What is "winkhtq.exe" and why is it on my computer? 2

[Violinist]

One of our agents has this program (winkhtq.exe) in the c:\windows\system directory.

He is using a 1 year old Gateway PIII, and Win98 for an OS.

Unchecking this selection in msconfig seems to do nohing as it is rechecked at next boot. I have found 3 entries in the registry for this, but before I remove them I would like to know more about what I am removing.

Is this harmless, necessary, or what. Any assistance would be appreciated.

 

[frosty423]

Unfortunately, your agent has the Klez and Elkern viruses. Pesky things, keeps coming back if it isn't cleaned correctly.

You might want to download this removal tool from Symantec.

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.removal.tool.html

The removal tool will clean and remove both viruses.

 

[mscallisto]

Frosty is absolutely correct.

Klez is one of the worst viruses around and sometimes difficult to get rid if.

If Frosty's cure dosen't work I can supply more info just ask.

Much luck!
sam

 

[SESaskDFC]

frosty423 and mscallisto

Just wondering where you came up with that file being associated with Klez and Elkern??

I went to the Norton site and there is absolutely NOTHING in there anywhere related to "winkhtq.exe" especially in the Klez or Elkern info pages..

A search using Google and Dogpile found zilch as well..

Quite interested where you got your info from!!

Murray

 

[mscallisto]

I got my info from McAfee but a google search on klez should give you droves of info

 

[mscallisto]

In addition you most likely will se wink reference in your registry.

Start
run
regedit

go to:
HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current version
run

highlight and remove lines that contain:
Wink or
WQK
close rededit

There is more but let's see where you take it from here

 

[SESaskDFC]

I know all about klez..

From McAffee..

Search Results
We found no records matching the following criteria:
Virus name containing "winkhtq.exe".
Please try narrowing your search by using fewer characters.

Search Results
We found 3 record(s) matching the following criteria:
Virus name containing "wink".
TROJ_WINKILL.A (Trend) TROJ_WINKILLER.A
Winkiller

We found no records matching the following criteria:
Virus name containing "WQK".
Please try narrowing your search by using fewer characters.

It would appear McAffee has nothing on this file either that has to do with Klez..


VIOLINIST:

I suggest you go to

http://www.antivirus.com

and use their online scanner.. I have a feeling you got stuck with some spyware and NOT a virus..

Murray

 

[Marcs41]

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KLEZ.H

If the solution is out there, let us know it was helpful, so others can benefit from it as well..

 

[Violinist]

This was my first time to participate in this kind of site. I am impressed.

Now for the rest of the story.

Our system is behind a Watchguard(tm) firewall with a fully functional and up-to-date Nortons AV protecting it.

This feeds a W2K file server and NT5 exchange server for our email. Both units use Nortons Corporate Edition and are using the latest definition files.

I scan the system twice weekly and manually whenever something unusual appears. So far - nothing. The system messages are constantly informing me of quarantines and rejected email (etc...) so I feel relatively safe.

All the agents have their own protection plus the protection offered by their connection tot he network. All email comes through the watchguard firewall, through the Exchange server to their personal computers. No one gets around the system.

The computer in question is in this configuration.

I too looked in Google for "Winkhtq" and its variations, and as most of you found - no returns. When I get to the office in the morning I will run the K*L*E*Z* removal tool from Norton's as was suggested.

Results in the morning - thanks for the assistance.

Violinist (only because I am terrible at nicknames, but really am one)

 

[Marcs41]

While you're at the office tom. right click that file - properties - Version tab. Check all the fields, like company, comments ... that may give you a clue If the solution is out there, let us know it was helpful, so others can benefit from it as well..

 

[PCLine]

Hi,
McAfee does have info on the above file in relation to Klez.

Randomly/oddly named files on network shares, as described above.
Reference to a WINKxxx.EXE file ("xxx" looks random) in a Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


From link;

http://vil.mcafee.com/dispVirus.asp?virus_k=99455

search engines don't have all the answers - you've got to dig a little deeper. Given the lead from the two guys above you should have found the info.

 

[Violinist]

Problem Solved.

I downloaded the "FixKlez" file from Symantec and ran it three times. The first time it reported that one file could not be removed. The second time, I followed the instructions and went ot Safe Mode before running the Fix. The third time it returned a "Not Found" message

106 files were deleted, 12 were repaired, and one registry entry was fixed.

By further discussion I was able to determine that the agent has used a floppy disk from home several times.

What I can say is that our system performed as expected. The worm was isolated to his computer. Our system stops infected email both in and out. The messages I have received from the system should have indicated that to me. The messages however, do not identify the sender or intended recipient, just the cold fact that the worm was quarantined or stopped at the gate.

To be on the safe side, Ad-Aware and SpyBot were both run on that unit with perdictable results. He had been compromised that way as well.

Now the "Winkhtq" file and reference to it in msconfig stays unchecked and his computer is performing as new, until the next time.

A Great Big thank-you for all the help

The Violinist

 

[SESaskDFC]

Thanks guys.. I had a heck of a time finding anything related to that file and Klez.. Now, if it turns up on anything, I will know what it is.. Hopefully Norton will catch it ahead of time but who knows !!

Murray