Trojan warning - but always again...

Mi37St72
Mi37St72 Posts: 10 Observer
edited October 2020 in Web Browsing

Hello,

for 4 days now, I have been receiving a message from F-Secure about 10 minutes after starting my system that says a trojan was found and I should restart the system to remove it. After the restart, the same thing happens. According to the log, a malicious file was found and removed (TROJAN.TR/AD.FIREHOOKER.BU), the path is in the windows/temp/ directory, and a system restart is required to remove it. Searching the system with other programs didn't recover any malware. Could this be a false alarm, and where can I see which file causes the problem?

Thank you!

Accepted Answer

  • Mi37St72
    Mi37St72 Posts: 10 Observer
    Answer ✓

    Thank you F-Secure for your help. The AV-Team identified a fake PxHlpa64 file, the recommended program Autoruns then found a directory jsnode, which pretended to come from nvidia. After deleting that, the message is gone now. I hope all the other questioners get their problem solved, too!

Answers

  • Kauffixi
    Kauffixi Posts: 1 New Member

    Hello everywhere,

    The same problem, no solution.

    I have scanned the system with various other programmes, but no malware was found.

    F-Secure is still warning, wants a reboot, but nothing changes.

    ???

    Stay healthy and safe

    Kauffixi

  • Ukko
    Ukko Posts: 3,769 Superuser

    Hello,

    Sorry for my reply. I am only an F-Secure user (their home solutions).

    Before my suggestions about your own potential troubleshooting steps - I can suggest contacting their official Support Channel (for example, web-chat) or transferring the detected item to F-Secure SAS:

    Could this be a false alarm, and where can I see which file causes the problem?

    Perhaps it could be a false positive detection. At least, based on multiple recent discussions about this certain detection. However, it sounds like the reason for the detection is somewhat really suspicious.

    How I understand the situation:

    Something is detected under the Windows/Temp folder. So, there is a file dropped or downloaded by something from somewhere. Since it is a system (temporary) folder and the detection itself is about a critical view - a restart is requested. However, then 'something' is retriggered.

    It is possible to try to check whether the situation depends on certain steps or not. For example, occurs only after launching the web browser; only with a network connection (so, it is not what is on the file system already); only after launching a certain application and so on.

    So, as general steps - you could check some browser addons or extensions (what if something is suspicious there or recently updated). I am not quite sure about the detection name [TROJAN.TR/AD.FIREHOOKER.BU] - whether "AD" is random or means adware type. If all is fine with browsers - then check the system Task Scheduler for any scheduled tasks and if there is something strange enough. In addition, maybe it is good to check some DNS settings and the hosts file.

    However, the most useful is to contact F-Secure official Support or directly F-Secure Labs (F-Secure SAS) and to transfer the quarantined item. This way - it will be clear whether it is a false positive or not. You could provide (checkbox 'I want to give more details about this sample and to be notified of the analysis results') more information and your email - so you will receive a response about it.

    Thanks! And sorry for my English.
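
As an added example (not Ukko's, not F-Secure's, and not something posted in this thread), here is a read-only PowerShell triage script for the autostart checks suggested above and for the kind of finding in the accepted answer (a startup entry claiming a well-known vendor). It lists scheduled-task actions and Run/RunOnce entries whose executable lives outside the usual system and program directories, Windows\Temp included, and reports the Authenticode signer. It assumes Windows 8 or later (the ScheduledTasks module) and an elevated prompt; it deletes nothing.

```powershell
# Added example (not from the thread or from F-Secure). Read-only triage: list
# scheduled-task actions and Run/RunOnce entries whose executable is outside the
# usual system/program directories, and show who signed the file, if anyone.
$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-ExecutablePath([string]$Command) {
    # Drop arguments and quotes; expand %VAR% placeholders used in task/Run entries.
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

function Test-InTrustedRoot([string]$Path) {
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$entries = @()
# Scheduled tasks: a common way for a file dropped in Windows\Temp to be re-run after a reboot.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $entries += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $action.Execute }
        }
    }
}
# Run/RunOnce keys for the machine and for the current user.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -notlike 'PS*') { $entries += [pscustomobject]@{ Source = "$key\$name"; Command = $props.$name } }
    }
}

$entries | ForEach-Object {
    $exe = Get-ExecutablePath $_.Command
    if (-not $exe -or (Test-InTrustedRoot $exe)) { return }   # keep only unusual locations
    $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
    $status = if ($sig) { $sig.Status } else { 'file missing' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Source = $_.Source; Path = $exe; Signature = $status; Signer = $signer }
} | Format-Table -AutoSize -Wrap
```

An entry under Temp, AppData or ProgramData with Signature NotSigned, or whose Signer does not match the vendor the folder or file name claims, is what to hand to the AV vendor as a sample rather than delete blindly.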

  • Jaims
    Jaims Posts: 846 Former F-Secure Employee

    Hi @Kauffixi @Mi37St72

    In addition to @Ukko 's comment, you can try to manually delete the infection by tracing the path via the F-Secure program but sometimes, it is hidden in the Temp folder as mentioned.

    To locate the trojan location, open the F-Secure program, go to Tools, then click on Virus Scan Options. Click on Open last scanning report and you will be able to see the path where these harmful files are located; then you can manually delete them. Remember to empty your Recycle Bin and run another virus scan.

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Hello and thanks for all your answers. The message kept appearing, then suddenly vanished - and now appears again. I submitted a sample to F-Secure, let's see what they find...

  • Phoenixrising
    Phoenixrising Posts: 1 New Member

    Hi, same happens here.. did you get a solution for the problem?

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Unfortunately not, F-Secure didn't answer to my submitted sample yet. Nevertheless, other Scanners don't find anything.

  • Jaims
    Jaims Posts: 846 Former F-Secure Employee

    Hi @Mi37St72

    Where did you submit the request? Kindly provide us with the URL you used to send us the sample so we could check as I could not trace your submission when I searched using your email address.

    If F-Secure SAFE still flags the trojan repeatedly, this implies it is still present on your device but will not interfere with the rest of your files; however, there is a need to take action as quickly as possible.

    @Phoenixrising Kindly update us on the status of yours as well. If the issue still persists, kindly try the above instructions in my last comment.

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Hello Jaims,

    thanks for your answer, I uploaded an actual dump-file via FTP (/ftp.f-secure.com/incoming/malware_samples.zip), maybe this will help.

  • Jaims
    Jaims Posts: 846 Former F-Secure Employee

    Hi @Mi37St72

    I can see that you have now submitted the file to us. Our anti-malware team will analyze your submission and revert to you via the ticket you have opened with us. Kindly wait for their response.

    Thank you.

  • DominikE
    DominikE Posts: 3 New Member

    I have the same problems.

    Could somebody post updates as soon as the anti-malware team has finished?

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    I uploaded my FSDiag to them, let's see what they find.

  • Jaims
    Jaims Posts: 846 Former F-Secure Employee

    Hi @Mi37St72

    Our anti-malware team sent you an email on Monday 16th November 2020 and you are yet to reply to that email.

    Kindly check your inbox and spam folder just in case it is hiding there.

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Hello Jaims,

    strange, I uploaded it. I'll do it again...

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Hello everyone,

    the problem is solved. Thanks to the AV-Team!

    They identified a file that I could trace to a directory on C:. After deleting that, the message is gone! So everyone with that problem, submit your FSDumps to the Malware-team.

  • DominikE
    DominikE Posts: 3 New Member

    Thank you for the update!

    What does "FSDump" mean?

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    Hello DominikE,

    I mean the Dump file you can collect as described here: https://community.f-secure.com/common-home-en/kb/articles/5429-how-do-i-collect-quarantined-files and upload as described here: https://community.f-secure.com/common-home-en/kb/articles/5429-how-do-i-collect-quarantined-files .

    The guys really helped me out there.

  • Mi37St72
    Mi37St72 Posts: 10 Observer

    ...sorry, wrong link to file-submission. It is found here (somehow, I am not allowed to post this link...) : https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

This discussion has been closed.