1 Alarm: RegVal Trace: Worm.Opasoft

Hiya,
I have run TDS-3 and it has come up with the above alarm. In addition:-
Name: HKEY_LOCAL_MACHINE
File: Software\microsoft\windows\Current Version\Run [mask=c:\windows\mstask.exe]

I have carried out searches for this file and can not find it. Also I did this after ensuring all files and folders were to be seen.

Question: Does any one know if this is a threat to the security of my system?

Appreciate anyone that can help me get to the bottom of this?
best, mike

 

Hi berg, mstask is a standard windows file. Read here for more info:
http://www.liutilities.com/products/wintaskspro/processlibrary/mstask/

HTH Pilli.

 

I may be wrong but I believe that the legitimate mstask.exe is located in the c:\windows\system32 directory. If you have a mstask.exe in the c:\windows\ directory, it is usually a sign of a WORM_OPASERV.N infection. More details HERE . I do not have mstask.exe on my system (Win XP Pro with all updates and patches) so I could not double check this.

 

hiya Pilli, yep I was kinda aware that this was to do with the task scheduler and I had presiously checked in system32 folder and found the file mstask.dll. I did do a full search (several) and could not locate this file (mstask.exe) even though it and its path with noted after doing the TDS-3 scan.

hiya puff-m-d, nope I had checked c:\windows\ directory and it was not found. Is the tsk scheduler an .exe file or as I have in the system32 folder a .dll file?
Also the alarm came up as RegVal Trace: Worm.Opasoft and not as WORM_OPASERV.N I am 99% sure of so is this another infection all together? I tried to download the scanner to check for the OPASERV worm but it refused to and kept bombing out with the patch.exe file that could not be downloaded and kept coming up with an error message.

Not sure where to go from here-any other idea's lads?
best, mike

 

I have XP Pro with all updates and do not have a mstask.exe on my machine anywhere. What I do have is the mstask.dll in the c:\windows\system32 directory. I believe a reg trace does not mean that you still have the file on your system, but you do have a registry key referencing the file. Hopefully someone more knowledgeable than me on this will jump in and help.

 

Hi, I assume that when you did your search for the mstask.exe that you had allow hidden system files to be shown and show hidden files and folders, if so it is almost certainly a reg trace, in which case, if there is no .exe it will probaly be best to delete that key, then rescan.

Pilli

 

That is a registry trace, and your AV detected the file as well ? removed it ?

Just press CTRL-A in TDS to get the Autostart Explorer and check if you still have this entry

mask = c:\windows\mstask.exe

If so, right-click and delete. Its only a leftover