Solved Norton blocked attack by: System Infected: Miner.Bitcoinminer Activity #

[rickyralph]

Farbar Service Scanner Version: 13-08-2022 01
Ran by Rich (administrator) on 28-01-2023 at 13:55:32
Running from "C:\Users\Rich\Desktop"
Windows 10 Education (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============


Firewall Disabled Policy:
==================


System Restore:
============


System Restore Policy:
========================


Windows Security:
============


Windows Update:
============


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe"".


Windows Defender Disabled Policy:
==========================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\Drivers\netbt.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\SecurityHealthService.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\usosvc.dll => File is digitally signed
C:\Windows\System32\WaaSMedicSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

 

[rickyralph]

Sophos Scan & Clean
www.sophos.com

Computer name . . . . : RICH
Windows . . . . . . . : 10.0.0.19045.X64/8
User name . . . . . . : RICH\Rich
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free

Scan date . . . . . . : 2023-01-28 14:03:32
Scan mode . . . . . . : Normal
Scan duration . . . . : 3m 2s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No

Threats . . . . . . . : 0
Traces . . . . . . . : 54

Objects scanned . . . : 4,610,462
Files scanned . . . . : 284,973
Remnants scanned . . : 2,379,600 files / 1,945,889 keys

Cookies _____________________________________________________________________

C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:addthis.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:adform.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:adgrx.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:adnxs.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:ads.samba.tv
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:ads.stickyadstv.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:adsrvr.org
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:adsymptotic.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:advertising.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:agkn.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:bidr.io
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:bidswitch.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:bluekai.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:casalemedia.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:comcast.demdex.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:crwdcntrl.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:ctnsnet.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:demdex.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:dlx.addthis.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:dotomi.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:doubleclick.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:dpm.demdex.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:everesttech.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:flashtalking.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:imrworldwide.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:ipredictive.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:krxd.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:linksynergy.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:mathtag.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:media6degrees.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:ml314.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:mookie1.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: openx.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: owneriq.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: postrelease.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: pubmatic.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:rfihub.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:rlcdn.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:rubiconproject.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:scorecardresearch.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:serving-sys.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:simpli.fi
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:smartadserver.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:taboola.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:tapad.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:tidaltv.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:tremorhub.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:tribalfusion.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:turn.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:w55c.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies:www.googleadservices.com
C:\Users\Rich\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies:linksynergy.com
C:\Users\Rich\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies:scorecardresearch.com
C:\Users\Rich\AppData\Roaming\Mozilla\Firefox\Profiles\pv6rb7rq.default-release\cookies.sqlite:ctnsnet.com

 

[rickyralph]

Spaces were added on this 4 lines after the last colon because it was creating emoji's

C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: openx.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: owneriq.net
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: postrelease.com
C:\Users\Rich\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies: pubmatic.com

 

[Broni]

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
[COLOR=#ff0000][B]This is a very crucial step so make sure you don't skip it.[/B][/COLOR]
Download [IMG]http://www.imgdumper.nl/uploads6/51a5ce45267c1/51a5ce45263de-delfix.pngDelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create registry backup
• Purge System Restore
• Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

6. Run Temporary File Cleaner (TFC) and AdwCleaner weekly (you need to redownload these tools since they were removed by DelFix).

7. (optional) If you want to keep all your programs up to date, download and install FileHippo App Manager.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

10. Please, let me know, how your computer is doing.

 

[rickyralph]

Thank you so much Broni, I appreciate it a lot. I am going through the final steps but wanted to ask if I was infected with any trojans, rootkits or bootkits?

 

[Broni]

No.

 

[rickyralph]

Awesome, thank you so much again. I went through the last steps and since yesterday haven't seen the Norton alert in regards to the bitcoin miner or anything else either. Very relieved.

 

[Broni]

You're very welcome

Good luck and stay safe