What is WMPlayer TSS?
The Malwarebytes research team has determined that WMPlayer TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
How do I know if my computer is affected by WMPlayer TSS?
You will see this screen as soon as the file is executed:
How did WMPlayer TSS get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a media player.
How do I remove WMPlayer TSS?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection this will require a few extra steps.
There are several options, but if a simple reboot does not fix the problem, the easiest method is to enter the password in the text field before the Activate Now button.
- Note that the password for the prompt is 8716098676542789.
- Once you succeed, screenlocker will disappear, at that point you can use Ctr-Alt-Del to access Taskmanager.
- If still active End the process called wmplayer.exe. Then use Taskmanager to Run explorer.
- Then continue with the instructions below.
- Please download Malwarebytes to your desktop.
- Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
- Then click Finish.
- Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
- If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
- No, Malwarebytes removes WMPlayer TSS completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below the full version of Malwarebytes would have protected you against the Tech Support Scam.
and the exploit protection module would have prevented the program from blocking your screen.
Technical details for experts
You may see these entries in FRST logs:
(Microsoft) C:\Users\{username}\Desktop\wmplayer.exeMalwarebytes scan log:
Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 8/17/17 Scan Time: 11:28 AM Log File: mbamWMPlayer.txt Administrator: Yes -Software Information- Version: 3.1.2.1733 Components Version: 1.0.160 Update Package Version: 1.0.2606 License: Premium -System Information- OS: Windows 7 Service Pack 1 CPU: x64 File System: NTFS User: {computername}\{username} -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 321549 Threats Detected: 3 Threats Quarantined: 3 Time Elapsed: 1 min, 31 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled -Scan Details- Process: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Quarantined, [382], [426298],1.0.2606 Module: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Quarantined, [382], [426298],1.0.2606 Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 1 Rogue.TechSupportScam, C:\USERS\{username}\DESKTOP\WMPLAYER.EXE, Delete-on-Reboot, [382], [426298],1.0.2606 Physical Sector: 0 (No malicious items detected) (end)As mentioned before the full version of Malwarebytes could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention