When I run Windows MSERT, it shows I have a Trojan: PDF / Phish, which it says is dangerous. It tells me it has partially removed the trojan, but every time I run the MSERT program from Windows the same Trojan is found. I have F Secure Internet Security and when I run it, it does not find the Trojan. I also have Malwarebytes, which does not find the trojan. This bothers me very much and I would like help on it. MSERT does not give the location of the virus, it only shows that it has been found. Can someone please help me with this?
I finally got rid of it. I believe it was a remnant of a trojan I had about a month ago and a tech from F Secure helped me kill it, but I think it left a remnant that Microsoft Safety Scanner kept finding and identifying as a serious virus. Malwarebytes helped me with a special program they have that zapped the remainder of the trojan and now I don't get the error. Thank you for the help, I am 73 years old and know little about these things and depend on those of you who know more than I do. Thanks again but I'm okay now, it's gone!
Hello,
I'm also only an F-Secure user (their home solutions). So, only unofficial suggestions and my own feelings.
Good to re-check or know some things:
->> did you run F-Secure IS and Malwarebytes with their "Full Scan" mode?
For example, with F-Secure Internet Security:
-- open Main UI (doubleclick desktop F-Secure logo; or one-click F-Secure tray picture);
-- switch to "Tools" tab;
-- Scan option - "Full Scan" under pop-up menu.
Also, it is possible to re-check the settings for manual scanning (Main UI -> Settings -> Manual Scan tab -> check the option for scanning zipped-archived files and uncheck the option for scanning only known types).
->> then there is the following Microsoft article:
with potential advice and tips -> how to re-check the MSERT log files (open the "%systemroot%\debug" location and see MSERT.log). Although I'm not sure that detected items are placed there too (but most likely - yes).
->> detection MAYBE is false positive:
https://www.f-secure.com/v-descs/false_positive.shtml
But if not - so, there is Microsoft description for "Trojan: PDF / Phish"
https://www.microsoft.com/en-gb/wdsi/threats/malware-encyclopedia-description?Name=Trojan: PDF/Phish
So, it is potentially a .pdf file. Maybe it is an attachment. If the previous suggestion about potential log files where the 'location' is visible is valid -> good to see whether it is a .pdf file or, for example, a .pst file or another database file for any of the mail clients.
If it is a .pdf file -> good to use F-Secure SAS (and transfer the file to F-Secure Labs):
https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file
If it is a .pst (or any other archives, containers or so) -> maybe... additional steps are required to troubleshoot. But good to receive your feedback about such suggestions (before any other potential advice). Since MSERT does a 'partial' removal and then the detection is back -> possible to suspect that the 'item' is inside something like an archive or database (container) for mail-letters. Unclear why F-Secure (or Malwarebytes) does not detect it -> except that it can be a direct phishing/spam try or the Microsoft scanner with too generic rules for such detection (and those 'manual scan' settings ignoring this extension -> which should be possible to tweak and then re-scan).
Thanks!
First, thank you for the reply. Second, yes, I ran the long scans of Malwarebytes and F Secure and they found nothing. Unfortunately the MSERT from Microsoft does not give you the location of the malware. They do say it is a harmful trojan. They say it is removed with the regular Microsoft antivirus program that comes with Windows, but I don't know if this is true and it won't run with Malwarebytes or F Secure. I'm at a loss. You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this. It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it.
Hello,
So, with direct suggestions:
-- Are you able to open Explorer (for example, the C:\ drive) and type there "%systemroot%\debug" (only the text inside "")?
It should open a folder like "C:\Windows\debug" (as an example), where there can be a text file with the filename "msert.log".
Is it possible to open this file with Notepad (if such a file is there)?
Maybe this log file has some strings about the detected item. Or have you already tried it and there is no such information?
-- If not -> are you able to re-check F-Secure Internet Security with the following settings:
Open main user interface -> Settings -> Manual scan tab -> "scan inside zipped" files is checked and "scan only known types" is unchecked.
Then, confirm that your experience is with "Full Scan" in such a configuration (main user interface -> Tools tab -> Scan Options button -> Full Scan).
-- Based on detection name and noted Microsoft's description -> it can be a .pdf-file (document).
So, if you did not open any suspicious .pdf files or attachments from received mail-letters (for example) -> most likely, it is a passive threat (not like a virus or active malicious software). But good to be careful.
I think that the file can be packed/compressed and it is not possible for MSERT to automatically remove it -> so, the item is detected but not cleaned (maybe). Basically, in such a state -> it is a safe situation.
Thank you Ukko, I will try your suggestions
It says "scan inside compressed files" instead of "scan inside of zip files" and that is the way I always run it
Yes, sorry for my wrong wording.
Did you manage to find MSERT logs?
I could find no logs that told me anything useful
Hello,
Sorry for asking.
Is your experience with their Safety Scanner tool (msert):
https://www.microsoft.com/en-gb/wdsi/products/scanner
Or is your experience with the monthly Removal Tool (and maybe it is also marked as msert)?
If it is not about the Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is an 'msert.log' with some information. Otherwise -> I will re-check it with my system too!
Thanks!
This topic has been closed due to inactivity. If you would like to discuss this topic further, please start a new post.
You can reference this topic in your post by adding this link:
https://community.f-secure.com/t5/F-Secure-SAFE/I-have-a-Trojan-and-can-t-get/td-p/104854