EliteKiller

wmsdkns.exe trojan


I've been seeing a lot of people infected with the wmsdkns.exe trojan since Apr. 5, and I wasn't sure if you've added it to the definitions yet.

Prevx info:

http://www.prevx.com/filenames/X3204800 ... S.EXE.html

Here's a HJT log from spywareinfo:

http://forums.spywareinfo.com/index.php ... ntry628529

Primary Symptoms:

-Receiving False Security Alerts every few minutes

-Receiving False Security Popups, generally claiming to be Windows Security Center system warnings (pic: http://vil.nai.com/images/143406_vil_wi ... center.gif)

-Receiving IE Popups leading to http://livesecuritycenter.com which quickly changes the address to 'about security' and offers Spymaxx and/or AntiSpyStorm 2008

-Desktop Background image has been replaced by an HTML file called "default" which announces that a spyware threat has been detected; click here to scan your PC for spyware

-Access to Task Manager "has been disabled by Administrator"

-General computer slowdown...

Culprits:

C:\WINDOWS\system32\wmsdkns.exe

UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe

Multiple entries: O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)

I also noticed three folders related to 180Solutions, Zango, and a couple of random folders that started with an S. When I ran SAS 4.0.1154 on an infected pc Sunday afternoon it did not pick up the infection. Unfortunately I was in a hurry and did not upload it to you for a sample. I used Unlocker 1.86 to delete the file (HJT misc. tools < delete file on reboot should work as well), and after a reboot all of the symptoms above were resolved.

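An added example (not part of the original post, and not HijackThis or SUPERAntiSpyware code): a small Python triage over HijackThis-style log lines that flags the two persistence indicators listed under "Culprits" above, namely extra programs appended to the Userinit value and BHO entries whose file is missing. The sample log is constructed; the `F2 - REG:system.ini:` prefix, the "Example" entries and the expected userinit.exe path are assumptions.

```python
import re

# Constructed sample in HijackThis log style; the Userinit and O2 values are
# the ones quoted in the post, the remaining lines are made up for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

USERINIT_RE = re.compile(r"userinit\s*=\s*(.+)$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# Assumption: Windows lives in C:\WINDOWS, as in the post.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def extra_userinit_entries(value):
    """Return every program in a Userinit value other than userinit.exe."""
    parts = [p.strip().strip('"') for p in value.split(",")]
    # The clean default value ends in a comma, so empty parts are skipped.
    return [p for p in parts if p and p.lower() != EXPECTED_USERINIT]


def triage(log_text):
    """Return (kind, detail) findings for the two indicators in the post."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.search(line)
        if m:
            for extra in extra_userinit_entries(m.group(1)):
                findings.append(("userinit-extra", extra))
            continue
        m = BHO_RE.match(line)
        # A BHO registered with no file on disk is a leftover or broken entry.
        if m and m.group(3).strip().lower() == "(no file)":
            findings.append(("bho-no-file", m.group(2).lower()))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```
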

Do you have a sample of the file? We are collecting the various samples to make sure we get all variants.

Unfortunately I was in a hurry and did not upload it to you for a sample.

:oops:

I'll remote into the customer's pc and send it to you later this afternoon if it's still available.

Unfortunately I was in a hurry and did not upload it to you for a sample.

:oops:

I'll remote into the customer's pc and send it to you later this afternoon if it's still available.

Ok thanks! When in doubt, always grab the samples :)


If your scan was last week, you should update your definitions and scan again. Be sure to reboot if asked to do so. You may need to scan in safe mode if you cannot do so in normal mode. Be sure to send any malware detected but not removed to samples at superantispyware.com. :)


:shock: even I didn't think any reply would be this quick...

I'm gonna reinstall this program after I've passed out from lack of sleep, but I do keep any/all anti-spyware/virus programs updated weekly if not daily to be sure they're able to catch new stuff...

And I will say this, which is that AVG and Spyware Terminator, all free anti-spyware/virus programs, have also been unlucky at fixing this...

Also, those folders which get installed, if my records are anything to go by, are:

1x 180 solution folders

1x Zango folder

2x 180 search assistant folders but two different spellings

1x Seekmo folder

1x stc folder

1x Sysmnt folder

Those are the only folders I know which are spyware, so I hope that helps you guys out before I reinstall SAS.

P.S. Thanks for the Speedy Gonzales response!

*mankind wanders to the nearest shop selling comfy beds to hibernate for a light year* lol


We have updated our definitions each day - make sure you are scanning with the latest definitions - make sure they match those here:

https://www.superantispyware.com/definitions.html

If you still have a problem, submit a support request here:

https://www.superantispyware.com/support.html

beatchawowa 2 speedy replies, thanks also to you Mr. Admin!

I shall be sure to double check the definitions match your above recommendations before I run a full scan, and I will post after it's done to keep you guys informed.


Hi, with SAS all up to date with the definitions I was able to clear all those annoying folders I posted before on here, and that was without needing to reboot in safe mode :D

However, when I do get more time I will do the safe mode full scan to see if that removes all the other issues posted below...

Primary Symptoms:

-Receiving False Security Alerts every few minutes

-Receiving False Security Popups, generally claiming to be Windows Security Center system warnings (pic: http://vil.nai.com/images/143406_vil_wi ... center.gif)

-Receiving firefox mozilla Pop ups for some Anti-spider software program w

-Desktop Background image has been replaced by an HTML file called "default" which announces that a spyware threat has been detected; click here to scan your PC for spyware

-Access to Task Manager "has been disabled by Administrator"

-General computer slowdown...

So it seems like it's 2 types of spyware blended together...

But tonight is my night off because I have a big date with tons of beer at my female anti-christ sister's birthday drink-up! And I doubt I will be in any fit state to even work my PC after that :roll:

So first it's beer brain blowing, then human recovering in safe mode for me :lol: then, if I'm not too hungover :shock:, it's the PC's time for a medical checkup again :D:D

Will once again keep you guys updated so you know how it goes, and for anyone else suffering with these issues on their PCs!

P.S. Glad your company invented a free SAS program!!!!!! 8)


I am also having the same problem posted by mankind, with all those folders as trojans. They get deleted with SUPERAntiSpyware, but when I reboot they are back. I've updated the definitions to the most current one, 4-22-08 I believe, and still they come back.

I am also having the same problem posted by mankind, with all those folders as trojans. They get deleted with SUPERAntiSpyware, but when I reboot they are back. I've updated the definitions to the most current one, 4-22-08 I believe, and still they come back.

Submit a support request here and we can run a custom diagnostic:

https://www.superantispyware.com/support.html


Good news, I'm finally free from all the spyware!

I got a feeling it was somehow programmed to stop after a certain time; not sure if that's possible, but that's just my opinion.

Thanks for the help though, guys! :D

P.S. To anyone who's just found this topic, these people do know what they're doing, so don't be afraid to ask for help :)


I was/still am infected with the wmsdkns.exe virus as well, and it's been a nightmare fighting back against it. I *THINK* I'm close to success but I was hoping you might be able to help me confirm it.

First of all, THANK YOU! SAS was the only program that was able to successfully remove most / (all?) of the infection - while SpyDoctor, Ad-Aware, Norton Anti-virus, and Spybot S&D all failed. I am extremely impressed. SAS helped me regain permanent control of my task manager (although I had found a temporary workaround through the 'Run' command line), and also eliminated the fake Internet security popups.

HOWEVER: while SAS now gives me a clean report when I run a scan, Spybot S&D still detects the Smitfraud-c virus (which I understand is linked to the wmsdkns trojan) whenever the computer restarts, as well as a bunch of entries from Zango, 180Solutions, etc. Needless to say, Spybot fails to delete them permanently.

ALSO: HijackThis still detects the wmsdkns.exe virus in its scan, located in the windows/system32 folder.

Since none of the main symptoms are manifesting themselves, I'm assuming the virus is either dormant or effectively crippled, but I would have a lot more peace of mind if you could help me confirm this and/or remove it once and for all.

Given SAS' success on my computer so far, I'm extremely encouraged. Thank you in advance!


It's well worth fully updating SAS, then rebooting into safe mode and running a full system scan. I did that and I'm finally free from all the hassle I went through for days.

As for the file appearing in the system32 folder, that I can't even offer help with, but I'm sure someone else on here will be able to help on that side of things.


I used SAS and it detected the .exe and quarantined it. However I still cannot access my task manager. Any ideas?

Cheers.

I used SAS and it detected the .exe and quarantined it. However I still cannot access my task manager. Any ideas?

Cheers.

Under the SUPERAntiSpyware Preferences->Repairs->Enable Task Manager :)

:shock:

How silly of me.

Thank you so much. Amazing program. Cheers!

Enjoy the product, and please tell your friends! :)


My little cousin downloaded this on my mom's computer yesterday.. thinking she got it from a link off MySpace. Anyways I just wanted to say that I'm downloading your program right now...

I just found out how to get the task manager and registry editor working again to find the process, so hopefully this software picks it up. If so, I just wanted to say thanks.. if not.. help!

