I have a Trojan and can't get rid of it, F-Secure doesn't find it
When I run Windows MSERT, it shows I have a Trojan: PDF / Phish, which it says is dangerous. It tells me it has partially removed the trojan, but every time I run the MSERT program from Windows the same Trojan is found. I have F-Secure Internet Security and when I run it, it does not find the Trojan. I also have Malwarebytes, which does not find the trojan. This bothers me very much and I would like help on it. MSERT does not give the location of the virus, it only shows that it has been found. Can someone please help me with this?
Comments
-
Hello,
I'm also only an F-Secure user (of their home solutions). So, only unofficial suggestions and my own feelings.
Good to re-check or know some things:
->> Did you run F-Secure IS and Malwarebytes in their "Full Scan" mode?
For example, with F-Secure Internet Security:
-- open the Main UI (double-click the desktop F-Secure logo, or single-click the F-Secure tray icon);
-- switch to the "Tools" tab;
-- Scan option - "Full Scan" in the pop-up menu.
Also, it is possible to re-check the settings for manual scanning (Main UI -> Settings -> Manual Scan tab -> check the option for scanning zipped/archived files and uncheck the option to scan only known file types).
->> then there is the next Microsoft article:
with potential advice and tips -> how to re-check the MSERT log files (open the "%systemroot%\debug" location and see MSERT.log). Even I'm not sure that detected items are listed there too (but most likely - yes).
->> the detection MAYBE is a false positive:
https://www.f-secure.com/v-descs/false_positive.shtml
But if not - so, there is the Microsoft description for "Trojan: PDF / Phish":
https://www.microsoft.com/en-gb/wdsi/threats/malware-encyclopedia-description?Name=Trojan: PDF/Phish
So, it is potentially a .pdf file. Maybe it is an attachment. If the previous suggestion about potential log files with a visible 'location' is valid -> good to see whether it is a .pdf file or, for example, a .pst file or another database file for any of the mail clients.
If it is a .pdf file -> good to use F-Secure SAS (and transfer the file to F-Secure Labs):
https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file
If it is a .pst (or any other archive, container or so) -> maybe... additional steps are required to troubleshoot. But good to receive your feedback about such suggestions (before any other potential advice). Since MSERT does a 'partial' removal and then the detection is back -> it is possible to suspect that the 'item' is inside something like an archive or database (container) for mail letters. Unclear why F-Secure (or Malwarebytes) does not detect it -> except that it can be a direct phishing/spam attempt, or the Microsoft scanner has too generic rules for such a detection (and that the 'manual scan' settings ignore this extension -> which should be possible to tweak and then re-scan).
Thanks!
-
First, thank you for the reply. Second, yes, I ran the long scans of Malwarebytes and F-Secure and they found nothing. Unfortunately the MSERT from Microsoft does not give you the location of the malware. They do say it is a harmful trojan. They say it is removed with the regular Microsoft antivirus program that comes with Windows, but I don't know if this is true and it won't run with Malwarebytes or F-Secure. I'm at a loss. You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this. It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it.
-
wrote: First, thank you for the reply. Second, yes, I ran the long scans of Malwarebytes and F-Secure and they found nothing. Unfortunately the MSERT from Microsoft does not give you the location of the malware. They do say it is a harmful trojan. They say it is removed with the regular Microsoft antivirus program that comes with Windows, but I don't know if this is true and it won't run with Malwarebytes or F-Secure. I'm at a loss. You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this. It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it.
Hello,
So, with direct suggestions:
-- Are you able to open Explorer (for example, the C:\ drive) and type there "%systemroot%\debug" (only the text inside the "")?
It should open a folder like "C:\Windows\debug" (as an example), where there can be a text file with the filename "msert.log".
Is it possible to open such a file with Notepad (if such a file is there)?
Maybe this log file has some strings about the detected item. Or you already tried it and there is no such information?
-- If not -> are you able to re-check F-Secure Internet Security with the next settings:
Open main user interface -> Settings -> Manual scan tab -> "scan inside zipped files" is checked and "scan only known types" is unchecked.
Then, that your experience is about a "Full Scan" with such a configuration (main user interface -> Tools tab -> Scan Options button -> Full Scan).
-- Based on the detection name and the noted Microsoft description -> it can be a .pdf file (document).
So, if you did not open any suspicious .pdf files or attachments from received mail letters (for example) -> most likely, it is a passive threat (not like a virus, or active malicious software). But good to be careful.
I think that the file can be packed/compressed and it is not possible for MSERT to remove it automatically -> so, the item is detected but not cleaned (maybe). Basically, in such a state -> it is a safe situation.
-
I did testing with this case.
(Win7, admin rights)
TEST RESULTS:
command line:
cd Windows
dir d*
cd debug
dir -> found msert.log
more msert.log
or
type msert.log
-> text and results summary, no infection found, but information about the scanning
As @Ukko wrote, you can open the msert.log file with Notepad -> I tested it.
Näsäviisas
-
wrote: I could find no logs that told me anything useful
Hello,
Sorry for my question.
Is your experience about their Safety Scanner tool (msert):
https://www.microsoft.com/en-gb/wdsi/products/scanner
Or is your experience about the monthly Removal Tool (and maybe it is also marked as msert)?
If not about the Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is an 'msert.log' with some information. Otherwise -> I will re-check it with my system too!
Thanks!
-
wrote:
wrote: I could find no logs that told me anything useful
Hello,
Sorry for my question.
Is your experience about their Safety Scanner tool (msert):
https://www.microsoft.com/en-gb/wdsi/products/scanner
Or is your experience about the monthly Removal Tool (and maybe it is also marked as msert)?
If not about the Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is an 'msert.log' with some information. Otherwise -> I will re-check it with my system too!
Thanks!
With my experience it was with the next view:
-> I downloaded Safety Scanner (msert) from the noted URL.
-> launched it.
-> the tool detected items.
-> I opened "C:\Windows\debug\msert.log"
The latest scan was with the next view:
-- tool name;
-- timestamp;
-- Extended Scan Results (I chose a certain folder for the scan also);
-- scan mistakes (resources which were not scanned);
-- then the string "Threat detected: Virus: DOS/EICAR_Test_File"
And the next view:
containerfile://drive:\folder\malicious-file.exe
containerfile://drive:\folder\malicious.com
containerfile://drive:\folder\suspicious.txt
further strings with hashes and metadata for the items; then some removal strings.
Where "drive:\folder\malicious-file.exe" is a path like "C:\folder\malicious-file.exe" (so, the destination of the detected item).
Maybe with your experience -> such a log file (text file) also should have some entries about the detected item. And if not -> is the item still detected by the scan process?
Thanks!
-
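As an added example (not part of this thread, and not Microsoft's or F-Secure's code), here is a small Python parser that pulls the "Threat detected:" names and the containerfile:// paths out of an msert.log laid out the way the post above describes, so a detection can be mapped to the file or container it lives in. The sample log text is constructed to match that description, the Trojan:PDF/Phish path in it is invented, and the real log may contain other line types, which the parser simply ignores.

```python
"""Extract detection names and containerfile:// paths from an msert.log.

Added example for the thread above; not Microsoft's or F-Secure's code.
The sample log below is constructed from the layout the poster described
(tool name, timestamp, "Extended Scan Results", a "Threat detected:" line,
then containerfile:// entries); other lines in a real log are ignored.
"""
import os
import re
from typing import Dict, List

# Log location named in the thread: %systemroot%\debug\msert.log
DEFAULT_LOG_PATH = r"%systemroot%\debug\msert.log"

THREAT_RE = re.compile(r"^Threat detected:\s*(?P<name>.+?)\s*$")
CONTAINER_RE = re.compile(r"containerfile://(?P<path>\S+)")


def resolve_log_path(path: str = DEFAULT_LOG_PATH) -> str:
    """Expand %systemroot% (Windows env-var syntax) into a concrete path."""
    return os.path.expandvars(path)


def parse_msert_log(text: str) -> List[Dict[str, object]]:
    """Return one record per 'Threat detected:' line.

    Each record holds the detection name and every containerfile:// path
    that follows it up to the next detection line, so paths are grouped
    under the most recent detection, as in the layout the poster observed.
    """
    records: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAT_RE.match(line)
        if m:
            current = {"threat": m.group("name"), "paths": []}
            records.append(current)
            continue
        # Several containerfile:// entries may share one line, as in the post.
        for pm in CONTAINER_RE.finditer(line):
            if current is None:
                # Path with no preceding detection line: keep it, but flag it.
                current = {"threat": "<unknown>", "paths": []}
                records.append(current)
            current["paths"].append(pm.group("path"))
    return records


def is_test_detection(name: str) -> bool:
    """True for the EICAR test-file detection the poster saw in the log."""
    return "EICAR" in name.upper()


# Constructed sample log, shaped like the structure described in the thread.
# The detection spelling "Virus: DOS/EICAR_Test_File" is copied from the post.
SAMPLE_LOG = """\
Microsoft Safety Scanner (constructed sample header line)
Started On Mon Jan 01 12:00:00 2024
Extended Scan Results
Threat detected: Virus: DOS/EICAR_Test_File
containerfile://C:\\folder\\malicious-file.exe containerfile://C:\\folder\\malicious.com containerfile://C:\\folder\\suspicious.txt
Threat detected: Trojan:PDF/Phish
containerfile://C:\\Users\\me\\Downloads\\invoice.pdf
"""

if __name__ == "__main__":
    # On a real machine you would read resolve_log_path() instead of SAMPLE_LOG.
    for rec in parse_msert_log(SAMPLE_LOG):
        tag = " (test file)" if is_test_detection(rec["threat"]) else ""
        print(f"{rec['threat']}{tag}")
        for p in rec["paths"]:
            print(f"  {p}")
```

The grouping rule (paths belong to the nearest preceding detection line) is the only structural assumption; if a path shows up before any detection line it is kept under a placeholder name rather than silently dropped, so a log with an unexpected layout still surfaces every file the scanner touched.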
I finally got rid of it. I believe it was a remnant of a trojan I had about a month ago and a tech from F-Secure helped me kill it, but I think it left a remnant that Microsoft Safety Scanner kept finding and identifying as a serious virus. Malwarebytes helped me with a special program they have that zapped the remainder of the trojan and now I don't get the error. Thank you for the help, I am 73 years old and know little about these things and depend on those of you who know more than I do. Thanks again but I'm okay now, it's gone!
-
Glad the problem has been sorted out by yourself after all. You did choose the right software for it - F-Secure is good but it's not enough when dealing with phish trojans and other things of that type. Speaking of the corrupted pdf files, I'm receiving them from time to time and used to misclick on them simultaneously. Now, when I receive a file via mail, I paste it by the link to this app edit-pdf.pdffiller.com/ in order to inspect it first. But it's a paid tool, so you need something similar to Adobe Acrobat but not the software one.