HELP to get rid of Trojan:PowerShell/PsInjection.A

[SHT]

Hi, Good day to all.

Four days ago, my pc windows defender/windows security was detected Trojan:PowerShell/PsInjection.A as severe threat, example as below:

I have scanned through Malwarebytes, but no virus detected. Report as follows:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 10/10/19
Scan Time: 12:52 PM
Log File: d37b26f4-eb19-11e9-a05d-98eecb7ba763.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.627
Update Package Version: 1.0.12833
License: Free

-System Information-
OS: Windows 10 (Build 18362.418)
CPU: x64
File System: NTFS
User: DESKTOP-7ICM204\User

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 404571
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 2 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

As I have read from the forum,  I have downloaded FRST64 and scanned, the FRST.txt and Addition.txt are attached as follows:

Addition.txtFRST.txt

 

Hope that anyone can help on this matter. Thanks in advance!

 

Best Regards,

SHT

[Maurice Naggar]

Hi,   

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

.

Look at the following Malwarebytes Blog article and scroll down to the section marked *Clear your browser's cache* 
and do that for each of your web browser programs.
https://blog.malwarebytes.com/puppum/2017/04/adware-the-series-part-1/

---

 

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows..

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
 

In Windows Settings  >>> click on Windows Security from the left side list.

Next, In Windows Security section:  Click on the grey button Open Windows Security

next click on the blue Scan options

Look down the options list.  Tick on Windows Defender Offline scan.   Then click the grey "Scan now" button.

and let it scan the system.

Do let me know how this scan goes and what the result is.

.

[SHT]

Hi Maurice,

 

Thanks for the reply. I have tried to scan using Windows Defender Offline scan, however I couldn't get the report from it but it seems no threat detected.

 

Please advise for the next step. Thank you.

 

Best regards,

SHT

[Maurice Naggar]

Good morning.

You indicate that Windows Defender found no threats.  You can re-check by looking at its history.

This is the way to look at the Windows Defender scan history.

 

Go to the Windows Start menu.  Click on the Settings icon.

Now click on Update & Security.   Then click on Open Windows Security.

·  Click the Virus & threat protection tile     and then the Protection  history label  ( in blue color)

The Protection history will have a list of recent events.

 

[   2   ]

It is very encouraging that the run of Windows Defender found no present malware.

You may do some other scans with different programs.

 

Do a new scan with Malwarebytes for Windows.

https://support.malwarebytes.com/docs/DOC-1156

 

[  3  ]

Next, a different scan.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Version 7.4 of Adwcleaner  detects factory Preinstalled applications too!

I  encourage you to take a look at the announcement blogpost to learn more this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

[SHT]

Hi Maurice! 

Thanks again for the prompt reply.

 

For the protection history, here are the latest screenshot. FYI, I did the Windows Defender Offline scan at about 4.00pm. I couldn't find the result of the scan. All the result are done by the auto detection from Windows Defender.

[2]

Here is the result from Malwarebytes. Malwarebytes Scanned Result.txt

[3]

Here is the Adwcleaner "C" clean report.

AdwCleaner[C01].txt

 

Thank you. Hope to hear from you soon.

 

Best regards

SHT

[Maurice Naggar]

Hello.

Thanks for the Adwcleaner & information.   There should be a link or way to get more detail on one or other of those lines shown by Windows Defender.

 

Let's do a couple of things.

[   1   ]

FRST64 is on the Downloads folder.

Start FRST64.
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button

SearchAll: cnazb.xyz

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

[   2   ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

[Maurice Naggar]

Hello.  How are things ?

[Maurice Naggar]

Please provide a status update.   Do you need other help ?  Did you do what I last suggested on October 12 ?

[SHT]

Hi. I will provide the update by today. Sorry for the delay, as somehow I did not receive the notification. 

[Maurice Naggar]

Hi.    When you get a chance this weekend ….

Let's do a couple of things.

[   1   ]

FRST64 is on the Downloads folder.

Start FRST64.
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button

SearchAll: cnazb.xyz

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

[   2   ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

[SHT]

Search.txt

Hi, Thanks for the replies!

Here attached FRST64 search files.

I will attach the ESET log scan in the next reply as it is taking a very long time to load.

[Maurice Naggar]

Thanks for the Search log.   The search found no traces of "cnazb.xyz"  on your machine.

I look forward to getting the LOG report from the ESET scan.

Sincerely.

[SHT]

Hi Maurice,

Here are the log from ESET.

ESET Scan.txt

Thanks!

Best regards,

SHT

[Maurice Naggar]

The ESET scanner tagged & removed 2 "offer tools" from Avast.   It considered them as P U P.

There were no malicious items found.

I believe this pc is good to go.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

All best wishes.

Sincerely,

Maurice

 

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks