I recently upgraded some desktop PC components (GPU, SSD). I decided to perform a clean install of Windows 10 onto the SSD. I used a USB created using the Installation Media tool provided by Microsoft, which I created on my personal laptop.

During the initial Windows Update after the first restart, a Trojan “Trojan:HTML/Phish.GR!MSR” is immediately identified, without me doing anything else aside from the Windows Update. No webpages visited, no files downloaded, nothing.

I’m no security expert, so I tried swapping my old parts with the upgraded ones to control the cause and check if my new components had anything to do with it, but it appears randomly. I suspect it’s the installation USB, but not sure.

Any idea what could cause this? What can I do if I can’t even trust a clean Windows install?!

Edit

Windows Defender flags microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd[1].svg as the threat. The file is in the IE cache somewhere.

Ishki
  • @schroeder Just the OS. I don’t install anything myself but it may be that some device drivers install on their own. For example, as soon as I log in ASUS Armoury Crate pops up (ASUS is the manufacturer of both my laptop and the desktop’s motherboard). So not sure whether it’s there because of the laptop used to create the install USB or because of the motherboard. Similar idea for other peripherals (keyboard, wireless mouse, etc.). I get notifications that they are “ready to use”, not sure if that entails any automatic downloads. – Ishki Jul 25 '21 at 13:18
  • It appears that someone else ran into this a few days ago [here](https://docs.microsoft.com/en-us/answers/questions/485632/high-volume-of-3439phish39-malware-was-detected-on.html) (Identical filename, but mine shows [1] suffix, as in microsoft_logo_ee5c8d9fb6248c938fd0dc19370e90bd[1].svg) – Ishki Jul 25 '21 at 13:40
  • That's from the IE cache. That means it's a result of IE connecting out to something, and it looks like Microsoft. So, it's not about a problem with the install. The problem is with the site it connects to. – schroeder Jul 25 '21 at 16:23
  • @schroeder thanks for the update. I tried to run another update and actively searched for the file. I would find it consistently even though Defender doesn’t flag it as a threat. A manual scan would deem it safe this time. Do you think it may just be a false alarm? – Ishki Jul 25 '21 at 17:34
  • Without further detail, it does appear to be a false positive. – schroeder Jul 25 '21 at 17:50

0 Answers