Suspected worm created mstask32.exe and causing lsass.exe, svchost.exe to enter net

  • Thread starter: borveaux

Boy did I open the wrong file. My wife and daughter were talking
about this Hilary Duff girl on the Disney channel and so when I saw
the name on the net I thought I was opening a picture of her. No
picture opened but something happened. Then I noticed my firewall
was reporting that mstask32.exe was entering the internet. Later
lsass.exe and svchost.exe started doing it. Now mstask32.exe has
disappeared from task manager. And sometimes I show data being sent
to and from the net when I did nothing and my machine slows to a
non-workable crawl.

Would anybody have any ideas? Did I get a worm? I've scanned for
viruses with the latest updates, screened the system with Spybot
Search and Destroy, scanned for trojans with Trojanscan and came up
with nothing.

Any help would be greatly appreciated.
 
Well you got something. First I would make sure that you have the latest updates for
SpyBot. It currently should scan for about 12,460 items. You can go to their website
and download the update file since the built-in update downloader does not seem to
work so well. You can also use SpyBot in advanced mode/tools to view startup
programs and processes. You can disable startup programs and kill processes but you
need to be careful in not disabling or killing something important, though I don't
think it kills the process for good and a reboot will get everything running again.
You would want to look at the processes for anything suspicious, particularly that
maps to a folder that does not look right [which may be hard for a novice]. You could
also use TCPView from SysInternals to view network processes/connections in much the
same way to see if you can pinpoint what process is related to network traffic that
is not justified. If you find the offending process you may have to simply delete the
associated folder/file except do not delete anything in the system folder structure
under \winnt unless you absolutely know what you are doing as many critical system
files live there. See the link below on parasites and methods to deal with them and
how to increase security for IE to reduce chances of future incidents. Be sure to go
to Windows Update to make sure you are current on critical updates ASAP also. ---
Steve

http://www.sysinternals.com/ntw2k/source/tcpview.shtml
http://mvps.org/winhelp2002/unwanted.htm#
http://www.microsoft.com/security/protect/
http://securityadmin.info/faq.asp#virustoc -- tips from the FAQ on infections.
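
An added example, not part of the original posts: the reply's two checks (a process whose folder does not look right, and a process tied to network traffic) combined into one triage pass over a process list and a TCPView-style connection list. The process list, connections, `C:\WINNT` install path and the short list of expected system image names are all constructed assumptions.

```python
import ntpath
from difflib import SequenceMatcher

SYSTEM_DIR = r"c:\winnt\system32"  # assumption: Windows 2000-style install on C:
# Assumption: short list of system images that should only run from SYSTEM_DIR.
SYSTEM_IMAGES = ("lsass.exe", "mstask.exe", "services.exe", "svchost.exe")

# Constructed sample data: {pid: image path} and (pid, remote endpoint) pairs.
PROCESSES = {
    212: r"C:\WINNT\system32\lsass.exe",
    400: r"C:\WINNT\system32\svchost.exe",
    988: r"C:\WINNT\system32\mstask32.exe",
    1204: r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    1500: r"C:\Program Files\Internet Explorer\iexplore.exe",
}
CONNECTIONS = [(400, "192.0.2.10:80"), (988, "198.51.100.7:6667"),
               (1204, "198.51.100.7:6667"), (1500, "192.0.2.44:80"),
               (1777, "203.0.113.5:445")]

def classify(image_path):
    """Return why an image path looks out of place, or None if it does not."""
    name = ntpath.basename(image_path).lower()
    folder = ntpath.dirname(image_path).lower()
    if name in SYSTEM_IMAGES:
        return None if folder == SYSTEM_DIR else "system name outside system32"
    for known in SYSTEM_IMAGES:
        # Near-miss names (one or two extra characters) imitate a system file.
        if SequenceMatcher(None, name, known).ratio() >= 0.85:
            return "name resembles " + known
    return None

def triage(processes, connections):
    """List (pid, path, reason, remotes) for networked processes worth a look."""
    remotes = {}
    for pid, remote in connections:
        remotes.setdefault(pid, []).append(remote)
    findings = []
    for pid in sorted(remotes):
        path = processes.get(pid)
        # A connection whose owner is missing from the process list is itself odd.
        reason = "owner not in process list" if path is None else classify(path)
        if reason:
            findings.append((pid, path, reason, remotes[pid]))
    return findings

if __name__ == "__main__":
    for finding in triage(PROCESSES, CONNECTIONS):
        print(finding)
```

A system image running from the correct folder passes this check, so traffic from lsass.exe or svchost.exe that is not justified still has to be reviewed by hand in TCPView.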
 