Jump to content

WMCAgent Malware and Rootkit


Recommended Posts

I downloaded a program from a third party website and now I have what I believe is a rootkit that I can't delete from my computer. I've uninstalled everything possible, scanned with Malwarebytes and Norton and they remove everything except a file called wmcagent.exe  and some folders with weird names like snoteku. It is in my User/Appdata/Local folder. I cannot delete it or a few folders I believe are associated with it. It only says access is denied. I've used the Malwarebytes AdwCleaner and Anti-rootkit and the Norton variants and it can't remove it, or don't detect it. There are two programs running in task manager called "client" and I can't end them, or they just restart later. I even reinstalled Chrome and double checked all my browsers to make sure it's not an extension.

I followed some of the steps from this because I believe this is the same problem. However I am not sure and would rather not go through some of the complicated steps toward the end if I don't have to. Towards the end of the guide, they use the FRST executable, and paste the text inside and click fix. His does not work and mine does, the rest of the guide is dedicated to finishing his problem; however it is not clear if they ever fixed the problem. Any advice?
5af3c18d5979e_Taskmanager.PNG.239e69679362cc476d55f0bcc9dbeacf.PNG5af3c1d6ce0e4_Taskmanagerprocess.PNG.6500a984c27b683bf63c0ef892ffcf72.PNGAppdata.thumb.PNG.db833a79052439a14a8fad835472b169.PNG
Attached is a few files from the guide that might be helpful to look at. 

 

FRST.txt

Addition.txt

Fixlog.txt

Link to post
Share on other sites

  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
    image.png
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
    image.png
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
    _frst_scan.jpg.d10e66dc03e35ede4fdcba12b
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and past the contents of the requested files in your Reply instead. 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

_mb_attach.jpg.a0465aaafd6cae688aa38ab16

 

After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

_mb_follow.jpg.7868cc281f66ac22e919c2c48

_mb_follow_options.jpg.dcb79fc10aa35beb0

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips

Link to post
Share on other sites

Hello WayneLouisville and welcome to Malwarebytes,

Logs indicate smartservice infection, you will need access to a known clean PC and a USB Flashdrive 4gb or above:

Plug USB Flash Drive into spare PC, navigate to that drive and Right click on it directly, select > Format. The quick option is adequate.

When the format completes download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Do NOT plug the Flash drive into the sick PC untill booted to the Recovery Environment

If you are using Vista or Windows 7 enter System Recovery Options as follows.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Next,

Boot back to Normal Windows, now run Malwarebytes as follows:

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Let me see those two logs in your reply..

Thank you,

Kevin.
Link to post
Share on other sites

Following your steps, I tried to use the Command F:\FRST64 but it says the disk isn't ready. The file is on the USB, and when I type anything else it isn't recognized so I know it recognizes the file. I made sure the settings were as listed on Malwarebytes and scanned but it didn't recognize the wmcagent. The file for the scan is attached.

 

Scan 05.10.18.txt

Edited by WayneLouisville
Uploaded wrong file
Link to post
Share on other sites

Did you format the USB Flash drive on a spare PC and load FRST from same PC....?

Also do the the following on the sick PC before booting to Recovery Environment:

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the prompt either type or copy/paste the following commands, select enter after each command:

bcdedit.exe /set {bootmgr} displaybootmenu yes
bcdedit.exe /set {default} recoveryenabled yes
exit

Thank you,

Kevin..

 

Link to post
Share on other sites

I executed frst64 from the spare pc and it generated a folder. I followed the instructions and executed the commands, then went back into recovery mode and tried again. This time the drive was G, the was no folder from the last time I ran it. Then I got FRST64 to open from the command prompt and scanned, and it said it generated a text document that would be placed in the same place as the program. It opened for me but it didn't seem to have much content, only one line that included the date. However, I tried to access the file from the spare computer and it doesn't exist as well as that folder it generated. How strange, by the way thanks so much for your help so far. I will donate once we get to the end of the problem. 

Link to post
Share on other sites

If the flash drive is connected to the sick PC before booting to Recovery Environment the infection will stop FRST from working. Plug flashdrive back to clean PC, format flash drive. Download and save FRST to flashdrive again.

Boot sick PC to Recovery Environment, when in that mode plug in flashdrive. then follow previous instructions to run FRST from command prompt...

Link to post
Share on other sites

Sorry I haven't replied in a few days, I've been trying to solve this problem for a few days, so when I try to format the USB it just says it is unsuccessful. I've tried using the default settings and other methods like using the disk partition editor (can't remember exact name)but for whatever reason it won't work. Malwarebytes did recognize the wmcagent and classified it as a trojan but it couldn't quarantine/remove it. The only thing I could thing of to do is get a new USB? 

Link to post
Share on other sites

Yeah I'm trying to format it on this clean laptop. I've never had it in the infected desktop without it being in safe mode. I think it worked the first time though, not sure why it doesn't work now. It just says format unsuccessful, sorry that's not a ton to work off of. I could send screenshots of it if necessary. 

Link to post
Share on other sites

The problem with attachments is fixed, can you re-attach fixlog.txt again..

Also boot sick PC back to normal mode, run FRST one more time and post fresh logs...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

Link to post
Share on other sites

Hello WayneLouisville,

The latest logs from FRST "frst.txt" and "additional.txt" do show smartservice infection is still prevalent on your system. Running the original fix must  be done again as follows:

Plug USB Flash Drive into spare PC, navigate to that drive and Right click on it directly, select > Format. The quick option is adequate.

When the format completes download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Do NOT plug the Flash drive into the sick PC untill booted to the Recovery Environment

If you are using Vista or Windows 7 enter System Recovery Options as follows.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



Next,

Boot back to Normal Windows, now run Malwarebytes as follows:

Open Malwarebytes Anti-Malware.
 

  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.



To get the log from Malwarebytes do the following:
 

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those two logs in your reply..

Thank you,

Kevin.

Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.