BWarriner

FP: FraudTool.Win32.FakeVimes!delf (v) Engine in Norton 360?

Currently residing in the Quarantine of Adaware, please let me know if this is a false positive. Based on what Adaware is telling me, will it automatically delete upon reboot?

Hi BWarriner,

Thanks for your report. Can I ask you to upload the file from quarantine that looks like this:

e2f37708.tmp.<lots of numbers>.aawqff

The .aawqff file is the quarantined file whereas the .aawqif just stores information about the quarantined file's original location. When I get a copy of the .aawqff file, I can check it out for you.

Thanks!

Regards,

Andy
Lavasoft Malware Labs

Based on your guide for posting False Positives, the download instructions for XP state to navigate to: C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\Quarantine which is what I zipped above already.
The location that the potential FP was quarantined from within the Norton folder is inaccessible to me at all. I receive an "Access is Denied" message.
Should I be looking for this file somewhere else? I did a physical search for "e2f37708.tmp" and found nothing on the C drive.
I would like to add, it occurred to me that about a week or so ago, Norton 360 stopped a trojan while browsing the internet via Sandboxie. Since this is the first time I have run across malware while sandboxed, how does that instance interact with Norton 360? I believe that once I close Sandboxie the malware is removed, or because Norton 360 caught it, it still makes a record within its own files possibly?

>>> Quarantined items:
>>> Description: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\srtsp\srtetmp\e2f37708.tmp Family Name: FraudTool.Win32.FakeVimes!delf (v) Engine: 3 Clean status: Reboot required Item ID: 1 Family ID: 0 MD5: ADBBEC6897909D14C5DEF5E7C8E46D7

Given that you cannot find the file, and with the above information from the log: e2f37708.tmp is a temporary file, and it is possible that the file did not exist after the reboot and therefore was never put in the quarantine. It is also possible that Norton protects that folder and stops Ad-Aware from removing any files from it. See http://community.norton.com/t5/Norton-Internet-Security-Norton/SrtETmp-Directory-Can-Not-Be-Accessed/td-p/8406 and http://www.symantec.com/connect/forums/cdocuments-and-settingsall-usersapplication-datasymantecsrtspsrtetmpxxxtmp

I don't think this is the best place for questions regarding Sandboxie and Norton programs.

Ok, next question. I want to restore this instance back to the original Norton 360 location. Every time I click on restore from the Quarantine tab in Ad-Aware, all it does is display 'Do Nothing' immediately afterwards. If I click on 'Custom' it adds the instance to the Ignore List. I am unable to remove or restore this instance at all from Ad-Aware.
Removing the file from C:Documents and Settings > Application Data > Lavasoft > Quarantine folder doesn't affect the listing, nor does removing C:Documents and Settings > Application Data > Lavasoft > Logs text file do anything to change what appears in the Quarantine GUI. Any advice?

Since the file has not been quarantined, it cannot be restored.

The problem now is that I am unable to remove, edit, or modify the GUI listing under the Quarantine tab. Whatever I attempt to do to remove the listing doesn't work; it just reverts back to 'Do Nothing'. I thought it had fixed itself once I rebooted, but it simply reappeared under the Quarantine tab. How do I remove this listing from the GUI?

I have asked my contact person at Lavasoft and they will investigate the issue.

Lavasoft has not been able to reproduce the error. :(
If it is important that the list is empty, you can try to uninstall Ad-Aware and then install it again. Maybe do an upgrade to Ad-Aware 10.1.
