Norton blocked an attack by: System Infected: Bitcoinminer Activity 6
Since the automatic definition update this morning, we've had roughly 20 computers in 10 different homes or offices (we're an IT services provider for home and small businesses) all have a popup about Bitcoinminer Activity 6. All of the customers are running Norton from Xfinity.
The alert details are:
Category: Intrusion Prevention
Date & Time: 1/30/2018 11:01:13 AM
Risk: High
Activity: An intrusion attempt by primary.mypools.xyz was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: System Infected: Bitcoinminer Activity 6
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: primary.mypools.xyz (126.96.36.199, 5555)
Destination Address: TERMINAL2 (192.168.1.112, 49889)
Source Address: primary.mypools.xyz (188.8.131.52)
Traffic Description: TCP, Port 5555
Network traffic from primary.mypools.xyz matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.
When I run NortonPowerEraser, as suggested, it finds the following registry key:
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy"
After allowing NPE to fix that key and reboot, the same popup/alert continues.
It seems very suspect to have this many random customers call (including one with a fresh install of W10 for an 80-year-old woman who isn't doing things that would get her infected), and it leads me to suspect that we're just dealing with some sort of false positive from the definition update that happened this morning.
I've run a manual LiveUpdate, which downloaded new definitions, but there's no change in the alert.
Anyone else seeing this out there that can tell me we're not alone?
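An added triage script (not from the original post or from Norton) that a technician could run in an elevated PowerShell session on one of the affected machines. It uses only the values quoted in the alert above: the pool hostname, TCP port 5555 and the registry key Norton Power Eraser flagged. It maps any connection to that port to the owning process and its parent (so a real miner launched through powershell.exe shows up with its command line), checks whether the pool hostname was ever resolved on the box, and reads the ExecutionPolicy value so it can be compared with the effective policies.

```powershell
# Added triage example; host, port and key are taken from the alert in the post.
$PoolHost  = 'primary.mypools.xyz'   # from the IPS alert
$PoolPort  = 5555                    # from the IPS alert
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'

function Get-PoolConnections {
    # Every TCP connection to the alerted port, with the process that owns it
    # and that process's parent (to see what launched powershell.exe).
    Get-NetTCPConnection -RemotePort $PoolPort -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            $parent = if ($proc) {
                Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                Pid           = $_.OwningProcess
                Process       = $proc.Name
                CommandLine   = $proc.CommandLine
                ParentPid     = $proc.ParentProcessId
                Parent        = $parent.Name
                ParentCmd     = $parent.CommandLine
            }
        }
}

function Get-PoolDnsCacheEntries {
    # Cached resolutions of the pool hostname. No entry on a machine that keeps
    # alerting is one more hint that nothing on the box is actually contacting it.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$PoolHost*" -or $_.Data -like "*$PoolHost*" }
}

function Get-PolicyKeyValue {
    # The value NPE reported; an unexpected Unrestricted/Bypass here is worth noting.
    Get-ItemProperty -Path $PolicyKey -Name ExecutionPolicy -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ExecutionPolicy
}

"--- Connections to TCP port $PoolPort ---"
Get-PoolConnections | Format-List
"--- DNS cache entries for $PoolHost ---"
Get-PoolDnsCacheEntries | Format-Table -AutoSize
"--- ExecutionPolicy value under $PolicyKey ---"
Get-PolicyKeyValue
'--- Effective execution policies ---'
Get-ExecutionPolicy -List
```

If the first section is empty on a machine that is still alerting, the IPS signature is firing on something other than a live connection, which supports the false-positive theory; if it lists a powershell.exe with a command line you did not deploy, treat that host as infected.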