Solved: Re: I have a Trojan and can't get rid of it, F-Secure doesn't find it - F-Secure Community

Jack · ‎05-02-2018

When I run Windows MSERT, it shows I have a Trojan: PDF / Phish, which it says is dangerous. It tells me it has partially removed the trojan, but every time I run the MSERT program from Windows the same Trojan is found. I have F Secure Internet Security and when I run it, it does not find the Trojan. I also have Malwarebytes, which does not find the trojan. This bothers me very much and I would like help on it. MSERT does not give the location of the virus, it only shows that it has been found. Can someone please help me with this?

Jack · ‎13-02-2018

I finally got rid of it. I believe it was a remnant of a trojan I had about a month ago and a tech from F Secure helped me kill it, but I think it left a remnant that Microsoft Safety Scanner kept finding and identifying as a serious virus. Malwarebytes helped me with a special program they have that zapped the remainder of the trojan and now I don't get the error. Thank you for the help, I am 73 years old and know little about these things and depend on those of you who know more than I do. Thanks again but I'm okay now, it's gone!

View solution in original post

Ukko · ‎05-02-2018

Hello,

I'm also only F-Secure user (their home solutions). So, only unofficial suggestions and my own feelings.

Good to re-check or know some things:

->> did you run F-Secure IS and Malwarebytes with their "Full Scan" mode?

For example, with F-Secure Internet Security:

-- open Main UI (doubleclick desktop F-Secure logo; or one-click F-Secure tray picture);

-- switch to "Tools" tab;

-- Scan option - "Full Scan" under pop-up menu.

Also, possible to re-check settings for manual scanning (Main UI -> Settings -> Manual Scan tab -> check option for scanning zipped-archived files and uncheck option for scan only known types).

->> then there is next Microsoft article:

https://support.microsoft.com/en-gb/help/2520970/how-to-troubleshoot-an-error-when-you-run-the-micro...

where potential advice and tips -> how to re-check MSERT log files (to open "%systemroot%\debug"-location and see MSERT.log). Even I'm not sure that detected items are placed there too (but most likely - yes).

->> detection MAYBE is false positive:

https://www.f-secure.com/v-descs/false_positive.shtml

But if not - so, there is Microsoft description for "Trojan: PDF / Phish"

https://www.microsoft.com/en-gb/wdsi/threats/malware-encyclopedia-description?Name=Trojan: PDF/Phish

So, it is potentially .pdf-file. Maybe it is an attachment. If previous suggestion with potential log-files where visible 'location' is valid -> good to see does it .pdf-file or, for example, .pst file or other database file for any of mail clients.

If it is .pdf-file -> good to use F-Secure SAS (and transfer file to F-Secure Labs):

https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file

If it is a .pst (or any other archives, containers or so) -> maybe... required additional steps to troubleshoot. But good to receive your feedback about such suggestions (before any other potential advices). Since MSERT with 'partial' remove and then detection is back -> possible to suspect that 'item' inside something like archive or database (container) for mail-letters. Unclear why F-Secure (or Malwarebytes) does not detect it -> except that it is can be a direct phishing/spam try or Microsoft scanner with too generic rules for such detection (and that 'manual scan' settings with ignorance this extension -> which should be possible to tweak and re-scan then).

Thanks!

Jack · ‎05-02-2018

First, thank you for the reply. Second, yes, I ran the long scans of Malwarebytes and F Secure and they found nothing. Unfortunately the MSERT from Microsoft does not give you the location of the malware. They do say it is a harmful trojan. They say it is removed with the regular microsoft antivirus program that comes with Winsdows, but I don't know if this is true and it won't run with Malwarebytes or F Secure. I'm at a loss. You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this. It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it.

Ukko · ‎05-02-2018

wrote:
First, thank you for the reply. Second, yes, I ran the long scans of Malwarebytes and F Secure and they found nothing. Unfortunately the MSERT from Microsoft does not give you the location of the malware. They do say it is a harmful trojan. They say it is removed with the regular microsoft antivirus program that comes with Winsdows, but I don't know if this is true and it won't run with Malwarebytes or F Secure. I'm at a loss. You seem to know far more than I ever expect to know about these things, but I have no idea how to fix this. It may just be a remnant of a virus that was removed and it may not be a problem, but if it is a serious malware I would like to remove it.

Hello,

So, with direct suggestions:

-- Do you able to open Explorer (for example, C:\ drive). And type there "%systemroot%\debug" (only text inside "").

It should open folder like "C:\Windows\debug" (as example). Where can be text-file with filename "msert.log"

Does it possible to open such file with Notepad (if such file there)?

Maybe this log-file with some strings about detected item. Or you already tried it and there is no such information about?

-- If not -> do you able to re-check that F-Secure Internet Security with next settings:

"Open main user interface -> Settings -> Manual scan tab -> "scan inside zipped"-files is checked and "scan only known types" is unchecked).

Then, that your experience is about "Full Scan" with such configuration (main user interface -> Tools tab -> Scan Options button -> Full Scan).

-- Based on detection name and noted Microsoft's description -> it can be a .pdf-file (document).

So, if you did not open any suspicious .pdf-files or attachments from received mail-letters (for example) -> most likely, it is a passive threat (not like virus; or active malicious software). But good to be carefully.

I think that file can be packed/compressed and it is not possible automatically remove it by MSERT -> so, item is detected but not cleaned (maybe). Basically, with such state -> it is safe situation.

Jack · ‎05-02-2018

Thank you Ukko, I will try your suggestions

Jack · ‎06-02-2018

It says "scan inside compressed files" instead of "scan inside of zip files" and that is the way I always run it

Ukko · ‎06-02-2018

wrote:
It says "scan inside compressed files" instead of "scan inside of zip files" and that is the way I always run it

Yes, sorry for my wrong wording.

Did you manage to find MSERT logs?

Näsäviisas · ‎06-02-2018

I did testing with this case.
(Win7, admin rights)
TESTRESULTS:

commandline
cd Windows
dir d*
cd debug
dir > found msert.log
more msert.log
or
type msert.log >
text and results summary,
no infection found,
but information about scanning

As @Ukko wrote, with Notepad you can open msert.log-file > I tested it.

Näsäviisas

Jack · ‎07-02-2018

I could find no logs that told me anything useful

Ukko · ‎07-02-2018

wrote:
I could find no logs that told me anything useful

Hello,

Sorry for my ask.

Does your experience about their Safety Scanner tool (msert):

https://www.microsoft.com/en-gb/wdsi/products/scanner

Or your experience monthly Removal Tool (and maybe it is also marked as msert)?

If not about Safety Scanner tool -> maybe it is possible to run it. And then re-check if there is 'msert.log' with some information. Otherwise -> I will re-check it with my system too!

Thanks!