Windows Workstation Service



#1
Dorian-Blue


    New Member

  • Member
  • Pip
  • 4 posts
I'm still cleaning up my laptop after being victimized by a variation of the sdbot worm. I have an automatic service called "Windows Workstation Service." Is this a legitimate service (my laptop is used occasionally on a large enterprise network) or is this service always a backdoor exploit?

By the way, I have completed all of the tasks for handling a suspected malware infection as mentioned above and quite frankly the suggestions saved my career (my laptop provides my income). Everything is running normally now except for IE 6, which is being blocked from some sites (such as Symantec and McAfee) as if something has created an exception to these sites.
  • 0



#2
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
There is a "workstation service" but not something called "windows workstation service".

If something is blocking your access, it could be a setting in your host file. Did you check there?
  • 0

#3
dsenette


    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
http://castlecops.com/StartupList.html <-- the windows workstation service is Added by a variant of the W32/SDBOT WORM!
  • 0

#4
Dorian-Blue


    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for the reply, Gerry. I'm going to take the risk and delete all the entries I have in the registry for "Windows Workstation Service" since they are all calling a file that is a known malicious program (wkssvc.exe).

I indeed checked out the etc\hosts file (thanks to your suggestion) and HOLY SMOKES!!!!

Here are the entries I found there:

80.117415 www.symantec.com
80.117415 securityresponse.symantec.com
80.117415 symantec.com
80.117415 pandasoftware.com
80.117415 www.pandasoftware.com
80.117415 www.sophos.com
80.117415 sophos.com
80.117415 www.mcafee.com

and a bunch of other antivirus sites. I'm not a network expert but I believe these entries cause me to go down a port that gives me the error. Luckily, I do have a firewall installed that has this port blocked.

Interestingly, if I copy this file to another computer as a text file (I wanted to copy and paste it here), the McAfee VirusScan on the second computer alerts and wipes out the entries from the file. Also, on the infected computer if I delete the lines and save the file and then reopen it, the entries are back. I had to delete the hosts file and build a new one to keep it clean.

It looks like I have more files to find that were causing this behavior.

One last thing worthy of mentioning, the last two lines in the infected file read:

#Start of entries inserted by Spybot - Search & Destroy
#End of entries inserted by Spybot - Search & Destroy

It looks like Search & Destroy tried to do its job but was defeated.

Thanks again for the help,
Dorian
  • 0
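A check for the hosts-file tampering described in post #4, as an added example that is not part of the original thread: it parses hosts-file text and reports every entry that maps a security-vendor domain (or a subdomain of one) to any address. The watchlist is built from the domains quoted in the post, the sample input is constructed around three of the quoted lines, and the function names are hypothetical.

```python
import ipaddress

# Vendor domains taken from the entries quoted in the post above.
WATCHLIST = ("symantec.com", "pandasoftware.com", "sophos.com", "mcafee.com")

# Constructed sample: a default localhost line, three of the quoted entries
# (address kept exactly as posted) and a constructed benign intranet line.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
80.117415 www.symantec.com
80.117415 securityresponse.symantec.com
80.117415 sophos.com   # trailing comment
10.0.0.5        intranet.example.test
#Start of entries inserted by Spybot - Search & Destroy
#End of entries inserted by Spybot - Search & Destroy
"""

def classify_address(addr):
    """Label the address field as local, routable or malformed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"          # not a valid IPv4/IPv6 literal
    if ip.is_loopback or ip.is_unspecified:
        return "local"              # 127.0.0.1, ::1, 0.0.0.0 style blocking
    return "routable"

def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def audit_hosts(text):
    """Return (line_no, address, address_kind, hostname) for watched names."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(entry) < 2:
            continue                # blank, comment-only or bare address
        addr, names = entry[0], entry[1:]
        for name in names:          # one line may carry several aliases
            if is_watched(name):
                findings.append((line_no, addr, classify_address(addr), name))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s (%s) -> %s" % finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean workstation normally has no reason to list antivirus vendor domains there at all, so any finding deserves a look.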

#5
dsenette


    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
Please go to the malware forum in my signature and follow the instructions at the top... especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be--then post a HijackThis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.
  • 0





