Jump to content

Trojan:Script/Phonzy.A!ml (setup.exe on drive E: )


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello :welcome: @MrJoy

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I need more information from this machine. Close as many other apps as you can before running this report. 

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail  ( the screen grabs just do not have full details + those screens give no clue as to what processes are running.
Link to post
Share on other sites

Antivírus do Microsoft Defender detetou malware maligno ou outro software potencialmente indesejável.
Para obter mais informações, consulte:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Phonzy.A!ml&threatid=2147772966&enterprise=0
Nome: Trojan:Script/Phonzy.A!ml
Gravidade: Grave
Categoria: Trojan
Caminho: file:_E:\Setup.exe

I suggest that you DELETE this file E:\Setup.exe

Link to post
Share on other sites

  • Solution

What follows is a custom procedure. This is the first part. Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use thuis guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

NEXT

Since you did run the support tool, there -is- a tool named FRSTENGLISH on the Downloads folder . This script works as one of a pair.

This custom script is for  MrJoy  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock. 

NOTE-2: This run will attempt to do some scans with Microsoft Defender antivirus. It will attempt to delete setup.exe on E drive if still present. Plus, it will do a CHKDSK run on the next future system Restart.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me.

Link to post
Share on other sites

  • AdvancedSetup changed the title to Trojan:Script/Phonzy.A!ml (setup.exe on drive E: )

Thank you. The custom run is a success. It accomplished what was intended. This Windows system should be in much better shape. We will now do a new scan with a tool from Microsoft.
As to your doing something such as that script, you would need to get into a malware-removal-school to learn about different tools (including Farbar FRST ), and about ways that malware use to infect & to persist. There are a few free reputable schools that can be recommended, if you are so inclined. This is not something I can teach you or summarized for you in any simple way, nor short period of time either.

In the meantime, stick with Malwarebytes & also Microsoft Defender.
*

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on .  And do a Update run & do a Custom scan on the C drive.

  • From the Windows Start menu, select Settings, then select Update and Security.
  • Next, look at the left-side menu & select Windows Security
  • Next, In Windows Security section: Click on the grey button Open Windows Security
  • Now, click on the shield Virus and threat protection
  • Look to see that Microsoft Defender is shown & available for use.
  • On the next display, look at all the options.  Look down the list and see "Check for Updates" .
  • You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.
  • Please also note that the Scan options (all) can be displayed by clicking on Scan options.
  • I would like you to select CUSTOM scan from scan options
  • Then select the C drive
  • Then have it scan the whole C drive.

NEXT:

I would highly suggest to insure that this pc is all up-to-date with security updates & cumulative updates on Windows. select the Windows Start  button, and then go to Settings  > Update & Security  > Windows Update . and click Check for Updates.
Have much patience. According to what I saw in first reports, and from my notes, this Windows O S needs to get the 21H2 build update. 

Edited by Maurice Naggar
Link to post
Share on other sites

Malware Removal University at Malwareremoval forum

Bleepingcomputer school

There is also a list at this site
https://uniteagainstmalware.com/

Note though: The SpywareHammer is no longer around.

*

I would recommend getting a report on the update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

Please uninstall, update, or otherwise address the following as appropriate for your system.

 

------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.06 (x64) v.21.06 Warning! Download Update
Uninstall old version and install new one.


-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9003 Warning! Download Update


--------------------------------- [ P2P ] ---------------------------------
qBittorrent 4.4.1 v.4.4.1 Warning! Download Update


-------------------------------- [ Java ] ---------------------------------
Java 8 Update 311 (64-bit) v.8.0.3110.11 Warning! Download Update
Uninstall old version and install new one (jre-8u333-windows-x64.exe).

 

---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.0.0.10 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Driver Booster 9 v.9.1.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.

ICARUS Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!

 

 

Once that is done, then click on Start - Search and type in "Check for updates" and have Windows scan for and install any updates it finds.

 

Keep us posted, please.

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Good morning. Your system is good-to-go.
We can proceed with cleanup of tools we used.

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete mb-support-1.8.n.nnn.exe
Delete mbst-grab-results.zip on the Desktop.
Delete SecurityCheck.exe.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.