Jump to content

C:\Windows\SysWOW64\vmnat.exe Trojan

Recommended Posts

Once I've started Ubuntu in VMWare, Malwarebytes opens the notification below with blocked Trojan for vmnat.exe file to (IP in Czechia). I am running Win10 Pro and VMWare Workstation 16 Player w/ Ubuntu 22.04.1 LTS. Please advise, thanks.



-Log Details-
Protection Event Date: 9/12/22
Protection Event Time: 3:31 PM
Log File: 9913761c-32ea-11ed-a9ea-305a3ae078c7.json

-Software Information-
Components Version: 1.0.1751
Update Package Version: 1.0.59983
License: Premium

-System Information-
OS: Windows 10 (Build 18363.1556)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\vmnat.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
IP Address:
Port: 80
Type: Outbound
File: C:\Windows\SysWOW64\vmnat.exe



Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:      @horseradish


My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.


Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

The only thing I'm running is Ubuntu 22.04.1 LTS and Firefox and Brave Linux versions. I ran a complete Ubuntu version update on Sep. 12, Monday, and right after rebooting the Ubuntu VM, Malwarebytes alerted me. Since then I've install ClamAV and Gufw firewall. ClamAV shows zero infections on Ubuntu. Should I follow your instructions per the above and run a Malwarebytes scan?


----------- SCAN SUMMARY -----------
Known viruses: 8633902
Engine version: 0.103.6
Scanned directories: 101861
Scanned files: 367822
Infected files: 0
Total errors: 43697
Data scanned: 13224.89 MB
Data read: 21852.72 MB (ratio 0.61:1)
Time: 1922.888 sec (32 m 2 s)
Start Date: 2022:09:13 10:16:50
End Date:   2022:09:13 10:48:53


Link to post
Share on other sites

  • Root Admin
18 hours ago, horseradish said:

Once I've started Ubuntu in VMWare, Malwarebytes opens the notification below with blocked Trojan for vmnat.exe file to (IP in Czechia)


That tells me that "something" in your Linux installation is calling out to that address. If you only run VMware without starting the Linux host do you still get an alert? I'm betting that you don't. So, that implies again that "something" from Linux is calling out.


Link to post
Share on other sites

I restarted Windows and started VMWare Player and thus far no Malwarebytes alert.

I started Ubuntu and thus far no Malwarebytes alert.

I started Firefox and thus far no Malwarebytes alert.

I opened up a terminal command line and initiated a ping to and received the Malwarebytes Trojan alert. This is the only alert received.

Not sure if the Gufw firewall is blocking the initial alert I received at startup from the first time or if my Ubuntu is still infected.

Link to post
Share on other sites

  • Root Admin

Infected is not necessarily the perception. Many reasons that IP could be hit, called, etc. without being an infection.

Just in case though, please run the following.



Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well


Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article



I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 



Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.



It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.



Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.