wmail-service.com & powershell.exe


Hello :welcome: My name is Maurice. I will guide you.

 Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue color.

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉


Secondary note. Please be sure to not use this machine to do banking or for online buying, shopping, etc

Do not use the machine to do any loose web surfing. Stay out of social media and the like. Stay out of Discord or any other instant messaging. Minimize all online use to only this forum and the website for tools I guide you to.

I will guide you along on looking for malware. Let's keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • We have found that most infections such as this one are due to using or getting a recent game-modification hack, or a MP3 or MP4 capture add-on, or "converter",  or a hacked or pirated application. If in the past few days something like that was added, let me know what it is, where it was obtained, and Uninstall that "add-on".

For AFTER you have completed the Malwarebytes scan & you have attached its report file. This next procedure has the goal of alleviating the "wmail*" trojan infection.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
NEXT,
Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows   😃.

Close Malwarebytes.

Do keep in mind, the Block notices by Malwarebytes do mean it is protecting the system from harm.
BUT be aware that this machine has a very serious Trojan infection that uses 9 different scheduled tasks that abuse the system to likely exfiltrate information.

What follows below is a next step. There will still be more to do after this. 

This custom script is for  8aehj8zc  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

  1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
  2. ALSO look for a ZIP file on your Desktop with the Date of this run & the approximate start-time of run. Please attach that with your Reply.
  3. Also, A request please 

    I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  4. Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  5. Right click on Quarantine > Send to > Compressed (zipped) folder
  6. Upload the archive in your next reply
  7. If archive is too big you can upload here > https://wetransfer.com/
  8. Also, Let me know how the situation is at this point as to any new "block" notices, or some other active security issue.
    Also, please do one new Scan with Malwarebytes after ensuring it has the very latest Version.

    Do a Check for Update using the Malwarebytes Settings >> General tab.

    See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

    When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

    If prompted to do a Restart, just please follow all directions.

    Thank you!
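
An added example, not part of the original posts and not the helper's FRST fixlist: a read-only PowerShell listing of scheduled tasks whose action launches powershell.exe or mentions "wmail", the two names in the thread title, for reviewing the kind of scheduled-task persistence described above. The `wmail` match is an assumption; the thread does not show the tasks' names or command lines.

```powershell
# Read-only audit: nothing is modified, disabled or deleted.
# Run from an elevated PowerShell prompt so tasks owned by other accounts are listed.

# Assumption: 'wmail' (from the thread title) may appear in a task's command line.
$indicator = '(?i)wmail'
$psHost    = '(?i)\b(powershell|pwsh)(\.exe)?\b'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions have Execute/Arguments; skip COM-handler actions.
        if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }

        $commandLine    = "$($action.Execute) $($action.Arguments)".Trim()
        $runsPowerShell = $commandLine -match $psHost
        $mentionsWmail  = $commandLine -match $indicator
        if (-not ($runsPowerShell -or $mentionsWmail)) { continue }

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [pscustomobject]@{
            TaskPath       = $task.TaskPath
            TaskName       = $task.TaskName
            State          = $task.State
            Author         = $task.Author
            LastRunTime    = $info.LastRunTime
            RunsPowerShell = $runsPowerShell
            MentionsWmail  = $mentionsWmail
            CommandLine    = $commandLine
        }
    }
}

# Tasks outside \Microsoft\ are listed first; legitimate Windows tasks also use PowerShell.
$findings |
    Sort-Object @{ Expression = { $_.TaskPath -like '\Microsoft\*' } }, TaskPath, TaskName |
    Format-List
```

The output is a review list only; a task appearing in it is not by itself evidence of infection.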
