I have a Trojan and can't get rid of it, F-Secure doesn't find it

Jack
Jack Posts: 69 Active Engager

When I run Windows MSERT, it shows I have a Trojan: PDF / Phish, which it says is dangerous.  It tells me it has partially removed the trojan, but every time I run the MSERT program from Windows the same Trojan is found.  I have F Secure Internet Security and when I run it, it does not find the Trojan.  I also have Malwarebytes, which does not find the trojan.  This bothers me very much and I would like help on it.  MSERT does not give the location of the virus, it only shows that it has been found.  Can someone please help me with this?  

Comments

  • Ukko
    Ukko Posts: 3,741 Superuser

    Hello,

     

    I'm also only F-Secure user (their home solutions). So, only unofficial suggestions and my own feelings.

     

    Good to re-check or know some things:

     

    ->> did you run F-Secure IS and Malwarebytes with their "Full Scan" mode?

    For example, with F-Secure Internet Security:

    -- open Main UI (doubleclick desktop F-Secure logo; or one-click F-Secure tray picture);

    -- switch to "Tools" tab;

    -- Scan option - "Full Scan" under pop-up menu.

    Also, possible to re-check settings for manual scanning (Main UI -> Settings -> Manual Scan tab -> check option for scanning zipped-archived files and uncheck option for scan only known types).

     

    ->> then there is next Microsoft article:

    https://support.microsoft.com/en-gb/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner

    where potential advice and tips -> how to re-check MSERT log files (to open "%systemroot%\debug"-location and see MSERT.log). Even I'm not sure that detected items are placed there too (but most likely - yes).

     

    ->> detection MAYBE is false positive:

    https://www.f-secure.com/v-descs/false_positive.shtml

    But if not - so, there is Microsoft description for "Trojan: PDF / Phish"

    https://www.microsoft.com/en-gb/wdsi/threats/malware-encyclopedia-description?Name=Trojan: PDF/Phish

     

    So, it is potentially .pdf-file. Maybe it is an attachment. If previous suggestion with potential log-files where visible 'location' is valid -> good to see does it .pdf-file or, for example, .pst file or other database file for any of mail clients.

    If it is .pdf-file -> good to use F-Secure SAS (and transfer file to F-Secure Labs):

    https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file

    If it is a .pst (or any other archives, containers or so) -> maybe... required additional steps to troubleshoot. But good to receive your feedback about such suggestions (before any other potential advices). Since MSERT with 'partial' remove and then detection is back -> possible to suspect that 'item' inside something like archive or database (container) for mail-letters. Unclear why F-Secure (or Malwarebytes) does not detect it -> except that it is can be a direct phishing/spam try or Microsoft scanner with too generic rules for such detection (and that 'manual scan' settings with ignorance this extension -> which should be possible to tweak and re-scan then).

     

    Thanks!

  • Jack
    Jack Posts: 69 Active Engager

    First, thank you for the reply.  Second, yes, I ran the long scans of Malwarebytes and F Secure and they found nothing.  Unfortunately the MSERT from Microsoft does not give you the location of the malware.  They do say it is a harmful trojan.  They say it is removed with the regular microsoft antivirus program that comes with Winsdows, but I don't know if this is true and it won't run with Malwarebytes or F Secure.  I'm at a loss.  You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this.  It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it. 

  • Ukko
    Ukko Posts: 3,741 Superuser

    wrote:

    First, thank you for the reply.  Second, yes, I ran the long scans of Malwarebytes and F Secure and they found nothing.  Unfortunately the MSERT from Microsoft does not give you the location of the malware.  They do say it is a harmful trojan.  They say it is removed with the regular microsoft antivirus program that comes with Winsdows, but I don't know if this is true and it won't run with Malwarebytes or F Secure.  I'm at a loss.  You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this.  It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it. 


    Hello,

     

    So, with direct suggestions:

     

    -- Do you able to open Explorer (for example, C:\ drive). And type there "%systemroot%\debug" (only text inside "").

    It should open folder like "C:\Windows\debug" (as example). Where can be text-file with filename "msert.log"

    Does it possible to open such file with Notepad (if such file there)?

    Maybe this log-file with some strings about detected item. Or you already tried it and there is no such information about?

