Trojan:Script/Phonzy.A!ml and B!ml: False Positive or Malware?

Stephanie Adlam
24 Min Read
Featured image: editorial poster for Trojan:Script/Phonzy.A!ml and B!ml archive script analysis.

Trojan:Script/Phonzy.A!ml and Trojan:Script/Phonzy.B!ml are Microsoft Defender script Trojan detections. Keep the item quarantined while you check the affected path and source. An alert from a browser download, email HTML/JS file, MEGA link, ZIP/7z/RAR archive, crack, or unknown script should be treated as unsafe until the file is verified. If the file was your own code or came from a trusted signed tool, update Defender and submit the exact file to Microsoft before restoring it.

What should you do first?

  • Copy the exact label: Phonzy.A!ml and Phonzy.B!ml are close variants, but keep the full Defender name for searches and submissions.
  • Do not allow or restore blindly. Quarantine is safer while you inspect the file path, source, and repeat detections.
  • Check the container: if Defender found it inside a ZIP, 7z, RAR, browser cache, or MEGA download, delete the original archive/source too.
  • If it executed, run a full scan, review startup entries and browser extensions, and change important passwords from a clean device.
Detection variants: Trojan:Script/Phonzy.A!ml, Trojan:Script/Phonzy.B!ml
Detected by: Microsoft Defender Antivirus
Type: Script Trojan / machine-learning script detection
Best action: Quarantine, delete the source file or archive, update Defender, run a full scan, and check persistence if the script ran

What is Trojan:Script/Phonzy.A!ml or B!ml?

Microsoft Security Intelligence lists Trojan:Script/Phonzy.A!ml as a Defender script Trojan detection and says Defender detects and removes it [1]. The public entry is generic, so the affected item path is the practical evidence. Check whether Defender found a standalone script, an HTML/JS attachment, a browser cache item, or a file nested inside an archive.

The Microsoft Defender name format is Type:Platform/Family.Variant!Suffix, so the label decodes as: Trojan is the type, Script is the platform, Phonzy is the family label, A or B is the variant, and !ml means the verdict came from Defender's machine-learning logic rather than a hand-written signature for one known file. An ML verdict is not harmless; it only explains why this label clusters around scripts, compressed downloads, and browser-cached files, where the model is scoring script content and structure, and why the file's source and behavior, not the label alone, should decide what you do with it.

Phonzy.A!ml in a ZIP, 7z, RAR, or MEGA download

Archive detections create false-positive anxiety because Defender may report the archive member rather than a file you intentionally ran. Do not judge the alert from the extension alone. A compressed file can contain scripts, shortcut files, HTML payloads, installers, or obfuscated JavaScript even when the outer archive looks ordinary.

  • If the archive came from a crack, mod, game repack, password-protected link, or unknown MEGA folder, delete it and keep Defender’s quarantine.
  • If the file came from your own project or a trusted vendor, compare hashes, redownload from the official source, update Defender security intelligence [3], and submit the exact file to Microsoft as an incorrect detection if evidence supports a false positive [2].
  • If you only opened the archive but did not run anything, remove the archive/source and run a full scan. For general archive risk, see our guide on whether opening a ZIP or RAR file can give you a virus.
  • If you executed a script, installer, or command from the archive, treat the event as a possible compromise and continue with the cleanup steps below.
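The evidence the bullets above ask for (exact label, affected path, whether it ran, hash, signature, download origin, and what is actually inside the archive) can be collected from PowerShell before you decide. The block below is an added example, not code from this article or from Microsoft. It assumes an elevated session on the affected machine, a ZIP at the example path $ArchivePath (substitute the path from your own alert), and that Defender lists an archive member as container->member in the Resources field, which is the usual form. 7z and RAR archives cannot be opened with .NET's ZipFile; list them with 7-Zip's command line (7z l <file>) instead. Nothing here extracts or runs any member.

```powershell
# Added example, not the article's or Microsoft's code. Run in an elevated PowerShell
# session on the affected machine. $ArchivePath is an assumed example path; use the
# affected-item path from your own Defender alert.
$ArchivePath = 'C:\Users\Public\Downloads\example-repack.zip'   # assumed

# 1. Defender's own record: exact name, whether it executed, and every affected resource.
#    Archive members are usually recorded as <container>-><member> in Resources.
function Get-PhonzyDetections {
    $threats = Get-MpThreat | Where-Object ThreatName -like 'Trojan:Script/Phonzy.*'
    foreach ($t in $threats) {
        $det = Get-MpThreatDetection | Where-Object ThreatID -eq $t.ThreatID
        [pscustomobject]@{
            Name      = $t.ThreatName
            Executed  = $t.DidThreatExecute
            Active    = $t.IsActive
            Resources = ($t.Resources -join '; ')
            FirstSeen = ($det.InitialDetectionTime | Sort-Object | Select-Object -First 1)
            Process   = (($det.ProcessName | Select-Object -Unique) -join ', ')
        }
    }
}

# 2. Source evidence for the container file: SHA-256 (to compare against a fresh
#    official download and to quote in a Microsoft submission), Authenticode status,
#    and the Mark-of-the-Web stream, which records the zone and often the download URL.
function Get-FileEvidence {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not on disk (already quarantined?): $Path"
        return
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $Path
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
        MarkOfWeb = ($motw -join ' ')            # ZoneId=3 means Internet; HostUrl/ReferrerUrl if present
    }
}

# 3. List ZIP members without extracting anything. Member names are visible even in a
#    password-protected ZIP. Flags extensions that run as scripts or launchers and
#    double extensions such as "video.mp4.lnk"; a lone .js or .lnk inside a "repack"
#    is the thing to look at.
function Get-ZipMembers {
    param([Parameter(Mandatory)][string]$Path)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $risky = '.js','.jse','.vbs','.vbe','.wsf','.wsh','.hta','.lnk','.url','.cmd','.bat',
             '.ps1','.htm','.html','.scr','.exe','.msi','.iso','.img'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($e in $zip.Entries) {
            $ext = [System.IO.Path]::GetExtension($e.Name).ToLowerInvariant()
            [pscustomobject]@{
                Member    = $e.FullName
                Bytes     = $e.Length
                Risky     = ($ext -in $risky)
                DoubleExt = ($e.Name -match '\.(pdf|jpg|png|mp4|txt|doc|docx)\.[a-z]{2,4}$')
            }
        }
    } finally { $zip.Dispose() }
}

Get-PhonzyDetections | Format-List
Get-FileEvidence -Path $ArchivePath | Format-List
Get-ZipMembers -Path $ArchivePath | Where-Object { $_.Risky -or $_.DoubleExt } | Format-Table -AutoSize
```

If Get-FileEvidence reports the file is no longer on disk, Defender has already quarantined it; the affected-item path in Windows Security is then your record of where it came from. A valid Authenticode signature from the vendor you expected, a SHA-256 that matches a fresh official download, and no risky members together support a false-positive submission; a MarkOfWeb pointing at an ad network, a file-hosting link, or a crack site argues for deleting the archive and keeping the quarantine.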

Can Phonzy.A!ml or B!ml be a false positive?

False positives are possible, especially with custom scripts, packed files, browser cache artifacts, or security tooling. The safer test is source plus behavior: a trusted signed file that still comes clean after updated scans is different from a script downloaded through an ad, fake update, crack, or unknown cloud link. Avoid exclusions until Microsoft or another trusted analysis confirms the file is clean.

If the alert appeared after you ran an unknown game/mod installer or entered passwords afterward, also review account risk. Our infostealer detection and recovery guide covers password changes, session revocation, and browser-token exposure.

How to remove Trojan:Script/Phonzy.A!ml or B!ml

  1. Open Windows Security and choose Remove or Quarantine for the Phonzy detection.
  2. Write down the affected item path, then delete the original download, archive, email attachment, or extracted folder that produced the alert.
  3. Update Microsoft Defender security intelligence before rescanning [3].
  4. Run a full scan. If the alert returns, or if the script ran before Defender blocked it, run Microsoft Defender Offline from Windows Security [4].
  5. Check Startup Apps, Task Scheduler, browser extensions, Run keys, and recently installed apps if the file executed.
  6. Change important passwords from a clean device if the script ran, opened a phishing page, or was bundled with a crack/mod/download manager.
  7. Run a second-opinion Gridinsoft Anti-Malware scan if Defender reports remediation incomplete, repeated detections, or suspicious startup/browser behavior.
After manual cleanup: reboot Windows and run a full scan to check startup entries, scheduled tasks, bundled apps, and hidden files that may restore the threat.
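Steps 1 through 5 above can be driven from an elevated PowerShell session. The block below is an added example, not code from this article, Microsoft, or Gridinsoft. It assumes $SourcePath points at the download, archive, or extracted folder recorded in your alert (an example path is used here), and it deliberately does not launch the Offline scan itself, because Start-MpWDOScan reboots the machine immediately; it tells you when that step applies. The persistence snapshot covers Run/RunOnce keys, scheduled tasks whose action looks like a script launcher, the Startup folders, and Chrome/Edge extension folders, restricted to items changed in the last few days where a timestamp exists.

```powershell
# Added example, not the article's, Microsoft's, or Gridinsoft's code. Scripts steps 1-5
# of the removal procedure. Run elevated. $SourcePath is an assumed example; replace it
# with the download, archive, or extracted folder recorded in your alert.
$SourcePath = 'C:\Users\Public\Downloads\example-repack.zip'   # assumed

# Steps 1-2: capture what Defender saw (including whether it executed), then remove the
# source that produced the alert so it cannot be re-extracted or re-opened.
$phonzy = Get-MpThreat | Where-Object ThreatName -like 'Trojan:Script/Phonzy.*'
$phonzy | Select-Object ThreatName, IsActive, DidThreatExecute, Resources | Format-List
$ran = [bool]($phonzy | Where-Object DidThreatExecute)
if (Test-Path -LiteralPath $SourcePath) { Remove-Item -LiteralPath $SourcePath -Recurse -Force }

# Step 3: refresh security intelligence before rescanning.
Update-MpSignature

# Step 4: full scan, then decide on an Offline scan. Start-MpWDOScan reboots at once,
# so it is recommended here rather than run unattended.
Start-MpScan -ScanType FullScan
$stillActive = [bool](Get-MpThreat | Where-Object { $_.ThreatName -like 'Trojan:Script/Phonzy.*' -and $_.IsActive })
if ($stillActive -or $ran) {
    Write-Warning 'Detection returned or the script executed: run Start-MpWDOScan (Microsoft Defender Offline; reboots the PC).'
}

# Step 5: persistence snapshot. Items changed within $Days are kept; Run key values are
# always kept because the registry value itself carries no timestamp.
function Get-PersistenceSnapshot {
    param([int]$Days = 7)
    $since    = (Get-Date).AddDays(-$Days)
    $launcher = 'wscript|cscript|mshta|powershell|pwsh|cmd\.exe|rundll32|regsvr32|\.js\b|\.vbs\b|\.hta\b|AppData|\\Temp\\'

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $run = foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |     # drop PSPath, PSProvider, ... metadata
            ForEach-Object { [pscustomobject]@{ Kind = 'RunKey'; Name = "$k\$($_.Name)"; Command = $_.Value; Changed = $null } }
    }

    $tasks = Get-ScheduledTask | ForEach-Object {
        $a = $_.Actions | Select-Object -First 1
        $parsed  = [datetime]::MinValue
        $changed = if ([datetime]::TryParse([string]$_.Date, [ref]$parsed)) { $parsed } else { $null }
        [pscustomobject]@{
            Kind    = 'ScheduledTask'
            Name    = "$($_.TaskPath)$($_.TaskName)"
            Command = "$($a.Execute) $($a.Arguments)".Trim()
            Changed = $changed
        }
    } | Where-Object { $_.Command -match $launcher }

    $startup = Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'StartupFolder'; Name = $_.Name; Command = $_.FullName; Changed = $_.LastWriteTime } }

    # Browser extensions: the folder name is the extension ID; recently created ones are the ones to review.
    $extRoots = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
                "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
    $ext = Get-ChildItem -Path $extRoots -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'BrowserExtension'; Name = $_.Name; Command = $_.FullName; Changed = $_.CreationTime } }

    @($run) + @($tasks) + @($startup) + @($ext) |
        Where-Object { $_ -and ((-not $_.Changed) -or ($_.Changed -ge $since)) }
}

Get-PersistenceSnapshot -Days 7 | Sort-Object Kind, Changed | Format-Table -AutoSize -Wrap
```

Review the snapshot by hand rather than deleting from it automatically: a Run value or task that launches wscript, mshta, or powershell from AppData or Temp on a home PC is worth removing, while vendor updaters in Program Files are normal. Anything you remove here should be followed by the reboot and full scan the procedure above already calls for.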

FAQ

Is Trojan:Script/Phonzy.A!ml the same as Phonzy.B!ml?

They are related Defender script-detection variants. Use the exact label from your alert, but the practical triage is similar: inspect the affected path, source, archive contents, and whether anything executed.

What does remediation incomplete mean?

Defender removed or quarantined part of the threat but could not confirm every related item. Reboot, update Defender, run a full scan or Offline scan, and remove the original source file or archive.

Should I restore a Phonzy file if Reddit says it is a false positive?

No. Keep it quarantined until you can verify the source, hash, signature, clean rescans, and Microsoft submission result. Forum reassurance is not enough for an unknown script or archive.

Can a script Trojan steal passwords?

It can lead to credential theft if it downloads a stealer, changes browser behavior, opens a phishing page, or runs commands. Change passwords and revoke sessions if the file executed.

References

  1. Microsoft Security Intelligence. “Trojan:Script/Phonzy.A!ml threat description.” Microsoft, published January 21, 2021, accessed June 2, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AScript%2FPhonzy.A%21ml
  2. Microsoft Security Intelligence. “Submit a file for malware analysis.” Microsoft, accessed June 2, 2026. https://www.microsoft.com/en-us/wdsi/filesubmission
  3. Microsoft Security Intelligence. “Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.” Microsoft, accessed June 2, 2026. https://www.microsoft.com/en-us/wdsi/defenderupdates
  4. Microsoft Learn. “Microsoft Defender Offline scan in Windows.” Microsoft, accessed June 2, 2026. https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline
Stephanie is our wordsmith, transforming technical research into engaging content that resonates with users. Her expertise in cybercrime prevention and online safety ensures that Gridinsoft's advice is accessible to everyone—whether they’re tech-savvy or not.