Continued pop up indicating "AMSI detected harmful content Reason: LNK/Dldr.Agent.VPLZ"

Hello,
My F-secure software continually reports (every 5 minutes or so) the following message in the Windows notification area:
"AMSI detected harmful content Reason: LNK/Dldr.Agent.VPLZ"
I have run a full scan and nothing was found. I also ran multiple antimalware and antivirus software programs, and nothing has been found. There was an infection on my computer, but I thought it was resolved.
How can I find out what is causing this notification?
Thanks!
Mark
Answers
-
Hello @Mark393
Welcome to the F-Secure Community. Thank you for your question.
Could you please take a screenshot of the notification and share it with us?
Based on the detection, "LNK" refers to a shortcut file (.LNK), which may be used to execute malicious commands. To investigate further, please check the detection details in the F-Secure app:
- Open the F-Secure app
- Go to Events > View All
- Locate the exact file path of the detected item and remove the file if possible.
If you need any further assistance, please don't hesitate to reach out; we're happy to help.
Thank you, and have a wonderful day.
Firmy
Community Manager | F-Secure Community
Strengthening digital security through knowledge and collaboration
Explore our User Guides | Knowledge Base for self-help resources
Empower yourself with Cybersecurity Insights and protect what matters
-
Thanks for the reply!
The issue is that this is a PowerShell trojan. So, how do I remove this?
I have copied the information from the event log:
Log Name: FSecureSpApi
Source: F-Secure Device Protection
Date: 2025-03-18 00:12:33
Event ID: 1
Task Category: F-Secure notification
Level: Information
Keywords:
User: SYSTEM
Computer: mpsmith
Description:
The description for Event ID 1 from source F-Secure Device Protection cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
sp.evt.amsi.alert
{"SessionID":1,"ifmly":"virus","iname":"LNK/Dldr.Agent.VPLZ","obj":{"appname":"PowerShell_C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.26100.1","contentname":"","path":"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe","sha256":"f6bbd56c53eb9cc80bd394c2b3c6385f4acd8cd4490e1014b275f1fa92519702"},"termsess":1,"tickcount":3227308487}
default
The message ID for the desired message could not be found
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="F-Secure Device Protection" Guid="{7c7ce274-88b9-4649-8a9b-ade462900c80}" />
<EventID>1</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2025-03-18T04:12:33.5814021Z" />
<EventRecordID>668</EventRecordID>
<Correlation />
<Execution ProcessID="6332" ThreadID="4256" />
<Channel>FSecureSpApi</Channel>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="rl">sp.evt.amsi.alert</Data>
<Data Name="rv">{"SessionID":1,"ifmly":"virus","iname":"LNK/Dldr.Agent.VPLZ","obj":{"appname":"PowerShell_C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe_10.0.26100.1","contentname":"","path":"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe","sha256":"f6bbd56c53eb9cc80bd394c2b3c6385f4acd8cd4490e1014b275f1fa92519702"},"termsess":1,"tickcount":3227308487}</Data>
<Data Name="data">
</Data>
<Data Name="namespace">default</Data>
</EventData>
</Event> -
Hello @Mark393
Thank you for your comment.
It is likely that a piece of malware or a potentially unwanted application has created a scheduled task in Windows Task Scheduler. This task may be triggering the PowerShell application with instructions that are being detected as malicious or suspicious.
To investigate further, please collect a debug log and share it with us. I have sent you a private message with detailed instructions. Kindly follow them and share the logs privately to ensure your security and privacy.
If you have any questions or need further assistance, feel free to reach out.
Thank you, and have a wonderful day.
Firmy
Community Manager | F-Secure Community
-
Hello @Mark393
Thank you for your cooperation. We have received the fsdiag.
After reviewing the log files, we found a scheduled task named "Set-DnsClientDohServerAddress" which executes the following command:
conhost --headless powershell -ep bypass AzureSet-DnsClientDohServerAddress
This task appears unusual and potentially suspicious because it uses PowerShell with "-ep bypass", which is often exploited by malware to bypass security policies. The task runs every 3 minutes, which is an uncommon frequency for legitimate system tasks. The task name does not match any standard Windows system tasks, and we could not confirm its legitimacy. Also, the author field is empty ("N/A"), which is unusual for a legitimate task.
To ensure your system's security, we suggest the following steps:
Check the task details:
- Open "Task Scheduler" (taskschd.msc) > "Task Scheduler Library"
- Locate "Set-DnsClientDohServerAddress"
- Review the "Actions" tab to see the full script being executed.
If the task is unfamiliar, remove it:
- Right-click on the task > Delete > Confirm with OK
- Restart your computer
Run a full system scan:
- Scan your system with the F-Secure app to detect any potential threats: Running a virus scan manually
If you recognize this task as part of a legitimate application (such as a VPN or DNS management tool), please let us know. Otherwise, we highly recommend removing it and scanning your system for potential threats.
Let us know if you need any further assistance. Thank you and stay safe.
Firmy
Community Manager | F-Secure Community
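
Added example (not part of the original replies and not F-Secure tooling): a read-only PowerShell sketch that lists scheduled tasks showing the traits named in the reply above, namely PowerShell with "-ep bypass", a "conhost --headless" launcher, a repetition interval of a few minutes, and an empty Author field. The 5-minute cut-off and the rule of reporting tasks with two or more traits are assumptions chosen for illustration.

```powershell
# Added example: read-only triage of scheduled tasks for the traits named in this thread.
# The 5-minute cut-off and the "two or more traits" rule are assumptions.
$maxInterval = [TimeSpan]::FromMinutes(5)
$bypassFlag  = '(?i)\s-(ep|ex\w*)\s+bypass\b'      # -ep / -exec / -ExecutionPolicy bypass
$headless    = '(?i)conhost(\.exe)?"?\s+--headless'

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons  = [System.Collections.Generic.List[string]]::new()
    $commands = @()

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }       # skip COM-handler actions
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $commands += $cmd
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $bypassFlag) {
            $reasons.Add('PowerShell started with an execution-policy bypass')
        }
        if ($cmd -match $headless) { $reasons.Add('window hidden via conhost --headless') }
    }

    foreach ($trigger in $task.Triggers) {
        $iso = $trigger.Repetition.Interval           # ISO 8601 duration, e.g. PT3M
        if (-not $iso) { continue }
        try   { $every = [System.Xml.XmlConvert]::ToTimeSpan($iso) }
        catch { continue }                            # unparsable interval: ignore
        if ($every -le $maxInterval) { $reasons.Add("repeats every $iso"); break }
    }

    if ([string]::IsNullOrWhiteSpace($task.Author)) { $reasons.Add('Author field is empty') }

    # Collapse repeats (e.g. several matching actions) before counting traits.
    $unique = @($reasons | Select-Object -Unique)
    if ($unique.Count -ge 2) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            Author  = $task.Author
            Command = $commands -join ' ; '
            Reasons = $unique -join '; '
        }
    }
}

$findings | Sort-Object Task | Format-List
```

Run it from an elevated PowerShell prompt so that tasks registered under other accounts are included; it only reports and does not change or delete any task.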