Possible Trojan on my computer.

Diablo2K

I started seeing that Windows Defender kept showing there was something on my computer by the icon in the taskbar. I tried to run a scan, but it just automatically shut down; same thing when I tried to view the report. I downloaded Adaware 14 and ran it. It did the scan and found nothing. It asked me to restart the PC, so I did, and when I was back in Windows I started seeing a little window saying an application had been blocked. This was flashing over and over; the location listed was c:/windows/system32/windowspo... That is all I could see. When I look in the system32 folder there is a WindowsPowerShell folder. I ran a full scan, and once again Adaware 14 didn't find anything, nor are there any notifications.
I am about to reinstall Windows but I don't want to if not needed.
 
Maybe you could try:
https://superuser.com/questions/144...-protected-folders-blocked-by-windows-ransomw

If you type this in your terminal:
wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /c:10 /f:text /rd:true

You should get the latest 10 events (you can change 10 to 50, etc.); append > nameFile.log to have them in a text file. Maybe you will see the program that tries to launch PowerShell scripts/commands.

In PowerShell: Get-WinEvent -ProviderName "Microsoft-Windows-Windows Defender" -MaxEvents 100 should give you a list of events; maybe there is some clue as to why it crashes. If there is nothing above and it is recent, maybe you can check whether Windows created a restore point just before it started and whether it noted an application installation making some change to the system.
 
Time to nuke from orbit. Why even waste time fucking around?

Just flatten it and move on - if you're infected, your Windows install can never be trusted again.
Yeah, that's kinda what I thought also. I have the image file from Lenovo specifically for my laptop on a flash drive that I can reinstall Windows from. The only thing is it takes like 3 times longer to install than doing an OS reset within Windows. I have no clue as to what makes it take so much longer, but when I watch it do its thing it does do a lot of stuff that the normal Windows install doesn't do.

Here are the results of the scans:

Code:
Event[0]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:10:15.4270000Z
  Event ID: 1117
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CryptInject!MSR&threatid=2147742930&enterprise=0
        Name: Trojan:MSIL/CryptInject!MSR
        ID: 2147742930
        Severity: Severe
        Category: Trojan
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Origin: Unknown
        Detection Type: FastPath
        Detection Source: AMSI
        User: NT AUTHORITY\SYSTEM
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Action: Quarantine
        Action Status:  No additional actions required
        Error Code: 0x00000000
        Error description: The operation completed successfully.
        Security intelligence Version: AV: 1.391.4116.0, AS: 1.391.4116.0, NIS: 1.391.4116.0
        Engine Version: AM: 1.1.23050.3, NIS: 1.1.23050.3

Event[1]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:58.7130000Z
  Event ID: 2010
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus used cloud protection to get additional security intelligence.
        Current security intelligence Version: 1.391.4116.0
        Security intelligence Type:
        User: \
        Current Engine Version: 1.1.23050.3
        Cloud protection intelligence Type: Security intelligence update
        Persistence Path: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\fd7661fd0ce8f3014557671b541884b72d615dea
        Cloud protection intelligence Version: 0.0.0.0
        Cloud protection intelligence Compilation Timestamp: 7/10/2023 6:09:58 PM
        Persistence Limit Type: Duration
        Persistence Limit: 1728000000

Event[2]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:52.6550000Z
  Event ID: 1116
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CryptInject!MSR&threatid=2147742930&enterprise=0
        Name: Trojan:MSIL/CryptInject!MSR
        ID: 2147742930
        Severity: Severe
        Category: Trojan
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Origin: Unknown
        Detection Type: FastPath
        Detection Source: AMSI
        User: LAPTOP-8RRN8TGA\digit
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Security intelligence Version: AV: 1.391.4116.0, AS: 1.391.4116.0, NIS: 1.391.4116.0
        Engine Version: AM: 1.1.23050.3, NIS: 1.1.23050.3

Event[3]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:52.6520000Z
  Event ID: 1117
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CryptInject!MSR&threatid=2147742930&enterprise=0
        Name: Trojan:MSIL/CryptInject!MSR
        ID: 2147742930
        Severity: Severe
        Category: Trojan
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Origin: Unknown
        Detection Type: FastPath
        Detection Source: AMSI
        User: NT AUTHORITY\SYSTEM
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Action: Quarantine
        Action Status:  No additional actions required
        Error Code: 0x00000000
        Error description: The operation completed successfully.
        Security intelligence Version: AV: 1.391.4116.0, AS: 1.391.4116.0, NIS: 1.391.4116.0
        Engine Version: AM: 1.1.23050.3, NIS: 1.1.23050.3

Event[4]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:37.3450000Z
  Event ID: 1116
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CryptInject!MSR&threatid=2147742930&enterprise=0
        Name: Trojan:MSIL/CryptInject!MSR
        ID: 2147742930
        Severity: Severe
        Category: Trojan
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Origin: Unknown
        Detection Type: FastPath
        Detection Source: AMSI
        User: LAPTOP-8RRN8TGA\digit
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Security intelligence Version: AV: 1.391.4116.0, AS: 1.391.4116.0, NIS: 1.391.4116.0
        Engine Version: AM: 1.1.23050.3, NIS: 1.1.23050.3

Event[5]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:26.3950000Z
  Event ID: 2010
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus used cloud protection to get additional security intelligence.
        Current security intelligence Version: 1.391.4116.0
        Security intelligence Type:
        User: \
        Current Engine Version: 1.1.23050.3
        Cloud protection intelligence Type: Security intelligence update
        Persistence Path: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\data\7286fc081af890a289428d98cbb0d856197ae980
        Cloud protection intelligence Version: 0.0.0.0
        Cloud protection intelligence Compilation Timestamp: 7/10/2023 6:09:26 PM
        Persistence Limit Type: Duration
        Persistence Limit: 864000000

Event[6]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:20.5080000Z
  Event ID: 1002
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus scan has been stopped before completion.
        Scan ID: {FFD79CEB-9E26-46AE-95FC-A4590B948081}
        Scan Type: Antimalware
        Scan Parameters: Quick Scan
        User: LAPTOP-8RRN8TGA\digit

Event[7]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:09:17.2070000Z
  Event ID: 1116
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:MSIL/CryptInject!MSR&threatid=2147742930&enterprise=0
        Name: Trojan:MSIL/CryptInject!MSR
        ID: 2147742930
        Severity: Severe
        Category: Trojan
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Origin: Unknown
        Detection Type: FastPath
        Detection Source: AMSI
        User: LAPTOP-8RRN8TGA\digit
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Security intelligence Version: AV: 1.391.4116.0, AS: 1.391.4116.0, NIS: 1.391.4116.0
        Engine Version: AM: 1.1.23050.3, NIS: 1.1.23050.3

Event[8]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:08:29.3410000Z
  Event ID: 1000
  Task: N/A
  Level: Information
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus scan has started.
        Scan ID: {FFD79CEB-9E26-46AE-95FC-A4590B948081}
        Scan Type: Antimalware
        Scan Parameters: Quick Scan
        Scan Resources:
        User: LAPTOP-8RRN8TGA\digit

Event[9]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Source: Microsoft-Windows-Windows Defender
  Date: 2023-07-10T13:08:16.1780000Z
  Event ID: 1002
  Task: N/A
  Level: Warning
  Opcode: Info
  Keyword: N/A
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Computer: LAPTOP-8RRN8TGA
  Description:
Microsoft Defender Antivirus scan has been stopped before completion.
        Scan ID: {D875C08F-1D16-4098-8B51-4EFA591DC48F}
        Scan Type: Antimalware
        Scan Parameters: Quick Scan
        User: LAPTOP-8RRN8TGA\digit
 
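The dump above is the raw /f:text output of the wevtutil command suggested earlier in the thread, printed newest-first because of /rd:true. What follows is an added example, not code from this thread or from Microsoft, that parses that text format offline and builds the triage view a responder would want from it: the events in chronological order, how many of each event ID occurred, which threat name was reported, whether the detection Path starts with amsi: (meaning Defender scanned script content handed to it in memory through the AMSI interface rather than a file on disk, which is why a file-based scanner such as Adaware can come up clean), which process hosted it, how quickly the detections recur, and how many scans were stopped before completion. The SAMPLE_LOG embedded in it is a constructed, abbreviated copy of four of the posted events; the EVENT_MEANING table covers only the event IDs that appear in the dump, using Defender's documented meanings.

```python
"""Offline triage of `wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /f:text`
output. Added example for this thread; SAMPLE_LOG is a constructed, abbreviated copy of
four posted events and is not a real capture."""
import re
from collections import Counter
from datetime import datetime, timezone

# Meaning of the Defender Operational event IDs that appear in the posted dump.
EVENT_MEANING = {1000: "scan started", 1002: "scan stopped before completion",
                 1116: "malware detected", 1117: "action taken on detected malware",
                 2010: "cloud protection intelligence update"}

_EVENT_HEADER = re.compile(r"^Event\[(\d+)\]:\s*$")
# Two-space indent = event header field; eight-space indent = description detail field.
_FIELD = re.compile(r"^( {2}| {8})([A-Za-z][^:]*?):\s?(.*)$")


def _parse_time(stamp: str) -> datetime:
    """wevtutil prints seven fractional digits; datetime accepts at most six."""
    m = re.match(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z?$", stamp)
    if not m:
        return datetime.min.replace(tzinfo=timezone.utc)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((m.group(2) or "")[:6].ljust(6, "0")), tzinfo=timezone.utc)


def parse_wevtutil_text(text: str) -> list[dict]:
    """One dict per Event[n] block: header fields, indented detail fields, free description text."""
    events, cur = [], None
    for line in text.splitlines():
        if m := _EVENT_HEADER.match(line):
            cur = {"header": {}, "details": {}, "text": []}
            events.append(cur)
        elif cur is None:
            continue
        elif m := _FIELD.match(line):
            indent, key, value = m.groups()
            (cur["header"] if indent == "  " else cur["details"])[key.strip()] = value.strip()
        elif line.strip():
            cur["text"].append(line.strip())
    for ev in events:
        ev["id"] = int(ev["header"].get("Event ID") or 0)
        ev["time"] = _parse_time(ev["header"].get("Date", ""))
    return events


def triage(events: list[dict]) -> dict:
    """Chronological view plus what a responder wants: threat names, whether every hit was an
    in-memory (AMSI) detection, the hosting process, how fast hits recur, interrupted scans."""
    timeline = sorted(events, key=lambda e: e["time"])  # /rd:true output is newest-first
    counts = Counter(e["id"] for e in timeline)
    hits = [e for e in timeline if e["id"] == 1116]
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "timeline": timeline,
        "counts": dict(counts),
        "threats": dict(Counter(e["details"].get("Name", "?") for e in hits)),
        "hosting_processes": dict(Counter(e["details"].get("Process Name", "?") for e in hits)),
        # An "amsi:" path means the content was scanned in memory, not read from a file on disk.
        "in_memory_only": bool(hits) and all(
            e["details"].get("Path", "").lower().startswith("amsi:") for e in hits),
        "min_gap_seconds": min(gaps) if gaps else None,
        "scans_interrupted": counts[1002],
        "quarantine_actions": counts[1117],
    }


# Constructed sample: four of the posted events, trimmed to the fields the parser uses.
SAMPLE_LOG = r"""
Event[0]:
  Log Name: Microsoft-Windows-Windows Defender/Operational
  Date: 2023-07-10T13:10:15.4270000Z
  Event ID: 1117
  Description:
Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
        Name: Trojan:MSIL/CryptInject!MSR
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Detection Source: AMSI
        User: NT AUTHORITY\SYSTEM
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Action: Quarantine
Event[1]:
  Date: 2023-07-10T13:09:52.6550000Z
  Event ID: 1116
  Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
        Name: Trojan:MSIL/CryptInject!MSR
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        User: LAPTOP-8RRN8TGA\digit
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Event[2]:
  Date: 2023-07-10T13:09:37.3450000Z
  Event ID: 1116
  Description:
        Name: Trojan:MSIL/CryptInject!MSR
        Path: amsi:_\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        User: LAPTOP-8RRN8TGA\digit
        Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Event[3]:
  Date: 2023-07-10T13:09:20.5080000Z
  Event ID: 1002
  Description:
Microsoft Defender Antivirus scan has been stopped before completion.
        Scan Parameters: Quick Scan
        User: LAPTOP-8RRN8TGA\digit
"""

if __name__ == "__main__":
    report = triage(parse_wevtutil_text(SAMPLE_LOG))
    for e in report["timeline"]:
        print(e["time"].strftime("%H:%M:%S"), e["id"], EVENT_MEANING.get(e["id"], "unknown"),
              e["details"].get("Name", ""), e["details"].get("User", ""))
    print({k: v for k, v in report.items() if k != "timeline"})
```

To use it on a real machine, redirect the wevtutil output to a file and feed that text to parse_wevtutil_text instead of SAMPLE_LOG. Run over the full dump posted above, it shows the same Trojan:MSIL/CryptInject!MSR hit reported by AMSI inside powershell.exe three times within about forty seconds, a quarantine action after each one, and two quick scans stopped before completion, which is the log-side view of the blocked-application window flashing over and over and the scans shutting down described in the first post. Because the hits are in-memory script detections, the artefact to look for is whatever keeps launching PowerShell (a scheduled task, Run key, service or startup item), not the powershell.exe binary that Defender names as the path.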
I would not be resetting Windows.

Bare minimum I'd be going to another computer and making a bootable flash drive and promptly obliterating that Windows partition.
 
Yep. That pc can't be trusted now.
 
Thanks everyone for your input.

I reinstalled Windows using a flash drive I made a while back, long before the current install. It was an image from Lenovo made for my model of laptop, so I am sure it was safe from corruption.
 