Continued pop up indicating "AMSI detected harmful content Reason: LNK/Dldr.Agent.VPLZ"

Mark393 · March 13

Hello,

My F-secure software continually reports (every 5 minutes or so) the following message in the Windows notification area:

"AMSI detected harmful content Reason: LNK/Dldr.Agent.VPLZ"

I have run a full scan and nothing was found. I also ran multiple antimalware and antivirus software programs, and nothing has been found. There was an infection on my computer, but I thought it was resolved.

How can I find out what is causing this notification?

Thanks!

Mark

Firmy · March 14

Hello @Mark393

Welcome to the F-Secure Community. Thank you for your question.

Could you please take a screenshot of the notification and share it with us?

Based on the detection, "LNK" refers to a shortcut file (.LNK), which may be used to execute malicious commands. To investigate further, please check the detection details in the F-Secure app:

Open the F-Secure app
Go to Events > View All
Locate the exact file path of the detected item and remove the file if possible.

If you need any further assistance, please don’t hesitate to reach out—we’re happy to help.

Thank you, and have a wonderful day.

Mark393 · March 18

Thanks for the reply!

The issue is that this is a PowerShell trojan. So, how do I remove this?

I have copied the information from the event log:

Log Name: FSecureSpApi
Source: F-Secure Device Protection
Date: 2025-03-18 00:12:33
Event ID: 1
Task Category: F-Secure notification
Level: Information
Keywords:User: SYSTEM
Computer: mpsmith
Description:
The description for Event ID 1 from source F-Secure Device Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

sp.evt.amsi.alert
{"SessionID":1,"ifmly":"virus","iname":"LNK/Dldr.Agent.VPLZ","obj":{"appname":"PowerShell_C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.26100.1","contentname":"","path":"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe","sha256":"f6bbd56c53eb9cc80bd394c2b3c6385f4acd8cd4490e1014b275f1fa92519702"},"termsess":1,"tickcount":3227308487}
default

The message ID for the desired message could not be found

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="F-Secure Device Protection" Guid="{7c7ce274-88b9-4649-8a9b-ade462900c80}" />
<EventID>1</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2025-03-18T04:12:33.5814021Z" />
<EventRecordID>668</EventRecordID>
<Correlation />
<Execution ProcessID="6332" ThreadID="4256" />
<Channel>FSecureSpApi</Channel>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="rl">sp.evt.amsi.alert</Data>
<Data Name="rv">{"SessionID":1,"ifmly":"virus","iname":"LNK/Dldr.Agent.VPLZ","obj":{"appname":"PowerShell_C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.26100.1","contentname":"","path":"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe","sha256":"f6bbd56c53eb9cc80bd394c2b3c6385f4acd8cd4490e1014b275f1fa92519702"},"termsess":1,"tickcount":3227308487}</Data>
<Data Name="data">
</Data>
<Data Name="namespace">default</Data>
</EventData>
</Event>

Firmy · March 18

Hello @Mark393

Thank you for your comment.

It is likely that a piece of malware or a potentially unwanted application has created a scheduled task in Windows Task Scheduler. This task may be triggering the PowerShell application with instructions that are being detected as malicious or suspicious.

To investigate further, please collect a debug log and share it with us. I have sent you a private message with detailed instructions. Kindly follow them and share the logs privately to ensure your security and privacy.

If you have any questions or need further assistance, feel free to reach out.

Thank you, and have a wonderful day.

Firmy · March 18

Hello @Mark393

Thank you for your cooperation. We have received the fsdiag.

After reviewing the log files, we found a scheduled task named "Set-DnsClientDohServerAddress" which executes the following command

conhost --headless powershell -ep bypass AzureSet-DnsClientDohServerAddress

This task appears unusual and potentially suspicious due to it uses PowerShell with "-ep bypass", which is often exploited by malware to bypass security policies. The task runs every 3 minutes which is an uncommon frequency for legitimate system tasks. The task name does not match any standard Windows system tasks, and we could not confirm its legitimacy. Also, the author field is empty ("N/A") which is unusual for a legitimate task.

To ensure your system's security, we suggest the following steps:

Check the task details:

Open "Task Scheduler" (taskschd.msc) > "Task Scheduler Library"
Locate "Set-DnsClientDohServerAddress"
Review the "Actions" tab to see the full script being executed.

If the task is unfamiliar, remove it:

Right-click on the task > Delete → Confirm with OK
Restart your computer

Run a full system scan:

Scan your system with the F-Secure app to detect any potential threats: Running a virus scan manually

If you recognize this task as part of a legitimate application (such as a VPN or DNS management tool), please let us know. Otherwise, we highly recommend removing it and scanning your system for potential threats.

Let us know if you need any further assistance. Thank you and stay safe.

Mark393 · March 19

Thanks! That has removed the notification. I deleted this suspicious task.

Continued pop up indicating "AMSI detected harmful content Reason: LNK/Dldr.Agent.VPLZ"

Answers

Check the task details:

If the task is unfamiliar, remove it:

Run a full system scan:

Categories