
winkpba.exe

  • 30-07-2002 12:17pm
    #1
    Registered Users Posts: 4,400 ✭✭✭


    samba received himself an e-mail with said proggy as an attachment. It has placed a little icon for itself in msconfig and apparently it's in c:\windows\system; funnily enough, if I go there and try to delete it in DOS or otherwise, it's not there.

    I think someone is trying to poach valuable customer info from his computer, as it holds some information about the family business (albeit not much, but enough for him to be a tad worried).

    I can't find out what winpba.exe is. If you uncheck its box to load with Windows, upon next reboot it will still be there, re-checked as if you never did anything.

    Any ideas, pls? :o


Comments

  • Registered Users Posts: 55,517 ✭✭✭✭Mr E


    Get a rolled up newspaper, and hit this samba person across the head a few times for running an exe received by email!

    In the topic you called it winkbpa, while in the post you called it winpba. Which is it ??

    That said, I don't think it's spyware. I had a look around some anti-spyware sites, and none of them mention it.

    Run msconfig.exe and click on the Startup tab. Uncheck it to stop it loading at startup. Now go into the process manager (CTRL/ALT/DEL, Task Manager, Processes) and kill that sucker if it's running. Finally, go into the system dir and RENAME it (don't delete it, just in case it's actually needed for something).

    If after a couple of days, nothing is broken, then you can safely delete it.

    Hope that helps,
    Dave.


  • Registered Users Posts: 125 ✭✭tmcd


    It's the Klez virus; I have a lot of dealings with this one.
    Go to http://housecall.antivirus.com and do the online virus scan. It will pick it up fairly quickly.

    Copied from this page
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.E

    WORM_KLEZ.E


    Risk rating:
    Virus type: Worm
    Destructive: Yes

    Aliases:
    W32.Klez.E@mm, KLEZ

    Description:
    This destructive mass-mailing worm propagates copies of itself across network drives. Upon execution, it drops two executable files, WINK*.EXE and WQK.EXE, in the Windows System folder. It also creates registry entries that allow it to run at system startup.

    This worm terminates processes, and occasionally deletes files associated with certain antivirus programs. On the sixth (6) day of every odd-numbered month (January, March, May, July, September, November) it overwrites files with the following extensions:

    TXT, HTM, HTML, WAB, DOC, XLS, CPP, C, PAS, MPEG, MPG, BAK, MP3, JPG

    Solution:
    Automatic Removal Instructions


    Please download and run the fix_worm_klez_4.21.zip fix tool. If you have a MD5 signature checker, the MD5 hash of this tool is FA9CF3DBD75A412E2753927DAB789DFE.
    Trend Micro requests that all users download and read the readme_worm_klez_4.21.txt text before using this tool.
    Manual Removal


    1. Restart the system in Safe mode. All Windows systems except Windows NT can be restarted this way.
       For Windows 95 systems:
       - Restart the computer.
       - Press the F8 key when you see the message "Starting Windows 95".
       For Windows 98/Me systems:
       - Restart the computer.
       - Hold down the Ctrl key until the Windows 98 startup menu appears.
       - Choose the Safe Mode option and press the Enter key.
       For Windows XP systems:
       - Restart the computer.
       - When prompted, press the F8 key. If Windows XP Professional starts without the "Press select operating system to start" menu, restart the computer. Press F8 again after the Power-On Self Test is done.
       - Choose the Safe Mode option from the Windows Advanced Options Menu.
       For Windows 2000 systems:
       - Restart the computer.
       - Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
       - Choose the Safe Mode option from the Windows 2000 Advanced Options Menu.
    2. Scan your system with Trend antivirus and note any WORM_KLEZ.E-infected file named WINK*.EXE (* is a random number of random characters).
    3. Click Start, and then click Run.
    4. After the Run dialog box appears, type regedit in the input box provided and press the Enter key.
    5. As soon as the Registry Editor window appears, locate the following key:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    6. In the right pane, look for the following values:
       "Wink*" = "%System%\Wink*.exe"
       "WQK" = "%System%\Wqk.exe"
       Note: * is any random characters.
    7. Click on these values if they exist and press the DEL key to delete them.
    8. Now locate the following key, if it exists:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    9. Under the Services key, look for the subkey Wink* and delete it if it exists.
    10. Close the Registry Editor.
    11. Restart the system.
    12. Scan the system again and delete any files detected as WORM_KLEZ.E.
    13. Using your notes from step 2, delete all values in the right panel that have the same name as the files detected/deleted by your Trend Micro antivirus.
    14. Since this worm makes use of a vulnerability in HTTP-based email clients like Microsoft Outlook and Outlook Express, please apply the latest patch:
       - Update to Internet Explorer 5.01 SP2
       - Update to IE 5.5 SP2
       - Update to IE 6.0
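The manual removal steps quoted above check four places by hand: the Run key, the Services subkeys, the System folder and the process list. As an added example (not from this thread and not a Trend Micro tool), the script below audits those same places from an elevated PowerShell session and reports what it finds without changing anything, so the findings can then be handled with the steps above. The name patterns Wink* and Wqk are taken from the quoted description; the $NamePatterns parameter and the report layout are this example's own choices. It uses -Force on the directory listing because, as the first post notes, the dropped file was not visible in a plain listing; -Force includes hidden and system files.

```powershell
# Added example: read-only audit of the Klez persistence points described above.
# Run as Administrator. Nothing is deleted or modified.
[CmdletBinding()]
param(
    # Patterns from the quoted description: WINK*.EXE and WQK.EXE (assumption: names only, not paths)
    [string[]]$NamePatterns = @('Wink*', 'Wqk')
)

$findings = @()

# 1. Autostart values under HKLM\...\Run (the worm's startup persistence)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    # Skip the PS* bookkeeping properties PowerShell adds to registry objects
    $values = (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        foreach ($pat in $NamePatterns) {
            # Match either the value name ("Wink*") or the command it points at (...\Wink*.exe)
            if ($v.Name -like $pat -or ([string]$v.Value) -like "*\$pat.exe*") {
                $findings += [pscustomobject]@{ Where = 'Run value'; Name = $v.Name; Detail = $v.Value }
            }
        }
    }
}

# 2. Service subkeys named Wink* under CurrentControlSet\Services
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($svc in (Get-ChildItem -Path $svcKey -ErrorAction SilentlyContinue)) {
    foreach ($pat in $NamePatterns) {
        if ($svc.PSChildName -like $pat) {
            $findings += [pscustomobject]@{ Where = 'Service key'; Name = $svc.PSChildName; Detail = $svc.Name }
        }
    }
}

# 3. Dropped files in the System folder (%System%). -Force shows hidden/system files,
#    which a plain directory listing would miss.
$sysDir = [Environment]::GetFolderPath('System')
foreach ($pat in $NamePatterns) {
    Get-ChildItem -Path $sysDir -Filter "$pat.exe" -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Where  = 'File'
                Name   = $_.Name
                Detail = "$($_.FullName) ($($_.Length) bytes, attributes: $($_.Attributes))"
            }
        }
}

# 4. Matching running processes (what Task Manager's Processes tab would show)
foreach ($pat in $NamePatterns) {
    Get-Process -Name $pat -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Where = 'Process'; Name = $_.ProcessName; Detail = "PID $($_.Id)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Wink*/Wqk artefacts found in the Run key, Services, the System folder or the process list.'
} else {
    $findings | Format-Table -AutoSize
}
```

Save it as klez-audit.ps1 and run it before and after following the removal steps: a clean second run shows that the Run value, the service key, the dropped files and the process are all gone, which is the same confirmation the quoted procedure asks for with its second scan.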


  • Registered Users Posts: 8,146 ✭✭✭Ronan|Raven




  • Registered Users Posts: 4,400 ✭✭✭TacT


    thanks lads, yes I slapped him thoroughly, I never knew the times could be so good!

