Topic: Win 32: Fake Vimes-B [Trj] how to remove????


strat893
Win 32: Fake Vimes-B [Trj] how to remove????
« on: May 04, 2012, 10:29:46 AM »
Hi everyone, I've been redirected here from another section.

I've got a problem I need some help with. I've tried everything I know and still haven't had any luck.

I'm using a Mac and I have recently replaced Sophos antivirus with the free avast Mac antivirus. I also have a Windows Boot Camp partition that is running avast as well. After installing avast on the OS X side, I ran a full system scan and it came back with an infection, Win32:FakeVimes-B [Trj]. Once the scan completed I tried to remove and repair the infection with no luck. I always got an error saying "User Permissions check failed: Read-only file system". I have no idea how to fix this error, so I decided to start up Windows and do a scan with avast again, thinking it might have something to do with me trying to delete a file from Windows while I'm in OS X.

Once that scan had finished, avast didn't find anything, which doesn't make sense to me. Why would avast for Mac find it, but not avast for Windows? So I ran another scan with Malwarebytes and once again nothing. So I decided to run the same scan again in OS X, thinking it might be an error, but no, it found it again. I decided to try another OS X based scan, with ClamXAV, and that found nothing either. So it's only avast for Mac that's showing it.

This is really bugging me, sorry for the wall of text, but I just don't know what to do. Is it a false find, or is there really something there that nothing else can find? If anyone can help me remove it, it would be great.

.: Mac :.
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #1 on: May 08, 2012, 01:30:16 PM »
Did it find the infection in the Boot Camp partition? If so, the real issue is that Mac OS X can only read NTFS-formatted drives, not write/modify them. This is why most flash drives that are used between the two platforms still use FAT32.

Try taking note of the file's location on the Windows partition, boot into Windows and find the file. Then upload it to an analysis site like VirusTotal. If this is a false positive by the Mac scanner it should be obvious when sending it to VirusTotal, and then you can submit the file to the virus lab for them to correct.

strat893
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #2 on: May 11, 2012, 07:13:33 AM »
Yeah, the infection has been found in the Boot Camp partition. I guess that's the reason why I can't delete it through the Mac OS X antivirus, since the Boot Camp partition is formatted differently.

I've tried what you said, but the problem is I can't find the file at all. Avast for Mac says the location of the file is: /volumes/bootcamp/pagefile.sys

When I booted up Windows and tried to find it I had no luck. I made sure there are no hidden files or folders and did a search for "pagefile.sys" and nothing was found.

What does this mean? How can I find the file to remove or check it if it's not there?

Jan Gahura (Avast team, ALWIL Software)
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #3 on: May 14, 2012, 12:29:30 PM »
Hi,

The pagefile.sys is a system file which is used to store memory pages that have to be temporarily removed from RAM to make space for, e.g., a running application.

In short, a Windows application might have that trojan in its run-time memory, which has been written to the pagefile.sys. You shouldn't remove the file. Try to install an antivirus on your Windows to remove this infection.

Jan

strat893
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #4 on: May 15, 2012, 11:53:27 AM »
Thanks for explaining what pagefile.sys is.

I have tried what you said multiple times with no luck. I have had avast on my Windows partition from the moment I created it. I've tried to scan with it and it's found nothing. I have also tried scans with Malwarebytes, Spybot S&D and SUPERAntiSpyware with no luck as well. Nothing finds the trojan file except the Mac antivirus.

ispy6266
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #5 on: July 27, 2012, 05:37:05 AM »
I am receiving the same error message: User permissions check failed: read only file system. I know from reading this posting that I cannot delete the trojan from the OS X partition if the error is in the Windows 7 partition. My problem is that the Windows 7 (Boot Camp) partition won't boot up and I can't get to my antivirus programs on that side. Any idea how I can remove it? I thought about trying to install the Windows version of avast on the Mac partition. Can I do that?

Jan Gahura
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #6 on: July 27, 2012, 09:29:59 AM »
I'm afraid that a Windows version of avast! won't work on your Mac partition. If your Windows 7 installation doesn't boot, it might make sense to reinstall/repair it.

REDACTED
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #7 on: September 07, 2012, 01:29:51 PM »
Hi Jan,

I have the same problem. It's a bit different, but it seems to me to have the same reason.

On my Mac, avast finds an infection on a Win7 installation running in a VM (I'm using Parallels). Typically a file with the ending .mem is suspected.

Normally I don't shut down Windows when exiting the VM. I guess the image of the RAM is written into a file during shutdown of the VM.

Running avast on Win7 directly, it doesn't find any infection.

It looks like avast for Mac detects infections in memory images of Windows. Checking Windows, nothing suspicious can be found. Whether these detected infections are false positives, I don't know.

Who can check this file to clarify whether it is a false positive, i.e. a problem of the scanner, or a real infection?

Matthias

Jan Gahura
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #8 on: September 13, 2012, 10:20:12 AM »
Hi Matthias,

The problem is that these files are usually too large to be sent for analysis. Can you post here what precisely is detected on those files on your system, please?

Thanks,
Jan

REDACTED
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #9 on: September 17, 2012, 11:15:39 AM »
Hi Jan,

I've attached a screenshot.

Infection: Win32:Small-HUF [Trj]
File: /Users/Shared/Parallels/Windows7.pvm/{.....}.mem
Process: /Library/Parallels/Parallels Service.app/Contents/PulgIns/Parallels VM.app/Contents/MacOS/prl_vm_app
UID: 502

Matthias...

Jan Gahura
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #10 on: September 20, 2012, 09:55:44 AM »
How big is that file, actually? Can you send it somehow (Dropbox sharing etc.) to my email, please? I've installed Parallels on my Mac, but the problem will be more related to the actual content of the contained Windows 7 system.

REDACTED
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #11 on: September 24, 2012, 12:42:41 PM »
Hi Jan,

I've sent you a mail with a link to my Dropbox.
The mem file is zipped.

Is it possible that the Mac avast scanner detects a virus signature of the Windows avast scanner which is kept in (Windows) memory?

Matthias

Jan Gahura
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #12 on: September 26, 2012, 08:29:17 PM »
Hi Matthias,

The detection is a false positive according to our viruslab. We're working on excluding Parallels VM files from scanning.

Jan
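
Jan's explanation earlier in the thread (a pattern that only ever lived in some process's RAM gets paged out into pagefile.sys, or dumped into a VM's .mem file, and a file scanner on the host then matches it) and the fix he describes here (exclude VM memory files from the host scan instead of deleting them) can be shown in code. What follows is an added example written for this thread; it is not avast code. The signature patterns, the path rules for recognising memory-image files, and the verdict names are all constructed for the demo. It also computes the file's SHA-256 in the same pass, so a multi-gigabyte image can be looked up on VirusTotal by hash rather than uploaded, which covers both the earlier advice to submit the file and the later objection that these files are too large to send.

```python
"""Scan a raw memory-image file (pagefile.sys, Parallels *.mem) for byte
signatures and decide whether a hit should be treated as an infection.

Added example for this thread, not avast code. The signature patterns,
path rules and verdict strings are constructed for the demo.
"""
import hashlib
import io
import sys
from pathlib import PurePosixPath

# Hypothetical signatures (constructed; not real detection patterns).
SIGNATURES = {
    "Demo:FakeSig-A": b"FAKE_ALERT_PAYLOAD_v2",
    "Demo:FakeSig-B": b"MZ\x90\x00DEMO-STUB",
}
MAX_SIG_LEN = max(len(s) for s in SIGNATURES.values())

# Files that hold another OS's memory pages rather than a program on disk.
# A pattern found here sat in some process's RAM when the pages were
# written out; it does not identify a malicious file on disk.
MEMORY_IMAGE_NAMES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}
MEMORY_IMAGE_SUFFIXES = {".mem", ".vmem"}
VM_BUNDLE_SUFFIXES = (".pvm", ".vmwarevm")


def is_memory_image(path: str) -> bool:
    """True for swap/hibernation files and anything inside a VM bundle."""
    p = PurePosixPath(path)
    if p.name.lower() in MEMORY_IMAGE_NAMES:
        return True
    if p.suffix.lower() in MEMORY_IMAGE_SUFFIXES:
        return True
    return any(part.lower().endswith(VM_BUNDLE_SUFFIXES) for part in p.parts)


def scan_stream(stream, chunk_size=1 << 20):
    """One pass over a (possibly multi-GB) file.

    Returns (hits, sha256hex). hits is a list of (signature name, absolute
    offset), sorted by offset. The digest lets you look the file up on
    VirusTotal by hash instead of uploading it.
    """
    digest = hashlib.sha256()
    hits = []
    carry = b""   # tail of the previous read, so a match straddling two reads is found
    base = 0      # absolute file offset of buf[0]
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        digest.update(block)
        buf = carry + block
        for name, sig in SIGNATURES.items():
            idx = buf.find(sig)
            while idx >= 0:
                # A match lying entirely inside `carry` was already reported
                # on the previous pass; only report matches that use new bytes.
                if idx + len(sig) > len(carry):
                    hits.append((name, base + idx))
                idx = buf.find(sig, idx + 1)
        keep = min(len(buf), MAX_SIG_LEN - 1)
        carry = buf[len(buf) - keep:]
        base += len(buf) - keep
    hits.sort(key=lambda h: h[1])
    return hits, digest.hexdigest()


def scan_bytes(data: bytes, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (used by the demo/tests)."""
    return scan_stream(io.BytesIO(data), chunk_size)


def verdict(path: str, hits) -> str:
    """Turn raw hits into the action a practitioner should take."""
    if not hits:
        return "clean"
    if is_memory_image(path):
        # Do not delete: the guest OS needs the file, and the match only
        # proves the bytes were in RAM at some point (possibly inside
        # another scanner's own signature database). Scan the running
        # Windows instead, and exclude these files from the host scanner.
        return "memory-image-hit"
    return "infected"


def scan_file(path: str):
    with open(path, "rb") as f:
        hits, sha = scan_stream(f)
    return verdict(path, hits), hits, sha


if __name__ == "__main__":
    for arg in sys.argv[1:]:
        v, h, sha = scan_file(arg)
        print(f"{arg}: {v} sha256={sha}")
        for name, off in h:
            print(f"  {name} @ 0x{off:x}")
```

Run it as `python scan_memimage.py /Volumes/BOOTCAMP/pagefile.sys` (the script name is hypothetical). A Boot Camp volume mounted under OS X is readable even though the NTFS volume is read-only, which is exactly why the host scanner can read the file but cannot delete or repair it. A "memory-image-hit" verdict means: leave the file alone, boot the guest and scan it there, and add the path (or the whole .pvm bundle) to the host scanner's exclusions; the hash lets you check VirusTotal without moving gigabytes around.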

REDACTED
Re: Win 32: Fake Vimes-B [Trj] how to remove????
« Reply #13 on: September 26, 2012, 09:45:43 PM »
Hi Jan,

Thanks a lot for your support.

Matthias.