
OhMiOhMy Thread and trkwksvc.exe

Discussion in 'Virus & Other Malware Removal' started by ChezJfrey, Nov 2, 2007.

Thread Status:
Not open for further replies.
  1. ChezJfrey

    ChezJfrey Thread Starter

    Nov 2, 2007
    I couldn't post a reply and apparently I can't PM either (new member restriction?) so I'm creating this new thread.

    OhMiOhMy's connection problem may very well be C:\WINDOWS\trkwksvc.exe.

    I found this on two computers with intermittent connection problems due to flooding the NIC with outgoing activity. Windows 2000 SP 4 - C:\WINNT and Windows XP SP2 - C:\WINDOWS.

    The file I believe to be malware, trkwksvc.exe, is listed at Symantec's web site, but with completely different symptoms and this particular version was not detectable with SAV, scan engine, definition files from 10/31/2007 rev. 16.

    I found the culprit when I ran the SysInternals.com tools - Process Explorer and File Monitor. Crazy thing...when either of these tools is launched, it is terminated and its executable file is deleted from the file system. However, the malware is not clever enough to figure out these tools are running if you simply rename procexp.exe and filemon.exe to something like pr.exe and fm.exe.

    The File Monitor showed me what process was deleting the procexp and filemon files and sure enough, it was trkwksvc.exe. Kill that process with Process Explorer. Delete trkwksvc.exe from your file system.

    You will find entries in your registry for this that show it as "NET Service" - you'll find this listed in services.msc also, but you will likely be unable to edit or modify anything there. Search your registry for trkwksvc.exe and delete all instances of it and delete all keys for "NET Service".

    This may solve your connectivity problems as you will no longer be plagued by the overwhelming network activity this thing causes. I've also sent the file and my findings to Symantec, so hopefully they will soon provide virus definition files to combat this thing.
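    As an added example (not part of the thread or the poster's own work), a small Python triage script for the persistence described above: it parses a constructed `reg export` of the Services hive and flags the pattern the post describes, a service binary sitting outside system32 and the display name "NET Service". The sample dump, the service key name "trkwksvc" and the "DNS Client" entry are all constructed for illustration.

```python
import re

# Constructed sample of a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump,
# not taken from the thread: one ordinary service plus an entry built to match the
# post's "NET Service" with its binary directly in C:\WINDOWS. The key name
# "trkwksvc" is a hypothetical placeholder; the post gives only display name and path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\trkwksvc]
"DisplayName"="NET Service"
"ImagePath"="C:\\WINDOWS\\trkwksvc.exe"
'''

KEY_RE = re.compile(r'\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\]\\]+)\]')
SYSTEM32_RE = re.compile(r'^(?:%systemroot%|[a-z]:\\win(?:dows|nt))\\system32\\', re.I)

def decode_value(raw: str) -> str:
    if raw.startswith('"'):        # REG_SZ: quoted, backslashes and quotes escaped
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('hex(2):'):  # REG_EXPAND_SZ: UTF-16LE bytes, NUL-terminated
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00')
    return raw

def parse_services(text: str) -> dict:
    """Map each direct Services subkey to its decoded values (nested subkeys skipped)."""
    joined = re.sub(r',\\\r?\n\s*', ',', text)  # rejoin hex lines wrapped with a trailing backslash
    services, current = {}, None
    for line in joined.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = re.match(r'"([^"]+)"=(.*)', line)
        if val and current is not None:
            current[val.group(1)] = decode_value(val.group(2))
    return services

def triage(services: dict) -> list:
    """Services with a binary outside system32 (heuristic: third-party services also hit) or named "NET Service"."""
    findings = []
    for key, vals in services.items():
        image = vals.get('ImagePath', '').strip('"')
        if not SYSTEM32_RE.match(image) or vals.get('DisplayName') == 'NET Service':
            findings.append((key, vals.get('DisplayName', ''), image))
    return findings
```

    Run `triage(parse_services(SAMPLE_REG))` to list the flagged services; on a real machine, feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` instead of the sample.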
  2. ChezJfrey

    ChezJfrey Thread Starter

    Nov 2, 2007
    Just a quick follow up:

    I just found this web site: www.virustotal.com

    Looks to be a virus, but was missed by a few of the big ones. I ran the file and here are the results:

    File trkwksvc.exe received on 11.02.2007 21:26:20 (CET)
    Result: 14/32 (43.75%)

    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.3.0 2007.11.02 -
    AntiVir 2007.11.02 Worm/SdBot.162304.6
    Authentium 4.93.8 2007.11.02 -
    Avast 4.7.1074.0 2007.11.02 Win32:SdBot-gen44
    AVG 2007.11.02 Generic8.OTL
    BitDefender 7.2 2007.11.02 Generic.Sdbot.55442D59
    CAT-QuickHeal 9.00 2007.11.02 (Suspicious) - DNAScan
    ClamAV 0.91.2 2007.11.02 -
    DrWeb 2007.11.02 -
    eSafe 2007.10.28 Suspicious File
    eTrust-Vet 31.2.5262 2007.11.02 -
    Ewido 4.0 2007.11.02 -
    FileAdvisor 1 2007.11.02 -
    Fortinet 2007.10.19 -
    F-Prot 2007.11.02 -
    F-Secure 6.70.13030.0 2007.11.02 -
    Ikarus T3.1.1.12 2007.11.02 -
    Kaspersky 2007.11.02 Heur.Trojan.Generic
    McAfee 5155 2007.11.02 -
    Microsoft 1.2908 2007.11.02 Backdoor:Win32/Rbot.gen!A
    NOD32v2 2634 2007.11.02 probably a variant of Win32/Genetik
    Norman 5.80.02 2007.11.02 -
    Panda 2007.11.02 W32/Gaobot.QAN.worm
    Prevx1 V2 2007.11.02 Heuristic: Suspicious Backdoor
    Rising 2007.11.02 -
    Sophos 4.23.0 2007.11.02 -
    Sunbelt 2.2.907.0 2007.11.02 VIPRE.Suspicious
    Symantec 10 2007.11.02 -
    TheHacker 2007.10.27 -
    VBA32 2007.11.02 suspected of Malware.Agent.23 (paranoid heuristics)
    VirusBuster 4.3.26:9 2007.11.01 -
    Webwasher-Gateway 6.6.1 2007.11.02 Worm.SdBot.162304.6