New quarantine appearance - Trojan.FakeAV.NMi

WHONOZEABOT
2013-08-08, 20:26
Completion of full scan on this machine usually produces list of "unthreatening" items - I read quickly, ignore and monthly empty quarantine after a glance.
Windows XP Home, V.2002, SvPk 3 updated. Spybot, SuperAntiSpyware, Vipre 2013 Anti-virus all run regularly.
TROJAN.FakeAV.NMI appeared 2 days ago - I don't think it should even have gotten into quarantine as I have settings I thought blocked and deleted such things. Obviously I don't.

It is quarantined. Should I delete it? If it appears again what should I do? Any advice I'm not smart enough to ask for?

WHONOZEABOT
2013-08-08, 20:29
CORRECTION: The item appearing was; TROJAN.FakeAV.NMl (original submission said NMi)

WHONOZEABOT
2013-08-08, 21:32
If reader cannot tell, I am utterly confused with this SpyBot forum process. What I do know is:

Spybot AV identified a virus clearly today as follows (HERE ARE THE LINE ITEMS ON THE AV SCAN REPORT):

Trojan.FakeAV.NMI

Executable

C:\System Volume Info\_restore{BEE3A94B-B755-457B -A573-F68398179D8}\RP67w\A0144573.exe

This info is in my Quarantine file; I have not clicked on the "fix" function.

I haven't the slightest idea how to handle this - and I have read everything I can from SpyBot.

Do I delete? Is there another step first?

I will not use this PC until this is dealt with.

Thank you for assistance.

tashi
2013-08-08, 23:58
Hello WHONOZEABOT,

I will leave a note for one of the detectives to advise regarding the actual detection. :)

When something is in quarantine it is inactive. How is the computer running in general, any issues?

Best regards.

WHONOZEABOT
2013-08-09, 05:47
Thank you - I knew it was "harmless" left alone; I've always proceeded with other security programs to follow their delete or don't delete recommendation, but couldn't find anything to tell me what was the correct course.

I was surprised to find it showing up, frankly, as I am running the SpyBot Pro version - but that may be something I'm doing or not - I keep AV/AM on (it seems to shut itself down). I haven't seen or found a Trojan on this machine in 2 or 3 years; may have opened something inadvertently.

Given the time I put into keeping machine secure, cookie and malware cleaned, and the discipline I've gradually learned to use to pare back my start-up list, I'm surprised on the machine being slower than early days, but I can't say I'm having problems. I use Secunia for updates, and do spot clean with CCleaner and WinClean, the former mostly to reduce the advertising cookies I never seem to keep out.

Thank you for your assistance.

WHONOZEABOT
2013-08-11, 05:25
I am waiting for "detective" to follow up tashi response. Trojan sits near end of every full scan - I "fix" the rest and am leaving it alone until advised.

I guess the best answer to tashi on computer running is, in general, it is. Not as fast as I've had it run before, and I keep zip on it - oddly erratic on archiving of Google emails but Google keeps changing things that don't need changing but may need fixing when they are thru - so I don't blame that on a Trojan. This machine is scanned twice a day, once AV/AM, once pure Malware with spot checks to clear cookies and garbage out using CCleaner - for the amount of work I put into it, it should run faster - the start-up menu is bare-bones, etc. I use no social networks, no video, few photos, mostly mail and general search and it still seems to be slow - lots of trouble with MS Update but that seems to be nothing unusual and their Mr. Fixit is useless.

I would just like to know I've kept it secure so it'll run - thank you.

WHAT DOES IT MEAN "MOVED" WHEN I ENTERED MY THREAD -? WHERE AND WHY? I could not find anything in the FAQ specific enough to make that understandable.



micha
2013-08-15, 14:00
Hello WHONOZEABOT,
try booting your computer into Safe Mode, then run Spybot, try to remove these items and boot your computer again.

How to Start Your Computer in Safe Mode:

1. Restart the computer.
2. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
3. Use the arrow keys to select the Safe mode with Networking menu item.
4. Press Enter.


Best regards.

WHONOZEABOT
2013-08-15, 18:06
My thread on this topic was moved, presumably by Tashi, who answered most of my questions, but said a "detective" or some such would assist with malware issues and, I presume, how I remove this. It sits in quarantine and I know you'll say it can do no harm - but why keep it there and run risk I delete it when I shouldn't - I'm no expert but I don't believe you'd tell me to keep it there for the life of this machine (or my life).

I ask other questions but this is the most concerning one. I don't know where my thread is now - I'm sure I didn't need to post new thread but I could find nothing as far as I went in FAQ that told me how to find a thread that had been moved. Thank you.

Is there any way I can get email notice when threads are responded to? I thought there was but again didn't have an hour to find out how and where.
I did the "subscribe to thread" and I did not check box to confine response to Forum, but I received no notice.

WHONOZEABOT
2013-08-20, 00:31
I HAVE NOT BEEN ABLE TO REMOVE TROJAN.FakeAVE.NMI shown as executable C:\SystemVolumeInfo\_restore{huge number here which I have recorded} then column info is file Viruses Rule=SpybotAV

Please note carefully:

I have two administrator approved users: here are my step-by-step actions:
Using Safe Mode and SpyBot, I opened Scan results, scrolled down to last item (the Trojan virus) and was surprised to find two in that listing, each dated June 8, 2013, 5 or 6 seconds apart. I used Spybot to delete both.
I then went to Administrator II, and this time found no virus.
I exited, re-booted and opened in the usual way.

