Trouble with wmcagent / Detrahere


11 replies to this topic

#1 arucabox

arucabox

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 29 June 2018 - 06:08 PM

Hello, I've run into some trouble with some dreadful viruses. After initially encountering them, a great many changes seem to have been made to my computer. At one point, Windows Defender was even disabled through group permissions, with a troubling sound effect loop being played and the PC suddenly restarting often.

 

I've restored some point of normalcy to this computer, but there are still further troubles that I cannot remove.

 

Windows Defender detects a "Detrahere" but is unable to remove it.

 

Malwarebytes Anti-Rootkit detects a "wmcagent" but is also unable to remove it.

 

I've run Malwarebytes, AdwCleaner, and HitmanPro a few times. They removed quite a few things. At this point, they no longer detect anything further.

 

The Windows 10 options of "Reset this PC" and "start fresh with a clean installation of windows" do not work and seem to be disabled. I have a CD of Windows 8.1 but am unable to boot from it, strangely.

 

Attached are the logs from Malwarebytes Anti-Rootkit and Farbar.

 

Hope someone can help!

 

Thanks.

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 30 June 2018 - 09:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I have identified a bad SmartService infection.

Later you will need access to a spare PC and a USB flash drive that has not been in contact with the sick PC...

I need to know first if you can enable the Recovery Environment...

Open FRST on the compromised computer:

Copy/paste the following inside the text area of FRST. Once done, click on the Fix button. A file called fixlog.txt should appear on your desktop. Attach it in your next reply.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


On completion, a message will come up saying that the fix has been completed, and it'll open a log in Notepad.
Copy and paste its content in your next reply.

Wait for further instructions.
<<<>>>

#3 arucabox

arucabox
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 30 June 2018 - 01:58 PM

Thanks. Ran the fix, here's the log.

 

Can I use a Mac computer to create the image on the flashdrive?

 

 

Attached Files


Edited by arucabox, 30 June 2018 - 02:44 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 01 July 2018 - 08:50 AM

Hi,

We do not have to create an image on the Flash drive.
If the Flash drive you have has been formatted on a Mac then you will need a new one or one which has been formatted on a Windows PC.

Let's proceed:

Preparing the USB Flash Drive

Boot up your spare Mac and plug in the Flash drive. If you see it, then try this.

Download FRST64.exe from https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/ and save directly to the Flash Drive.

Do not plug Flash Drive into sick PC until booted to Recovery Environment.

===

Boot the compromised PC to Recovery Environment, if you are unsure of that action have a read at the following link, maybe bookmark for future reference...

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10

Select in this order
"Troubleshoot" > "Advanced Options" > "Command Prompt"


Once in the command prompt

Plug your USB Flash Drive in the infected computer

In the command prompt, type notepad and press on Enter
Notepad will open. Click on the File menu and select Open
Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
Note: Replace the letter e with the drive letter of your USB Flash Drive
FRST will open
Click on Yes to accept the disclaimer
Click on the Scan button and wait for the scan to complete
A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

p.s.
If at any time you need additional information please ask before proceeding.

Wait for further instructions.

#5 arucabox

arucabox
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 01 July 2018 - 02:19 PM

Cannot enter the recovery environment. Restarting, even normally, gives me a prompt to choose an operating system - even though only Windows 10 is installed. From there, I went under F8 Advanced Options and attempted to enter the recovery environment but encountered an error.

 

Also, after restarting normally a "repairing drive" message is briefly shown before booting into the OS. Weird.

 

Attached is the error message I received.

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 02 July 2018 - 06:37 AM

Hi,

Do you see any of the images on this page?
https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

#7 arucabox

arucabox
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 02 July 2018 - 07:56 AM

No. Haven't seen anything close to those tutorial images. Tried to access advanced startup using a couple of those methods. Doesn't work, I still end up in the same "choose your operating system" menu as in the images I attached.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 03 July 2018 - 07:05 AM

Hi,


In post no. 3 the fixlog.txt shows that the Recovery Environment is available.

Start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
End::


Something is missing.

Navigate to this page and execute these instructions.

Fix: Unable to open Diagnostic options WinRE Windows 10
http://www.troubleshootwindows.com/windows-10/fix-unable-to-open-diagnostic-options-winre-windows-10/

Can you now open the RE?

Post any error message you get.
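
Added example, not part of the original posts: one way to check from an elevated PowerShell prompt whether the two bcdedit settings in the fixlist above took effect and whether a Windows RE image is actually registered. The use of reagentc.exe and the text patterns matched (English-language Windows output) are assumptions of this example, not something the thread used.

```powershell
# Added example: run from an elevated PowerShell prompt on the affected PC.
# Reads the BCD entries changed by the fixlist and the Windows RE registration.
# The patterns below assume English-language bcdedit/reagentc output.

function Get-BcdValue {
    param([string[]]$Lines, [string]$Name)
    # bcdedit prints "name<whitespace>value" pairs, one per line
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s+(.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$bootmgr = bcdedit.exe /enum '{bootmgr}'
$default = bcdedit.exe /enum '{default}'
$reagent = reagentc.exe /info

$report = [ordered]@{
    DisplayBootMenu  = Get-BcdValue $bootmgr 'displaybootmenu'
    RecoveryEnabled  = Get-BcdValue $default 'recoveryenabled'
    RecoverySequence = Get-BcdValue $default 'recoverysequence'
    WinREStatus      = $null
    WinRELocation    = $null
}
foreach ($line in $reagent) {
    if ($line -match 'Windows RE status:\s*(\S+)')   { $report.WinREStatus   = $Matches[1] }
    if ($line -match 'Windows RE location:\s*(.*)$') { $report.WinRELocation = $Matches[1].Trim() }
}
[pscustomobject]$report | Format-List

# recoveryenabled only tells the boot manager to use the recovery sequence;
# if no sequence or RE image is registered, there is nothing to boot into.
if ($report.RecoveryEnabled -eq 'Yes' -and -not $report.RecoverySequence) {
    'recoveryenabled is Yes, but {default} has no recoverysequence entry.'
}
if ($report.WinREStatus -ne 'Enabled' -or -not $report.WinRELocation) {
    'reagentc reports no usable Windows RE image; the BCD settings alone will not start it.'
}
```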

#9 arucabox

arucabox
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 03 July 2018 - 09:04 AM

Scan didn't find anything. Attached are the results of the scan, with a new "repair drive errors" message that began appearing today. Restarted and tried to enter the recovery environment again, still getting the same error as before.

Attached Files



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 04 July 2018 - 06:21 AM

Hi,

Boot your sick PC to Recovery Environment. Once you are at the System Recovery Options menu, select "Command Prompt"
 

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html


Now plug in your USB flashdrive.

At the command prompt, type or copy/paste diskpart and hit the Enter key.

At the diskpart prompt, type or copy/paste list volume and hit the Enter key.

You should now see a list of available drives, and also, if available, removable drives (USB).

Can you post the screen shot?

Or type and copy to your next post the exact lines that start with Volume.

#11 arucabox

arucabox
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:42 AM

Posted 04 July 2018 - 09:50 AM

Still cannot enter Recovery Environment, still getting the same error.

 

 

Attached Files



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,497 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:42 AM

Posted 04 July 2018 - 01:26 PM

Hi,

If you do not have the installation software to reinstall Windows as suggested on the message, contact the manufacturer.

Explain that you cannot get into the Recovery Environment.

What can they supply you with to get to the RE or an installation disk that would protect your installed programs and files?

I will leave this topic open until you return.



