w32/Filcout

F-Secure SAFE's weekly scan detects 'w32/Filcout', which is classified as 'severe malware' by Microsoft, but F-Secure does not remove or even quarantine it...

How do I make F-Secure remove this malware?

Comments

  • Ukko Posts: 3,025 Superuser

    Hello,

    Sorry for my reply.

    But which information did F-Secure SAFE provide (which reason did it give for it not being possible to remove/quarantine it)?

    Based on the Microsoft page, this can be a "valid" application (and only in some situations part of a malicious payload).

     

    So... my potential steps there can be:

    --> Open F-Secure SAFE Main UI - Choose Settings.

    --> Re-check settings under the Manual Scanning tab:

       ---> Check "Scan compressed files", check "Advanced scanning" and uncheck "Scan just known type of files".

    After this, save the changes and run a "Full Scan" of the system (from the Main UI: second tab Tools, Options for Scan-Check, and choose "Full Scan" in the menu);

    And re-check the result of the full scan.

    If there is an "archive/zipped/compressed/packed/encrypted" file which is detected under this "detection-name", this can be a reason for "trouble" with "remove/quarantine". But if it is like that, most likely you are able to remove/delete this file just manually (like "Shift+Del").

    But there can be points where the system has some other "malicious results" (payloads, main malicious software or other). A full scan / re-check can be helpful.

  • Hello again!

    I did a search like you said, and the same file was found. Now I got the option to choose what to do, so I chose the option to remove it, but F-Secure then said it couldn't be removed!

    The report reads:

    Application:W32/Filcout

    • C:\Users\Myname\AppData\Local\Temp\1F0D.tmp\stream_68.bin

    Suggestions?

  • Ukko Posts: 3,025 Superuser

    Hello,

    So... just because there is a .tmp file (and stream_68.bin), most likely that "malicious detection" (Application:W32/Filcout - which is probably more like riskware, potentially suspicious, PUA, spyware) is about just some of the resources under an executable/archive/packed/zipped file, not about the full package.

    Basically, F-Secure should create information about it (under the log reports after the scan, or during the "removal" try).

    I can create just some suggestions (if you are able to do this).

    --> First, "collect" this 1F0D.tmp into a zip file (like a copy) and transfer it to F-Secure SAS:

    https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-url

    With the option "I want to give more words and get response", where you are able to add your mail address/description. But I am not sure which category there is better (but anyway it will be under analysis).

    So F-Secure can re-check if there is a potential false-positive detection, and in fact this is not a harmful file/resource.

    Or provide more information about this (if harmful indeed): which other places you have to re-check to be "sure" about the safe status of the system.

    --> Second, I think if F-Secure does not detect something else (with all additional/advanced scan options), most likely the system can be in a safe status. And you are able to just "manually" remove this file from the "Temp" folder.

    Like "Shift+Del" for 1F0D.tmp.

    But I think it can be partly suspicious that this "some kind of" strange detection is placed under the Temp folder as a temp file.

    Because, as it was on the F-Secure description page ( https://www.f-secure.com/sw-desc/application_w32_filcout.shtml ) for this detection name, this can be a safe-based resource/application. But it can be a "payload" of another malicious software (remotely downloaded to the user's system).

    If you have any ideas about a potential "safe" source of this file, maybe all is OK. Maybe this was something like "adware" (meaning software which can provide, during installation, tips to install something, which is usually suspicious). And if this is not related to FileScout (which is described under the F-Secure page).

    If not, maybe additional steps are required. Maybe scan the system with another "additional" solution as a temporary one-time check scan. This can be something like the Malwarebytes solution (just as an example), or online scanners like Nod32 provides, or HitmanPro (in fact, there are fewer reasons to use it in this situation, but it can have some specific helpful things).
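
The collection step described above (copy the detected file into a zip and hand it to the F-Secure sample submission) as an added example; this is not code from the thread or from any F-Secure tool. It records the facts an analyst wants beside a sample (size, SHA-256, and whether the bytes start with the 'MZ' executable or 'PK' zip header, which speaks to the later question of whether a .tmp file is really an executable) and packs the file together with a JSON report without ever executing it. The path names and sample bytes are constructed stand-ins for Temp\1F0D.tmp\stream_68.bin.

```python
"""Added example: collect a suspicious temp file for lab submission.

Records size, SHA-256 and whether the file starts with an executable ('MZ')
or zip ('PK') header, then packs the file plus a JSON report into a zip.
Paths and sample bytes below are constructed stand-ins, not the real file.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path


def file_report(path):
    """Return the facts a lab wants alongside a sample: hash, size, header type."""
    p = Path(path)
    data = p.read_bytes()
    return {
        "name": p.name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        # A Windows PE executable begins with the two bytes 'MZ'; a zip with 'PK'.
        "mz_header": data[:2] == b"MZ",
        "pk_header": data[:2] == b"PK",
    }


def package_for_submission(path, out_zip):
    """Copy the sample into a zip (never execute it) together with report.json."""
    report = file_report(path)
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(path, arcname=report["name"])
        zf.writestr("report.json", json.dumps(report, indent=2))
    return report


def zip_members(out_zip):
    """List the names stored in the submission zip, for a final check."""
    with zipfile.ZipFile(out_zip) as zf:
        return sorted(zf.namelist())


def make_constructed_sample():
    """Create a harmless stand-in for Temp\\1F0D.tmp\\stream_68.bin (constructed data)."""
    work = Path(tempfile.mkdtemp())
    sample = work / "1F0D.tmp" / "stream_68.bin"
    sample.parent.mkdir()
    # 'MZ' header, padding, and a marker: 82 bytes of constructed, harmless content.
    sample.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed-sample")
    return sample


if __name__ == "__main__":
    sample = make_constructed_sample()
    out = sample.parent / "submission.zip"
    print(json.dumps(package_for_submission(sample, out), indent=2))
    print(zip_members(out))
```

The SHA-256 in report.json is the value to keep in your own notes and to quote back to the lab; it lets both sides confirm they are talking about the same bytes even after the original file has been deleted from Temp.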

  • Hello Ukko

    Thank you for your help.

    I have sent the zipped file to F-Secure for analysis, and will await their answer before I take any further actions.

    But is the only thing needed to totally get rid of 'w32/Filcout' to delete the '1F0D.tmp' file?

    /Anders

  • Ukko Posts: 3,025 Superuser

    Hello,

    Sorry for my some kind of long reply :(

    In common meaning, yes, this will be enough. And technically it will be the same as auto-deleting/removing by F-Secure (if it is possible, but not available in the current situation).

    At least if it is confirmed by the F-Secure analysis that there is a false positive (like a wrong detection, and there is no reason for harm points).

    If not (and there is a "valid" detection):

    But just because there is (for me) nothing visibly clear about "w32/Filcout" (and the connection with this .tmp file).

    How did it come to your system? Was it launched? Is it part of something else? Or should this file drop something? Or is it simply a safe file?

    The F-Secure detection (name) looks more like riskware (and is classified so under the F-Secure description page). And in my opinion this .tmp file can be an executable file. Or simply this "filescout.exe" (I did not meet this before your topic); or some other application (installer) which has a "payload" with this file/resource (as optional advice during installation).

    Just because the F-Secure full scan did not detect something else (with all advanced scan settings checked), maybe this can mean that this is just a "static" file (which came to the system for a somewhat strange reason, but did not do something harmful).

    I can recommend doing just some steps:

    ---> When the F-Secure analysis is completed and there is an "answer" for you, maybe you are able to re-ask them to advise about "next actions" (if there is a "valid" detection), for their opinion or "information".

    ---> Re-check the system, folders and system registry for the query "FileScout" (as I understand it, this is the software which is the main reason for this detection), to get a more visible "view" of whether there were actions.
    And re-check just random places, in case you get something strange for you, which can look like something "suspicious".

    ---> Run something like a one-time scan check with another security software (in addition to F-Secure).
    I can think of the Nod32 online scanner solution:
    https://www.eset.com/us/online-scanner/
    This is a possibility to get "malicious" things (which were eventually not detected by F-Secure).
    But also Nod32 will provide advanced settings for scanning to get more Potentially Unwanted Applications / Potentially Suspicious ones. Usually these will be safe applications, normal and valid ones. But you are able to re-check the results and see if this software was installed by you and is known to you. If not, maybe this can be "cleaned".

    Or something like a brief online check (which will be partly the same as F-Secure's power) as "Hitman Pro":
    http://www.surfright.nl/en/hitmanpro

    If there are "no results", maybe the system can be indeed in a safe status.
    And just "deleting" the "1F0D.tmp" was the one required step.
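
The folder re-check suggested above (search for anything named after "FileScout" and confirm the temp artefact is really gone after a manual delete) as an added example; it is not part of the thread and not an F-Secure feature. The script walks a folder tree and returns every file or folder whose name contains a query string (case-insensitive) or whose relative path matches a glob such as `*.tmp/stream_*.bin`, then deletes one item and re-runs the search to confirm it has not come back. The tree it builds is a constructed stand-in for %LOCALAPPDATA%\Temp; the registry part of the check is not covered here.

```python
"""Added example: re-check a folder tree for leftovers after a manual cleanup.

Finds names containing a query such as "filescout" (case-insensitive) and
temp artefacts matching a glob such as "*.tmp/stream_*.bin", then verifies a
deleted item is really gone. The tree built below is a constructed stand-in
for %LOCALAPPDATA%\\Temp, not real data.
"""
import fnmatch
import os
import tempfile
from pathlib import Path


def find_artifacts(root, name_fragments=(), patterns=()):
    """Walk `root` and return sorted relative paths (files and folders) whose
    name contains any fragment or whose relative path matches any glob."""
    root = Path(root)
    frags = [f.lower() for f in name_fragments]
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if any(f in name.lower() for f in frags):
                hits.add(rel)
            # Both sides lower-cased so the match is case-insensitive on every OS.
            elif any(fnmatch.fnmatchcase(rel.lower(), p.lower()) for p in patterns):
                hits.add(rel)
    return sorted(hits)


def delete_and_verify(root, rel_path, name_fragments=(), patterns=()):
    """Delete one file (and its parent folder if that is now empty), then
    re-run the search and report whether the item has really disappeared."""
    root = Path(root)
    target = root / rel_path
    target.unlink()
    if target.parent != root and not any(target.parent.iterdir()):
        target.parent.rmdir()
    return rel_path not in find_artifacts(root, name_fragments, patterns)


def build_constructed_tree():
    """Constructed Temp-like tree: one detection-like artefact, one installer
    whose name contains the query, and harmless filler (all made-up data)."""
    root = Path(tempfile.mkdtemp())
    (root / "1F0D.tmp").mkdir()
    (root / "1F0D.tmp" / "stream_68.bin").write_bytes(b"MZ")
    (root / "FileScout_setup.exe").write_bytes(b"MZ")
    (root / "harmless.txt").write_text("nothing here")
    (root / "Prog" / "sub").mkdir(parents=True)
    (root / "Prog" / "sub" / "notes.log").write_text("ok")
    return root


if __name__ == "__main__":
    tree = build_constructed_tree()
    query, globs = ["filescout"], ["*.tmp/stream_*.bin"]
    print("before:", find_artifacts(tree, query, globs))
    print("gone:", delete_and_verify(tree, "1F0D.tmp/stream_68.bin", query, globs))
    print("after:", find_artifacts(tree, query, globs))
```

Running the same search again after a reboot is the point of the exercise: a static leftover stays gone, while a file that is re-created by something still installed shows up again and tells you the cleanup is not finished.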

  • This is F-Secure's reply:

    Hello, Thank you for your submission.

    The submitted sample contains a file within the exe that is riskware. The riskware may download and execute a malicious file. It is best to go to your control panel > add/remove programs and uninstall any unwanted/suspicious file. If there is no unwanted file, do delete the file manually.

    Thank you.

    Should you have further concerns, please do not hesitate to contact us again.

    Best regards, Azim

    Malware Analyst, F-Secure Security Labs

    So you think I should delete the 1F0D.tmp file now? (right click - delete)

  • I have now deleted it and restarted the computer. I did a file search to make sure it hadn't re-created itself, and it is now gone. I will do a system scan later, but I think it's gone.

  • Ukko Posts: 3,025 Superuser

    Hello,

    I also re-read the F-Secure description page for this detection name: http://www.europe.f-secure.com/cgi-bin/AT-Wdescssearch.cgi?search=Application:W32/Filcout

    And maybe you are also able to re-check one point:

    Usually when F-Secure determines/detects riskware (or a potentially unwanted application) there can be just a prompt about the block action at an attempt to launch/use it (and it is possible, randomly or not, to somehow "exclude it").

    Maybe you are also able to check, under the main F-Secure Settings, the two tabs "Real-time scanning" and "Manual scanning" for the option/place called "Exclusion list / Exclude files from scan" (different for both tabs). If there are some files/applications under the first tab (or the other), this can be an explanation if something else is on the system but is not detected by the scan.

    If all is OK and otherwise there is no software installed on the system with "names strange to you" (or FileScout), then all is OK.

    Anyway, sorry for one more reply from me. :(

    This is more about potential OTHER threats on the system (and not about just this probably static ".tmp" file, which I also think is gone after your actions).

    Thanks.

  • If I can throw in a few words from me.

    F-Secure has just one major flaw. Sometimes it has a problem with deleting files. Other AVs have no such problem.

    Secondly.
    This file is located in Temp. Temp is junk on your computer.
    If F-Secure could not delete the file, you can remove it manually yourself. If you are not sure, do not delete it (or move it to quarantine).
    Good that you sent the file to the F-Secure lab.

    But this file is located in the TEMP folder. There is, as I wrote above, junk. From this folder you should manually remove everything. This file too.

    Regards

  • Thanks to both Ukko and IceMan7 for your help and input.

    I have not done a full scan yet, but I think/hope it's gone.

    Best regards

    Anders