
Suspicious Outbound Traffic Detected in Norton 360


2 replies to this topic

#1 Zombiehunter99

  • Members
  • 1 posts

Posted 14 June 2017 - 05:13 PM

Hi, everyone. Earlier today, when I turned on the monitor for my computer, I saw a pop-up from my Norton 360 Security suite saying "Outbound Traffic Detected, We have detected a large amount of suspicious activity on your system. Your computer may be infected with something that Norton Power Eraser can detect and remove." Then it asks if I want to run Norton Power Eraser. Here is a screenshot of it:

[screenshot]

After this happened I checked the logs and I noticed that Norton said that "An intrusion attempt by 66.240.250 was blocked." (there were two of these instances or entries in the Security History Window/Popup.) I have circled them in orange in the picture below:

[screenshot]

There is also an instance or entry in the Security History Window/Popup that says Intrusion Prevention Auto Block has blocked IP: 66.240.205.34 for a period of 30 minutes (circled in green in the screenshot above). When I clicked on the more details option of one of the intrusion attempts, in the IPS Alert section it said System Infected: GhostNet Backdoor Activity 3 (the second entry or instance was called System Infected: GhostNet Backdoor Activity), and the traffic description was TCP, Port 60670. Here is a screenshot of it:

[screenshot]

After this I ran Norton Power Eraser and it detected something, but I think they are false positives because two of the files were installers for Adobe CS2 that I downloaded from Adobe's website, two were batch files that I made myself, one was a Google Chrome bookmarks file and the last one, which I think is the most suspicious, was a registry key for "microsoft. powershell". See screenshot below: [screenshot]

The registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy" and the file thumbprint is SHA: Not Available. Here is a screenshot of it:

[screenshot]

What does this mean? What should I do? What is going on? Is my computer infected? Should I repair the registry key? One thing that I think is odd is that in the Security History Window/Popup there are several entries or instances of "IP address has disappeared from adapter Microsoft Teredo Tunneling Adapter" (then it lists an IP address). Here is a screenshot of it: [screenshot]

Is this normal? The software that I have downloaded and installed recently is Seagate SeaTools, Acronis Disk Director, Paragon Partition Manager 14 Free, and I have reinstalled and updated AOMEI Partition Assistant Standard; I have also updated Western Digital Data Lifeguard Diagnostics and tried to install Seagate DiscWizard. All of the software that I have mentioned was downloaded from the developer's website. My computer seems to be running as well as it used to; I have not noticed any abnormal performance slowdowns except for the wireless adapter. I have done multiple antivirus scans recently with Malwarebytes and Norton 360 and neither of them has come up with anything. Today I ran a scan with Malwarebytes AdwCleaner and it found one threat, which was a registry key. Here it is: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\geekbuddyrsp . Here is a screenshot of it:

[screenshot]

My operating system is Windows 10 64-bit. Do I need to post any more system specifications? Thank you, I hope you guys can help me.


Edited by Zombiehunter99, 14 June 2017 - 10:54 PM.



#2 me2ubear29

  • Members
  • 2 posts

Posted 30 June 2017 - 04:50 AM

I'm having the same problem. No matter what I do, Norton still pops up multiple times a day saying "suspicious outbound traffic detected", even though the scans don't find anything. Did you sort the issue out? Kind regards



#3 jwoods301

  • Members
  • 1,489 posts
  • Gender:Male

Posted 30 June 2017 - 04:26 PM

The IP address 66.240.205.34 is registered to Shodan (legitimate).

https://www.speedguide.net/ip/66.240.205.34

The domain is for Shodan's Malware Hunter product (also legitimate)...

https://malware-hunter.shodan.io/

As described on the site...

Malware Hunter is a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets.

See the topic Why did my security software raise an alert?


Edited by jwoods301, 30 June 2017 - 04:27 PM.
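The triage jwoods301 did by hand (pull the source address out of the Security History entries, check whether it belongs to a known internet-wide scanner, and only then worry about the "System Infected" signature name) is worth automating when the alerts repeat several times a day, as me2ubear29 reports. The script below is an added example and is not code from the thread, from Norton or from Shodan. It parses constructed log lines modelled on the wording quoted above, aggregates them per source IP, rejects addresses that do not validate (the original post quotes a truncated "66.240.250", which must not be silently treated as a host), and labels sources found in a hand-maintained scanner list; the list's single entry is the address this thread identifies as Shodan's Malware Hunter, and keeping that list current from your own threat-intel sources is assumed to be your job.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the Norton Security History entries quoted
# in this thread; it is not a capture from the original poster's machine.
SAMPLE_LOG = """\
An intrusion attempt by 66.240.205.34 was blocked.
An intrusion attempt by 66.240.205.34 was blocked.
Intrusion Prevention Auto Block has blocked IP: 66.240.205.34 for a period of 30 minutes.
IPS Alert Name: System Infected: GhostNet Backdoor Activity 3, Source: 66.240.205.34, TCP, Port 60670
IPS Alert Name: System Infected: GhostNet Backdoor Activity, Source: 66.240.205.34, TCP, Port 60670
An intrusion attempt by 66.240.250 was blocked.
"""

# Hand-maintained map of known internet-wide scanners (assumption: filled in
# from your own threat-intel sources). The one entry is the address that
# jwoods301 identified above as Shodan's Malware Hunter crawler.
KNOWN_SCANNERS = {
    "66.240.205.34": "Shodan Malware Hunter (C2 crawler, per this thread)",
}

# Line shapes written to match the wording quoted in the thread (assumed,
# not Norton's documented log format).
IP = r"([0-9A-Fa-f.:]+)"
AUTOBLOCK_RE = re.compile(r"Auto Block has blocked IP: " + IP + r" for a period of (\d+) minutes")
IPS_RE = re.compile(r"IPS Alert Name: (.+?), Source: " + IP + r", (TCP|UDP), Port (\d+)")
ATTEMPT_RE = re.compile(r"intrusion attempt by " + IP + r" was blocked")


def _new_entry():
    return {"attempts": 0, "autoblock_minutes": 0, "signatures": set(), "ports": set()}


def _entry_for(summary, malformed, raw_ip):
    """Validate raw_ip; return its summary entry, or None after recording it
    as malformed (a truncated address is a parsing problem, not a host)."""
    try:
        ip = str(ipaddress.ip_address(raw_ip))
    except ValueError:
        malformed.append(raw_ip)
        return None
    return summary[ip]


def parse_alerts(text):
    """Aggregate alert lines per source IP.

    Returns (summary, malformed): summary maps IP -> attempt count, total
    auto-block minutes, IPS signature names and ports; malformed lists the
    address strings that failed validation."""
    summary = defaultdict(_new_entry)
    malformed = []
    for line in text.splitlines():
        if m := AUTOBLOCK_RE.search(line):
            entry = _entry_for(summary, malformed, m.group(1))
            if entry is not None:
                entry["autoblock_minutes"] += int(m.group(2))
        elif m := IPS_RE.search(line):
            entry = _entry_for(summary, malformed, m.group(2))
            if entry is not None:
                entry["signatures"].add(m.group(1))
                entry["ports"].add(int(m.group(4)))
        elif m := ATTEMPT_RE.search(line):
            entry = _entry_for(summary, malformed, m.group(1))
            if entry is not None:
                entry["attempts"] += 1
    return dict(summary), malformed


def triage(summary):
    """Label each source. A listed scanner tripping an IPS signature is an
    inbound probe that the IPS blocked; that entry alone does not show an
    outbound connection from the host. Anything unlisted needs a closer look."""
    verdicts = {}
    for ip, entry in summary.items():
        if ip in KNOWN_SCANNERS:
            verdicts[ip] = "known scanner: %s; blocked inbound probe" % KNOWN_SCANNERS[ip]
        else:
            verdicts[ip] = "unknown source: investigate (%d attempts, ports %s)" % (
                entry["attempts"], sorted(entry["ports"]))
    return verdicts


if __name__ == "__main__":
    summary, malformed = parse_alerts(SAMPLE_LOG)
    for ip, verdict in triage(summary).items():
        print(ip, summary[ip], verdict)
    if malformed:
        print("could not parse as IP addresses:", malformed)
```

The signature name ("System Infected: GhostNet Backdoor Activity") describes the pattern the IPS matched in the probe, so the verdict is keyed on the source address rather than on the name; an unlisted source hitting the same signature on the same port is what should trigger a proper look at outbound connections on the host.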
