ripclaw90000

Yelloader WMCagent folder


Hi, I recently started using malwarebytes when my gaming PC started taking 1 minute to open Firefox.

Following the scan, I have 1 virus, Trojan-yelloader. I tried to quarantine it but it failed.

I attempted to delete the file as well but it was unable to.

I have also lost access to removing certain processes in task manager.

I attempted to fix it myself with FRST and, although my computer is running better, I still cannot remove the files.
Attached are the most recent logs. Thank you.

Addition.txt

FRST.txt


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/6/18
Scan Time: 4:35 PM
Log File: f0d8e15e-e20b-11e8-8e68-bcee7b5cc544.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.7723
License: Trial

-System Information-
OS: Windows 10 (Build 16299.431)
CPU: x64
File System: NTFS
User: DESKTOP-SIO2AUK\Chris Upton

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 353745
Threats Detected: 1
Threats Quarantined: 0
Time Elapsed: 41 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Trojan.Yelloader, C:\USERS\CHRIS UPTON\APPDATA\LOCAL\wmcagent, No Action By User, [2690], [521697],1.0.7723

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Hello ripclaw90000 and welcome to the Forums.
I'm Android 8888 and I'll be helping you with your computer issues. Please ask questions if anything is unclear.

Your computer is infected with a Smart Service Rootkit which is a very nasty infection but with the correct procedures we'll get your computer clean.

For now, please DO NOT run any tools by yourself unless asked to do so.


First, move FRST64 to your computer Desktop.

In Normal Mode do this please:

Right click on the FRST64 icon and select Run as administrator to start the tool;
Highlight and copy the following text and paste it inside the 'Search' box area of FRST;

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


Once done, click on the Fix button. A file called Fixlog.txt should appear in the same location as FRST64;
Please attach it in your next reply and wait for further instructions.

I will need to review your logs and will get back with more instructions as soon as possible.

Thank you.

Android8888

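The FRST fix above runs two bcdedit.exe commands so that the boot menu is shown and the recovery entry for the default OS is enabled, which is what makes the Windows Recovery Environment reachable in the next step. The following is an added PowerShell check, not part of the thread or of FRST, that reads those settings back with bcdedit /enum and reports whether they took effect. The function names Get-BcdEntry and Test-RecoveryBootSettings are my own; bcdedit's element names (displaybootmenu, recoveryenabled, recoverysequence) are the ones it prints in its own output. Run it from an elevated prompt.

```powershell
# Added example: verify the BCD settings set by the FRST fix
# (bcdedit /set {bootmgr} displaybootmenu yes, bcdedit /set {default} recoveryenabled yes).
# Must run elevated; bcdedit refuses to enumerate the store otherwise.

function Get-BcdEntry {
    param([Parameter(Mandatory)][string]$Id)   # e.g. '{bootmgr}' or '{default}'
    $raw = & bcdedit.exe /enum $Id 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum $Id failed: $raw" }
    $entry = @{}
    foreach ($line in $raw) {
        # Element lines look like "recoveryenabled         Yes".
        # Header lines and the dashed separator do not match this shape.
        if ("$line" -match '^(\S+)\s+(.+?)\s*$') { $entry[$Matches[1]] = $Matches[2] }
    }
    return $entry
}

function Test-RecoveryBootSettings {
    $bootmgr = Get-BcdEntry '{bootmgr}'
    $default = Get-BcdEntry '{default}'
    [pscustomobject][ordered]@{
        DisplayBootMenu  = ($bootmgr['displaybootmenu'] -eq 'Yes')
        RecoveryEnabled  = ($default['recoveryenabled'] -eq 'Yes')
        # recoverysequence names the WinRE entry; if it is missing, WinRE is not
        # registered for this OS and "Advanced startup" will not offer it.
        RecoverySequence = $default['recoverysequence']
    }
}

$status = Test-RecoveryBootSettings
$status | Format-List
if (-not $status.DisplayBootMenu) { Write-Warning 'displaybootmenu is not Yes on {bootmgr}' }
if (-not $status.RecoveryEnabled) { Write-Warning 'recoveryenabled is not Yes on {default}; WinRE will not start from the boot menu' }
if (-not $status.RecoverySequence) { Write-Warning 'no recoverysequence on {default}; check "reagentc /info" for WinRE status' }
```

If RecoverySequence is empty the two bcdedit settings alone will not help, which is the situation the helper's note about building separate installation or repair media covers.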

Hello @ripclaw90000

Thank you for your time and patience.

 

Please read the following instructions carefully and if you don't understand something, please STOP and ask before proceeding.


First you will need to have access to an uninfected computer and a USB Flash Drive (4 GB size will do).

 

Please note: The USB Flash Drive can only be inserted in the infected computer if it is either shutdown, or in the Windows RE (Recovery Environment). Otherwise, the infection will mess with the files on the USB.
 

Preparing the USB Flash Drive --- on a clean computer

  • Plug the USB Flash Drive into a clean computer and format it before using it ('Quick Format' is enough).
  • Access the Internet, download FRST 64-bit and save it to the USB Flash Drive (Don't use the FRST64.exe file used from the infected computer).
  • Download the attached fixlist.txt file at the bottom of this post and save it in the same location the FRST64 is saved in the flash drive.

 

Boot in the Recovery Environment (RE) --- on the infected computer

  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.


Note: Once in the Windows RE, plug the USB Flash Drive in the computer.


You will have to reach and select the Command Prompt icon in Advanced Options in the Recovery Environment.
 
 
Once in the Command Prompt

  • In the command prompt, type notepad and press Enter;
  • Notepad will open. Click on the File menu and select Open;
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad;
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter;
  • Note: Replace the letter e with the drive letter of your USB Flash Drive;
  • FRST will open;
  • Click on Yes to accept the disclaimer;
  • Click on the Scan button and wait for the scan to complete; That will deactivate the rootkit. Once the scan is finished, press the Fix button;
    These actions will make two files, a FRST.txt and a Fixlog.txt in the flash drive.
  • Please attach both (FRST.txt and Fixlog.txt) files in your next reply.

 

Once finished in the Recovery Environment, restart the computer in Normal Mode.

 
Delete the current FRST64.exe file from the infected computer.
Please download FRST 64-bit and save it to the Desktop.

  • Double-click to run it and accept the UAC warning that may appear. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a check-mark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The tool will also produce another log (Addition.txt ). Please attach it to your reply.


In your next reply I will need to see:

FRST.txt produced in the Recovery Environment;
Fixlog.txt produced in the Recovery Environment;
FRST.txt produced in Normal Mode;
Addition.txt produced in Normal Mode.

fixlist.txt

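The original post reports that Malwarebytes could not quarantine the flagged folder, that a manual delete failed, and that some processes could no longer be ended from Task Manager; the helper's answer is to scan from the Recovery Environment rather than fight the folder from inside the running system. The script below is an added, read-only triage example, not from the thread and not part of Malwarebytes or FRST, that records what is protecting such a folder and what still references it, without modifying anything. The path is the one from the Malwarebytes log above (resolved through $env:LOCALAPPDATA for the current user); the function names Get-FolderProtection and Get-PathReferences are my own. Run it elevated; the attribute, ACL, service, scheduled-task, process and Run-key checks are the places a practitioner looks first when a delete "fails".

```powershell
# Added example: read-only triage of a folder a scanner flags but cannot remove.
# Nothing here deletes, stops or renames anything; it only reads.

# Path from the Malwarebytes log in this thread; adjust for your own system.
$Target = Join-Path $env:LOCALAPPDATA 'wmcagent'

function Get-FolderProtection {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop   # -Force also returns Hidden/System items
    $acl  = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path       = $item.FullName
        Attributes = $item.Attributes.ToString()            # e.g. "Hidden, System, Directory"
        Owner      = $acl.Owner
        # Explicit Deny ACEs (often on Everyone or SYSTEM) are a common reason a delete fails
        DenyAces   = @($acl.Access | Where-Object AccessControlType -eq 'Deny' |
                       ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
        Files      = @(Get-ChildItem -LiteralPath $Path -Force -Recurse -File -ErrorAction SilentlyContinue |
                       Select-Object FullName, Length, LastWriteTime)
    }
}

function Get-PathReferences {
    param([Parameter(Mandatory)][string]$Path)
    $needle = [regex]::Escape($Path)
    $refs   = [System.Collections.Generic.List[object]]::new()

    # 1. Services whose image path points into the folder
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $needle } | ForEach-Object {
        $refs.Add([pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = $_.PathName; State = $_.State })
    }

    # 2. Scheduled tasks whose action executes something in the folder
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -match $needle) {
                $refs.Add([pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Detail = $action.Execute; State = $task.State })
            }
        }
    }

    # 3. Running processes whose image lives in the folder (Path is $null where access is denied)
    Get-Process | Where-Object { $_.Path -and $_.Path -match $needle } | ForEach-Object {
        $refs.Add([pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = $_.Path; State = "PID $($_.Id)" })
    }

    # 4. Per-user and machine Run keys whose command line points into the folder
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Value -is [string] -and $prop.Value -match $needle) {
                $refs.Add([pscustomobject]@{ Kind = 'RunKey'; Name = $prop.Name; Detail = $prop.Value; State = $key })
            }
        }
    }
    return $refs
}

if (Test-Path -LiteralPath $Target) {
    Get-FolderProtection -Path $Target | Format-List
    $found = Get-PathReferences -Path $Target
    if ($found.Count) { $found | Format-Table -AutoSize } else { Write-Host "No service, task, process or Run key references $Target" }
} else {
    Write-Host "$Target is not present"
}
```

A running process or a service still pointing into the folder is the usual reason an in-session delete fails; the helper's Recovery Environment scan sidesteps that because none of those components are loaded when Windows itself is not running. The output is worth keeping alongside the FRST logs so that a later fixlist can name the exact service, task or value to remove.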

@ripclaw90000

Thank you for the logs, patience and time. We have a bit more work to do yet.


The next step is to read the instructions on the link below and enable your System Restore now.
How to Turn On System Restore in Windows 10


Now re-run Malwarebytes and perform a new scan.
When the scan completes if potential threats are detected, ensure to check-mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please attach that log in your next reply.

 

Next, re-run AdwCleaner and perform a new scan.
Let the scan complete. Once it's done, make sure that every item listed is checked and click on the Clean & Repair button;
Click on the Clean & Restart Now button;
After the restart, a log will open when logging in.
Please attach that log in your next reply.


Next,
Go to this site https://www.adlice.com/download/roguekiller/ and scroll down on the webpage until you reach the 'Download' box with 3 green download buttons. Then click on the DOWNLOAD green button for the Portable 64 bits version of RogueKiller by Tigzy and save it to your computer Desktop.

  • Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool;
  • Click Yes to accept the User Account Control security warning that may appear;
  • Once the tool is open, click the 'Scan' tab menu and then click the Start Scan button;
  • Wait until the scan has finished. Note: This scan may take some time to complete;
  • Once finished the results will be displayed;
  • Check every single entry (threat found), and click on the Remove Selected button;
    Click on the Open Report button. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer Desktop.
  • Close RogueKiller.


Please attach the RKlog.txt to your next reply.


Next, you will run another script fix using Farbar Recovery Scan Tool (FRST).

NOTE: This fix will ask for a reboot and will run a 'System File Check' and a 'Disk Check'. Please let it complete both and DO NOT interrupt it under any circumstances.

  • Download the attached fixlist.txt file at the bottom of this post, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST64 icon and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;


In summary, I will need to see the following logs attached in your reply:
Malwarebytes log.
AdwCleaner clean log. The log can be found in C:\AdwCleaner\AdwCleaner[Cxx].txt (where xx is a number, the highest number is the most recent and is the one I want to see).
RogueKiller clean log.
Fixlog.txt

 

How is the system running now?

Thank you.

Android8888

fixlist.txt


Sorry for the delay. It seems my Primary hard drive has failed. My system no longer recognizes the SSD that I use to boot my computer.

I am unable to find it in diskpart, BIOS, or as an option when installing a fresh copy of windows.

It seems that I am forced to buy a new hard drive and start with a clean computer. If you have any ideas feel free to let me know.

Thanks for all of your support up to this point.


Hello @ripclaw90000

 

13 hours ago, ripclaw90000 said:

Thanks for all of your support up to this point. 

You're welcome.

 

13 hours ago, ripclaw90000 said:

Sorry for the delay. It seems my Primary hard drive has failed. My system no longer recognizes the SSD that I use to boot my computer.

I am unable to find it in diskpart, BIOS, or as an option when installing a fresh copy of windows.

That's odd. How long has the SSD been installed in the computer? Is it too old? Can you turn off the PC, then access your SSD and try to disconnect it and reconnect it again?

 

Please keep me posted.

Android8888


Hello @ripclaw90000

Do you still need assistance with your computer?


The SSD was several years old. I did manage to talk the company into replacing it on warranty. I will be reinstalling Windows to a clean copy, moving essential files to a clean hard drive, and purging everything else. Any malicious programming should be wiped out.

I shouldn't be needing any more assistance but if I do, I will make a new thread. I really appreciate your help, you are a good person. Thank you


Hi,

Thanks for letting me know.

Regards,

Android8888
