
Infected with wmail-chat.com, need a fix to prevent further exploitation


Solved by Maurice Naggar.


My computer got compromised recently. I'm trying to fix the issue; I've already run a full scan with Malwarebytes and it deleted some unwanted scheduled tasks, as seen here:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 18/07/2022
Scan Time: 23:28
Log File: 9f467916-06e0-11ed-b91e-001a7dda7115.json

-Software Information-
Version: 4.5.11.202
Components Version: 1.0.1716
Update Package Version: 1.0.57404
Licence: Trial

-System Information-
OS: Windows 10 (Build 19044.1826)
CPU: x64
File System: NTFS
User: Bastien-PC\Bastien

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 2326177
Threats Detected: 4
Threats Quarantined: 4
Time Elapsed: 12 hr, 14 min, 45 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
RiskWare.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Online_KMS_Activation_Script-Renewal, Quarantined, 895, 820454, , , , , , 
RiskWare.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{220A6292-75D4-468F-A553-670A173D41DB}, Quarantined, 895, 820454, , , , , , 
RiskWare.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN\{220A6292-75D4-468F-A553-670A173D41DB}, Quarantined, 895, 820454, , , , , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
RiskWare.KMS, C:\WINDOWS\SYSTEM32\TASKS\Online_KMS_Activation_Script-Renewal, Quarantined, 895, 820454, 1.0.57404, , ame, , A95C97AF19C6E85F4DAB7647D09192F0, 104AEEAC08E13B73AC1FE6F6BECABDF43525DFF8B0DDCBB223B4000BC2646FFB

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

And now, since then, I have a request to wmail-chat.com that is blocked:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 19/07/2022
Protection Event Time: 11:30
Log File: 785c4db6-0745-11ed-a5fd-001a7dda7115.json

-Software Information-
Version: 4.5.11.202
Components Version: 1.0.1716
Update Package Version: 1.0.57404
Licence: Trial

-System Information-
OS: Windows 10 (Build 19044.1826)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: wmail-chat.com
IP Address: 193.239.84.207
Port: 80
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

(end)

I've already run a full Malwarebytes scan and I've already run AdwCleaner. I've seen another post where you had a user run "Farbar Recovery Scan Tool" and fixed the issue:

 

https://forums.malwarebytes.com/topic/287924-infected-with-wmail-chatcom-wmail-endpointcom/

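The two logs in the post above show a scheduled task (Online_KMS_Activation_Script-Renewal, stored as a TaskCache\Tree key, a TaskCache\Tasks\{GUID} key and an XML file under System32\Tasks) and a powershell.exe process making an outbound connection to 193.239.84.207:80. The PowerShell 5.1 triage script below is an added example, not code from the thread or from Malwarebytes: it lists every registered task whose action launches powershell.exe (decoding any -EncodedCommand payload), checks that each task in the Task Scheduler cache still has its matching Tasks key and XML file, and shows which live network connections belong to a PowerShell process. The $SuspectNames list is an assumption seeded from the task name in the log; run the script from an elevated prompt.

```powershell
# Added triage example (not from the thread or Malwarebytes). Read-only.
# Assumption: $SuspectNames is seeded from the task name Malwarebytes quarantined.
$SuspectNames = @('Online_KMS_Activation_Script-Renewal')
$TaskCache    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'

function Get-PowerShellTasks {
    # Every registered task whose action runs powershell.exe, with any
    # -EncodedCommand payload decoded (base64 of UTF-16LE script text).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }                      # COM-handler actions have no Execute
            if ($action.Execute -notmatch '(?i)powershell(\.exe)?"?$') { continue }
            $arguments = [string]$action.Arguments
            $decoded   = $null
            if ($arguments -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
                try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
                catch { $decoded = '<base64 decode failed>' }
            }
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $arguments
                Decoded   = $decoded
                Suspect   = ($SuspectNames -contains $task.TaskName)
            }
        }
    }
}

function Test-TaskCacheConsistency {
    # Task Scheduler keeps a task in three places: the TaskCache\Tree key (holds the
    # Id GUID), TaskCache\Tasks\{GUID} (plus an index key such as Plain/Logon/Boot),
    # and the XML file under System32\Tasks. A task present in one place but not
    # the others is either half-removed or in the middle of being re-created.
    Get-ChildItem "$TaskCache\Tree" -Recurse | ForEach-Object {
        $id = (Get-ItemProperty -LiteralPath $_.PSPath).Id
        if (-not $id) { return }                                        # folder node, not a task
        $relative = ($_.Name -split 'TaskCache\\Tree', 2)[1]            # e.g. \Microsoft\Windows\...\Name
        [pscustomobject]@{
            Task       = $relative
            Id         = $id
            InTasksKey = Test-Path -LiteralPath "$TaskCache\Tasks\$id"
            XmlOnDisk  = Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\Tasks$relative")
            Suspect    = ($SuspectNames -contains $_.PSChildName)
        }
    }
}

function Get-PowerShellConnections {
    # Live TCP connections owned by a PowerShell process, with the command line
    # that started it. The blocked event in the log was powershell.exe -> 193.239.84.207:80.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
        if ($proc -and $proc.Name -match '^(powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Pid         = $proc.ProcessId
                ParentPid   = $proc.ParentProcessId
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                CommandLine = $proc.CommandLine
            }
        }
    }
}

'== Tasks that launch PowerShell ==';  Get-PowerShellTasks | Format-List
'== Task cache inconsistencies ==';    Test-TaskCacheConsistency |
    Where-Object { $_.Suspect -or -not $_.InTasksKey -or -not $_.XmlOnDisk } | Format-Table -AutoSize
'== PowerShell network connections =='; Get-PowerShellConnections | Format-List
```

The decoded command line is usually the most useful artefact: a one-line downloader in the task action explains the outbound HTTP request, and its parent process (ParentPid) points at whatever started it. Quarantining the task file alone is not enough if another autostart entry re-registers it.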

Hi 

I will guide you on doing a few system scans.

This you can start, and once it is under way you can leave the machine alone and let it run overnight. No need to keep watch once it starts the actual scan run.

Next, this will be a check with the ESET Online Scanner for viruses, other malware, adware, and potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine and let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At the screen "Detections occurred and resolved" click on the blue button "View detected results"
  • On the next screen, at lower left, click on blue "Save scan log"
  • View where the file is to be saved. Provide a meaningful name for the "File name:"
  • On the last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
  • After this run, I expect that the main issue will be gone. Be sure to let me know "how things are" at this point.

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous; please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to exit out of it while this case is on-going.

One more problem is that even though ESET says it was fixed by deleting it, when I restarted the computer it recreated itself somehow. I'm doing another scan but excluding the useless drive and path to see if it is the same one.

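A detection that comes back after a reboot, as reported in the post above, means something that also survives the reboot is re-creating it. As an added example (not code from the thread), the PowerShell 5.1 script below enumerates the autostart locations usually responsible: Run/RunOnce keys for the machine and every loaded user hive, the per-user and all-users Startup folders, and permanent WMI event subscriptions in root\subscription. It is read-only and should run elevated so HKEY_USERS and the WMI namespace are fully readable. The "Flag" heuristics are this example's own assumptions, not a vendor detection rule; anything flagged needs a human look.

```powershell
# Added example (not from the thread). Read-only enumeration of reboot-surviving
# autostart locations that commonly re-create a deleted task or file.

function Test-SuspiciousCommand([string]$cmd) {
    # Heuristic (assumption): script interpreters, encoded payloads or
    # user-writable paths in an autostart entry are worth a look.
    return ($cmd -match '(?i)powershell|wscript|cscript|mshta|rundll32|regsvr32|cmd(\.exe)?\s+/c' -or
            $cmd -match '(?i)-(e|ec|enc|encodedcommand)\s' -or
            $cmd -match '(?i)\\(AppData|Temp|Downloads|ProgramData|Public)\\')
}

function Get-RunKeyEntries {
    $subkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Microsoft\Windows\CurrentVersion\Explorer\Run'
    # HKLM plus every loaded user hive (only real user SIDs, not service accounts)
    $hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS |
                Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
                ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        foreach ($sub in $subkeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $values = Get-ItemProperty -LiteralPath $key
            foreach ($name in $values.PSObject.Properties.Name) {
                if ($name -like 'PS*') { continue }                  # PSPath, PSParentPath, ... metadata
                $cmd = [string]$values.$name
                [pscustomobject]@{ Location = $key; Name = $name; Command = $cmd; Flag = Test-SuspiciousCommand $cmd }
            }
        }
    }
}

function Get-StartupFolderItems {
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
            @(Get-ChildItem "$env:SystemDrive\Users" -Directory |
              ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force -File |
            Select-Object @{ n = 'Location'; e = { $dir } }, Name, LastWriteTime
    }
}

function Get-WmiPersistence {
    # A permanent WMI subscription is a filter (WQL event query) bound to a consumer.
    # A CommandLineEventConsumer or ActiveScriptEventConsumer is rare on a home PC
    # and is a classic way to re-create a deleted task at boot or on a timer.
    Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter   = [wmi]$_.Filter
            $consumer = [wmi]$_.Consumer
            $payload  = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                        elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                        else                               { '' }
            [pscustomobject]@{
                FilterName   = $filter.Name
                Query        = $filter.Query
                ConsumerType = $consumer.__CLASS
                Payload      = $payload
                Flag         = ($consumer.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
            }
        }
}

'== Run / RunOnce keys ==';   Get-RunKeyEntries      | Format-Table -AutoSize -Wrap
'== Startup folders ==';      Get-StartupFolderItems | Format-Table -AutoSize
'== WMI subscriptions ==';    Get-WmiPersistence     | Format-List
```

Compare the Payload of any WMI consumer and the Command of any flagged Run entry against the task that keeps reappearing; whichever one re-registers it has to be removed first, or the scanner will keep deleting only the symptom.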

Hello. Two steps here: first a scan, then new reports.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next, click the small x on the Settings line to go to the main Malwarebytes window. Next, click the blue button marked Scan.

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[Image: MB4_scan_tick_ALL.jpg]

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

[Image: MB4_scan_all_Quarantine2.jpg]

 

AFTER that has completed: 

This is a report only.

Please download the Malwarebytes MBST Support Tool.

Once you start it, click Advanced, then Gather Logs.

Upload the archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach  mbst-grab-results.zip    to your reply. We will do more later. Stick with me.

  • Solution

Take these actions so that Windows 10 is set to show all hidden files and folders. Use OPTION ONE or TWO of this article.
Please use this guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

This custom script is for  Ymir39  only / for this machine only.

Be very sure to save any work files you have open at this point. Close and save any open edits, if any.

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt (attached)

Then, Start the Windows Explorer and then, go  to the Downloads  folder.


RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

[Image: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

  1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
  2. Also, look on your DESKTOP for a ZIP file created with Today's date & approximate time of run. Attach that ZIP with your Reply.
  3. There is more to do later. I will guide you. Do not make any changes on your own without first checking with me.

At the next opportunity, just run this report.

Let's pause and just get a set of fresh reports to see what is running and what is active. Your machine has the FRSTENGLISH report tool in the Downloads folder. We will use that. Go to the Downloads folder. RIGHT-click on FRSTENGLISH and select

Run as Administrator

and tap ENTER. And reply YES to allow it to proceed.

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.

[Image: _frst_scan.jpg]

  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run from.
  • Have patience, since the run may take something like 10 or so minutes (less depending on your hardware speed).
  • Close Notepad IF those show up in Notepad.
  • Just please attach the 2 files FRST.txt + Addition.txt with your next reply.
  • ALSO attach FIXLOG.txt

Thank you. 

Start Malwarebytes. Click Settings ( gear ) icon. 

  • Click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈. Click it to get it ON if it does not show a blue color.
  • Now click on the GENERAL tab.
  • Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan.
  • Next, click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[Image: MB4_scan_tick_ALL.jpg]

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

[Image: MB4_scan_all_Quarantine2.jpg]

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Need to clean that up by doing a whole new clean setup of Malwarebytes.

I would ask you to use the Malwarebytes Support Tool to accomplish that, to have the tool uninstall and re-install Malwarebytes for Windows.
Use this support article as a guide https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-Malwarebytes-using-the-Malwarebytes-Support-Tool
Have infinite patience after the reboot (restart) and just wait till the prompt window comes on.
Reply YES when prompted to re-install Malwarebytes.


The original issue of this case was all about a serious Trojan malware (first noticeable from the block notices about wmail-chat).
It has been found that the most common way a system gets that type of malware is by having "cracked / hacked" applications installed or in use.
For example, one notices here that these had been listed as "exclusions" from monitoring by Microsoft Defender antivirus:

"D:\Downloads\Chrome\Microsoft Office 2021 Final LTSC v2105"
"D:\Downloads\Chrome\Microsoft Office Pro Plus 2016-2019 v2108 Build 14326.20348 (x64) Incl. Activator"
"F:\Microsoft Office 2021 Final LTSC v2105\OInstall.exe"


Plus the fact that Malwarebytes had flagged "RiskWare.KMS" on an "Online_KMS" task (KMS is key management for licenses, which in cases like this are pirated).
This infection was caused by pirated apps.
Ensure that any hacked / illegal software / apps are removed / uninstalled.
Cracked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here.
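The post above found the pirated Office installers by reading the Microsoft Defender exclusion list out of the FRST report. As an added example (not code from the thread or from Microsoft), the PowerShell 5.1 script below does the same audit directly on the machine: it lists every excluded path, extension and process from Get-MpPreference and flags the patterns seen in this case (installer folders under Downloads, a path on a drive that is not currently present such as F:, an "Activator" in the name). The flag heuristics are this example's own assumptions, not Microsoft guidance. It runs elevated and removes nothing unless Remove-FlaggedExclusions is called without -DryRun.

```powershell
# Added example (not from the thread or Microsoft): audit and optionally clean
# Microsoft Defender exclusions. Flags are heuristics (assumptions), not a rule set.

function Get-DefenderExclusionReport {
    $pref  = Get-MpPreference
    $items = @()
    foreach ($p in @($pref.ExclusionPath))      { $items += [pscustomobject]@{ Kind = 'Path';      Value = $p } }
    foreach ($x in @($pref.ExclusionExtension)) { $items += [pscustomobject]@{ Kind = 'Extension'; Value = $x } }
    foreach ($r in @($pref.ExclusionProcess))   { $items += [pscustomobject]@{ Kind = 'Process';   Value = $r } }

    foreach ($item in $items) {
        $v = [string]$item.Value
        if (-not $v) { continue }
        $flags = @()
        # A bare drive letter excludes everything on that volume from scanning.
        if ($item.Kind -eq 'Path' -and $v -match '^[A-Za-z]:\\?$')          { $flags += 'whole-drive' }
        # Anything dropped into a user-writable folder is then never scanned.
        if ($v -match '(?i)\\(Downloads|Desktop|Temp|AppData|Public)\\')     { $flags += 'user-writable' }
        if ($v -match '(?i)activator|crack|kms|keygen|loader|patch')         { $flags += 'piracy-keyword' }
        # Extension-wide exclusions (e.g. .exe) disable scanning for a file type everywhere.
        if ($item.Kind -eq 'Extension')                                      { $flags += 'extension-wide' }
        # An exclusion for a path that is not present now (unplugged USB drive, deleted folder).
        if ($item.Kind -eq 'Path' -and -not (Test-Path -LiteralPath $v))     { $flags += 'path-missing' }
        if ($item.Kind -eq 'Path' -and $v -match '^[A-Za-z]:\\' -and
            (Get-Volume -DriveLetter $v[0] -ErrorAction SilentlyContinue).DriveType -eq 'Removable') {
            $flags += 'removable-media'
        }
        [pscustomobject]@{ Kind = $item.Kind; Value = $v; Flags = ($flags -join ',') }
    }
}

function Remove-FlaggedExclusions {
    param([switch]$DryRun)
    foreach ($e in @(Get-DefenderExclusionReport | Where-Object { $_.Flags })) {
        if ($DryRun) { "Would remove $($e.Kind) exclusion: $($e.Value) [$($e.Flags)]"; continue }
        switch ($e.Kind) {
            'Path'      { Remove-MpPreference -ExclusionPath      $e.Value }
            'Extension' { Remove-MpPreference -ExclusionExtension $e.Value }
            'Process'   { Remove-MpPreference -ExclusionProcess   $e.Value }
        }
    }
}

Get-DefenderExclusionReport | Format-Table -AutoSize -Wrap
Remove-FlaggedExclusions -DryRun        # preview only; drop -DryRun to apply the removals
```

After removing the exclusions, run a full Defender scan; the installers and activators that were excluded have never been scanned, so that scan is the first time Defender gets to look at them.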

Alright. We need to do more scanning. This you can start, and once it is under way you can leave the machine alone and let it run overnight. No need to keep watch once it starts the actual scan run.

Next, this will be a check with the ESET Online Scanner for viruses, other malware, adware, and potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine and let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At the screen "Detections occurred and resolved" click on the blue button "View detected results"
  • On the next screen, at lower left, click on blue "Save scan log"
  • View where the file is to be saved. Provide a meaningful name for the "File name:"
  • On the last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review