Trojan:Script/Phonzy.A!ml

Solved
VILE57 (Member)

Good evening,

I have a problem that started a week ago. Due to a lapse in judgment, I was caught out by a file I received, which I immediately deleted after opening it and Windows Defender went into a panic...

The issue is that the damage has been done and since then I have had to change my passwords absolutely everywhere. The other concern is that I'm not sure if the intrusion has completely disappeared because even though the supposed contaminated file no longer exists, the Windows Defender alert continues to trigger with the mention (Active)...

At first, I received an alert for "Trojan:Script/Wacatac.H!ml" on a file in the AppData Temp, then a few minutes later it was "Trojan:Script/Phonzy.A!ml" detected on an exe that I had used a long time ago and which no longer exists at that location due to the alert (but continues to appear when I run a scan, hence the screenshot above).

I have taken the initiative and run FRST: you will find the report files attached.

Thanks in advance for your help!

10 replies

MisteryBean (Moderator)

Hello,

The reports FRST.txt and Addition.txt are expected.

All reports must be hosted at https://security-x.fr/up/ and you should include the obtained links in your response.


VILE57 (Member)

Here it is:

https://up.security-x.fr/file.php?h=R78a0c82cd1dba8770761937f32b76a8d

and

https://up.security-x.fr/file.php?h=Ra450976288e43191d1caceda7ffdd3f2

MisteryBean (Moderator)

RE_

Nothing infectious. We are going to clean up the obsolete files that are cluttering the PC.

****************

--> Copy everything from HERE from start:: to end:: (without pasting it anywhere)

--> Open FRST (or FRST64) as an administrator and click on Fix
If FRST seems to freeze or is unresponsive, let it run

--> The PC will restart

--> A fixlog file is created in the same location as FRST, post it like the other reports

*********************

--> Initiate a full scan with Windows Defender and let me know if you still have the issue.


VILE57 (Member)

Thank you, it's done!

Here is the log:

https://up.security-x.fr/file.php?h=Rb44be930440d820341dc6f34ddf13650

I launched a complete scan after the restart, but very quickly the detection message inexorably comes back; I don't understand why:

After which the complete scan resumes its course (for an announced 4 hours)...

MisteryBean (Moderator)

RE_

The fixlog is not complete, so I don't know what has been corrected.

Did the PC restart at the end of the fix? Or did you turn it off beforehand?

Check if the fixlog file you have on your PC ends with =========End of fixlog========

If not, you need to relaunch the fix and make sure to wait until the PC asks to restart.


VILE57 (Member)

Indeed, I realize now that there is a problem: my PC restarted a few seconds after I launched your tool, without warning/asking, so I thought it was normal with this kind of method!

Now, indeed it took longer, it notified me. So this time I think the file is complete:

https://up.security-x.fr/file.php?h=R61a36afd01ae5118ff374d01a5d75527

I will try to redo the analysis now.

MisteryBean (Moderator)

RE_

This time it's OK.

For the detection, it dates back to 06-04 (as noted in your screenshot). If it appears again, delete the Windows Defender history and restart the scan.


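As an added illustration of the moderator's point (this is not code from the thread): a stale Defender history entry can keep re-alerting for a file that has already been deleted. The script below, run from an elevated PowerShell prompt on Windows 10/11, lists each detection with its path and whether that file still exists, then launches the fresh full scan the moderator asks for. It assumes the `file:_<path>` format of the `Resources` field returned by `Get-MpThreatDetection`.

```powershell
# Added example, not part of the original thread.
# Correlate Defender's threat catalogue with its detection history and flag
# entries whose file is no longer on disk (likely history noise, as in this thread).

# Threat names known to Defender on this machine, e.g. Trojan:Script/Phonzy.A!ml
$threats = Get-MpThreat | Select-Object ThreatID, ThreatName, IsActive

# Individual detection events, each carrying the resource(s) that were flagged
$detections = Get-MpThreatDetection

$report = foreach ($d in $detections) {
    $name = ($threats | Where-Object { $_.ThreatID -eq $d.ThreatID }).ThreatName
    foreach ($res in $d.Resources) {
        # Assumption: file resources look like "file:_C:\Users\...\x.exe".
        # Other resource kinds (registry keys, processes) are skipped here.
        if ($res -match '^file:_(.+)$') {
            $path   = $Matches[1]
            $exists = Test-Path -LiteralPath $path
            [pscustomobject]@{
                Threat      = $name
                Detected    = $d.InitialDetectionTime
                Path        = $path
                StillOnDisk = $exists
                Note        = if ($exists) { 'file present: rescan before trusting it' }
                              else         { 'file gone: stale history entry' }
            }
        }
    }
}
$report | Sort-Object Detected | Format-Table -AutoSize

# After clearing the history as advised, confirm with a fresh full scan and
# check that signatures are current and the scan completed.
Start-MpScan -ScanType FullScan
Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated, FullScanAge, QuickScanAge
```

A detection whose file is gone cannot be quarantined again, so a repeated alert for it is history noise rather than a live infection; an entry whose file still exists is the one to keep an eye on until the new scan reports clean.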
VILE57 (Member)

It's all good! I didn't do the "access to protected memory" step since the old detection has disappeared. I'm doing a complete scan that will take 2 or 3 hours to be sure, but it should go all the way without reminding me of the infection from April 6th.

So, can I consider the PC to be "safe" and that the threat was indeed removed before the manipulations we carried out? The fact is, as I said, for the rest "the damage is done," and I have to enable two-factor authentication and change passwords on the sites where I lurked and that my browser logged me into without having to re-enter a password... This has made me paranoid to the point of not using the login saving functions of sites and browsers, even though I have to type everything in every time. You just don't know what to trust anymore, and on which application to log in automatically even after strengthening security and changing passwords.

MisteryBean (Moderator)

RE_

We no longer really know what to trust, and on which application to log in automatically, even after strengthening security and changing passwords.

That's the world of the internet and life in general, every day, people wake up and wonder how to cheat their fellow citizens to make money without too much effort :-\

If it's OK:

To automatically delete all files/folders created by FRST and the tool itself, rename FRST/FRST64.exe to uninstall.exe and run it.

The procedure requires a restart.

See you later on CCM


VILE57 (Member)

It's done. Thank you very much, that took a thorn out of my side.
