Jump to content
NJeffcoat

Possible hidden trojan hiding behind normal applications.

Recommended Posts

Hey Malwarebytes team/forum.

Recently I've been receiving notifications from Malwarebytes saying that it has blocked an inbound connection. Great! that means it's doing it's job. Or at least until yesterday when i took an extra moment to see what exactly it was blocking. Upon inspection of the notifications i saw several from the steam gaming platform, and one from Nvidia container. yesterday i tried looking into this blocked connection that was using Nvidia and tried posting to the forum only to be blocked by the forum's spam filter, oh well. so i took it into my own hands and uninstalled Geforce Experience and manually removed the folder containing the Nvidia container inside the Nvidia corporation folder just to be safe since i don't use the features provided by Geforce Experience aside from the FPS overlay, then called it a day.

That is until just now when i got another block this time in regards to another inbound connection this time using the program Spotify. now i'm familiar with both steam, nvidia, and spotify as one is my game client, one is my graphics card, and another is my music program. What concerns me is that the inbound connections are not associated with any site or host-name, only IP address. so i googled the IP address and a few results came back with china (minus one from a data center in Canada).

each notification lists the program behind these inbound connections and the files location, all back to the actual programs .exe's. Bummer i was hoping for an easy uninstall of some fake programs. so after some digging i found that this time (the block using Spotify) the file location was located inside "WindowsApp" folder (which is permission blocked by "trustedInstaller" a default outdated windows process[from my understanding]). This concerns me even more and i really don't want to try gaining access only to accidentally break something.

So now convinced that i in fact do have a Trojan and it is attempting to receive network communication via legitimate applications i have come to this forum in search of more professional help.

Once the malwarebytes scan is finished i will attach the result of the malwarebytes scan, the Adware cleaner scan, the Frst.txt / Addition.txt, and the Notifications (in .txt) from malwarebytes. Then i wil submit this post and hope that the weirdness yesterday with the forums spam filter is done.

FRST.txt Addition.txt AdwCleaner[S24].txt scan export.txt notifcation.txt notifcation(1).txt notifcation(2).txt notifcation(3).txt notifcation(4).txt notifcation(5).txt notifcation(6).txt

Share this post


Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Logs logs are clean of malware.

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists and Chrome is Synced with other Devices reset it.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
https://support.google.com/chrome/answer/185277

Execute the suggested fix.

Restart the computer normally.
===========

If the problem solved?

fixlist.txt

Share this post


Link to post
Share on other sites

The computer restarted normally. Fixlog.txt attached.

Sadly there's no immediate way for me to know if the problem is fixed. If there is/was a trojan then it is tricky because it wasn't consuming CPU/GPU usage and according to malwarebytes notifications it was hiding behind legitimate applications. So if it is gone i won't know unless i monitor the malwarebytes notifications for at least the next 48 hours. If it is still there i expect that within the next 48 hours malwarebytes should ping me about another blocked inbound connection from a random IP address. 

I will keep you informed on if i do or do not get another notification. In the mean time is there anything else i can do to see if there is a trojan hiding on my PC?
 

Fixlog.txt

Share this post


Link to post
Share on other sites

Hi,

 

As you said MBAM is doing it's job.

Just let me know if you get a notice from Malwarebytes.

Give me the details. Will take it from there.

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.