Suspicious Outbound Traffic Detected in Norton 360


Zombie_hunter99

Commendable
Mar 8, 2016
Hi, everyone. Earlier today, when I turned on my monitor for my computer, I saw a pop-up from my Norton 360 Security suite saying "Outbound Traffic Detected. We have detected a large amount of suspicious activity on your system. Your computer may be infected with something that Norton Power Eraser can detect and remove." Then it asks if I want to run Norton Power Eraser. Here is a screenshot of it:
kR0Qg8Z.png

After this happened I checked the Security History window/pop-up and I noticed that Norton said "An intrusion attempt by 66.240.250 was blocked." (There were two of these instances or entries in the Security History window.) I have circled them in orange in the picture below:
GqplohD.png

There is also an instance or entry in the Security History window/pop-up that says Intrusion Prevention Auto Block has blocked IP 66.240.205.34 for a period of 30 minutes (circled in green in the screenshot above). When I clicked on the "more details" option of one of the intrusion attempts, the IPS Alert section said "System Infected: GhostNet Backdoor Activity 3" (the second entry or instance was called "System Infected: GhostNet Backdoor Activity"), and the traffic description was TCP, Port 60670. Here is a screenshot of it:
N5Cpaux.png

After this I ran Norton Power Eraser and it detected something, but I think they are false positives because two of the files were installers for Adobe CS2 that I downloaded from Adobe's website, two were batch files that I made myself, one was a Google Chrome bookmarks file and the last one, which I think is the most suspicious, was a registry key for "microsoft. powershell". See the screenshot below:
BYG9rYp.png

The registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy" and the file thumbprint is SHA: Not Available. Here is a screenshot:
NNU8mb9.png

What does this mean? What should I do? What is going on? Is my computer infected? Should I repair the registry key? One thing that I think is odd is that in the Security History window/pop-up there are several entries or instances of "IP address has disappeared from adapter Microsoft Teredo Tunneling Adapter" (then it lists an IP address). Here is a screenshot of it:
XvqInOT.png

Is this normal? The software that I have downloaded and installed recently is Seagate SeaTools, Acronis Disk Director and Paragon Partition Manager 14 Free; I have reinstalled and updated AOMEI Partition Assistant Standard, I have also updated Western Digital Data Lifeguard Diagnostics and tried to install Seagate DiscWizard. All of the software that I have mentioned was downloaded from the developer's website. My computer seems to be running as well as it used to; I have not noticed any abnormal performance slowdowns except for my wireless adapter. I have done multiple antivirus scans recently with Malwarebytes and Norton 360 and neither of them has come up with anything. Today I ran a scan with Malwarebytes AdwCleaner and it found one threat, which was a registry key. Here it is: HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\geekbuddyrsp . Here is a screenshot of it:
PKGyYYS.png

My operating system is Windows 10 64-bit. Do I need to post any more system specifications? Thank you, I hope you guys can help me.
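As an added, read-only check (example code, not part of the thread): the first key the post names is the standard location where PowerShell stores the machine-scope execution policy, and the MSConfig\services key is where msconfig records services that were disabled on its Services tab. The script below reads both so a defender can see whether the policy has been loosened and whether the entry reported by AdwCleaner still corresponds to an installed service; the key paths are taken from the post, everything else is assumed.

```powershell
# Added example (not from the thread): inspect the two registry keys the poster mentioned.
$policyKey   = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'

# 1. Machine-scope execution policy. The value itself is ordinary PowerShell
#    configuration; the question is whether it was set to a permissive level.
$policy = (Get-ItemProperty -Path $policyKey -Name ExecutionPolicy -ErrorAction SilentlyContinue).ExecutionPolicy
if (-not $policy) { $policy = '(value not set: PowerShell default applies)' }
Write-Output "LocalMachine ExecutionPolicy (registry): $policy"
if ($policy -in @('Unrestricted', 'Bypass')) {
    Write-Warning 'Execution policy is permissive; confirm an administrator set it deliberately.'
}
# Cross-check against what PowerShell itself reports for every scope.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Entries under MSConfig\services are named after services that were disabled
#    via msconfig. An entry can be a value or a subkey, so collect both.
$entries = @()
$props = Get-ItemProperty -Path $msconfigKey -ErrorAction SilentlyContinue
if ($props) {
    $entries += $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { $_.Name }
}
$entries += Get-ChildItem -Path $msconfigKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName }

if ($entries.Count -eq 0) {
    Write-Output 'No msconfig-disabled service entries found.'
} else {
    # For each entry, show whether a service of that name is still installed and what it runs.
    $entries | Sort-Object -Unique | ForEach-Object {
        $name = $_
        $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
        $img  = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).ImagePath
        [pscustomobject]@{
            Entry         = $name
            ServiceExists = [bool]$svc
            DisplayName   = if ($svc) { $svc.DisplayName } else { '(no such service installed)' }
            ImagePath     = if ($img) { $img } else { '(none)' }
        }
    } | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; an entry whose service no longer exists is a leftover from a past uninstall, while one whose ImagePath points somewhere unexpected is worth looking at before deleting anything.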
 
I think Norton is just doing its job.

Which also includes making sure you are aware of that fact and getting you to purchase and/or renew other related services.

With all of the downloads and changes I am not surprised that Norton flagged something.

And your system may well have suffered some hacking attempt from the provided IP. Google that IP.

I just did so: some company CARInet, Inc. and some references to malware hunters. Could be one of your recent downloads slipped in some additional app. I.e., crapware....

Keep an eye on things. Keep your AV software up to date. Back up just in case.

Let Malwarebytes clean the registry. Do not do so yourself.
 

Zombie_hunter99
Do I need to clean the Windows Registry even though it is probably very dirty? I probably have entries/instances from 1-2.5 years ago. I did make an image backup of my computer after this incident happened, so if I were to get a bad virus or malware infection then I would just restore from it. Should I leave my external hard drive plugged in all the time since I do not make frequent backups? Will this stop my backups from getting infected by malware or viruses, or will it at least minimize a malware or virus infection?
 
Unless there is a specific problem attributable to the registry - best to just leave the registry alone.

As for the external hard drive (USB I trust) you can protect it to some extent by leaving it unplugged and unpowered until needed. Just be sure that there are no apps looking for it or other drive mappings in general.

May or may not help with a virus/malware as that virus may be waiting to discover a hard drive when connected and strike accordingly. Keep your AV up-to-date and run frequently.

Do consider doing more backups and be sure to test or otherwise verify the backups.

I copy/backup selected folders on a daily basis to a USB flash drive on my router. I also have a NAS for more extensive backups and an external USB drive for images. I regularly clone my drives as well.

Also be sure that you have created recovery discs/flash drives for your computers. Be sure to test the recovery process as well.

Edit for typo.
 