
WMCAgent Yelloader


  • This topic is locked
9 replies to this topic

#1 nadknub

  • Members
  • 4 posts
  • Gender:Male

Posted 27 May 2018 - 09:12 PM

WMCAgent Yelloader detected by Malwarebytes. Quarantine seems ineffective. Malwarebytes Chameleon cannot kill the process.

3 processes for WMCAgent running in Process Explorer. One of these processes lists the parent as "sehotgasvc.exe", without the quotes. sehotgasvc.exe is constantly running in Task Manager. Emsisoft regularly blocks and quarantines "WMCAgent.exe" and "nvdpxkc.exe" as Trojan Downloaders. The only symptoms that I notice are intermittent radio transmissions, usually 5 to 10 seconds long, overlapping any audio that I am playing on the PC. They sound like radio advertisements. When this occurs, the CPU activity of sehotgasvc.exe increases. Windows Defender states that it is turned on, but FRST Addition.txt states that it is turned off. Any rootkiller processes that I have downloaded fail to open. I am barely computer literate, so I apologize for any butchering of terminology. I would appreciate it if you would take that (the idiot factor) into consideration when detailing any solutions that you might provide. Thanks.

Attached Files





#2 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 28 May 2018 - 02:33 AM

Looking over your logs, back soon.



#3 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 28 May 2018 - 02:56 AM

The following lines from your FRST.txt log show that you have one of the "Smart Service" variants ....
 

() C:\Users\dan\AppData\Local\nvdpxkc\wmnouhv.exe
() C:\Users\dan\AppData\Local\nvdpxkc\wmnouhv.exe
() C:\Users\dan\AppData\Local\nvdpxkc\wmnouhv.exe
() C:\Users\dan\AppData\Local\nvdpxkc\wmnouhv.exe
() C:\Users\dan\AppData\Local\nvdpxkc\wmnouhv.exe
HKLM\SYSTEM\CurrentControlSet\Services\wmgvezt <==== ATTENTION (Rootkit!)
C:\Windows\system32\drivers\wmbhknru.sys -> Access Denied <======= ATTENTION


.... and there are a couple of ways we can deal with it ....
  • We can reset your computer to factory condition (in which case you'll lose any files you don't have backed up)
  • We can attempt to clean the infection (some variants of this infection have been known to cause "incidental damage" which can sometimes be difficult to rectify)
The choice of which option to take I leave up to you.

If you wish to try and clean your machine, we need to be able to boot into Recovery Environment, so please can you answer me the following questions ....
  • Are you able to access the Advanced Startup Options menu? (just try options one & two)
  • If you can't access the Advanced Startup Options, do you have a USB drive available of at least 32 GB capacity, and do you have access to another uninfected Windows 10 machine? (so we can create a Recovery Drive and use Option Four)
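
To show what a helper is reading off an FRST.txt log like the excerpt quoted above, here is an added Python triage example; it is not part of this thread and not FRST's own tooling. It assumes FRST's line layout as quoted in the post (publisher in parentheses before each running process, "<==== ATTENTION" markers on flagged objects) and runs over a constructed sample, not a real log.

```python
import re
from collections import Counter

# Constructed sample mirroring the FRST.txt excerpt in the post above (not a real log file).
SAMPLE_FRST = """\
(Microsoft Corporation) C:\\Windows\\System32\\svchost.exe
() C:\\Users\\dan\\AppData\\Local\\nvdpxkc\\wmnouhv.exe
() C:\\Users\\dan\\AppData\\Local\\nvdpxkc\\wmnouhv.exe
() C:\\Users\\dan\\AppData\\Local\\nvdpxkc\\wmnouhv.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services\\wmgvezt <==== ATTENTION (Rootkit!)
C:\\Windows\\system32\\drivers\\wmbhknru.sys -> Access Denied <======= ATTENTION
"""

# FRST prefixes each running process with its publisher name in parentheses;
# an empty "()" means no publisher name was recorded for the file (assumed reading).
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+?)\s*$")
# FRST's own flag: "<object> <==== ATTENTION (optional note)"
ATTENTION_RE = re.compile(r"^(?P<object>.+?)\s*<=+ ATTENTION(?: \((?P<note>[^)]*)\))?")
USER_DATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def triage_frst(text):
    """Return (kind, detail) findings a defender would want to look at first."""
    findings = []
    unsigned = Counter()
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            # Executables with no publisher running from a user's AppData are suspicious.
            if m.group("publisher") == "" and USER_DATA_RE.search(m.group("path")):
                unsigned[m.group("path")] += 1
            continue
        m = ATTENTION_RE.match(line)
        if m:
            obj, note = m.group("object"), m.group("note") or ""
            if "Rootkit" in note:
                findings.append(("rootkit_service", obj))
            elif "Access Denied" in obj:
                # A driver FRST cannot even read is a hallmark of a locked rootkit driver.
                findings.append(("locked_driver", obj.split(" -> ")[0]))
            else:
                findings.append(("attention", obj))
    for path, n in unsigned.items():
        findings.append(("unsigned_appdata_process", f"{path} (x{n})"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_frst(SAMPLE_FRST):
        print(f"{kind}: {detail}")
```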


#4 nadknub

  • Topic Starter
  • Members
  • 4 posts
  • Gender:Male

Posted 28 May 2018 - 03:29 PM

Hi Gary R. I was able to access Advanced Startup Options, through power button/F8, and I have reset my PC. Thank you for the insight and the quick response.



#5 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 29 May 2018 - 02:11 AM

OK, can you run a new scan with FRST please, and post me the new logs, so that we can be sure the reset has effectively removed your infection.



#6 nadknub

  • Topic Starter
  • Members
  • 4 posts
  • Gender:Male

Posted 29 May 2018 - 08:48 PM

Sorry for the delay, but I don't understand how to attach the FRST files to this post.



#7 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 30 May 2018 - 12:27 AM

Open the post editor, and click on more reply options to open the full editor.

Now scroll down to below the posting field, and click on the browse button below where it says Attach files.

Browse to the FRST.txt file, and double click on it to select it, then click on the Attach this file button.

Repeat for the Addition.txt file.

When both files are attached, hit the Add Reply button to submit your post.



#8 nadknub

  • Topic Starter
  • Members
  • 4 posts
  • Gender:Male

Posted 30 May 2018 - 01:04 AM

Thanks

Attached Files



#9 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 30 May 2018 - 02:53 AM

Latest logs do not show any signs of "Smart Service", so looks like the reset has done the job.

How's your computer running now?



#10 Gary R

    MRU Admin
  • Malware Response Team
  • 835 posts
  • Gender:Male

Posted 03 June 2018 - 04:32 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



