[SOLVED] Suspicious activity, malware?

Status
Not open for further replies.
Oct 16, 2019
4
0
10
Upon installing said software (Nox app player) from bignox.com, i came across this which raised my attention but i didn't put too much thought to it. I placed their ips on hosts and blocked them, and got on with my life. That was 2 months ago.

It was recently that i got fed up with nox and promptly uninstalled it. However, i still see these appear everytime i use my pc. I'm terribly worried that it has drilled itself into my programs and software.

I have Malwarebytes, i update windows defender often, and they always end with a virus free scan. I went online and searched for answers, but little came up as none were similar to my situation. I did manage to pick up a few tools to investigate further, which further shocked me.

Please take a look at the screenshots.

When i first noticed the problem This was after i've scrubbed my pc clean of anything nox, ie i removed everything that had "nox" in name, purged registry with everything "nox app player" related, and then multiple virus scans afterwards. It is a point to note that at no time did my antivirus flag nox.

After i discovered netstat could help me peek at network transactions that i realised how wide the issue was. Every single instance
of 127.0.0.1 was a blocked process attempting to communicate with 8.bignox.com as i will show promptly. The follow screenshots come from "process explorer" to take a deeper peek at individual services.

Process 9100 (discord)

Process 5356 (utorrent)

Process 5874, 1476 and 7484 (all firefox) they were identically like this.

Process 6000 Legitimate Nvidia program.

Program 3084 similar to 6000

This is the chilling part, It seems to have infiltrated windows as well! omg!

Process 3000

Process 3404

Nothing seems out of the ordinary for these applications, infact virustotal reports 0/60 for all of these infected applications except for utorrent, which was flagged at 2/60.

Please, any help would be appreciated. [redacted] this company and what they did to my pc. I'm fairly tech savy, i hope. But i doubt this is a battle even i can fight.
 

Lutfij

Titan
Moderator
At this point, like in the old days, you should backup all your content and then reinstall your OS after recreating it using Windows Media Creation Tools. I would also ask you to look through Windows Defender's firewall option and see if your outgoing and incoming traffic list has Nox in it. From there, see if preventing Nox from communicating changes anything.
 
Oct 16, 2019
4
0
10
At this point, like in the old days, you should backup all your content and then reinstall your OS after recreating it using Windows Media Creation Tools. I would also ask you to look through Windows Defender's firewall option and see if your outgoing and incoming traffic list has Nox in it. From there, see if preventing Nox from communicating changes anything.

Hi,

Firstly, I apologize for my choice of words, my bad.

Secondly, I'm not sure exactly how to back up at this point. The reason i panicked is because it somehow clicked. I do regular backups. But recently, this drive i bought 4 months ago for backups started to mysteriously malfunction. I say malfunction because it works great, no data is lost (i believe), chkdsk is fine, SMART is fine. Except it takes a whole 8minutes to mount/appear as usable on explorer. It started off a month ago taking 30s, a minute and slowly taking longer and longer. I immediately bought a new drive, moved everything onto it and left this malfunctioning aside. I had originally passed it off as possibly a bad unit, perhaps reformatting would help. Didn't do much just incase the new one i had transfered over had any issue, and i had to recopy again. Redundancy right?

Event log of a mount i tried yesterday of that unit

That would've been the end of that issue.

Except... This new drive started to have the same symptoms, appearing as just "Local Disk" for an unusually long time (before then it was instant or several seconds, but now 20 or more seconds). This time round, event log doesn't say anything except when it actually mounts, ie a simple "ntfs (microsoft-windows-NTFS), Drive has no issues" message like above.

I'm really scared. I'm not wealthy enough to buy drives every month. I need to isolate this issue, and this issue fast. Most, i hope, of my items are safely backed up, but how safe they are on that new drive is anyone's guess until i find out what is actually happening.

I'm not sure how much this is related to the above, but its just jarring. Idk i might be paranoid but i really don't wish to plug any of my currently filled drives in atm until i resort this. I have no proof that this wsearch that's interrupting mounting has anything to do with nox, but considering we only know the service is infected by virtue of it attempting to communicate, and at this time, wsearch is not active, its difficult to say. If i can get wsearch to activate and see if it screams for 8.bignox, maybe we'll know?

Thirdly, Nox is enabled but i've disabled it as of now. Not sure if it will make any difference considering Nox.exe and NoxVMHandle.exe that used to have access are both deleted.
 
Oct 16, 2019
4
0
10
'Fringe' software sources (Utorrent often a big indicator of same) often lead to practice dealing with these sorts of 'features'...(subsequent long hours of practice tracking down pernicious software installs can be anticipated...unless having/willing to reinstall a pristine image safely stored elsewhere)

A secondary drive possibly having backups potentially but currently giving issues is another matter.

Back up what stuff you need to a few 32/64 GB flash drives, if nothing else is available..

Then nuke and pave, lessons learned.
 
Status
Not open for further replies.