Virus was still in Admin I - I deleted it with the normal check and fix-checked method.

When I used the machine next, I found it had re-appeared. I deleted it within Safe Mode.

The next time I used Admin I or II it was not there. I closed the machine for that day.

I opened the machine this AM and it is there again.

I have thus used the safe mode method and the regular method and it still appears as I described in the beginning of this reply.

WHAT DO YOU WANT ME TO DO NEXT? Tho despite best efforts machine is slower, the odd thing is I do not use Internet Explorer in either Admin account, yet Admin II, particularly, shows 35-40 cookies every time and Admin I something like 26. Why do I have cookies in a program I don't use? (It is on the machine as it is Windows XP Home - but I use Google, Chrome for any function I might have once used IE for.)

Do you want me to send you the long locator number? It is followed by \RP672\AO144573.exe

tashi
2013-08-20, 06:52
Hello WHONOZEABOT,
> WHAT DOES IT MEAN "MOVED" WHEN I ENTERED MY THREAD -? WHERE AND WHY? I could not find anything in the FAQ specific enough to make that understandable.

It means you started a new topic and it was moved and merged with your open thread. :)

There is an edit at the bottom of the post, for instance,
"Last edited by tashi; Aug 15th, 2013 at 09:20 AM. Reason: Moved from the malware forum and merged"



> Is there any way I can get email notice when threads are responded to? I thought there was but again didn't have an hour to find out how and where.
> I did the "subscribe to thread" and I did not check box to confine response to Forum, but I received no notice.

Members can keep track of their threads and choose how to be notified about updates. Subscriptions (http://forums.spybot.info/faq.php?faq=vb3_user_profile#faq_vb3_subscriptions)

Please upload the suspected file to VirusTotal (https://www.virustotal.com/en/) to recheck and verify the scan result with different engines, then let us know the result please. :)

Best regards.

WHONOZEABOT
2013-08-27, 01:49
Using Safe Mode, I made two complete efforts to delete this Trojan.FakeAV.NMI and it returned every time, once even double with different date of entry into my system.

I was using the "fix" key because that's all I ever use - I didn't hear from the "detective" and finally tried once more and noticed the "Purge" instruction.

When I used the "purge" instruction in Safe Mode it was gone and hasn't recurred. tuvm.










WHONOZEABOT
2013-08-27, 02:09
Where do I find these things out without trial and error?

1. I was unaware I had an "open thread" and wouldn't have known how to find it if I did.

2. Below you say, "Members can keep track of their threads . . . . " Again, how would I learn this? This is about the only forum where I get answers when I read and thus I'd like not to be the village idiot. I use few forums as it is so inefficient and there are too many self-proclaimed experts. Secunia has always been different at least in my experience.

3. I don't speak tech talk and thus had no idea there was a difference between a new topic and an open thread - I thought a thread was one topic.

4. Is there any way other than the classic trial and error that haunts the computer industry, making it difficult for me and many to learn, that you can suggest?
I've read the instructions, but absent definitions and step by step discussion, I haven't been able to understand how to use the forum, divide into proper topics, etc.
Thanks for any help - I've read what's in the forum instructions, but it isn't integrated and it isn't step by step and, for me, speaks in terms the writers use, not the meanings new readers are familiar with - add to that, different forums work different ways and most people give up (they just don't admit it).

I failed to follow the instructions because I didn't see that this communique had arrived. I'm not sure I would have known how to do it, but I haven't had time to find where one gets that info. As my note today says, once I accidentally saw the term "purge" and used it instead of "fix" the trojan didn't return.





tashi
2013-08-27, 08:46
Hello WHONOZEABOT,

> Where do I find these things out without trial and error?

> 1. I was unaware I had an "open thread" and wouldn't have known how to find it if I did.

> 2. Below you say, "Members can keep track of their threads . . . . " Again, how would I learn this? This is about the only forum where I get answers when I read and thus I'd like not to be the village idiot. I use few forums as it is so inefficient and there are too many self-proclaimed experts. Secunia has always been different at least in my experience.

A link was provided in post # 10. ;)

Members can keep track of their threads and choose how to be notified about updates. Subscriptions (http://forums.spybot.info/faq.php?faq=vb3_user_profile#faq_vb3_subscriptions)



> 3. I don't speak tech talk and thus had no idea there was a difference between a new topic and an open thread - I thought a thread was one topic.

Generally a topic is the subject, the matter under discussion. A thread is the string of posts responding to that topic. In other words the topic becomes a thread when more posts are added following the initial post.


> 4. Is there any way other than the classic trial and error that haunts the computer industry, making it difficult for me and many to learn, that you can suggest?
> I've read the instructions, but absent definitions and step by step discussion, I haven't been able to understand how to use the forum, divide into proper topics, etc.
> Thanks for any help - I've read what's in the forum instructions, but it isn't integrated and it isn't step by step and, for me, speaks in terms the writers use, not the meanings new readers are familiar with - add to that, different forums work different ways and most people give up (they just don't admit it).

I understand, a forum can be confusing for new members.

If one is asking a question about a particular subject it's best if the original poster keeps the discussion within the original topic and not start another topic about the same issue, unless it is requested that the member posts logs to be analyzed in our malware forum.

Hope that helps. :)