Fake Windows Security Malware

3 replies to this topic

#1 mark12


  • Members
  • 2 posts
  • Local time:09:48 AM

Posted 06 April 2008 - 05:58 PM

I am experiencing a VERY troublesome trojan/malware. Symptoms include:

No access to TASK MANAGER
User wallpaper changed to "warning screen"
Intermittent pop-ups of MS-looking fake ads for spyware removal (with a warning icon at lower left)
SLOW computer
Taking up a lot of internet resources
Processes keep returning

I am suspicious of WMSDKNSE.EXE and some folders called 180search assistant that keep returning.
I recently upgraded

Here is the log file:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 2559.48 MiB / 2061.09 MiB
Pagefile Memory (total/avail): 4453.04 MiB / 4035.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 37.62 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
S: is Fixed (NTFS) - 149.05 GiB total, 147.68 GiB free.

\\.\PHYSICALDRIVE1 - ST3160811AS - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - S:

\\.\PHYSICALDRIVE0 - WDC WD800LB-60DNA1 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:

\\.\PHYSICALDRIVE2 - HP Photosmart 3210 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\EoL\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
HOMEPATH=\Documents and Settings\EoL
Path=C:\Program Files\Internet Explorer;;C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM;C:\Program Files\ATI Technologies\ATI.ACE\;C:\Program Files\QuickTime\QTSystem\
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
ProgramFiles=C:\Program Files
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
USERPROFILE=C:\Documents and Settings\EoL

-- User Profiles ---------------------------------------------------------------

EoL (admin)
Cathy (admin)
Guest (guest)

-- Add/Remove Programs ---------------------------------------------------------


-- Application Event Log -------------------------------------------------------

Event Record #/Type67711 / Warning
Event Submitted/Written: 04/06/2008 03:19:49 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type67710 / Warning
Event Submitted/Written: 04/06/2008 03:19:49 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

Event Record #/Type67704 / Error
Event Submitted/Written: 04/06/2008 03:18:26 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type67650 / Warning
Event Submitted/Written: 04/06/2008 01:15:13 PM
Event ID/Source: 32068 / Microsoft Fax
Event Description:
The outgoing routing rule is not valid because it cannot find a valid device. The outgoing faxes that use this rule will not be routed. Verify that the targeted device or devices (if routed to a group of devices) is connected and installed correctly, and turned on. If routed to a group, verify that the group is configured correctly.
Country/region code: '*'
Area code: '*'

Event Record #/Type67649 / Warning
Event Submitted/Written: 04/06/2008 01:15:13 PM
Event ID/Source: 32026 / Microsoft Fax
Event Description:
Fax Service failed to initialize any assigned fax devices (virtual or TAPI).
No faxes can be sent or received until a fax device is installed.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type12948 / Warning
Event Submitted/Written: 04/06/2008 03:31:08 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type12947 / Warning
Event Submitted/Written: 04/06/2008 03:31:05 PM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type12946 / Error
Event Submitted/Written: 04/06/2008 03:30:48 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type12945 / Error
Event Submitted/Written: 04/06/2008 03:30:48 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type12944 / Error
Event Submitted/Written: 04/06/2008 03:30:48 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address on the
Network Card with network address 000E2E6D6AFB.

-- End of Deckard's System Scanner: finished at 2008-04-06 15:45:25 ------------

#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 PM

Posted 06 April 2008 - 07:50 PM

Hello mark12 and welcome. Please do this and post back the scan Log.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log, and let us know how the PC is running now.

#3 mark12

  • Topic Starter

  • Members
  • 2 posts
  • Local time:09:48 AM

Posted 07 April 2008 - 09:23 PM

I now believe the suspect file is: C:\WINNT\System32\wmsdkns.exe.
I did what you told me and it revealed a lot of 'bad stuff' that I was thankful to get rid of!
However, it did not completely solve my problem with the fake Windows Security malware. I still could not access my Task Manager and the pop-ups continued.
I suspect that the file at the top is also part of my problem: ... wmsdkns.exe. Have you heard anything about this?
Thank you for your continued help with this aggravating problem.

Here is my log:
SUPERAntiSpyware Scan Log

Generated 04/07/2008 at 06:45 PM

Application Version : 4.0.1154

Core Rules Database Version : 3432
Trace Rules Database Version: 1424

Scan type : Complete Scan
Total Scan Time : 01:36:25

Memory items scanned : 184
Memory threats detected : 0
Registry items scanned : 5883
Registry threats detected : 9
File items scanned : 106631
File threats detected : 169

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}

Adware.Tracking Cookie
C:\Documents and Settings\EoL\Cookies\eol@medhelpinternational.112.2o7[1].txt
C:\Documents and Settings\EoL\Cookies\eol@oasc09.247realmedia[1].txt
C:\Documents and Settings\EoL\Cookies\eol@www.burstnet[2].txt
C:\Documents and Settings\EoL\Cookies\eol@oasc02.247realmedia[1].txt
C:\Documents and Settings\EoL\Cookies\eol@ads.monster[1].txt
C:\Documents and Settings\EoL\Cookies\eol@1070387867[1].txt
C:\Documents and Settings\EoL\Cookies\eol@toyota.112.2o7[1].txt
C:\Documents and Settings\EoL\Cookies\eol@indexstats[2].txt
C:\Documents and Settings\EoL\Cookies\eol@safeway.112.2o7[1].txt
C:\Documents and Settings\EoL\Cookies\eol@1072712049[1].txt
C:\Documents and Settings\EoL\Cookies\eol@eas.apm.emediate[1].txt
C:\Documents and Settings\EoL\Cookies\eol@adrevolver[1].txt
C:\Documents and Settings\EoL\Cookies\eol@1065526784[1].txt
C:\Documents and Settings\EoL\Cookies\eol@borders.112.2o7[1].txt

C:\Program Files\Zango\zango.exe
C:\Program Files\Zango


C:\Program Files\Seekmo\seekmohook.dll
C:\Program Files\Seekmo

C:\Documents and Settings\EoL\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\EoL\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\EoL\Start Menu\Programs\Internet Speed Monitor
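A file list like the one above can be triaged mechanically before anyone reads it line by line. The following Python is an added example, not part of the poster's log or of Deckard's System Scanner: it separates tracking-cookie entries (grouped by ad network) from non-cookie paths that match the adware names raised in this thread. The ADWARE_NAMES tuple and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the scanner's file list above
# (a few representative entries, not the full log).
SAMPLE_LINES = """
C:\\Documents and Settings\\EoL\\Cookies\\eol@zango[1].txt
C:\\Documents and Settings\\EoL\\Cookies\\eol@hosted.zango[2].txt
C:\\Documents and Settings\\EoL\\Cookies\\eol@fastclick[1].txt
C:\\Documents and Settings\\EoL\\Cookies\\eol@2o7[1].txt
C:\\Documents and Settings\\EoL\\Cookies\\eol@toyota.112.2o7[1].txt

C:\\Program Files\\Zango\\zango.exe
C:\\Program Files\\Zango

C:\\Program Files\\Seekmo\\seekmohook.dll
C:\\Program Files\\Seekmo

C:\\Documents and Settings\\EoL\\Start Menu\\Programs\\Internet Speed Monitor\\Check Now.lnk
C:\\Documents and Settings\\EoL\\Start Menu\\Programs\\Internet Speed Monitor
"""

# Adware families named in this thread; the tuple is an assumption for the example.
ADWARE_NAMES = ("zango", "seekmo", "internet speed monitor", "180search")

# Matches the IE cookie file naming: <user>@<host>[<n>].txt inside a Cookies folder.
COOKIE_RE = re.compile(r"\\Cookies\\[^@\\]+@([^\[\\]+)\[\d+\]\.txt$", re.IGNORECASE)


def triage(text):
    """Return (cookie domain counter, flagged paths) for scanner file-list lines."""
    cookie_domains = Counter()
    flagged = []
    for line in text.splitlines():
        path = line.strip()
        if not path:
            continue
        m = COOKIE_RE.search(path)
        if m:
            # eol@toyota.112.2o7 -> 2o7: keep the last label so one network counts once
            cookie_domains[m.group(1).rsplit(".", 1)[-1].lower()] += 1
            continue
        if any(name in path.lower() for name in ADWARE_NAMES):
            flagged.append(path)
    return cookie_domains, flagged


if __name__ == "__main__":
    cookies, hits = triage(SAMPLE_LINES)
    print("tracking cookies by network:", dict(cookies))
    print("adware-related paths:", *hits, sep="\n  ")
```

Cookie entries are low-signal on their own; the flagged program directories and Start Menu shortcuts are what the removal steps need to target.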
#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 PM

Posted 07 April 2008 - 10:10 PM

Run another scan please, this one is as long. That malware has many names. I am looking at it.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook