
Trojan/malware got into my computer through cmd. It automatically sends messages from Discord and the Steam friend list to my friends.


Posted

One day I was downloading an audio file from y2mate . com (the website where you paste a YouTube link and can then download mp4, mp3... from that YouTube video).

Then I got a captcha that requested 3 steps:

1 - Run cmd on my computer

2 - Copy and paste the text from the captcha into the cmd window

3 - Enter

I didn't know what it was. I thought it was a captcha test.

And then I got a problem. I remember some text like "PowerShell..."

The virus automatically sends a link (the virus is inside a website that asks the victim to log in). The link is a fake of the steamcommunity website.

Please help me get out of it.

[screenshot]

harlan4096
Posted

Welcome to Kaspersky Community.

 

Do you have a K. product installed?

Since that site is detected here:

[screenshot]
Posted
6 minutes ago, harlan4096 said:

Welcome to Kaspersky Community.

Do you have a K. product installed?

Since that site is detected here:

[screenshot]

Hi Harlan, I got K Standard and began scanning; 2 trojans were killed afterwards. Now I'm still waiting for the full result.

[screenshot]
Posted

I scanned the whole computer yesterday. I thought it had been cleaned. But today it appeared again, automatically sending the virus link on Steam chat. I really need help now. Thank you

[screenshot]

Posted

Here it is

Quote

 

# -------------------------------
# Malwarebytes AdwCleaner 8.4.2.0
# -------------------------------
# Build:    03-04-2024
# Database: 2024-03-04.1 (Cloud)
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    09-06-2024
# Duration: 00:00:14
# OS:       Windows 10 (Build 19045.4780)
# Scanned:  32053
# Detected: 19


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.DriveTheLife       C:\ProgramData\DRIVERTALENT
PUP.Optional.DriveTheLife       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DRIVER TALENT
PUP.Optional.DriveTheLife       C:\Users\DANG HUYNH PHAT\AppData\Roaming\DRIVERTALENT
PUP.Optional.DriverTalent       C:\Program Files (x86)\OSTotoSoft
PUP.Optional.Legacy             C:\Users\DANG HUYNH PHAT\AppData\Roaming\Hola

***** [ Files ] *****

PUP.Optional.CosmosSystemCare   C:\ProgramData\Microsoft\Windows\Start Menu\Cosmos.lnk
PUP.Optional.CosmosSystemCare   C:\Users\DANG HUYNH PHAT\Desktop\Cosmos.lnk
PUP.Optional.GoodGame           C:\Users\DANG HUYNH PHAT\Desktop\GOODGAME EMPIRE.URL

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.DriveTheLife       HKLM\Software\Wow6432Node\\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|DRIVERTALENT.EXE
PUP.Optional.DriveTheLife       HKLM\System\Setup\FirstBoot\Services\LDRVSVC
PUP.Optional.DriverTalent       HKCU\Software\OSTotoSoft
PUP.Optional.DriverTalent       HKLM\Software\Wow6432Node\OSTotoSoft
PUP.Optional.Legacy             HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
PUP.Optional.Legacy             HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\browser.exe
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
PUP.Optional.Legacy             HKLM\Software\Wow6432Node\\Microsoft\MediaPlayer\ShimInclusionList\browser.exe
PUP.Optional.SpeedBrowser       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\browser.exe
PUP.Optional.SpeedBrowser       HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\App Paths\browser.exe

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy             Conduit Search

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

 

 

harlan4096
Posted

Delete all those registry keys; also try to find these 2 exe files on your full system:

DRIVERTALENT.EXE

browser.exe
Posted

Not that one. I installed it (cracked) to scan for missing drivers a long time ago. That is not the way. I killed some cracked software on my computer, but the problem has still been there since 2 days ago, after I entered it (the text with the trojan/malware) into cmd like I said.

Kaspersky seems not to have worked after I scanned yesterday. Please help

harlan4096
Posted

Did you have Kaspersky installed when you did those steps in your 1st post? Because Kaspersky detects all those malicious sites, so either you did not have K. installed, or you ignored the warnings 🙄

What version of Kaspersky do you have installed now?
Posted (edited)

Not yet at that post. But after your 1st comment, I scanned and killed some trojans/malware on disk C, not including some software that I know is safe. But now the trojan is still alive.

Please take a look at this log:

[screenshot]

I got K Standard for personal/home, the 1 PC for a year version.

Edited by Clouding
Posted

I got some problems which were not fixed in drive C\Windows\Installer\"name".msi

[screenshot]

harlan4096
Posted

I can't understand anything in those captures; please change your K. into English (with the main application window open) by pressing SHIFT + F12, and upload the detection captures again.

Also, go to Microsoft Store, find Sysinternals Suite, and install it.

Find the tool AutoRuns; once executed with Administrator rights, go to Options -> Scan Options, and:

[screenshot]

Go to tabs: WinLogon, Logon and Scheduled Tasks, and check if something is suspicious, checking the VirusTotal column.
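The three areas named in the post above (Logon, WinLogon, Scheduled Tasks) can also be listed read-only from an elevated PowerShell prompt. This is an added example, not part of the original post and not a Kaspersky or Sysinternals tool; the function name `Get-AutostartReview` and the script-host pattern are assumptions chosen for illustration.

```powershell
# Added example: list logon autostarts, Winlogon values and scheduled tasks,
# flagging entries that launch a script host. Read-only; changes nothing.
# The host pattern is an illustrative assumption, not a complete detection rule.
$ScriptHosts = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'

function Get-AutostartReview {
    $rows = @()

    # Logon tab: per-machine and per-user Run / RunOnce keys
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $rows += [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }

    # WinLogon tab: Shell and Userinit normally hold explorer.exe and userinit.exe
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    foreach ($name in 'Shell', 'Userinit') {
        if ($wl.$name) { $rows += [pscustomobject]@{ Source = $winlogon; Name = $name; Command = $wl.$name } }
    }

    # Scheduled Tasks tab: executable actions of every registered task
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $rows += [pscustomobject]@{
                    Source  = 'Task ' + $task.TaskPath + $task.TaskName
                    Name    = $task.State
                    Command = ($action.Execute + ' ' + $action.Arguments).Trim()
                }
            }
        }
    }

    # Mark entries whose command line starts a script host, and list them first
    $rows | Select-Object Source, Name, Command,
        @{ Name = 'ScriptHost'; Expression = { $_.Command -match $ScriptHosts } } |
        Sort-Object ScriptHost -Descending
}

Get-AutostartReview | Format-Table -AutoSize -Wrap
```

A `ScriptHost` value of True only marks an entry for review first; legitimate software also uses these hosts, so each flagged command still needs checking, for example against the VirusTotal column in AutoRuns.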
Posted

Here you are

 

[screenshot]
harlan4096
Posted

Not Processed does not mean any error or issue; those files were probably ignored because they matched different rules: legit system files, etc.

Posted

I have an idea. Would you please use Ultraviewer and connect to take a look at my PC? I'll be glad if everything's done.

harlan4096
Posted

This should be done by official Kaspersky Support staff: K. Support

Posted

I'm going insane with this virus problem. Hope it's fixed soon.

Otherwise, this is from Autoruns:

[screenshot]
harlan4096
Posted

What about the other 2 tabs?

harlan4096
Posted

Also, open Windows Admin Tasks -> tab StartUp, check what's enabled there.

Posted

Everything's OK in startup. Today the virus logged my Discord out. Maybe it wants me to log in again by typing my password, but I scan the QR from my phone.

[screenshot]

harlan4096
Posted

Can you go to Intrusion Prevention -> Manage Applications, and show a capture of the apps located at Low, High and Untrusted groups?

Posted

Excuse me, how do I get there?

harlan4096
Posted

Being in main K. window -> go to Security in the left -> scroll down a bit -> Intrusion Prevention -> Manage Applications

Posted

Here you are

[screenshot]
harlan4096
Posted

I guess that Windows Launcher (HunGame.exe) is legit 🤔?

Try to download this tool: https://www.kaspersky.com/downloads/free-virus-removal-tool

Run it, enable the 3 checkboxes -> Accept

Then go to Change Parameters -> Add Object, find your C: drive and add, one by one, these 2 additional entries:

Quote

C:\ProgramData

C:\Users

It should show like this:

[screenshot]

Then click Ok -> Start Scan

Send detections (if any) once ended.
