
Strange detections on a USB drive; Phonzy.A!ml



Today I was checking my flash drives for malware out of anxiety. I plugged one of them in and ran a custom scan with Microsoft Windows Defender. It showed this

[attached screenshot of the Windows Defender detection]

I immediately chose the option to remove the file, waited until the removal was finished, and took the flash drive out.

I ran a scan with Malwarebytes; it showed that all is clear. I tried to run another scan with Microsoft Defender Offline but couldn't exactly figure out how, so I'm not sure if it worked. Then I ran a full scan with Microsoft Defender; it showed that all is clear. Then I ran another scan with the ESET online scanner; it did not find anything related to the issue (only an unrelated PUA - I remember installing it, so it wasn't brought here by the virus or anything; deleted it). Right before posting this, I ran FRST as well. Files attached; I attached the ESET log too. All seems to be clear, but I've heard that this Trojan can hide quite well.

I have also been told that autorun scripts like this are not a threat anymore. I hope that is true, but it is worth noting that when I was looking through settings later, the AutoPlay feature was turned on, and the default action for external drives was set to "open folder to view files". I turned it off; not sure if it could've let the trojan through though. So, my main question is: is there anything I should do?

Also, this is not the first time malware has been detected on this particular USB. Just about a month ago I found the movemenoreg.vbs, helper.vbs and installer.vbs scripts in the WindowsServices folder on the E:\ drive. They did not do anything and were also deleted by Windows Defender, so the computer wasn't infected, but the thing is, I am absolutely sure I have not plugged the flash drive into anything else after that problem, and this detection (Phonzy) is completely new. I am confused by that. Maybe the flash drive is just broken and these are all false detections?

Attachments: eset scan log.txt, Addition.txt, FRST.txt

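The poster above checked the AutoPlay state by hand in Settings. The following PowerShell script is an added example, not code from the thread or from any of the vendors mentioned, that reads the same state from the registry so the check can be repeated after a cleanup: the per-user "Use AutoPlay for all media and devices" toggle (the DisableAutoplay value under AutoplayHandlers) and the NoDriveTypeAutoRun policy bitmask, whose 0x04 bit covers removable drives such as USB sticks. It assumes Windows 10/11 with Windows PowerShell 5.1 or later and is run as the user whose settings are in question; the function names are the example's own.

```powershell
# Added example (not from the thread): report whether AutoPlay is effectively
# enabled for removable drives for the current user, and optionally turn the
# per-user toggle off. Assumes Windows 10/11, PowerShell 5.1+.

function Get-AutoPlayState {
    $handlers = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    $policyPaths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # DisableAutoplay = 1 means the Settings toggle "Use AutoPlay for all media
    # and devices" is off. A missing value means the toggle is on (the default).
    $disable = (Get-ItemProperty -Path $handlers -Name DisableAutoplay `
                -ErrorAction SilentlyContinue).DisableAutoplay
    $toggleOn = -not ($disable -eq 1)

    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun/AutoPlay
    # is suppressed (0xFF = all). A machine policy takes precedence over a user one.
    $mask = $null
    foreach ($p in $policyPaths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) { $mask = [int]$v; break }
    }
    $maskText = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { '(not set)' }

    # Bit 0x04 is DRIVE_REMOVABLE, the class a USB flash drive falls into.
    $removableBlocked = ($null -ne $mask) -and (($mask -band 0x04) -ne 0)

    [pscustomobject]@{
        AutoPlayToggleOn           = $toggleOn
        NoDriveTypeAutoRun         = $maskText
        RemovableBlockedByPolicy   = $removableBlocked
        RemovableAutoPlayEffective = ($toggleOn -and -not $removableBlocked)
    }
}

function Disable-UserAutoPlay {
    # Equivalent to switching the AutoPlay toggle off in Settings for this user.
    $handlers = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    if (-not (Test-Path $handlers)) { New-Item -Path $handlers -Force | Out-Null }
    Set-ItemProperty -Path $handlers -Name DisableAutoplay -Value 1 -Type DWord
    Get-AutoPlayState
}

Get-AutoPlayState | Format-List
```

The read-only function is the one to run first; Disable-UserAutoPlay only changes the current user's toggle, and a domain or local policy setting NoDriveTypeAutoRun still overrides it either way.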

  • Root Admin

Hello @InternetUser

Please run the following Kaspersky antivirus full scan. Make sure you insert the USB drive in question as well, and make sure Kaspersky is set to scan that drive too.


Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Press the Windows key and R key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report and select Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start.


When complete, if entries are found there will be options: if "Cure" is offered, leave it as is. For any other options, change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed.

Thank you
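The steps above are typed into the Run box by hand. As an added example, not code from the thread, from Malwarebytes or from Kaspersky, the PowerShell script below does the same thing in one go: it launches KVRT.exe from the Desktop with the -dontencrypt switch named above, waits for the scan window to close, then finds the newest .klr file in the report folder given above and copies it next to KVRT.exe with a .txt extension so it can be attached to a reply. It assumes KVRT.exe is already saved on the current user's Desktop and that the report folder is C:\KVRT2020_Data\Reports as stated in the instructions.

```powershell
# Added example (not from the thread): run KVRT with -dontencrypt and collect
# the resulting readable report. Assumes KVRT.exe is on the user's Desktop.

$desktop   = [Environment]::GetFolderPath('Desktop')
$kvrt      = Join-Path $desktop 'KVRT.exe'
$reportDir = 'C:\KVRT2020_Data\Reports'   # location stated in the instructions

if (-not (Test-Path $kvrt)) {
    throw "KVRT.exe not found at $kvrt - download it to the Desktop first."
}

# Remember which reports already existed so an old one is not attached by mistake.
$before = @(Get-ChildItem -Path $reportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)

# -dontencrypt makes KVRT write a plain-text report instead of an encrypted one.
# KVRT asks for elevation itself; -Wait blocks until its window is closed.
Start-Process -FilePath $kvrt -ArgumentList '-dontencrypt' -Wait

$report = Get-ChildItem -Path $reportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
          Where-Object { $before -notcontains $_.FullName } |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1

if ($null -eq $report) {
    throw "No new .klr report found in $reportDir - was the scan completed?"
}

# Copy with a .txt extension so it opens in Notepad and can be attached directly.
$copy = Join-Path $desktop ($report.BaseName + '.txt')
Copy-Item -Path $report.FullName -Destination $copy -Force
Write-Host "Report copied to $copy - attach this file to your reply."
```

The script only reads the report folder and copies the file; selecting the scan parameters and the Cure/Delete choices is still done in the KVRT window exactly as described above.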

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
