Jump to content

wmail-endpoint + wmail-chat trojan.tasker.powershell

KLo13
 Share
Go to solution Solved by Maurice Naggar,

Recommended Posts

Maurice Naggar

Maurice Naggar

Posted
Posted

Hello @KLo13

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

The Malwarebytes is protecting your system from potential harm. Wait for my next reply. I first need to pore over your report set. Stick only to this thread.

This is a trojan classified as trojan.tasker.powershell by Malwarebytes.

Link to post
Share on other sites
KLo13

KLo13

Posted
  • Author
Posted

Hi,

To stop the Malwarebytes' Notification from popping up every 30secs, I've created Windows Firewall rules for the 2 IPs and Powershell.exe itself from connecting outbound. It was really, REALLY annoying.

I patiently await your instructions.

-Ken

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hello @KLo13 First step: 

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thank you. Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

  • Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

  • Now click on the GENERAL tab

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.954dd31097351eba2c305a1321a445d6.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine2.jpg.99b8d9b73d90d347577ae0826ac406b1.jpg

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

There will be more to do. Stick with me, please.

Link to post
Share on other sites
  • Solution
Maurice Naggar

Maurice Naggar

Posted
  • Solution
Posted

1, Find where in firewall rules you had blocked "powershell" and lets get that removed.

2. This custom script will help out a lot for removal of the trojan at hand on this machine. 

This custom script is for  Klo13  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.  

We will use FRST64  on the Desktop\Trojan Malware Removal  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock. 

NOTE-2: This should run scans with MS Defender antivirus and remove outstanding action items, if any.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Desktop\Trojan Malware Removal   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Desktop\Trojan Malware Removal   folder.


RIGHT click on FRST64  and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Y W. Yay 😀 Stick with me. Do not abandon this. Plus do not remove tools we used ( I will guide you later on cleanups ). 

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occured and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
  • Like 1
Link to post
Share on other sites
  • AdvancedSetup changed the title to wmail-endpoint + wmail-chat trojan.tasker.powershell
Maurice Naggar

Maurice Naggar

Posted
Posted

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

  • Like 1
Link to post
Share on other sites
KLo13

KLo13

Posted
  • Author
Posted

Hi Maurice,

I had ran adwcleaner and Hitman before submitting this ticket. Found nothing then, and found nothing now.

I see other queries for this same trojan in recent posts over the internet. Hope you guys come up with a general solution soon for everyone's sake.

Thanks again and have a good weekend.

 

-Ken

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

You're welcome, Ken. Don't go away. I would like you to run one other report. I would recommend getting a report on the update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

*

In the days that preceded the 1st occurrence of the Block messages about "wmail"...Had you downloaded some "thing" & opened or installed it? Like possibly a "game mod" or "game hack"? My colleagues & I are finding that cases like this would often be due to getting some sort of hacked or cracked add-on.

  • Like 1
Link to post
Share on other sites
KLo13

KLo13

Posted
  • Author
Posted

I don't game. I have CnC: Yuri's Revenge installed that play every couple of years. The only thing I remember installing/updating was Cloudfare WARP based on the timestamp in Revo's Uninstaller. The other recent stuff are Microsoft product updates, Microsoft Office + Webview2 Runtime. There's Chrome Remote Desktop Host update and that's it, besides the handful of malware scanners.

 

 

SecurityCheck.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Here are the applications that need your attention, as per SecurityCheck.
calibre 64bit v.5.41.0  Warning! Download Update

Microsoft Teams v.1.4.00.8872  Warning! Download Update
Zoom v.5.9.3 (3169)  Warning! Download Update

-------------------------------- [ Java ] ---------------------------------
Java 8 Update 331 (64-bit) v.8.0.3310.9  Warning! Download Update
Uninstall old version and install new one (jre-8u333-windows-x64.exe).
Java 8 Update 331 v.8.0.3310.9  Warning! Download Update
Uninstall old version and install new one (jre-8u333-windows-i586.exe).
----
VLC media player 3.0.16 (64-bit) v.3.0.16.0  Warning! Download Update

HandBrake 1.3.3 v.1.3.3  Warning! Download Update

--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat DC v.22.001.20117  Warning! Download Update
^Please run Acrobat DC and go Help - Check for updates...^

------------------------------- [ Browser ] -------------------------------
Google Chrome v.102.0.5005.115  Warning! Download Update
Microsoft Edge v.102.0.1245.44  Warning! Download Update

[ UnwantedApps ] -----------------------------
CCleaner  is no longer recommend by most in the security field, ever since it was sold to another entity. You can uninstall it and instead use the Windows built-in "CLEANMGR" applet.
*
Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

See Support article how-to for Firefox
https://support.malwarebytes.com/hc/en-us/articles/4413298841747--Install-Malwarebytes-Browser-Guard-on-Firefox-browser

For the EDGE browser https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser

Note: If your pc also has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).

*

This here is for tools cleanup. 

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

 

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

I wish you all the best. 😎

  • Like 1
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept