Process Just Won't Go Away (Trkwkss.exe)


  • This topic is locked
2 replies to this topic

#1 pfk505

pfk505

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:35 AM

Posted 04 May 2008 - 09:11 PM

Hello everyone

Your help would be greatly appreciated. I recently caught a bit of malware, which is usually no big deal, but I've yet to find a way to get rid of this particular process (in bold below). It tries to connect to random IPs over port 8080. I have it blocked with Sygate, but HJT, Combofix and various AVs won't find it or fix it. Looking forward to getting some help!

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-04 19:08:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:43 PM, on 5/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\trkwkss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\AVG7\avgrssvc.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\AVG7\avgamsvr.exe
C:\PROGRA~1\AVG7\avgupsvc.exe
C:\PROGRA~1\AVG7\avgrssvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINNT\Explorer.EXE
C:\internet\dumeter\DUMeter.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\SYSTEM32\ATIPTAXX.EXE
C:\PROGRA~1\AVG7\avgcc.exe
C:\temp\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [DU Meter] C:\internet\dumeter\DUMeter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\WINNT\SYSTEM32\ATIPTAXX.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\AVG7\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209877328406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133393739437
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVG7\avgrssvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4078 bytes

-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-04 18:55:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3ac.dat
2008-05-04 18:43:37 68096 --a------ C:\WINNT\zip.exe
2008-05-04 18:43:37 49152 --a------ C:\WINNT\VFind.exe
2008-05-04 18:43:37 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-04 18:43:37 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-04 18:43:37 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-04 18:43:37 98816 --a------ C:\WINNT\sed.exe
2008-05-04 18:43:37 80412 --a------ C:\WINNT\grep.exe
2008-05-04 18:43:37 73728 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-04 09:44:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-05-04 09:44:45 0 d-------- C:\Program Files\Uniblue
2008-05-04 09:35:55 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_384.dat
2008-05-04 08:44:29 0 dr-h----- C:\$VAULT$.AVG
2008-05-04 08:33:52 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-04 08:33:48 0 d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2008-05-04 08:33:26 0 d-------- C:\Program Files\AVG7
2008-05-04 08:33:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-04 08:33:26 0 d-a------ C:\Documents and Settings\All Users\Application Data\avg7
2008-05-04 00:43:03 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_36c.dat
2008-05-04 00:27:03 0 d-------- C:\Documents and Settings\Default User\Application Data\Mozilla
2008-05-03 22:33:27 0 d-------- C:\WINNT\system32\Windows Media
2008-05-03 22:33:06 0 d--h---c- C:\WINNT\$NtUpdateRollupPackUninstall$
2008-05-03 22:33:04 0 d-------- C:\WINNT\msiinst.tmp
2008-05-03 22:31:08 0 d--h---c- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$
2008-05-03 22:28:31 0 d-------- C:\WINNT\mui
2008-05-03 22:25:17 171280 --a------ C:\WINNT\system32\jit.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:17 139536 --a------ C:\WINNT\system32\javaee.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:17 313856 --a------ C:\WINNT\system32\dx3j.dll <Not Verified; Microsoft Corporation; Microsoft® DirectX for Java>
2008-05-03 22:25:17 46352 --a------ C:\WINNT\setdebug.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:17 6550 --a------ C:\WINNT\jautoexp.dat
2008-05-03 22:25:14 113 --a------ C:\WINNT\system32\zonedon.reg
2008-05-03 22:25:14 113 --a------ C:\WINNT\system32\zonedoff.reg
2008-05-03 22:25:13 171792 --a------ C:\WINNT\system32\wjview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 286992 --a------ C:\WINNT\system32\vmhelper.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 21264 --a------ C:\WINNT\system32\msjdbc10.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 947472 --a------ C:\WINNT\system32\msjava.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 154384 --a------ C:\WINNT\system32\msawt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 172304 --a------ C:\WINNT\system32\jview.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:13 15120 --a------ C:\WINNT\system32\jdbgmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:12 404752 --a------ C:\WINNT\system32\javart.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:12 63248 --a------ C:\WINNT\system32\javaprxy.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:12 187152 --a------ C:\WINNT\system32\javacypt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:25:11 49424 --a------ C:\WINNT\system32\clspack.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® Operating System>
2008-05-03 22:02:51 0 d-------- C:\WINNT\system32\SoftwareDistribution
2008-05-03 21:55:53 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_400.dat
2008-05-03 21:53:17 21075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-05-03 21:53:17 59472 --a------ C:\WINNT\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-05-03 21:53:11 0 d-------- C:\Program Files\Sygate
2008-05-03 20:50:45 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_364.dat
2008-05-03 20:07:37 213504 -r-hs---- C:\WINNT\trkwkss.exe <Not Verified; Microsoft® Windows Trkwks Service; Microsoft® Windows® Operating System>
2008-05-03 20:07:31 79 --a------ C:\WINNT\system32\i
2008-05-03 19:55:47 0 --a------ C:\adware.exe
2008-05-03 19:54:21 63 --a------ C:\WINNT\system32\x
2008-04-14 23:54:34 47360 --a------ C:\WINNT\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-14 23:54:34 47360 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-14 23:45:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Vso
2008-04-14 23:44:55 626688 --a------ C:\WINNT\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-04-14 23:44:55 217127 --a------ C:\WINNT\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-04-14 23:44:55 208935 --a------ C:\WINNT\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-04-14 23:44:55 176165 --a------ C:\WINNT\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-04-14 23:44:55 65602 --a------ C:\WINNT\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-04-14 23:44:53 0 d-------- C:\Program Files\VSO
2008-04-14 23:33:38 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_270.dat
2008-04-05 08:37:34 0 d-------- C:\Program Files\TVAnts


-- Find3M Report ---------------------------------------------------------------

2008-05-04 18:52:30 24 --a------ C:\WINNT\system32\DVCStateBkp-{00000000-00000000-00000008-00001102-00000004-00511102}.dat
2008-05-04 18:52:30 24 --a------ C:\WINNT\system32\DVCState-{00000000-00000000-00000008-00001102-00000004-00511102}.dat
2008-05-04 18:50:38 741892 ---h----- C:\WINNT\ShellIconCache
2008-05-04 09:48:11 0 d-------- C:\Program Files\EphPod
2008-05-04 08:32:58 0 d-------- C:\Program Files\Symantec AntiVirus
2008-05-03 22:25:21 0 d-a------ C:\Program Files\Common Files
2008-05-03 21:53:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-03 21:53:04 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 01:14:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-22 15:41:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2008-04-15 01:29:44 668 --a------ C:\Documents and Settings\Administrator\Application Data\vso_ts_preview.xml
2008-04-14 23:55:08 97 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.log
2008-04-14 23:54:34 1144 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.inf
2008-04-14 23:54:34 7887 --a------ C:\Documents and Settings\Administrator\Application Data\pcouffin.cat
2008-04-14 23:50:34 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-01 14:49:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\ZoomBrowser EX
2008-02-15 17:43:24 24 --a------ C:\WINNT\popcinfo.dat
2008-02-10 08:55:31 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_298.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINNT\Updreg.exe" [05/11/00 02:00a]
"DU Meter"="C:\internet\dumeter\DUMeter.exe" [02/01/05 08:28p]
"SoundMan"="SOUNDMAN.EXE" [01/08/04 11:54a C:\WINNT\SOUNDMAN.EXE]
"ATIPTA"="C:\WINNT\SYSTEM32\ATIPTAXX.EXE" [08/30/05 07:05p]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [06/30/04 04:56p]
"AVG7_CC"="C:\PROGRA~1\AVG7\avgcc.exe" [05/04/08 08:33a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"=C:\PROGRA~1\AVG7\avgw.exe /RUNONCE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsHistory"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 05/04/08 08:33a 9216 C:\WINNT\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS



-- End of Deckard's System Scanner: finished at 2008-05-04 19:09:01 ------------


TIA!

#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 06 May 2008 - 07:43 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A Hijackthis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

From the DSS log:
2008-05-03 20:07:37 213504 -r-hs---- C:\WINNT\trkwkss.exe

http://www.ss64.com/ntsyntax/services.html
Distributed Link Tracking Client (TrkWks) - runs in Services.exe or svchost.exe - Sends notification of files moving between NTFS volumes in a network domain. - Startup: Automatic
Can be set to manual if you don't need this function.

It looks like that is a Microsoft file; check the properties if you have any doubt, it should say "Microsoft Corporation".
Here are some good free scanners if you ever want information about a file:

http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
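Editor's note (added example, not part of either post above and not a tool either poster used): the genuine Distributed Link Tracking Client is trkwks.dll, loaded by svchost.exe from System32, not a stand-alone .exe in the Windows root. The DSS log in post #1 shows C:\WINNT\trkwkss.exe with attributes -r-hs---- (read-only, hidden, system), created 2008-05-03 20:07:37, six seconds after C:\WINNT\system32\i, and a version resource that merely claims "Microsoft". A version string is a resource anyone can set, so the check that actually settles it is the one the reply points to: hash the file and submit it to Jotti or VirusTotal. The script below automates the triage a responder does by eye over HJT/DSS output: it parses the "Running processes" list and the "Files created" section, scores each running image on location, creation time, hidden+system attributes, an unverified Microsoft claim outside System32, and a name one edit away from a real Windows binary, and provides the SHA-256 helper for the scanner submission. SAMPLE_LOG is an excerpt of the log in post #1 with the ® characters dropped; the KNOWN name list, the C:\WINNT default, and the "two or more reasons" threshold are my assumptions.

```python
"""Triage helper for HijackThis / Deckard's System Scanner (DSS) logs.

Added example: scores each running image on checks a responder applies by
hand and prints the hash to submit to VirusTotal/Jotti.
"""
import hashlib
import re

# Excerpt of the DSS log posted in this thread (ASCII only), used as sample input.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\trkwkss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE

-- Files created between 2008-04-04 and 2008-05-04 -----------------------------

2008-05-03 20:07:37 213504 -r-hs---- C:\WINNT\trkwkss.exe <Not Verified; Microsoft Windows Trkwks Service; Microsoft Windows Operating System>
2008-05-03 20:07:31 79 --a------ C:\WINNT\system32\i
"""

# Stems of genuine Windows binaries/services that malware likes to imitate.
# trkwks is the real Distributed Link Tracking Client: trkwks.dll hosted by
# svchost.exe from System32, never a stand-alone exe in the Windows root.
# (Assumed list for this example; extend it for your environment.)
KNOWN = {"svchost", "lsass", "csrss", "smss", "winlogon", "services",
         "explorer", "spoolsv", "trkwks", "wuauclt"}

# DSS "Files created" line: timestamp, size, 9-char attribute flags, path, optional <version info>.
FILE_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{9}) (?P<path>.+?)(?: <(?P<ver>[^>]*)>)?$"
)


def parse_log(text):
    """Return (running process paths, {lowercased path: dict of ts/size/attrs/path/ver})."""
    procs, created, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            section = "procs"
            continue
        if line.startswith("-- Files created"):
            section = "files"
            continue
        if section == "procs":
            if not line:
                section = None          # blank line ends the HJT process list
            elif ":\\" in line:
                procs.append(line)
        elif section == "files":
            m = FILE_LINE.match(line)
            if m:
                created[m["path"].lower()] = m.groupdict()
    return procs, created


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names (trkwkss vs trkwks)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(text, windir=r"C:\WINNT"):
    """Return [(path, [reasons])] for running images that trip at least two checks."""
    procs, created = parse_log(text)
    findings = []
    for path in procs:
        folder, _, name = path.rpartition("\\")
        stem = name.lower().rsplit(".", 1)[0]
        reasons = []
        if folder.lower() == windir.lower():
            # Weak on its own: Explorer.EXE and OEM tools such as SOUNDMAN.EXE live here too.
            reasons.append("image in Windows root rather than System32")
        rec = created.get(path.lower())
        if rec:
            reasons.append(f"created {rec['ts']}, inside the scan window")
            if "h" in rec["attrs"] and "s" in rec["attrs"]:
                reasons.append(f"hidden+system attributes ({rec['attrs']})")
            if "microsoft" in (rec["ver"] or "").lower() and "system32" not in folder.lower():
                reasons.append("version resource claims Microsoft but file is not in System32 (unverified)")
        if stem not in KNOWN and any(edit_distance(stem, k) == 1 for k in KNOWN):
            reasons.append("name is one edit away from a genuine Windows binary")
        if len(reasons) >= 2:   # threshold is an assumption; tune to taste
            findings.append((path, reasons))
    return findings


def sha256_hex(data: bytes) -> str:
    """The value to paste into VirusTotal/Jotti instead of trusting a version string."""
    return hashlib.sha256(data).hexdigest()
```

Run on the excerpt, `triage(SAMPLE_LOG)` flags only C:\WINNT\trkwkss.exe, with five reasons; Explorer.EXE and SOUNDMAN.EXE each trip only the location check and stay quiet. To hash the real file, read it in binary mode and pass the bytes to `sha256_hex`.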

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 13 May 2008 - 08:13 AM

There has been no response to this topic in a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



