infected with wmail-endpoint.com and wmail-chat.com

[UnbakablePotato]

Hi,

 

I've been infected with this virus and I have no idea how to remove it. It seems to be making rounds in the internet lately as many people are infected by it.

 

Any help would be appreciated.

[Maurice Naggar]

Hello   My name is Maurice. I will guide you. 

 Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

[Maurice Naggar]

Secondary note. Please be sure to not use this machine to do banking or for online buying, shopping, etc

Do not use the machine to do any loose web surfing. Stay out of social media and the likes. Stay out of Discord or any other instant messaging. Minimize all online use to only this forum and the website for tools I guide you to.  

I will guide you along on looking for malware. Lets keep these principles as we go along.

• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• We have found that most infections such as this one are due to using or getting a recent game-modification hack, or a MP3 or MP4 capture add-on, or "converter",  or a hacked or pirated application. If in the past few days something like that was added, let me know what it is, where it was obtained, and Uninstall that "add-on".

[UnbakablePotato]

Done, here's the export.

Report.txt

[Maurice Naggar]

It seems this last scan is very much helpful in a few ways. It indicates there had been some dodgy hacks / cracks. One I am curious about is 

Quote

G:\GAMES\BIOSHOCK INFINITE - THE COMPLETE EDITION

Any idea as to where that came from ?

• My colleagues & I have found that most infections such as this one are due to using or getting a recent game-modification hack, or a MP3 or MP4 capture add-on, or "converter", or a hacked or pirated application. If in the past few days something like that was added, let me know what it is, where it was obtained, and Uninstall that "add-on".
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Be sure you have stopped starting or using any sort of games while this case is going on.

NEXT steps to be done.
I urge you to Uninstall CALL OF DUTY INFINITE WARFARE.

Also, Uninstall BIOSHOCK INFINITE

[ 2 ]
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use thuis guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 3 ]

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply 😀
• Stick with me. There is a bunch more to be done.

[UnbakablePotato]

2 hours ago, Maurice Naggar said:

Any idea as to where that came from ?

I got it from Fitgirl's website. I don't think it's the cause of the infection, as I had the cracked game on a separate hard drive, which went through multiple computers with no issues.

 

I deleted Infinite warfare and Bioshock, though.

mbst-grab-results.zip

[Maurice Naggar]

Thank you for the report. Stick with me. 

Let's check your system with another ( different ) antivirus scan tool.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

• How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

• How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

• How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681

 

Select the    Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

[Maurice Naggar]

For AFTER you have completed the Kaspersky tool scan & you have attached its report file. This next procedure(s) have goal to alleviate the "wmail*" trojan infection.
Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use thuis guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
NEXT,
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows Trial   😃.

Close Malwarebytes.

>
DO keep in mind, given a infection like this one, you will want to get a Premium license for Malwarebytes so that a future serious infection like the one now is prevented. Malwarebytes Premium has multiple real-time protections.
>
 

What follows below is a next step. There will still be more to do after this. 

This custom script is for  UnbakablePotato  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

• Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.

RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
2. Also, look on your DESKTOP for a ZIP file created with Today's date & approximate time of run. Attach that ZIP with your Reply.

[UnbakablePotato]

Hi, sorry for taking so long to get back to you, but I can't for the life of me get KVRT to run properly. For some reason, the application would always close mid-scan. No crash code. Nothing.

 

I never saw it close, though, as the scan takes so long that I would get distracted doing something else around the house. But I would always come back to it being closed. I attached to this message what I found in the report folder, though the report file doesn't contain much of anything.

 

Is it okay to skip KVRT and just run the custom script? I'll be waiting for your confirmation before doing anything.

 

report_2022.07.05_10.58.40.txt

[UnbakablePotato]

After looking around in KVRT's folder, I found a dump file. It may explain why it isn't scanning properly.

 

 

It's apparently suffering from 'DUMP_ON_UNHANDLED_EXCEPTION_CREATED'

KVRT.dumpwriter.log

[Maurice Naggar]

Hello. Please proceed forward and do the custom-run-Fix that I listed above  

[UnbakablePotato]

Done. Here's the log.

Fixlog.txt

[UnbakablePotato]

Oh, and here's the zip file as well.

05.07.2022_22.32.00.zip

[Maurice Naggar]

Hello. I got the files, Thank you. As we continue, and when you reply, Keep me advised if the block notice-messages about "wmail" have ceased. We have more work ahead. 

[  Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select FULL scan & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

[UnbakablePotato]

I made a full scan, and I'm happy to report that Wmail is gone (I assume). The scan only reported a single false-positive (which I promptly deleted, anyway).

[Maurice Naggar]

Hello. Glad to hear that news. I would like to insure that over the next 2-3 days that there is still no Block notice about "wmail". and, 

I would highly suggest to insure that this pc is all up-to-date with security updates & cumulative updates on Windows. select the Windows Start  button, and then go to Settings  > Update & Security  > Windows Update . and click Check for Updates.
Have much patience.

[Maurice Naggar]

Good afternoon. Let's do a new report-collection.

On the Downloads folder, Launch mb-support-1.8.7.918.exe

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

• Please attach  mbst-grab-results.zip    to your reply 😀

[UnbakablePotato]

Sure, I'll send the report as soon as I'm done from work.

[UnbakablePotato]

Alright,here it is.

 

 

 

mbst-grab-results.zip

[Maurice Naggar]

Hello. Thank you for the report. Looks good. According to this, after 6th of July thru today, there have been no "block" events by Malwarebytes. Please take a few minutes, start Malwarebytes, and do a new Scan. Let me know the result.

[Maurice Naggar]

There is what appears to be a hack or cracked-type program on the G drive.  Maybe it came thru the qbittorrent ???

Windows Defender:
================
Date: 2022-07-10 23:56:09
Description:
Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
Severity: High
Category: Tool
Path: file:_G:\Torrents\Microsoft Office PRO Plus 2021 Retail Version 2108 Build 14326.20454 FULL

I would urge you to remove that file IF it is still there on the G drive. Plus if that was used to install Microsoft Office, then I would advise to Uninstall Microsoft Office. Cracked-type programs are one of the most frequent ways that infections happen. Stay away from stuff like that.

[Maurice Naggar]

@UnbakablePotato 

I would recommend getting a report on the update status of some key apps.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

By the way, I will guide you to cleaning up on tools that I had you use, when we wrap up this case. For now, no action on that. 

[UnbakablePotato]

Hi, i'm sorry for the late reply. I completely missed the notification.

 

 

Here's the log from the application.

SecurityCheck.txt

[Maurice Naggar]

Hello. Applications that need your attention: 

Notepad++ (32-bit x86) v.8.4.2  Warning! Download Update

7-Zip 21.07 (x64) v.21.07  Warning! Download Update
Uninstall old version and install new one.

GIMP 2.10.30 v.2.10.30  Warning! Download Update

Discord v.1.0.9003  Warning! Download Update

Zoom v.5.10.4 (5035)  Warning! Download Update
  
Spotify v.1.1.88.612.gcc529952 Warning! Download Update

JDownloader 2 v.2.0.1  Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

Magic Ball  Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

Wise Registry Cleaner 10.7.3 v.10.7.3  Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it

[UnbakablePotato]

Quote

Magic Ball  Warning! Suspected Adware!

I think this is where I got the adware. This is an old game I used to play when I was little, and I got a little desperate looking for it online. One sketchy website later and wouldn't you know, I got infected.

 

Everything is up to date now.