
Suspicious Outbound Traffic Detected in Norton 360

2 replies to this topic

#1 Zombiehunter99


  • Members
  • 1 posts
  • Local time:07:31 PM

Posted 14 June 2017 - 05:13 PM

Hi, everyone. Earlier today, when I turned on the monitor for my computer, I saw a pop-up from my Norton 360 Security suite saying "Outbound Traffic Detected, We have detected a large amount of suspicious activity on your system. Your computer may be infected with something that Norton Power Eraser can detect and remove." Then it asks if I want to run Norton Power Eraser. Here is a screenshot of it:


After this happened I checked the logs and I noticed that Norton said that "An intrusion attempt by 66.240.250 was blocked." (There were two of these instances or entries in the Security History Window/Popup.) I have circled them in orange in the picture below:


There is also an instance or entry in the Security History Window/Popup that says Intrusion Prevention Auto Block has blocked IP: for a period of 30 minutes (circled in green in the above screenshot). When I clicked on the more details option of one of the intrusion attempts, in the IPS Alert section it said System Infected: GhostNet Backdoor Activity 3 (the second entry or instance was called System Infected: GhostNet Backdoor Activity), and the traffic description was TCP, Port 60670. Here is a screenshot of it:


After this I ran Norton Power Eraser and it detected something, but I think they are false positives because two of the files were installers for Adobe CS2 that I downloaded from Adobe's website, two were batch files that I made myself, one was a Google Chrome bookmarks file, and the last one, which I think is the most suspicious, was a registry key for "microsoft. powershell". See screenshot below:

The registry key is:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy" and the file thumbprint is  SHA: Not Available. Here is a screenshot of it:


What does this mean? What should I do? What is going on? Is my computer infected? Should I repair the Registry Key? One thing that I think is odd is that in the Security History Window/Popup there are several entries or instances of "ip Address has disappeared from adapter Microsoft Teredo Tunneling Adapter" (then it lists the IP address). Here is a screenshot of it:


Is this normal? The software that I have downloaded and installed recently is Seagate Sea Tools, Acronis Disk Director, and Paragon Partition Manager 14 Free, and I have reinstalled and updated AOMEI Partition Assistant Standard. I have also updated Western Digital Data Lifeguard Diagnostics and tried to install Seagate DiscWizard. All of the software that I have mentioned was downloaded from the developer's website. My computer seems to be running as well as it used to. I have not noticed any abnormal performance slowdowns except for the wireless adapter. I have done multiple antivirus scans recently with Malwarebytes and Norton 360 and both of them have not come up with anything. Today I ran a scan with Malwarebytes AdwCleaner; it found one threat, which was a registry key. Here it is: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\geekbuddyrsp . Here is a screenshot of it:


My operating system is Windows 10 64 bit. Do I need to post any more system specifications? Thank you, I hope you guys can help me.

Edited by Zombiehunter99, 14 June 2017 - 10:54 PM.



#2 me2ubear29


  • Members
  • 2 posts
  • Local time:03:31 AM

Posted 30 June 2017 - 04:50 AM

I'm having the same problem. No matter what I do, Norton still pops up multiple times a day saying suspicious outbound traffic detected, even though the scans don't find anything. Did you sort the issue out? Kind regards

#3 jwoods301


  • Members
  • 1,489 posts
  • Gender:Male
  • Local time:06:31 PM

Posted 30 June 2017 - 04:26 PM

The IP address is registered to Shodan (legitimate).




The domain is for Shodan's Malware Hunter product (also legitimate)...




As described on the site...


Malware Hunter is a specialized Shodan crawler that explores the Internet looking for command & control (C2s) servers for botnets.


See the topic Why did my security software raise an alert?

Edited by jwoods301, 30 June 2017 - 04:27 PM.