     

    -- If not -> do you able to re-check that F-Secure Internet Security with next settings:

    "Open main user interface -> Settings -> Manual scan tab -> "scan inside zipped"-files is checked and "scan only known types" is unchecked).

    Then, that your experience is about "Full Scan" with such configuration (main user interface -> Tools tab -> Scan Options button -> Full Scan).

     

    -- Based on detection name and noted Microsoft's description -> it can be a .pdf-file (document).

    So, if you did not open any suspicious .pdf-files or attachments from received mail-letters (for example) -> most likely, it is a passive threat (not like virus; or active malicious software). But good to be carefully.

    I think that file can be packed/compressed and it is not possible automatically remove it by MSERT -> so, item is detected but not cleaned (maybe). Basically, with such state -> it is safe situation.

  • Jack
    Jack Posts: 69 Active Engager

    Thank you Ukko, I will try your suggestions

  • Jack
    Jack Posts: 69 Active Engager

    It says "scan inside compressed files" instead of "scan inside of zip files" and that is the way I always run it

  • Ukko
    Ukko Posts: 3,741 Superuser

    wrote:

    It says "scan inside compressed files" instead of "scan inside of zip files" and that is the way I always run it


    Yes, sorry for my wrong wording.

    Did you manage to find MSERT logs?

  • Näsäviisas
    Näsäviisas Posts: 784 Superuser
    I did testing with this case.
    (Win7, admin rights)
    TESTRESULTS:

    commandline
    cd Windows
    dir d*
    cd debug
    dir > found msert.log
    more msert.log
    or
    type msert.log >
    text and results summary,
    no infection found,
    but information about scanning

    As @Ukko wrote, with Notepad you can open msert.log-file > I tested it.

    Näsäviisas



  • Jack
    Jack Posts: 69 Active Engager

    I could find no logs that told me anything useful

  • Ukko
    Ukko Posts: 3,741 Superuser

    wrote:

    I could find no logs that told me anything useful


    Hello,

     

    Sorry for my ask.

    Does your experience about their Safety Scanner tool (msert):

    https://www.microsoft.com/en-gb/wdsi/products/scanner

     

    Or your experience monthly Removal Tool (and maybe it is also marked as msert)?

     

    If not about Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is 'msert.log' with some information. Otherwise -> I will re-check it with my system too!

     

    Thanks!

  • Ukko
    Ukko Posts: 3,741 Superuser

    wrote:

    wrote:

    I could find no logs that told me anything useful


    Hello,

    Sorry for my ask.

    Does your experience about their Safety Scanner tool (msert):

    https://www.microsoft.com/en-gb/wdsi/products/scanner 

    Or your experience monthly Removal Tool (and maybe it is also marked as msert)?

    If not about Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is 'msert.log' with some information. Otherwise -> I will re-check it with my system too! 

    Thanks!


    With my experience it was with next view:

     

    -> I downloaded Safety Scanner (msert) from noted URL.

    -> launch it.

    -> tool detected items.

    -> I open "C:\Windows\debug\msert.log"

    latest scan was with next view:

    -- tool-name;

    -- timestamp;

    -- Extended Scan Results (I choose certain folder for scan also);

    -- scan mistakes (resources which are not scanned);

    -- then string "Threat detected: Virus: DOS/EICAR_Test_File"

    And next view:

        containerfile://drive:\folder\malicious-file.exe
        containerfile://drive:\folder\malicious.com
        containerfile://drive:\folder\suspicious.txt

    further strings with hashes and metadata for items; then some removal strings.

     

     

    Where "drive:\folder\malicious-file.exe" is path like "C:\folder\malicious-file.exe" (so, destination of detected item).

     

    Maybe with your experience -> such log-file (text-file) also should be with some entries about detected item. And if not -> does item is still detected by scan-process?


    Thanks!

  • kontzBern
    kontzBern Posts: 1 New Member

    Glad the problem has been sorted out by yourself after all. You did choose the right soft for it - f-secure is good but it's not enough when dealing with phish trojans and other things of that type. Speaking of the corrupted pdf files, I'm receiving them from time to time and used to misclick on them simultaneously. Now, when I receive a file via mail, I paste it by the link to this app edit-pdf.pdffiller.com/ in order to inspect it first. But it's a paid tool, so you need something similar to Adobe Acrobat but not the software one

This discussion has been closed.
Feedback on New Design