NVIDIA Trojan.Crypt?

[LinkinForcer]

OK so I was just sitting at my computer and had been for a while. I wasn't surfing the web or anything as I was doing other things. I got an alert that Malwarebytes had quarantined a Trojan. It asked me to restart the computer to complete the removal of the malware so I did. When I looked at the log it told me that a file named Ontology.dll was the culprit and labeled it as a Trojan.Crypt. I just ran a full scan thew other day and everything was fine. NVIDIA has not updated in a while for me so its not like I updated the drivers or programs that use the graphics card.

End result is that Ontology.dll is no longer on my computer but Im thinking this could have been a false positive as it is part of the NVIDIA software.

Does anyone have any information on this?

Edited October 7, 2017 by LinkinForcer

[Jaldy]

Reporting in.

[Eestimeister]

Same, must be false postive...

[LinkinForcer]

Thank God I'm not the only one!

[dpexx]

Same thing just happened to me after a scan. I was trecking my memory wondering where i could have gotten any malware, looks like it's a false positive if we're all getting the same issue.

[CHRONOMASTER]

Same. GeForce Experience now fails to scan for games.

Edited October 7, 2017 by CHRONOMASTER

[thisisu]

Hi,

Can someone please attach a log showing the detection?

 

Thank you

[hidenxd]

Not the only one, must've been a false positive, someone please report this problem to Malwarebytes Support Team.

here's my log after i tried getting it out of Exclusions because i just restarted my PCs Windows:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/7/17
Protection Event Time: 3:32 AM
Log File: ef0c8d14-aaf6-11e7-9b46-2c56dc9667a5.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 
Update Package Version: 
License: Trial

-System Information-
OS: Windows 10 (Build 15063.608)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Trojan.Crypt, C:\Users\rauld\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll, Quarantined, [24], [443270],

(end)

Edited October 7, 2017 by hidenxd

[coldone]

sure

falsepositive.txt

[dpexx]

Attached;

detection.txt

MBAMSERVICE.LOG

[thisisu]

 

6 minutes ago, coldone said:

sure

falsepositive.txt

Thank you. Fix going out now

Sorry for the inconvenience everyone.

[hidenxd]

This thing scared me so much,thanks staff for looking into it.

[LinkinForcer]

I've got the original file. I'm going to put it back onto my pc and exclude it and see what happens. Or do you guys think I should just leave it be for now?

Edited October 7, 2017 by LinkinForcer

[thisisu]

Clean database for MBAM2 is available now: 2017.10.07.01

MBAM3 database should be available soon as well. Will update thread with database version when it's available.

Can someone attach the ONTOLOGY.DLL file from quarantine please?

[thisisu]

8 minutes ago, LinkinForcer said:

I've got the original file. I'm going to put it back onto my pc and exclude it and see what happens. Or do you guys think I should just leave it be for now?

You can restore it now and exclude if you'd like.

[LinkinForcer]

OK Thanks!

[TheQuickFox]

I got the same message. C:\Users\Administrator\AppData\Local\NVIDIA\NvBackend\ApplicationOntology\Ontology.dll was quarantined.

File version 36.0.5.1

File signed by NVIDIA Corporation 2017-OCT-06 16:42:53 (Issued by VeriSign Class 3 Code Signing)

Strange thing is that I did not install any NVIDIA graphics drivers /software on or after this date. (Today/yesterday based on your time zone)

 

https://www.virustotal.com/en/file/39e2df03737c3429fcb7c44055d2cede0f64d0e6ebbd1987a57242fd643a570e/analysis/1507336836/

Attachement:

Ontology.rar

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/7/17
Scan Time: 2:55 AM
Log File: 4731d7f8-aafa-11e7-81b5-64006a4ca71b.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2966
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: T5810\Administrator

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 1
Threats Detected: 1
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 5 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Crypt, C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\NVIDIA\NVBACKEND\APPLICATIONONTOLOGY\ONTOLOGY.DLL, No Action By User, [24], [443270],1.0.2966

Physical Sector: 0
(No malicious items detected)


(end)

 

Edited October 7, 2017 by TheQuickFox
Additional additions added.

[thisisu]

11 minutes ago, thisisu said:

Can someone attach the ONTOLOGY.DLL file from quarantine please?

 

6 minutes ago, TheQuickFox said:

Attachement:

 

Ontology.rar

Found it on virustotal as well. Thank you

[octaviom18]

I got the file for you good sir!

Ontology.zip

[TheQuickFox]

Just now, thisisu said:

 

Found it on virustotal as well. Thank you

That must have been my upload :-)

[LinkinForcer]

Be quick when excluding it because it will grab it again lol For some reason they had it listed twice in my quarantine.

[JaskaTheK9]

Haven't seen anyone mention this yet:

When manually scanning the Nvidia folder, it also picks up .exe file along side with the ontology.dll

 

Nvidia exe and dll.txt

[LinkinForcer]

OK after I restored it and excluded it. GeForce Experience is working 100% again!

[thisisu]

8 minutes ago, JaskaTheK9 said:

Haven't seen anyone mention this yet:

When manually scanning the Nvidia folder, it also picks up .exe file along side with the ontology.dll

 

Nvidia exe and dll.txt

Thanks for reporting.

It was the same rule for both.

Here are clean database versions: Let us know if you continue to experience detection with the below database versions

MBAM2 Version: v2017.10.07.01
MBAM3 Version: 1.0.2967

 

 

 

[TheQuickFox]

2 minutes ago, thisisu said:

Thanks for reporting.

It was the same rule for both.

Here are clean database versions: Let us know if you continue to experience detection with the below database versions

MBAM2 Version: v2017.10.07.01
MBAM3 Version: 1.0.2967

 

 

 

Thanks. File is detected as clean now:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/7/17
Scan Time: 3:02 AM
Log File: 34a3a372-aafb-11e7-b27e-64006a4ca71b.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.188
Update Package Version: 1.0.2967
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: T5810\Administrator

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 1
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 0 min, 2 sec

-Scan Options-
Memory: Disabled
Startup: Disabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)