OhMiOhMy Thread and trkwksvc.exe

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

ChezJfrey (Thread Starter), joined Nov 2, 2007, 2 messages
http://forums.techguy.org/malware-r...download-software.html?highlight=trkwksvc.exe
I couldn't post a reply and apparently I can't PM either (new member restriction?) so I'm creating this new thread.

OhMiOhMy's connection problem may very well be C:\WINDOWS\trkwksvc.exe.

I found this on two computers with intermittent connection problems due to flooding the NIC with outgoing activity: Windows 2000 SP4 (C:\WINNT) and Windows XP SP2 (C:\WINDOWS).

The file I believe to be malware, trkwksvc.exe, is listed at Symantec's web site, but with completely different symptoms, and this particular version was not detectable with SAV 9.0.3.1000, scan engine 71.3.0.25, definition files from 10/31/2007 rev. 16.

I found the culprit when I ran the SysInternals.com tools Process Explorer and File Monitor. Crazy thing: when either of these tools is launched, it is terminated and its executable file is deleted from the file system. However, the malware is not clever enough to figure out that these tools are running if you simply rename procexp.exe and filemon.exe to something like pr.exe and fm.exe.

The File Monitor showed me what process was deleting the procexp and filemon files and sure enough, it was trkwksvc.exe. Kill that process with Process Explorer. Delete trkwksvc.exe from your file system.

You will find entries in your registry for this that show it as "NET Service" - you'll find this listed in services.msc also, but you will likely be unable to edit or modify anything there. Search your registry for trkwksvc.exe and delete all instances of it and delete all keys for "NET Service".

This may solve your connectivity problems, as you will no longer be plagued by the overwhelming network activity this thing causes. I've also sent the file and my findings to Symantec, so hopefully they will soon provide virus definition files to combat this thing.
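The hunt-and-remove procedure in the post above (find the process, the "NET Service" entry, the registry references and the file, then kill and delete them) as one PowerShell script. This is an added example, not code from the thread or from any vendor. It assumes the file name and service display name the post gives, and it assumes the classic Run/RunServices keys are where the registry "instances" the post mentions live; the post does not say which keys it found. PowerShell postdates Windows 2000 and XP SP2 (Get-FileHash needs PowerShell 4 or later), so on those hosts the same checks are done with reg.exe, sc.exe and tasklist. The post's workaround of renaming the tooling applies to whatever you run on the box; the script does not address that.

```powershell
# Added example (not from the original thread): hunt for the trkwksvc.exe /
# "NET Service" persistence described in the post, then optionally remove it.
# Assumed: file name and display name (from the post); the Run/RunServices keys
# as the likely registry references (assumption, the post names no key).
# Read-only by default; -Remove performs the kill/delete steps. Run elevated.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FileName    = 'trkwksvc.exe',
    [string]$DisplayName = 'NET Service',
    [switch]$Remove
)

$findings = New-Object System.Collections.Generic.List[object]
$pattern  = [regex]::Escape($FileName)

# 1. A running process whose image path ends in the suspect file name.
foreach ($p in Get-Process) {
    if ($p.Path -and $p.Path -match "\\$pattern$") {
        $findings.Add([pscustomobject]@{ Kind = 'Process'; Where = $p.Id; Value = $p.Path })
    }
}

# 2. A service whose DisplayName or ImagePath points at it (what services.msc showed as "NET Service").
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem $svcRoot -ErrorAction SilentlyContinue) {
    $v = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($v.DisplayName -eq $DisplayName -or ([string]$v.ImagePath) -match $pattern) {
        $findings.Add([pscustomobject]@{ Kind = 'Service'; Where = $key.PSPath; Value = "$($v.DisplayName) -> $($v.ImagePath)" })
    }
}

# 3. Autostart values in the classic Run keys (assumed location of the "instances" the post mentions).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $rk).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # PSPath etc. are provider metadata, not values
        if ([string]$prop.Value -match $pattern) {
            $findings.Add([pscustomobject]@{ Kind = 'RunValue'; Where = "$rk\$($prop.Name)"; Value = $prop.Value })
        }
    }
}

# 4. The file itself, hashed so it can be submitted or compared before it is deleted.
foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
    $f = Join-Path $dir $FileName
    if (Test-Path $f) {
        $h = (Get-FileHash -Path $f -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{ Kind = 'File'; Where = $f; Value = "sha256=$h" })
    }
}

$findings | Format-Table -AutoSize

if ($Remove) {
    # Order matters: the process is what deletes tooling and may recreate artefacts, so kill it first,
    # then the service key, then autostart values, and the file last.
    foreach ($f in $findings | Where-Object Kind -eq 'Process') {
        if ($PSCmdlet.ShouldProcess("PID $($f.Where)", 'Stop-Process')) { Stop-Process -Id $f.Where -Force }
    }
    foreach ($f in $findings | Where-Object Kind -eq 'Service') {
        if ($PSCmdlet.ShouldProcess($f.Where, 'Remove service registry key')) { Remove-Item -Path $f.Where -Recurse -Force }
    }
    foreach ($f in $findings | Where-Object Kind -eq 'RunValue') {
        $keyPath = Split-Path $f.Where -Parent
        $name    = Split-Path $f.Where -Leaf
        if ($PSCmdlet.ShouldProcess($f.Where, 'Remove-ItemProperty')) { Remove-ItemProperty -Path $keyPath -Name $name }
    }
    foreach ($f in $findings | Where-Object Kind -eq 'File') {
        if ($PSCmdlet.ShouldProcess($f.Where, 'Remove-Item')) { Remove-Item -Path $f.Where -Force }
    }
}
```

Run it once without -Remove and keep the hash line; then `.\hunt.ps1 -Remove -WhatIf` shows exactly what would be touched before `-Remove` does it. Deleting the service key rather than using services.msc mirrors the post's observation that the service could not be edited there; a reboot is still needed for the service control manager to forget it.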
 

ChezJfrey (Thread Starter), joined Nov 2, 2007, 2 messages
Just a quick follow up:

I just found this web site: www.virustotal.com

Looks to be a virus, but was missed by a few of the big ones. I ran the file and here are the results:

File trkwksvc.exe received on 11.02.2007 21:26:20 (CET)
Result: 14/32 (43.75%)

Antivirus            Version         Last Update  Result
AhnLab-V3            2007.11.3.0     2007.11.02   -
AntiVir              7.6.0.30        2007.11.02   Worm/SdBot.162304.6
Authentium           4.93.8          2007.11.02   -
Avast                4.7.1074.0      2007.11.02   Win32:SdBot-gen44
AVG                  7.5.0.503       2007.11.02   Generic8.OTL
BitDefender          7.2             2007.11.02   Generic.Sdbot.55442D59
CAT-QuickHeal        9.00            2007.11.02   (Suspicious) - DNAScan
ClamAV               0.91.2          2007.11.02   -
DrWeb                4.44.0.09170    2007.11.02   -
eSafe                7.0.15.0        2007.10.28   Suspicious File
eTrust-Vet           31.2.5262       2007.11.02   -
Ewido                4.0             2007.11.02   -
FileAdvisor          1               2007.11.02   -
Fortinet             3.11.0.0        2007.10.19   -
F-Prot               4.4.2.54        2007.11.02   -
F-Secure             6.70.13030.0    2007.11.02   -
Ikarus               T3.1.1.12       2007.11.02   -
Kaspersky            7.0.0.125       2007.11.02   Heur.Trojan.Generic
McAfee               5155            2007.11.02   -
Microsoft            1.2908          2007.11.02   Backdoor:Win32/Rbot.gen!A
NOD32v2              2634            2007.11.02   probably a variant of Win32/Genetik
Norman               5.80.02         2007.11.02   -
Panda                9.0.0.4         2007.11.02   W32/Gaobot.QAN.worm
Prevx1               V2              2007.11.02   Heuristic: Suspicious Backdoor
Rising               20.16.42.00     2007.11.02   -
Sophos               4.23.0          2007.11.02   -
Sunbelt              2.2.907.0       2007.11.02   VIPRE.Suspicious
Symantec             10              2007.11.02   -
TheHacker            6.2.9.110       2007.10.27   -
VBA32                3.12.2.4        2007.11.02   suspected of Malware.Agent.23 (paranoid heuristics)
VirusBuster          4.3.26:9        2007.11.01   -
Webwasher-Gateway    6.6.1           2007.11.02   Worm.SdBot.162304.6
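A short triage pass over a pasted VirusTotal text report of the kind shown in the post above: it parses the rows, recomputes the detection ratio, separates verdicts that name a family from heuristic-only ones, and flags engines whose definitions were older than the scan date, since a clean verdict from a stale engine means less. This is an added example, not part of the thread or of VirusTotal; the 32 rows are copied from the post as constructed input, and the list of family keywords used for grouping (sdbot, rbot, gaobot) is an assumption taken from the vendor names in that table.

```powershell
# Added example (not from the original thread): triage a VirusTotal text report.
# Input below is a constructed copy of the 32 rows posted above; the family
# keyword list is an assumption drawn from the vendor names in that report.
$scanDate = [datetime]::ParseExact('2007.11.02', 'yyyy.MM.dd', $null)
$families = 'sdbot', 'rbot', 'gaobot'
$report = @'
AhnLab-V3 2007.11.3.0 2007.11.02 -
AntiVir 7.6.0.30 2007.11.02 Worm/SdBot.162304.6
Authentium 4.93.8 2007.11.02 -
Avast 4.7.1074.0 2007.11.02 Win32:SdBot-gen44
AVG 7.5.0.503 2007.11.02 Generic8.OTL
BitDefender 7.2 2007.11.02 Generic.Sdbot.55442D59
CAT-QuickHeal 9.00 2007.11.02 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.02 -
DrWeb 4.44.0.09170 2007.11.02 -
eSafe 7.0.15.0 2007.10.28 Suspicious File
eTrust-Vet 31.2.5262 2007.11.02 -
Ewido 4.0 2007.11.02 -
FileAdvisor 1 2007.11.02 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.02 -
F-Secure 6.70.13030.0 2007.11.02 -
Ikarus T3.1.1.12 2007.11.02 -
Kaspersky 7.0.0.125 2007.11.02 Heur.Trojan.Generic
McAfee 5155 2007.11.02 -
Microsoft 1.2908 2007.11.02 Backdoor:Win32/Rbot.gen!A
NOD32v2 2634 2007.11.02 probably a variant of Win32/Genetik
Norman 5.80.02 2007.11.02 -
Panda 9.0.0.4 2007.11.02 W32/Gaobot.QAN.worm
Prevx1 V2 2007.11.02 Heuristic: Suspicious Backdoor
Rising 20.16.42.00 2007.11.02 -
Sophos 4.23.0 2007.11.02 -
Sunbelt 2.2.907.0 2007.11.02 VIPRE.Suspicious
Symantec 10 2007.11.02 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.11.02 suspected of Malware.Agent.23 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.11.01 -
Webwasher-Gateway 6.6.1 2007.11.02 Worm.SdBot.162304.6
'@

# Row layout: engine  version  last-update (yyyy.MM.dd)  free-text result ("-" = clean)
$rowRx = '^(?<engine>\S+)\s+(?<version>\S+)\s+(?<updated>\d{4}\.\d{2}\.\d{2})\s+(?<result>.+)$'

$rows = foreach ($line in $report -split "`r?`n") {
    if (-not ($line -match $rowRx)) { continue }
    # Copy the captures out before any further -match overwrites $Matches.
    $engine = $Matches.engine
    $ver    = $Matches.version
    $upd    = [datetime]::ParseExact($Matches.updated, 'yyyy.MM.dd', $null)
    $res    = $Matches.result.Trim()
    [pscustomobject]@{
        Engine   = $engine
        Version  = $ver
        Updated  = $upd
        Result   = $res
        Detected = ($res -ne '-')
        Family   = ($families | Where-Object { $res -match $_ } | Select-Object -First 1)
        Stale    = ($upd -lt $scanDate)
    }
}

$rows | Sort-Object Detected -Descending | Format-Table Engine, Updated, Stale, Family, Result -AutoSize

$all      = @($rows)
$detected = @($all | Where-Object Detected)
'{0}/{1} engines flagged it ({2:P2})' -f $detected.Count, $all.Count, ($detected.Count / $all.Count)
'Named a family: {0}; heuristic/suspicious only: {1}' -f @($detected | Where-Object Family).Count,
                                                        @($detected | Where-Object { -not $_.Family }).Count
'Family names seen: ' + (($detected.Family | Where-Object { $_ } | Sort-Object -Unique) -join ', ')
'Clean verdicts from engines with definitions older than the scan date: ' +
    (($all | Where-Object { $_.Stale -and -not $_.Detected }).Engine -join ', ')
```

On the pasted report this gives 14/32 (43.75%), six verdicts naming a family (SdBot, Rbot, Gaobot) against eight heuristic-only hits, and three clean verdicts (Fortinet, TheHacker, VirusBuster) that came from engines with definitions older than the scan date.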