1 Alarm: RegVal Trace: Worm.Opasoft

Discussion in 'Trojan Defence Suite' started by berg, Nov 11, 2004.

Thread Status:
Not open for further replies.
  1. berg

    berg Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    2
    Hiya,
    I have run TDS-3 and it has come up with the above alarm. In addition:-
    Name: HKEY_LOCAL_MACHINE
    File: Software\microsoft\windows\Current Version\Run [mask=c:\windows\mstask.exe]

    I have carried out searches for this file and cannot find it. Also I did this after ensuring all files and folders were to be seen.

    Question: Does any one know if this is a threat to the security of my system?

    Appreciate anyone that can help me get to the bottom of this?
    best, mike
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    I may be wrong but I believe that the legitimate mstask.exe is located in the c:\windows\system32 directory. If you have a mstask.exe in the c:\windows\ directory, it is usually a sign of a WORM_OPASERV.N infection. More details HERE. I do not have mstask.exe on my system (Win XP Pro with all updates and patches) so I could not double check this.
     
  4. berg

    berg Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    2
    hiya Pilli, yep I was kinda aware that this was to do with the task scheduler and I had previously checked in system32 folder and found the file mstask.dll. I did do a full search (several) and could not locate this file (mstask.exe) even though it and its path were noted after doing the TDS-3 scan.

    hiya puff-m-d, nope I had checked c:\windows\ directory and it was not found. Is the task scheduler an .exe file or as I have in the system32 folder a .dll file?
    Also the alarm came up as RegVal Trace: Worm.Opasoft and not as WORM_OPASERV.N, I am 99% sure of, so is this another infection altogether? I tried to download the scanner to check for the OPASERV worm but it refused to and kept bombing out with the patch.exe file that could not be downloaded and kept coming up with an error message.

    Not sure where to go from here - any other ideas, lads?
    best, mike
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    I have XP Pro with all updates and do not have a mstask.exe on my machine anywhere. What I do have is the mstask.dll in the c:\windows\system32 directory. I believe a reg trace does not mean that you still have the file on your system, but you do have a registry key referencing the file. Hopefully someone more knowledgeable than me on this will jump in and help.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I assume that when you did your search for the mstask.exe that you had allowed hidden system files to be shown and show hidden files and folders; if so, it is almost certainly a reg trace, in which case, if there is no .exe, it will probably be best to delete that key, then rescan.

    Pilli
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    That is a registry trace, and your AV detected the file as well? removed it?

    Just press CTRL-A in TDS to get the Autostart Explorer and check if you still have this entry

    mask = c:\windows\mstask.exe

    If so, right-click and delete. It's only a leftover :)
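
The condition diagnosed in this thread, a Run value that still names a file no longer on disk, can also be checked from PowerShell. This is an added example, not part of the thread or of TDS-3; the helper name `Get-CommandTarget`, the list of keys audited and the `$watchName` variable are choices made here, and the script only reports without deleting anything.

```powershell
# Added example: report Run/RunOnce autostart values whose target file is missing.
# Read-only: nothing is deleted. Key list and helper name are choices made here.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$watchName = 'mstask.exe'   # file name from the alarm quoted in the thread

function Get-CommandTarget {
    # Extract the executable path from an autostart command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /arg
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: path up to the first executable extension, then optional args
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($name)
        if (-not $data) { continue }
        $target = Get-CommandTarget $data
        # NoPath  = bare file name, resolved by Windows through the search path
        # Missing = the value is a registry trace only; the file is not on disk
        if (-not [IO.Path]::IsPathRooted($target)) { $status = 'NoPath' }
        elseif (Test-Path -LiteralPath $target -PathType Leaf) { $status = 'Present' }
        else { $status = 'Missing' }
        [pscustomobject]@{
            Key     = $key
            Value   = $name
            Target  = $target
            Status  = $status
            Watched = ([IO.Path]::GetFileName($target) -ieq $watchName)
        }
    }
}
$report | Sort-Object Status, Key | Format-Table -AutoSize -Wrap
```

A row with `Status` of `Missing` corresponds to the leftover entry described above; a row with `Present` and `Watched` set to `True` means the file itself still needs to be examined.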
     