or Norton?

 

 

From norton, not at all, from malwarebytes it keeps blocking the prompted in the picture.

Most of it originates from steam or svchost. Inbound. that's all i can see that is happening.

[AdvancedSetup]

Inbound blocks are normal. Malwarebytes is doing it's job blocking sites that are a potential threat.

If you're running P2P games that can possibly cause it too. Other times there are probes looking for exploits to attack a system.

 

[Naska]

54 minutes ago, AdvancedSetup said:

Inbound blocks are normal. Malwarebytes is doing it's job blocking sites that are a potential threat.

If you're running P2P games that can possibly cause it too. Other times there are probes looking for exploits to attack a system.

 

Aighto, i will add some of these to the firewall as blocks just to be on safe side, and it's only these that pops up at random times, otherwise i do not see any other pop up at the time.

[AdvancedSetup]

Sometimes a router reset can also resolve it.

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

• Disable acceptance of ICMP Pings
• Change the Default Router password using a Strong Password
• Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
• Disable Remote Management
• Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
  Example: Keep IoT devices on one network and mobile devices on another.
• Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
• Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
• Document passwords created and store them in a safe but accessible location.

 

 

[Naska]

On 4/24/2024 at 2:28 AM, AdvancedSetup said:

Sometimes a router reset can also resolve it.

 

 

If you own your own router and are not renting it from your Internet Service Provider

Please ensure that you have the user manual for your router. Then perform a factory reset.

How To Reset Your Router
https://setuprouter.com/networking/how-to-reset-your-router/

Depending on one's preferences and the Router's capabilities please consider the following.

• Disable acceptance of ICMP Pings
• Change the Default Router password using a Strong Password
• Use a Strong WiFi password on WPA2 using AES encryption or Enable WPA3 if it is an option.
• Disable Remote Management
• Create separate WiFi networks for groups of devices with similar purposes to prevent an entire network of devices from being compromised if a malicious actor is able to gain unauthorized access to one device or network.
  Example: Keep IoT devices on one network and mobile devices on another.
• Change the network name (SSID).  Do not use your; Name, Postal address or other personal information.  Make it unique or whimsical and known to your family/group.
• Is the Router Firmware up-to-date ?  Updating the firmware mitigates exploitable vulnerabilities.
• Specifically set Firewall rules to BLOCK;   TCP and UDP ports 135 ~ 139, 445, 1234, 3389, 5555 and 9034
• Document passwords created and store them in a safe but accessible location.

 

 

Going to fill in that, just that router is not owned by me but more or less the internet service provider, however we have an asus router for wifi, i have checked through this one and nothing there atleast that looks odd since last time i was on that one.

so it'd be safe to say that it might be the router from the service provider if so, so i might give them a call or something, cause it's quite odd so yeah.

[AdvancedSetup]

We're glad that we were able to assist you.

The following information will help you to keep your computer and data safer as well as improve your overall privacy

1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
   https://www.howtogeek.com/780233/best-password-manager/
2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

•   Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
•   Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
•   Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin

• Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm 
• Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak 
• Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

 

Imagine a world without malware. We do
https://www.malwarebytes.com/why-upgrading-matters-ceo

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

 

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you