"Trojan:XML/FakePhish.A" in a newly created text file???

  • Question

  • I just restarted Windows 10 on my Surface Book, and it began reporting:

    Trojan:XML/FakePhish.A
    file: C:\Users\loren\AppData\Roaming\Mozilla\Firefox\Profiles\zx3lv14r.default\storage\default\https+++www.432player.com\.metadata-v2
    file: C:\Users\loren\AppData\Roaming\Mozilla\Firefox\Profiles\zx3lv14r.default\storage\default\https+++www.432player.com\.metadata-v2-tmp

    --> Reported nine times, same info - but checking each required scroll into view, down arrow,
    show details, ...
    Couldn't we just have one list?

    The more info link

    <https://www.microsoft.com/en-us/wdsi/threats/threat-search?query=trojan:xml/fa kephish.a&2147728241&page=1&showall=false&sortby=relevance&sortdir=desc&size=1 0
    -----
    No results found for: trojan:xml/fakephish.a
    -----

    Is the space in "/fa kephish.a" intentional?

    I saved the above in a text file...  And instantly:

    Affected items:
    file: C:\Users\loren\Documents\Acquire S\New Bugs\Windows 10\Misc Curiosities\FakePhish malware in 432 Player.txt

    Looks like I can't keep the file...

    It had already deleted the saved version, but I could print it from the editor.

    Looks like it is OK as a pdf.

    The 432 Player has been here untouched for months. Maybe this is a new definition? But how can having the name of a threat in a text file be a threat?

    Tuesday, July 31, 2018 2:51 AM

All replies

  • Still at this an hour later. In Firefox about:preferences#privacy I blocked:
    https://www.432player.com
    from storing cookies or site data
    (It was not listed in the GUI remove data list!)

    I have no idea why it gets attention, I haven't been there for months, but Firefox kept rewriting its data.

    Now touching Firefox only occasionally triggers a malware warning.

    But I can't have the link to this forum web page stored in a text file on my system! Nor any version of the https://www.432player.com url, even if I insert spaces between the letters! The text file gets deleted instantly before I even look at the notification.

    I really didn't need this today.

    Tuesday, July 31, 2018 3:59 AM
  • I am sorry, I have never seen a similar situation.

    Seems to be an issue related to the Firefox browser, try to back up your favorites and completely uninstall Firefox and delete the Firefox folder in:

    C:\Users\loren\AppData\Roaming\Mozilla

    https://www.432player.com/ is a safe website, I visit it without issue, you may try Chrome or IE.

    Regards


    Tuesday, July 31, 2018 7:28 AM
    Moderator
  • Sorry, no, Firefox is behaving rationally, it is Windows Defender that has gone rogue. It instantly deletes any file that includes the text name of the supposed malware, or a link to this web page. When I opened the eMail notification of your reply, it instantly deleted the .tmp file where the message was decoded into readable form! (My mail client uses the Microsoft IE engine to display HTML messages. I can't show the report because I was in touch mode at the time and the "Modern" Defender screens don't respond fully to touch or pen.)

    Even more disgusting is that there is no way I can find to pause this behavior or ignore/allow this particular detection. The Modern app looks like it allows such control, but all of those controls seem to be ignored. Likewise, Defender is now five separate services, and none of them are allowed to be stopped even by the Administrator.

    I miss Windows 7! 

    Tuesday, July 31, 2018 6:15 PM
  • I can reproduce this: a link to this page pasted to my desktop is indeed removed automatically after some seconds.
    And Defender logs the event.
    So you could contact the owner of the page.

    Tuesday, July 31, 2018 6:34 PM
  • Seems to have stopped harassing me, for now. But somehow one of the text files I had copied the deadly link to, and then deleted the link and re-saved, got mysteriously deleted again... Luckily I have backups!

    What I just now noticed is that Event Viewer shows:

    Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_ON

    Hundreds of them, often more than ten per second, for the entire time I was struggling with this bug, and for the rest of the evening until the system went to hibernation.

    Only one little group of four of them this morning, none at all yesterday.

    Does anyone understand this?

    Wednesday, August 1, 2018 11:41 PM