
wmcagent got a hold of my laptop and I need some help.



This is a screenshot with both my wireless mouse dongle in the 2.0 port, and USB drive in one of the 3.0 drives.  Neither shows up.  When taking the wireless dongle out and using the thumb drive in the 2.0 port, the results are exactly the same.

IMG_1725.jpg

Kevin,

I have no earthly idea.  My sick laptop, in normal mode, shows Acer as my C drive, Data as my D drive, and the DVD drive as my E drive.  There is no and never was a recovery drive.  I have an ACER recovery disc that came with the laptop that I only wanted to use as a last resort.


Boot your sick PC back to normal windows, plug a USB stick into port 2.0 and port 3.0

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry and select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt type or copy/paste diskpart hit enter key

At diskpart type or copy/paste list volume hit enter key

attach an image of the cmd window with volumes listed...


Hiya Mark,

Can you boot to the Recovery Options Menu again, you should see the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


From the list select "System Restore" follow the prompts to restore your system to a date before this issue with smartservice began....

Let me know if that completes successfully...

Thanks,

Kevin...


Kevin, it says "no system restore points have been created on your computer's system drive.  To create a point open 'system protection'."

So now I'm afraid if I hit that it will start overwriting desktop/music/important documents/etc., on my system.  Are we to the point of system restore?   If we are, I'm afraid of backing up my files via a 1TB storage drive because I don't want to carry the virus over.  You ever seen anything like this?


smartservice has been around a couple of months, a lot of work was done to create a fix that has been working up to now. Your biggest problem is we cannot use a flashdrive via recovery environment to make the initial fix to kill the protective rootkit. For some reason your USB ports are not usable via the RE, that is the only way to break through...

I'm really not sure if the infection has created this problem, it does however seem very strange as I've never come across this issue before...  Looking at the partitions on your system the one listed as 5 is 33GB, is hidden and healthy, it is however listed under Fs (file system) as "raw" that usually means the file system is corrupt or there is no file system, either NTFS or Fat32.

That volume would probably have been the recovery partition for a factory reset, why it is now listed as "raw" is a mystery, unless you know of a reason... We could clean, format and try to use that partition via the RE to attempt a fix with FRST, to be honest I'm not sure what will happen... Any thoughts...?
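The reading of the diskpart "list volume" table described above (a 33GB volume that is healthy and hidden, with Fs shown as raw), as an added example that is not part of the original posts: a small parser that slices the table by its dashed ruler and flags RAW or hidden volumes. The sample table is constructed and abbreviated, not copied from the screenshots in this thread, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated sample of diskpart "list volume" output.
SAMPLE = """\
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       DVD-ROM         0 B  No Media
  Volume 1         SYSTEM RESE  NTFS   Partition    100 MB  Healthy    System
  Volume 2     C   Acer         NTFS   Partition    200 GB  Healthy    Boot
  Volume 3     D   Data         NTFS   Partition    232 GB  Healthy
  Volume 5                      RAW    Partition     33 GB  Healthy    Hidden
"""

def parse_list_volume(text):
    """Parse the fixed-width table into one dict per volume."""
    lines = [l for l in text.splitlines() if l.strip()]
    # The dashed ruler under the header gives each column's character span.
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    rows = []
    for line in lines[ruler + 1:]:
        # diskpart marks the selected volume with a leading "*".
        if line.lstrip("* ").startswith("Volume"):
            rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, spans)})
    return rows

def flag_volumes(rows):
    """Return (volume, reasons) for volumes with a RAW file system or hidden flag."""
    flagged = []
    for r in rows:
        reasons = []
        if r["Fs"].upper() == "RAW":
            reasons.append("no recognisable file system (RAW)")
        if "hidden" in r["Info"].lower():
            reasons.append("hidden attribute set")
        if reasons:
            flagged.append((r["Volume ###"], reasons))
    return flagged

if __name__ == "__main__":
    for vol, reasons in flag_volumes(parse_list_volume(SAMPLE)):
        print(vol, "->", "; ".join(reasons))
```
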


Kevin, unfortunately, I know nothing of this subject (largely).  My fear is losing every file on my sick laptop, and the only (semi) good thing is that it still allows me to browse, look through my computer, etc.  I’ve cleaned enough of it up to where I can at least be functional with it.  It just leaves these two “client” processes on task manager that are un-endable.  It looks like I’m going to have to wipe clean and look to you as to how I should set this thing up initially so that it doesn’t happen again.  Like I said, I have a 1TB hard drive that I planned on backing everything up with, but will wmcagent leak onto the hard drive, thus me replanting it back onto the (now) healthy laptop?  I’m willing to do whatever it takes, this was my last resort I wanted to use.  Seems like I have been the first to have such an affliction—your thoughts?


It’s definitely “smart”, I can’t turn win defender on, I can’t even turn web protection on on the latest version of malwarebytes.  It’s almost leaving me no choice, which is hard to believe.  I think malwarebytes should prioritize this bug over nearly anything else going on in the scene, it could get bad.


There is no available program to defeat smartservice infection, usual programs remove rootkits as the system reboots before windows loads. smartservice renames itself as the system boots down, hence a newly named rootkit loads with windows...

FRST is the only tool available to kill the infection protective rootkit via a flashdrive from the recovery environment. In your case we cannot use a flashdrive as there is no USB available in RE... This could be the latest change made by the writers who created smartservice infection.

Reboot your sick PC to the Recovery Options list, from there select "Command Prompt"

At the prompt type or copy paste set devmgr_show_nonpresent_devices=1 then hit enter key

Plug flashdrives into port 2.0 and port 3.0

At the command prompt type or copy/paste diskpart then hit enter key

At diskpart prompt type or copy/paste list volume then hit enter key

Do the usb devices now show..?


From your sick PC booted to Normal mode

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type or copy/paste diskpart hit enter key

At diskpart prompt, type or copy/paste list volume hit enter key

List of volumes should populate.

At diskpart prompt type or copy/paste select volume 5 hit enter key

volume 5 should be confirmed...

At diskpart type or copy/paste attributes volume clear hidden hit enter key

unhidden should be confirmed.
 
At diskpart prompt type or copy/paste exit
 
Re-boot your system to Normal mode, check if windows has attributed a letter to the 33GB volume..

If you have a recovery DVD that will make a fresh install of windows I suppose we can format the volume with "raw" status. I want to try and get that volume active, if we make no progress then a fresh install is probably the only option left.. help available here: https://www.acer.com/ac/en/US/content/support

At diskpart prompt type or copy/paste select volume 5 hit enter key.

At diskpart prompt type or copy/paste format fs=ntfs label=data hit enter key

Does that work...?

 


Hiya Mark,

Thanks for the update with volume 5, now I want to unhide that volume, then assign an id letter......

Open an elevated command prompt (administrator status), next...

At the prompt type or copy/paste diskpart then hit enter key

At the diskpart prompt type or copy/paste list volume then hit enter key

List of volumes will populate....

At the diskpart prompt type or copy/paste select volume 5 then hit enter key

At the diskpart prompt type or copy/paste volume clear hidden then hit enter key

At the diskpart prompt type or copy/paste assign letter=F then hit enter key

If we are successful unhiding and attributing id letter I want to try using that partition to run FRST...

Next,

From your spare PC download, unzip fixme.zip to a flashdrive so you have fixme.exe that is frst renamed.

Next,

With sick PC in normal mode Transfer fixme.exe from flashdrive to volume now reassigned as F:\

Next,

We now can try running frst (renamed fixme) from recovery environment....

For sick PC with Windows 7 enter System Recovery Options as follows.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type F:\fixme64. Press Enter
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

 

 

fixme.zip


Kevin, could you clarify at the beginning of your posts whether or not I'm supposed to be in RE  or not?  I just opened command prompt running as administrator (in normal mode), and the setting went back to "RAW".  So I had to retype that command that reformats it to NTFS and I successfully did. 

But now it seems that "hidden" isn't a real command, per the attached.  I ALMOST tried to use the "convert" command but i was too scared to.  It wouldn't accept "hidden", so, what now?  It did let me assign letter to F, but the partition remains hidden.

hidden command.pdf


Hello Mark,

Apologies if my instructions were not concise, yes I did mean to run the commands with system in Normal mode, not RE... I want to try and clear the hidden value of volume 5 and assign letter F. If we can complete those commands successfully I want to try and run FRST via that volume in Recovery mode...

Open an elevated command prompt (administrator status) with system booted to Normal mode, next...

At the prompt type or copy/paste diskpart then hit enter key

At the diskpart prompt type or copy/paste list volume then hit enter key

List of volumes will populate....

At the diskpart prompt type or copy/paste select volume 5 then hit enter key

At the diskpart prompt type or copy/paste attributes volume clear hidden then hit enter key

At the diskpart prompt type or copy/paste assign letter=F then hit enter key.

type or copy/paste exit then hit enter key, that should close cmd window...

Next,

If we are successful unhiding and attributing id letter I want to try using that partition to run FRST... 

Next,

From your spare PC download, unzip fixme.zip to a flashdrive so you have fixme.exe that is frst renamed.

Next,

With sick PC in normal mode Transfer fixme.exe from flashdrive to volume now reassigned as F:\

Next,

We now can try running frst (renamed fixme) from recovery environment....

For sick PC with Windows 7 enter System Recovery Options as follows.

Enter System Recovery Options I give two methods, use whichever is convenient for you.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you may get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type F:\fixme64. Press Enter
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

 

fixme.zip


Kevin, first off, thanks for hangin in there. 

It will let me do nearly everything except change the attribute from hidden to whatever the other option would be.  I've attached 3 attachments sort of chronologizing what I see as I attempt it all.  It seems that after I make it an  F drive, even though command prompt says it's 33gb full of 'something', when I right click on it in my computer it's showing precisely zero bytes.   so strange man.

unrecognized format.pdf

volume attributes.pdf

F drive properties.pdf


Hiya Mark,

Download and install Aomei Partition Assistant Standard from this link: https://www.aomeitech.com/pa/standard.html

Once installed open Aomei PAS select the partition in question, yours is the one 33GB in size, from lefthand tools list select "Unhide" from the menu bar select "Apply" when complete reboot and check if that partition is named and now unhidden...
 
Thanks,
 
Kevin...

Part1.JPG
