Jump to content

wmail-service.com riskware blocked powershell.exe


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hi roughly 8-10 hours ago when it looks like others had issue with Malwarebytes reporting riskware every 30 seconds it was doing the same on my pc. It showed 2 different ip addresses on port 80

104.21.4.86
172.67.131.222

Category: RiskWare
Domain: wmail-service.com
IP Address: 104.21.4.86
Port: 80
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

I put rules in windows firewall to block and had reset pc. Then suddenly a windows update appeared so updated. This morning it seems fine and I see no new reports from users. It looked strange it was all at the same time as other users and no one has issue this morning so wondering if it is fixed or why there is no big news about it?

I guess I'm asking for everyone that has not been in contact

Is there something we should do? 

Is it fixed?

should anyone who had this issue get in touch?

sorry if straight to point but I've just signed up to forum and haven't posted before

Link to post
Share on other sites

@JohnW2

Hello :welcome: My name is Maurice. I will guide you. 

A Windows restart in itself would not have covered all bases. I would like to get reports and do a review for potential leftover.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Gotta have history and all logs from Malwarebytes for Windows. 

 [   2   ]

  • I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply 
Link to post
Share on other sites

@JohnW2

Thank you. However the Farbar FRST reports are needed. This zip did not have it. Do this 

In order to begin to help you properly, I will need a diagnostic report in order to review & diagnose.
Specifically the FRST Farbar diagnostic report.  It is safe to get & use. Be very sure you SAVE it first.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply.  You may if you wish, ZIP the 2 into a zip file & then attach.
{ just please do not copy, paste their contents in main body of reply box here.)

Link to post
Share on other sites

Yeppers, this machine has the rogue scheduled task for a rogue exploit, and also includes 2 related sub-folders used by it. Close all games if any are running. Close Discord and any other instant messenger. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware (if present)  isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".

This custom script is for  JohnW2  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. This is really just housekkeping.

We will use FRST64  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock. It will remove the rogue scheduled task.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt        <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

NOTE: For me, it is late night-time. I will check on your case in the morning.

Link to post
Share on other sites

  • Solution

We need to do a new run because the last one hit the limit of 60 minutes. This run is just to do what is left to do. We made progress, but there is more to check.

Please delete the previous Fixlist that I had you save.

This custom script is for  JohnW2  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. This is really just housekkeping.

We will use FRST64  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

NOTE: For me, it is late night-time. I will check on your case in the morning.

Link to post
Share on other sites

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, Let me know how the situation is at this point as to any new "block" notices.
Also, please do one new Scan with Malwarebytes.

Thank you!

Link to post
Share on other sites

Hello. Good morning. I am glad to know that there are no more "block" notices. The rogue scheduled task that was the source of the whole matter has been removed, along with the associated sub-folders. This was a mis-use ( a rogue use) of a Microsoft VBS file thru the exploitation of powershell for the purpose of coin-mining ( it is thought). One may describe it as a obfuscated scheduled task.
The one that was on this machine is pretty much similar to the others I have dealt with.
In all this, it is important to know that the "block event" by Malwarebytes stopped it from doing potential harm.
As noted, the booger is now no more.
How did it get there? It is likely somehow via a download via a web browser.
*
For the Firefox browser, suggest you install the Malwarebytes Browser Guard on it.
See Support article how-to for Firefoxhttps://support.malwarebytes.com/hc/en-us/articles/4413298841747--Install-Malwarebytes-Browser-Guard-on-Firefox-browser*
Thank you for relaying the Quarantine archive file.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.

Any other download file I had you download, you may delete.

Tell me, is there something else you need ?

  • Thanks 1
Link to post
Share on other sites

Thanks you have been a tremendous help. I always take care of virus protection and has been a good while since I've seen anything like this and hopefully won't for another good while again. 

All deleted 

thanks again for everything there

Link to post
Share on other sites

You are very welcome. I am glad to have worked with you.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.