Trojan piggybacking WindowsUpdate?

Hello.
Has anybody come across a Trojan (if it is) like this?
There are a bunch of traps in my AtGuard's log that started appearing after I installed a recent security patch for Win2K SP3.
The traps come always in pairs and the process is always mstask32.exe.
The first is always an HTTP call to Microsoft. Either WindowsUpdate.Microsoft.com or something like 65.54.249.62 (also Microsoft).
The second call is to one of various sites and always at port 29374.
These sites are the IPs for Florida State University, UCLA campus, Louisiana University and some places called getdirty1.27south.com, westside1.27south.com and such.
What gives?
Is that some trojan or just Microsoft tricks?
How do you go about finding what starts up the mstask32.exe?
Nothing shows in the startup or running processes, services, and wherever else I looked at.
All the tools I have run haven't detected anything either. Kaspersky AVP, The Cleaner, Trojan Remover, Ad-aware, Trojan Trap.
Any ideas?
Thanks in advance.

 

Thanks for the pointers.
I didn't have any other detectors around the office so I just deleted mstask32.exe from the running processes, hard disk and registry reference.
The annoying outgoing calls stopped.
That program was identified as an MS program (v.2.0.0.232) with an original filename of HOTFIX_q30098EN_i386.exe.
It probably came as part of the security fix with same name I had installed a few days ago.
When I got home, I found it on my own machine too (same patch was applied but I don't reboot that often so it wasn't activated earlier).
Again none of my scanners picked it up except TDS which I just reinstalled.
It identified it as RAT.Protoss (as you already mentioned). Suspicious Microsoft-tagged exe built with a Borland compiler.
I deleted the relevant entries and so far so good.
Interesting though. I'm sure thousands of people picked it up. The Hotfix was made available in a few sites (but I can't remember where I got it from).
Thank you again for the help.

 

Hello.
The file didn't come from an attachment. I never bother reading mail from unknown sources and delete them on the spot.
It was small enough too and didn't bother to use Flashget so there's nothing in Flashget's history either.
I cleaned up the registry. In the process, I found the 3271.com trojan too -- the cnsmin.dll one -- and got rid of that too. That's another one that just appeared and I might have picked it up at the same site. I'll keep an eye out for them and maybe I can find the web site that passes them on.
For the 3271.com one, there are some instructions on Usenet that I picked up. They basically go: delete the registry RUN entry that starts it up, reboot in DOS and delete its files, reboot in Win and clear the registry.
The first step is not really needed. If you delete the RUN entry, it gets reproduced on the spot under another name.
Start with rebooting in DOS instead and delete its files (it's in a hidden directory and if you don't know the name -- c:\Winnt\downlo~1\ actually, a utility like the old LiST will get you there), reboot in Win (you get a message about the dll file missing) and clean up the registry. That should take care of it.
Thanks for your time.

 

Hmmm. Just noticed this thread. I don't install a lot of the hotfixes because half the time they are just another M$ trojan.
It has been my experience that most of the time when hotfixes are posted at security sites, they link back to M$s website for download. I wouldn't think there are too many sites around that host the hotfix themselves, so maybe you can find that site without too much searching.
Good reaction by using your head kanenas. Its really easy to just start deleting stuff when you find you are infected with something only to find later, you wish you would have written some details down for further investigation.
Sure hope this isn't a new trend in social engineering by the bad guys. It could be very effective.

 

Keylog.GPKeyspy uses MsTask32.exe by default, TDS-3 will detect many if not all variants by Memory Object, Memory Space Scan, and as far as I can see, many will be detected by File signature as well

 

I just installed all the updates from Windows update, because I had to reinstal the Windows CD after all my stuff was eaten up by a dialer, and afterwards my system started running slow and freezing up. After reading the above, I checked startup and found these...Mxtask, Rnaapp,Wh_exec and Mxecp16. I hadn't noticed them before, but novice as I am, I wouldn't have noticed.
Is there something here I should be concerned about?



I'll be glad when my knowledge catches up with my curiosity.

 

3721.com Chinese Keywords browser Spyware
http://www.gladiator-secure.de/forum/index.php?act=ST&f=6&t=183&s=d98d42e2fab70049a2fc55eaae4566c7

 

Lowwatermark...
1)A quick question, how exactly were you looking at these? Was this from doing a single Ctrl/Alt/Del and seeing the running tasks or by looking elsewhere?

2)As far as possible infections on your system, if you did a clean install of Windows 98 SE from your systems install CDs, then installed the Ontrack's System Suite, followed by going out to Windows Update, I don't think you should have any malware yet. Did you install anything else at all?

3)For your virus scanning, does System Suite provide you with a means to download the latest virus definitions so that you are scanning with up to date information? You need to run that update feature often to stay current.

1) Yes...I just checked to see what was running fron startup.
2) I have installed all updates, including security, patches and tools for IE 5.5. Also winamp,media player7...and the patch for media player. Nothing else yet, I'm loking for a free program that will tell me if something tries to get in.. trying to stop trojans, dialers etc. w/o limiting access.
3) Yes. System suite has auto update, I go when it tells me to.

Thanks1