c:\windows\system32.exe\winkdr.exe - WinXP home service?


g00n
September 4th, 2002, 06:51 AM
I recently started a job repairing PCs for a major PC manufacturer. And this afternoon, I ran across a WinXP Home system where the user's complaint was "Sluggish". A P4 1.4 with 128MB RAM shouldn't be slow with the apps the commoners run. So after I booted up the system it was indeed slow. I tried to bring up the Task Manager so I could see the processes and memory and such. I found that it would appear briefly (if it started at all) then disappear. After a couple dozen tries I was actually able to get some screenshots of the process list. I found that a "winkdr.exe" was using 98% of the processor. I was then able to get the process killed with some quick fingers and an accurate mouse. As soon as the process was killed, the system became very responsive. I then went looking for this exe file to find what it was associated with. 1st off, the file did not actually exist on the filesystem. 2nd, it was listed in the registry as a service. 3rd, I found that it was indeed in the Services applet set to start automatically. I then went to another system and searched Google for "winkdr.exe" and came up empty. Now I'm assuming that the actual exe renames the process to winkdr.exe once it's run...

But due to time constraints and an inability to remove media from the work place, I was unable to save anything to have it "checked out". Add the fact that I wasn't able to find the file before I had to fdisk, format and reinstall the OS.

So, my question is.. has anyone else seen this?

Oh, if I put this in the wrong forum, let me know, or move it, whatever.. I'll understand.

micael
September 4th, 2002, 08:46 AM
I have checked and found nothing about your problem.. Ashamed to say, I do not have any computer with XP Home edition, so I can't tell if it's OS related or if you had a "bug" of any kind in your system.

winkdr.exe seems familiar though, but I can't remember where I have stumbled over the name earlier. Maybe from a similar sluggish system you got your hands on :)

It does not have to be a virus, it may also be a bad driver or application needed by some specific hardware or program you use. It would have helped if you had the faulty system intact for thorough examination :).

I wish that I could be of better help, maybe someone else knows more?

~micael
----
Edit: Your subject line seemed a bit faulty. If it's the path to winkdr.exe you have there, you have searched for the wrong file. c:\windows\system32.exe\winkdr.exe is probably not a valid path and you should probably have searched for system32.exe.

System32.exe is a known virus file; amongst several viruses, the worm W32/Mari@MM (http://vil.nai.com/vil/content/v_99131.htm) uses this file and also runs as a hidden service.

Null_Session
September 4th, 2002, 08:46 AM
Question: did he have Kazaa on the system or B3D Projector? There is a file that's run when you start up Windows which allocates your extra RAM to a dedicated server for their needs; basically they're stealing your extra speed and making your system slow or even thrashing your speed.

omin
September 4th, 2002, 12:29 PM
The file wink(randomchars).exe is part of the Klez worm. VERY nasty! Try going to the Symantec website and finding their Klez remover. I had to remove this from someone's machine a while ago and it turned out to be a real bitch. Closes processes just after they have been opened (which you said was happening), edits kernel32 along with over 300 other system files.

micael
September 4th, 2002, 01:32 PM
Micael said: "winkdr.exe seems familiar though.."

omin said: "The file wink(randomchars).exe is part of the klez worm."

So obvious that I should not have forgotten it :(.
Time for me to change occupation, pos. for heads up :).

HavangerSr
September 4th, 2002, 05:28 PM
Um, first off, if you have a P4 1.4 with 128, you need more RAM. Plain and simple. If it's SDRAM, then you need shot. Just reinstall with a regular OS CD. Non HP, Compaq, Gateway, what have you.

-havanger

nebuluswonderer
September 4th, 2002, 07:27 PM
Plain and simple, he does not need more RAM. 128 is fine for a P4 1.4.

Home XP can be a little slow with only 128 but the problem is exactly what omin said.
Go to the symantec website and use the klez remover.

That is your problem.

micael
September 4th, 2002, 07:55 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by g00n
But due to time constraints and an inability to remove media from the work place, I was unable to save anything to have it "checked out". Add the fact that I wasn't able to find the file before I had to fdisk, format and reinstall the OS.

So, my question is.. has anyone else seen this?

Oh, if I put this in the wrong forum, let me know, or move it, whatever.. I'll understand.


Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by nebuluswonderer
Plain and simple, he does not need more RAM. 128 is fine for a P4 1.4.

Home XP can be a little slow with only 128 but the problem is exactly what omin said.
Go to the symantec website and use the klez remover.

That is your problem.

It was the problem :)

If I read g00n's post correctly, the computer is already fixed with fdisk & formatting. But the answer is probably that the Klez virus had infected the computer g00n was working with, and that was the question to be answered.

~micael

g00n
September 4th, 2002, 11:53 PM
Thanks guys, just the info I needed. Concerned though that Norton didn't pick it up.. especially since their site has info on Klez. Ah well.. that'll teach the morons to download crap from the internet. You got no clue how many HDDs I get to format each day from viruses alone. And at $80/CD for us to do backups and $40 to clean viruses... this company has got to be rakin' it in just from the warranty work alone. Not to mention the fact that it's $80 to get this warranty in the first place..

Why buy it when you can build it!!!!

g00n
September 5th, 2002, 03:20 AM
And I JUST realized that I made it system32.exe\winkdr.exe when I had meant to type system32\winkdr.exe.

And I did search for winkdr.exe... and even went to the system32 directory and looked by hand... hoping I could see it or it was an L or something... no luck... but thanks guys.. answered my question.

phishphreek
September 5th, 2002, 05:26 AM
If you are on a LAN, you may also want to keep a lookout for this problem on other PCs. Klez spreads via network shares.

I had a user receive this via e-mail and she opened it.
There was a problem with her PC reaching the antivirus server, so the defs were not up to date and it wasn't caught right then.
As soon as it tried to spread over the network, I caught it. I was lucky in that situation.

Phishphreek80

Tedob1
September 5th, 2002, 05:34 AM
"dr" is just 2 random characters that the worm adds to its name to throw you off; that's what omin meant by "wink(randomchars).exe". Read this, then you'll understand:

http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html
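A defender-side triage check for the two indicators this thread describes (an auto-start service whose binary is "wink" plus two random characters, per omin and Tedob1, and a registered service whose ImagePath points to nothing on disk, per g00n). This is an added example, not code from any poster or from Symantec; the name pattern, the %SystemRoot% expansion and the sample service entries are assumptions.

```python
import re
# Constructed heuristic from the thread: the worm's auto-start service binary is
# "wink" plus two random characters (winkdr.exe). Assumed, not a vendor signature.
WINK_NAME = re.compile(r"^wink[a-z0-9]{2}\.exe$", re.IGNORECASE)

def image_to_path(image_path, system_root=r"C:\WINDOWS"):
    """Reduce an ImagePath value to a bare exe path (quotes, args, %SystemRoot%)."""
    value = image_path.strip()
    if value.startswith('"'):
        value = value[1:].split('"', 1)[0]
    else:
        value = value.split(" ", 1)[0]
    return re.sub(r"%systemroot%", lambda m: system_root, value, flags=re.IGNORECASE)

def suspicious_services(entries, file_exists):
    """entries: (name, ImagePath) pairs from HKLM\\SYSTEM\\CurrentControlSet\\Services;
    file_exists: predicate on a path. Returns (name, reason) findings."""
    findings = []
    for name, image_path in entries:
        path = image_to_path(image_path)
        exe = path.replace("\\", "/").rsplit("/", 1)[-1]
        if WINK_NAME.match(exe):
            findings.append((name, "binary name matches wink??.exe"))
        if not file_exists(path):  # registered service, file not where ImagePath says
            findings.append((name, f"ImagePath {path} not found on disk"))
    return findings

def collect_windows_services():
    """Read (name, ImagePath) pairs from the live registry (Windows only)."""
    import winreg  # stdlib module that exists only on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    entries.append((name, winreg.QueryValueEx(key, "ImagePath")[0]))
            except OSError:
                pass  # keys without an ImagePath value (parent keys, some drivers)
    return entries
# Constructed sample of what the Services key on the thread's box might hold.
SAMPLE_ENTRIES = [("Eventlog", r"%SystemRoot%\system32\services.exe"),
                  ("Spooler", r'"C:\WINDOWS\system32\spoolsv.exe" -service'),
                  ("Wink", r"C:\WINDOWS\system32\winkdr.exe")]
SAMPLE_FILES = {r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\spoolsv.exe"}

def demo():
    """Run the check over the sample; on a real box pass collect_windows_services() and os.path.exists."""
    return suspicious_services(SAMPLE_ENTRIES, lambda p: p in SAMPLE_FILES)
```

On the sample, only the "Wink" entry is flagged, once for the name pattern and once because the file is missing, which matches what g00n saw in the Services applet.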