Another victim of the wmcagent virus


Hello! Unfortunately I too got the wmcagent virus. It's a tough bugger to get rid of (and I think a pretty new virus?), luckily I found a few threads about it already and have followed instructions. Like this other thread here: https://forums.malwarebytes.com/topic/226706-wmcagent-malware-problem/

So following the instructions, here is my first desktop scan of FRST64:

Quote

Fix result of Farbar Recovery Scan Tool (x64) Version: 12.05.2018
Ran by MainX (15-05-2018 23:05:41) Run:1
Running from C:\Users\MainX\Desktop
Loaded Profiles: MainX (Available Profiles: MainX)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

*****************


========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

The operation completed successfully.

========= End of CMD: =========


========= bcdedit.exe /set {default} recoveryenabled yes =========

The operation completed successfully.

========= End of CMD: =========


==== End of Fixlog 23:05:42 ====

Then as instructed, I booted into Windows Repair mode and ran FRST64.exe from a USB drive, I will attach that file. Also ran Malwarebytes after I restarted, I will attach that log as well. I quarantined all found items and restarted. Next I will run AdwCleaner and RogueKiller. Will that be the end of it or will there be another step? I see other people got a personal fix file they could use with FRST.exe.

FRST.txt

malwarebytesscan.txt


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry because we have a team of experts here to help you!!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:

Spoiler

Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:

Spoiler

Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  1. Double-click to run it. When the tool opens click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and paste the contents of the requested files in your Reply instead.

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


After posting your new post, make sure you click the Follow button near the top right of this page, and select the option "An email when new content is posted Change how the notification is sent" so that you're alerted by email when someone has replied to your post.

Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.

Troubleshooting Tips


Hello ropeadope and welcome to Malwarebytes...

You seem to have made a good job of removing smartservice infection, there will however be remnants that need to be moved with FRST.

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thanks,

Kevin..


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs, also let me know if there are any remaining issues or concerns...

Thank you,

Kevin

fixlist.txt

Edited by kevinf80
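
Added example, not part of the original post: mrt.log accumulates one section per MSRT run, so a helper reviewing an attached log needs only the newest section. The sketch below picks it by start time; the layout of SAMPLE_LOG (tool banner, "Started On" line, "Return code:" line) is an assumption about the log format, the sample is constructed, and the names parse_run and latest_run are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample. Assumed layout: each run opens with a tool banner and a
# "Started On" line and ends with a "Return code:" line; runs are appended.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v0.0, April 2018 (build 0.0.0.0)
Started On Wed Apr 11 09:02:10 2018
Results Summary:
----------------
No infection found.
Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v0.0, May 2018 (build 0.0.0.0)
Started On Wed May 16 10:12:33 2018
Results Summary:
----------------
No infection found.
Return code: 0 (0x0)
"""

BANNER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v", re.M)
STARTED = re.compile(r"^Started On (.+)$", re.M)
RETCODE = re.compile(r"^Return code:\s*(-?\d+)", re.M)

def parse_run(block: str):
    """Return start time, return code and text of one run, or None if unparseable."""
    started = STARTED.search(block)
    if started is None:
        return None
    try:
        when = datetime.strptime(started.group(1).strip(), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    code = RETCODE.search(block)
    return {"started": when,
            "return_code": int(code.group(1)) if code else None,  # None: run cut short
            "text": block.rstrip("-\r\n \t")}  # drop the separator before the next run

def latest_run(text: str):
    """Pick the run with the newest start time, not merely the last one in the file."""
    text = text.replace("\r\n", "\n")
    starts = [m.start() for m in BANNER.finditer(text)]
    blocks = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    runs = [r for r in map(parse_run, blocks) if r]
    return max(runs, key=lambda r: r["started"]) if runs else None

if __name__ == "__main__":
    print(latest_run(SAMPLE_LOG)["text"])
```
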

Thanks again for the step by step instructions. Attached below are the requested log files. Not sure how to tell if I am completely virus/malware free, even when I had the virus my computer ran mostly fine, although it was probably running in the background doing shady things.

Fixlog.txt

mrt.log

Edited by ropeadope

We can check your system again with FRST, that will give full overview and let us know if your system is clean. I've got to go out shortly, will be back online in 2 to 3 hours..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


Thanks,

Kevin


Those logs are clean, continue with the following:

Right click on FRST here: C:\FRST3\FRST64.exe and rename to uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Awesome. Thanks Kevin! That was scary stuff! 

I've got one more issue...when I first got the Virus I ran a bunch of virus scans and programs like Malwarebytes, hoping I got rid of the problems, and then backed up my entire hard drive (C:) to an external USB hard drive, which was a dumb idea, because now the virus likely is on that hard drive as well. I don't suppose I could just boot into safe mode, plug in the external drive, and delete the entire backup folder? I'm afraid to plug in the external hard drive, that the virus might spread back.

Edited by ropeadope

Download and install USB Vaccine by Panda, install that software. That should protect your system when you plug in your USB devices. You can now format the external hard drive.... Using Format option will remove all data on the external HD....

https://www.pandasecurity.com/uk/homeusers/downloads/usbvaccine/

One other command that needs to be reset back:

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry and select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type or copy/paste:

bcdedit /set {bootmgr} displaybootmenu no
Exit

hit the Enter key after each command.

Let me know if there are any remaining issues or concerns...

Thanks,

Kevin...

Edited by kevinf80
added external link.

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.