Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

winkpba.exe

  • 30-07-2002 11:17am
    #1
    Registered Users, Registered Users 2 Posts: 4,400 ✭✭✭


    samba received himself an e-mail with said proggy as an attachment. It has placed a little icon for itself in msconfig and apparently it's in c:\windows\system, funnily enough if I go there and try to delete it in dos or otherwise it's not there.

    I think someone is trying to poach valuable customer info from his computer as it holds some information about the family business (albeit not much, but enough for him to be a tad worried)

    I can't find out what winpba.exe is, if you uncheck it's box to load with windows, upon next reboot it will still be there, re-checked as if you never did anything.

    Any idea's pls? :o


Comments

  • Registered Users, Registered Users 2 Posts: 55,571 ✭✭✭✭Mr E


    Get a rolled up newspaper, and hit this samba person across the head a few times for running an exe received by email!

    In the topic you called it winkbpa, while in the post you called it winpba. Which is it ??

    That said, I don't think its spyware. I had a look around some anti-spyware sites, and none of them mention it.

    Run msconfig.exe, click on the startup tab. Uncheck it to stop it loading at startup. Now go into the process manager (CTRL/ALT/DEL, Task Manager, Processes) and kill that sucker if its running. Finally, go into the system dir and RENAME it (don't delete it just in case its actually needed for something).

    If after a couple of days, nothing is broken, then you can safely delete it.

    Hope that helps,
    Dave.


  • Registered Users, Registered Users 2 Posts: 125 ✭✭tmcd


    Its the Klez virus, I have a lot of dealings with this one,
    go to http://housecall.antivirus.com and do the online virus scan. It will pick it up fairly quick.

    Copied from this page
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.E

    WORM_KLEZ.E


    Risk rating:
    Virus type: Worm
    Destructive: Yes

    Aliases:
    W32.Klez.E@mm, KLEZ

    Description:
    This destructive mass-mailing worm propagates copies of itself across network drives. Upon execution, it drops two executable files, WINK*.EXE and WQK.EXE, in the Windows System folder. It also creates registry entries that allow it to run at system startup.

    This worm terminates processes, and occasionally deletes files associated with certain antivirus programs. On the sixth (6) day of every odd-numbered month (January, March, May, July, September, November) it overwrites files with the following extensions:

    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPEG
    MPG
    BAK
    MP3
    JPG
    Read more about these variants.

    Solution:
    Automatic Removal Instructions


    Please download and run the fix_worm_klez_4.21.zip fix tool. If you have a MD5 signature checker, the MD5 hash of this tool is FA9CF3DBD75A412E2753927DAB789DFE.
    Trend Micro requests that all users download and read the readme_worm_klez_4.21.txt text before using this tool.
    Manual Removal


    Restart the system in Safe mode. Except Windows NT, all Windows system can be restarted.
    For Windows 95 systems, this could be done with the following instructions:
    Restart the computer.
    Press the F8 key when you see the message "Starting Windows 95".
    For Windows 98/Me systems, please follow these steps:
    Restart the computer.
    Hold down the Ctrl key until the Windows 98 startup menu appears.
    Choose the Safe Mode option and press the Enter key.
    For Windows XP systems, please follow the following instructions:
    Restart the computer.
    When prompted, press the F8 key. If Windows XP Professional starts without the “Press select operating system to start” menu, restart the computer. Press F8 again after the Power-On Self Test is done.
    Choose the Safe Mode option from the Windows Advanced Options Menu.
    For Windows 2000 systems, please follow these steps:
    Restart the computer.
    Press the F8 key, when you see the Starting Windows bar at the bottom of the screen.
    Choose the Safe Mode option from the Windows 2000 Advanced Options Menu.
    Scan your system with Trend antivirus and note any WORM_KLEZ.E infected file named WINK*.EXE (* is a random number of random characters).
    Click Start, and then click on Run.
    After the Run dialog box appears, type regedit on the input box provided and press the Enter key.
    As soon as the Registry Editor window’s appears, locate the following key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    In the right pane, look for the following values:
    ”Wink*” = ”%System%\Wink*.exe”
    ”WQK” = “%System%\Wqk.exe”
    Note: * is any random characters
    Click on these values if they exist and press the DEL key to delete them.
    Now locate the following key if they exist:
    HKEY_LOCAL_MACHINE\System\CurrentControl
    Set\Services
    Under the Services key, look for the subkey Wink* and delete it if it exists.
    Close the Registry Editor.
    Restart the system.
    Do a scan of the system again and delete any files detected with WORM_KLEZ.E.
    Using your notes in step 2, delete all values in the right panel that have the same name as those files detected/deleted by your Trend Micro antivirus.
    Since this worm makes use of a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patch:
    Update to Internet Explorer 5.01 SP2
    Update to IE 5.5 SP2
    Update to IE 6.0
    Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.


  • Registered Users, Registered Users 2 Posts: 8,148 ✭✭✭Ronan|Raven




  • Registered Users, Registered Users 2 Posts: 4,400 ✭✭✭TacT


    thanks lads, yes I slapped him thoroughly, I never new the times could be so good!


Advertisement