
I think I'm infected: msa.exe, maybe more;



#1 Gerk123


Posted 04 February 2010 - 09:17 AM

Hello,

I recently installed Vuze and tried to download some videos. The first video I tried to download had me try to install some codecs for Windows Media Player. Or at least that is what it said. I proceeded and now things are acting weird. I was never able to get the video to play and now my system is acting funny.

I have an MSA.EXE process which explodes in memory and CPU usage when I'm connected to the internet. I currently am in lockdown with McAfee Anti-virus/Firewall and I am sending this from another computer. Doing a full scan with McAfee now, but I have a feeling this virus is too smart for McAfee.

I am running Windows XP Home Edition, SP3.

Other weird things I am seeing.
1. McAfee appears to be automatically disabling on startup/reboot.
2. I began doing research on the internet for this problem from the same computer, and when I would click on links from a Google search (to this website, as I was looking up and reading about msa.exe), it would send me instead to somewhere in never-never land.
3. The MSA.EXE will restart when I am connected to the internet after I disable it from the Task Manager.
4. MSA.EXE uses fewer resources after lockdown but appears to periodically be checking for an internet connection with limited resources. During lockdown it uses 18-19MB of memory and occasionally about 10% of CPU resources. When I open the firewall, I've seen it over 250MB and 50-70 percent of processor speed.

I think I installed a hellacious trojan program. Need Help. And McAfee isn't going to be able to fix it quickly. I have not tried calling them yet.

5. There is also a KCD.EXE that may be involved in this too. That one I have not seen come back after ending it.

Please help when you can.
Dave

Edited by Gerk123, 04 February 2010 - 09:22 AM.




#2 Gerk123


Posted 04 February 2010 - 09:29 AM

UPDATES: (I will add to this secondary post as I continue my troubleshooting).

I did a search for MSA.EXE and found a 177KB application in WinNT folder.
I scanned with McAfee, it did not find a problem.
FULL SCAN is in progress.

UPDATE 8:36 a.m. CST: McAfee is pausing the scan on its own (or the virus is pausing it). Trying to restart again.

UPDATE 10:20 a.m: KCD.EXE and MSA.EXE continue starting on their own. KCD.EXE is located in a Temp Folder so I am going to delete it. MSA.EXE is in WINNT folder. Think I am going to delete this. But if these programs are being started when I am connected to the internet, is someone/some other computer starting them through a back door? KCD.EXE is 178KB.
Is deleting these files typically enough? Do I still have a backdoor open to my computer?

Update 12:20 p.m. (CST): McAfee Virus Scan completed without finding anything. MSA.EXE started up again on its own. I took McAfee's Firewall out of "Auto" mode and tried to block MSA. But MSA appeared to keep working, growing in memory and processor utilization. (Is it utilizing my internet browser to communicate?) Used Task Manager to stop the MSA process. Deleted MSA.EXE. Also went into MSConfig and turned KCD and MSA off. There was also a third strange program in the Startup list without a name; disabled that. What else should I do? Am I safe or am I likely still compromised? I rebooted after all this and everything seems normal again.

Edited by Gerk123, 04 February 2010 - 01:25 PM.




