C:\Windows\SysWOW64\vmnat.exe Trojan 46.8.8.100

[horseradish]

Once I've started Ubuntu in VMWare, Malwarebytes opens the notification below with blocked Trojan for vmnat.exe file to 46.8.8.100 (IP in Czechia). I am running Win10 Pro and VMWare Workstation 16 Player w/ Ubuntu 22.04.1 LTS. Please advise, thanks.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/12/22
Protection Event Time: 3:31 PM
Log File: 9913761c-32ea-11ed-a9ea-305a3ae078c7.json

-Software Information-
Version: 4.5.14.210
Components Version: 1.0.1751
Update Package Version: 1.0.59983
License: Premium

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\vmnat.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 46.8.8.100
Port: 80
Type: Outbound
File: C:\Windows\SysWOW64\vmnat.exe

 

(end)

[AdvancedSetup]

Hello  and        @horseradish

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

• Please follow all steps in the provided order and post back all requested logs
• Please attach all log files to your post, unless otherwise requested
• Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
• Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
• Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
• Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
• Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
• Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
• Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
• If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

Edited September 13, 2022 by AdvancedSetup
Updated information

[AdvancedSetup]

The IP is known to be bad.

https://www.abuseipdb.com/check/46.8.8.100

I would check what you're running on the Player and remove the cause.

 

[horseradish]

The only thing I'm running is Ubuntu 22.04.1 LTS and Firefox and Brave Linux versions. I ran a complete Ubuntu version update on Sep. 12, Monday, and right after rebooting the Ubuntu VM, Malwarebytes alerted me. Since then I've install ClamAV and Gufw firewall. ClamAV shows zero infections on Ubuntu. Should I follow your instructions per the above and run a Malwarebytes scan?

 

----------- SCAN SUMMARY -----------
Known viruses: 8633902
Engine version: 0.103.6
Scanned directories: 101861
Scanned files: 367822
Infected files: 0
Total errors: 43697
Data scanned: 13224.89 MB
Data read: 21852.72 MB (ratio 0.61:1)
Time: 1922.888 sec (32 m 2 s)
Start Date: 2022:09:13 10:16:50
End Date:   2022:09:13 10:48:53

 

[AdvancedSetup]

18 hours ago, horseradish said:

Once I've started Ubuntu in VMWare, Malwarebytes opens the notification below with blocked Trojan for vmnat.exe file to 46.8.8.100 (IP in Czechia)

 

That tells me that "something" in your Linux installation is calling out to that address. If you only run VMware without starting the Linux host do you still get an alert? I'm betting that you don't. So, that implies again that "something" from Linux is calling out.

 

[horseradish]

I restarted Windows and started VMWare Player and thus far no Malwarebytes alert.

I started Ubuntu and thus far no Malwarebytes alert.

I started Firefox and thus far no Malwarebytes alert.

I opened up a terminal command line and initiated a ping to 46.8.8.100 and received the Malwarebytes Trojan alert. This is the only alert received.

Not sure if the Gufw firewall is blocking the initial alert I received at startup from the first time or if my Ubuntu is still infected.

[AdvancedSetup]

Infected is not necessarily the perception. Many reasons that IP could be hit, called, etc. without being an infection.

Just in case though, please run the following.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

[horseradish]

Sorry, I forgot to mention that the terminal command line I initiated was from within Ubuntu, not Windows.

I will followup on running the scan in a few days.

[AdvancedSetup]

Okay, thank you for the update

 

[AdvancedSetup]

Are you all set now @horseradish are still having an issue?

 

 

[horseradish]

Sorry, not yet. I have not had the time to follow up on this yet. If you need to close this ticket, go ahead and I will open a new one when I have the chance.

[AdvancedSetup]

The IP still shows as blocked. We can check your Windows computer, but if the block is not present while the VMware Player is not running then that pretty much shows that something in the Player is making that call.

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks