Please Help !

[noeleon]

A worm or virus-how to remove wkmst.exe
It run a service named *windows update

Please help...i have used all the virus remover nothing is detected Xp Home... The file wkmst.exe is nowhere to find. Not in system32 folder I have viewed hidden/unhidden
but can't finds it. Any idea will be a gift from heaven...


Thanks

 

[linney]

What program is notifying you or how are you picking up on wkmst.exe?

Make sure any virus definitions are updated.

Removing adware & spyware
faq608-4650

Microsoft (GIANT Antispyware) Beta available
Thread779-979113

http://www.diamondcs.com.au/index.php?page=products

 

[noeleon]

The wkmsta.exe is always checking itself back in the startup it also rewrite itself in the 04-*windows update - wkmst.exe in the hijackthis log file. I even deleted some registry kays that runs and points to this file but it keeps coming back. It points to Windows\system32\wkmst.exe but its not there tried in safe mode but no joy. Thanks linney.

 

[eyec]

you did disable your restore point after getting rid of it and before re-booting, right?

 

[noeleon]

I havent disable restore do you think it causes it? I am not running system restore. But you know why can't i find wkmst.exe in system32 folder? I changed folder option already and its not there. Can i find it in dos mode using what command? Thanks

 

[eyec]

when you get rid of a virus (in ME or XP) you should disable the restore point so that when you reboot it does not re-infect your machine.

do you have enable system & hidden files active?

 

[linney]

In Safe Mode create a dummy file and call it wkmst.exe, make it read only, and place it in the System32 folder, reboot and see if that action generates an error message or other reaction from the process that is creating this file?
Delete the dummy file afterward.

If you Google for wkmst.exe there are no English hits but several other language mentions.

You can also look at this thread about hard to clean infections and try that procedure, if you like.

http://www.lavasoftsupport.com/index.php?showtopic=54511&st=0

It is a misconception that System Restore restores files on a reboot, it will only restore a file if you tell it to and only when you actually run System Restore. However any exe from a infection you may remove or delete will end up in System Restore, so you must remove it from there too by cleaning the restore points, which can be done with Disk Cleanup (create a new clean restore point first and then use the More Options tab) or by turning System Restore off then back on.

 

[noeleon]

Thank you for all the tips...I'll try this thing tomorrow.
Thanks Linney and Eyec I really appreciated your effort.

 

[LloydSev]

Have you noticed any new network shares recently?

I believe what you may have is called Win32.Rbot

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437

Via Other Malware

Some Rbot variants can also infect remote systems through backdoors created by other malware:

* Win32.Bagle worm (TCP port 2745)
* Win32.Mydoom worm (TCP port 3127)
* Win32.OptixPro trojan (TCP port 3410)
* Win32.NetDevil trojan (TCP port 903)
* Win32.Kuang trojan (TCP port 17300)
* Win32.SubSeven trojan (TCP port 27347)

Computer/Network Technician
CCNA

 

[noeleon]

Hi LloydSev;

Thanks but I am returning to my client tomorrow and I'll be looking for that. Anyway what particular procedure is needed to remove the wkmst.exe? Please give some idea. Thanks again.

noeleon

 

[noeleon]

Hi LloydSev, Linney, Eyec;


Thanks a lot to you guys. I got the wkmst.exe gone forever.
It's actually a sdbot trojan. Thanks again for all the support. I like tek-tips. It's great to be a member.

noeleon

 

[bcastner]

Welcome.