Trojan warning - but again and again...
Hello,
For 4 days now, about 10 minutes after starting my system, I have been receiving a message from F-Secure that says a trojan was found and I should restart the system to remove it. After the restart, the same thing happens. According to the log, a malicious file was found and removed (TROJAN.TR/AD.FIREHOOKER.BU), the path is in the windows/temp/ directory, and a system restart is required to remove it. Searching the system with other programs didn't recover any malware. Could this be a false alarm, and where can I see which file causes the problem?
Thank you!
Accepted Answer
-
Thank you F-Secure for your help. The AV team identified a fake PxHlpa64 file; the recommended program Autoruns then found a directory jsnode, which pretended to come from nvidia. After deleting that, the message is gone now. I hope all the other questioners get their problem solved, too!
Answers
-
Hello,
Sorry for my reply. I am only an F-Secure user (their home solutions).
Before my suggestions about your own potential troubleshooting steps - I can suggest contacting their official Support Channel (for example, web-chat) or transferring the detected item to F-Secure SAS:
- https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
- you can try to collect quarantined files via these steps: https://community.f-secure.com/common-home-en/kb/articles/5429-how-do-i-collect-quarantined-files
- and the Support page (with web-chat form) is: https://www.f-secure.com/en/home/support/contact
Could this be a false alarm, and where can I see which file causes the problem?
Perhaps it could be a false positive detection, at least based on multiple recent discussions about this particular detection. However, it sounds like the reason for the detection is really somewhat suspicious.
How I understand the situation:
Something is detected under the Windows/Temp folder. So there is a file dropped or downloaded by something from somewhere. Since it is a system (temporary) folder and the detection itself is regarded as critical, a restart is requested. However, then 'something' is retriggered.
It is possible to try to check whether the situation depends on certain steps or not. For example, it occurs only after launching the web browser; only with a network connection (so it is not something already on the file system); only after launching a certain application, and so on.
So, as general steps - you could check the browser's add-ons or extensions (whether something is suspicious there or recently updated). I am not quite sure about the detection name [TROJAN.TR/AD.FIREHOOKER.BU] - whether "AD" is random or means adware type. If all is fine with the browsers - then check the system Task Scheduler for any scheduled tasks and whether there is something strange enough. In addition, it may be good to check the DNS settings and the hosts file.
However, the most useful thing is to contact F-Secure official Support or directly F-Secure Labs (F-Secure SAS) and to transfer the quarantined item. This way it will be clear whether it is a false positive or not. You could provide (checkbox 'I want to give more details about this sample and to be notified of the analysis results') more information and your email - so you will receive a response about it.
Thanks! And sorry for my English.
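As an added illustration of the Task Scheduler and hosts-file checks suggested above (my own example, not code from the thread or from F-Secure), this PowerShell script lists scheduled-task actions that run from Windows\Temp, reference a Temp folder, lack a valid Authenticode signature or point at a missing executable, and prints hosts entries beyond the default localhost lines:

```powershell
# Added example, not part of the thread: report-only triage helpers for the checks above.
# Run from an elevated PowerShell on the affected machine; nothing is deleted or changed.

$tempDir = Join-Path $env:SystemRoot 'Temp'

function Get-SuspiciousTaskActions {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }       # skip COM-handler / non-exec actions
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($exe)) {     # bare names such as cmd.exe resolve via PATH
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }
            $reasons = @(); $signer = ''
            if ($exe -like "$tempDir\*") { $reasons += 'runs from Windows\Temp' }
            if ($action.Arguments -match '(?i)\\Temp\\') { $reasons += 'arguments reference a Temp folder' }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -FilePath $exe   # embedded or catalog signature
                $signer = $sig.SignerCertificate.Subject
                if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            } else {
                $reasons += 'executable not found on disk'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Exe     = $exe
                    Signer  = $signer                         # shows who really signed it
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

function Get-HostsOverrides {
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hostsFile |
        Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' } |                  # "address hostname" lines
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }  # anything beyond the defaults
}

Get-SuspiciousTaskActions | Format-Table -AutoSize
'--- hosts entries other than the default localhost lines ---'
Get-HostsOverrides
```

Unsigned or Temp-based entries are leads to review, not a verdict; legitimate vendor tasks can appear too, so compare the Signer column against the vendor the task claims to belong to before acting.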
-
In addition to @Ukko's comment, you can try to manually delete the infection by tracing the path via the F-Secure program, but sometimes it is hidden in the Temp folder as mentioned.
To locate the trojan, open the F-Secure program, go to Tools, then click on Virus Scan Options. Click on Open last scanning report and you will be able to see the path where these harmful files are located; then you can delete them manually. Remember to empty your Recycle Bin and run another virus scan.
-
Hi @Mi37St72
Where did you submit the request? Kindly provide us with the URL you used to send us the sample so we can check, as I could not trace your submission when I searched using your email address.
If F-Secure SAFE still flags the trojan repeatedly, this implies it is still present on your device but will not interfere with the rest of your files; however, there is a need to take action as quickly as possible.
@Phoenixrising Kindly update us on the status of yours as well. If the issue still persists, kindly try the above instructions in my last comment.
-
Hello DominikE,
I mean the dump file you can collect as described here: https://community.f-secure.com/common-home-en/kb/articles/5429-how-do-i-collect-quarantined-files and upload as described here: https://community.f-secure.com/common-home-en/kb/articles/5429-how-do-i-collect-quarantined-files .
The guys really helped me out there.