Virus on cache
-
I had Vivaldi for some time and never had a problem, but lately Windows Defender has been detecting malware that comes from the program's cache, a Trojan to be specific. I deleted the cache and even the cache folder, but the Trojan seems to be coming back. Is there anything I can do? Thanks (https://imgur.com/a/M0Wxr3x)
-
@Inmazes, Phonzy is a generic name used by Defender for this type of virus. Deleting the cache isn't enough, because this script reproduces itself.
The only way to eliminate it is to make a complete scan with Defender (which can take a long time, during which it isn't advisable to use the PC) or to use MalwareBytes, Panda Cloud Cleaner, etc.
Writeup by Andisearch about this virus:
Trojan:Script/Phonzy.A!ml is malicious software that infiltrates systems, often without the user's knowledge. This Trojan is known to perform harmful activities such as downloading and installing additional malware, stealing sensitive information, modifying system settings, or opening backdoors for remote access.
The Trojan:Script/Phonzy.A!ml typically spreads through various means such as malicious email attachments, infected websites, or social engineering techniques. Once executed on a system, it may perform actions such as downloading and installing additional malware, stealing sensitive information, modifying system settings, or opening backdoors for remote access.
To eliminate this Trojan, users are advised to use specialized tools to detect and eradicate all associated files and registry entries. Tools such as WiperSoft Antispyware, Malwarebytes Anti-Malware, and GridinSoft Anti-Malware are recommended. Manual removal is also possible, but it requires a certain level of expertise.
-
I don't recommend trying to get rid of the malware by using several scanners. You won't be able to detect and eliminate EVERY entry from the malware.
Best way is to format the device and to re-install the system. I hope you made a clean backup in the past? If so, you're lucky. If not, you have more work to do.
Don't slip up trusting diverse malware scanners. If you use them to scan your system, be aware that they are running on an already compromised system. For this reason you can't trust their findings.
Do you know how you got this malware? Did you open a suspicious link? Or was your system not up to date?
-
@Inmazes Thank you for posting the information. I have mentioned this internally.
-
@ullman It's not a Vivaldi issue, it's just a file in your browser cache. Might be a false positive, might not be. This file was probably created when you visited a web site, maybe a shady one, maybe not.
- It's a pretty stupid antivirus to alert on files in browser cache
- The antivirus says the file is quarantined so should be deleted in any case
- It probably keeps getting generated because you keep visiting the same site
- The file can't hurt your system and there's no reason to think your system is "infected by malware" just from the existence of this single file
- A virus scan with a scanner can't hurt in any case
- Try closing all open tabs and clearing cache, then restart the browser
- Suggesting people reinstall the OS just for a single, possible false positive is ridiculous advice
If anyone wants, find this file in the cache directory as per the AV report, or in the AV quarantine system. Move it out and zip it, then upload it somewhere and I could have a look what it actually is. -
@ullman Well then I guess the natural next questions are:
Have you visited some "shady" websites lately or have you installed some downloaded software containing malware lately? And if so, why didn't the so-called "Defender" defend you? Why did it only report this browser cache file?
OR have you installed some shady extensions lately?
I can try to catch the file and send it to you, if you want.
Sure, do that
-
From a little Googling and excluding all the BS advice sites that try to sell you some crap AV scanner or product, I found this nugget that made me laugh:
https://github.com/NextronSystems/aurora-agent-lite/issues/13
So basically the !ml in the detection string means it's detected by "machine learning" AKA idiot AI.
It even detects a "virus" in a YML file. -
@ullman said in Virus on cache:
So can we conclude that today's Windows Defender updated added some wrong AI scripts that now alert some normally generated cache files as a virus?
I don't know, I don't use Defender, I use Avast.
Ask MS I guess and ask them to improve their crappy product.
PS. Can you please check if your Vivaldi browser creates new cache files every few seconds even when no website is opened?
It does not, no. Where would those files be created?
-
@ullman And you're using Vivaldi to post this? Then this page/tab would create cache files obviously.
Do you have open web panels that create cache files?
Do you have extensions installed that would create cache?
If you mean the files in cache named data_0 to data_3 and index, those are always generated. The files named f_<number> are cached files. If you have a program that allows you to look at file content you can easily see what they are (if you know a little about file headers). -
@ullman I have no idea why these files are created then. There's always a reason, and no need to panic in any case.
I use Total Commander to quickly examine the content of any file.
Here's a PNG file in cache
Here's a JPG file:
HxD is a good hex editor for Windows:
https://mh-nexus.de/en/hxd/
Here's a list of common file signatures:
https://en.wikipedia.org/wiki/List_of_file_signatures
A great tool from Nirsoft to allow you to see cache files and their sources:
https://www.nirsoft.net/utils/chrome_cache_view.html
Doesn't necessarily list everything though. -
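The manual check described in the two posts above (look at the leading bytes of the f_<number> files and compare them with the file signature list), as an added Python script that is not code from anyone in this thread. It assumes a Chromium-style blockfile cache in which each f_<hex> file holds one cached response body; the signature table is a constructed subset of the Wikipedia list linked above.

```python
"""Triage the f_<number> files in a Chromium-style browser cache by their
leading bytes (file signatures), as the posts above suggest doing by hand."""
import hashlib
import os
import re
import sys

# Constructed signature table (offset 0); extend from the Wikipedia list linked above.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF89a", "GIF image"),
    (b"RIFF", "RIFF container (WebP/WAV)"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/JAR/APK)"),
    (b"\x1f\x8b", "gzip data (body cached with Content-Encoding: gzip)"),
    (b"wOFF", "WOFF web font"),
    (b"MZ", "Windows PE executable"),
]

def identify(head: bytes) -> str:
    """Return a human-readable type for the first bytes of a file."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    # No known magic: control bytes other than tab/LF/CR mean it is not text.
    if any(b < 9 or 13 < b < 32 for b in head):
        return "unknown binary"
    low = head.decode("utf-8", errors="replace").lstrip().lower()
    if low.startswith(("<!doctype html", "<html")):
        return "HTML text"
    if low.startswith(("{", "[")):
        return "JSON-like text"
    return "text (CSS/JS/other)"

def scan_cache(cache_dir: str, head_len: int = 512) -> list:
    """List (name, type, sha256) for every f_<hex> file directly under cache_dir."""
    results = []
    for name in sorted(os.listdir(cache_dir)):
        if not re.fullmatch(r"f_[0-9a-f]+", name):
            continue
        with open(os.path.join(cache_dir, name), "rb") as fh:
            data = fh.read()
        results.append((name, identify(data[:head_len]), hashlib.sha256(data).hexdigest()))
    return results

if __name__ == "__main__":
    for name, kind, digest in scan_cache(sys.argv[1]):
        print(f"{name:10} {kind:50} sha256={digest}")
```

The SHA-256 lets you compare a cache file against the hash in the AV report, or look the hash up, without uploading the file itself.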
@ullman Send me the zipped file if you want and I could have a look what it actually is.
-
@ullman said in Virus on cache:
No web panels opened, only start page. I only have 3 extensions installed:
Maybe check for rogue "service worker" as well?
vivaldi://serviceworker-internals