Does my girlfriend have PC spyware or virus?

Of the two of us I’m the designated geek, but I’m pretty Mac-centric. I know enough to be concerned but not enough to know how to rule out malware on her system.

The Presenting Symptom: She’s working in a browser (IE) which happens to have the Google toolbar thingie installed with popup blocker enabled. Also running: FileMaker, Eudora, Word, Excel, Lotus 123. All of a sudden the Microsoft Security alert thingie flashes to the front asking her permission to download some samples of the “best games on the internet” from NetPalOffers.com - ?? You know, the kind of alert you usually see only if you click a link to download an executable installer or something. She hadn’t clicked any such thing. The site she was browsing was an About.com message board, and About.com is heavily stuffed with popup ads etc. but not (to my knowledge) known for trying to INSTALL stuff. The security alert said the Certificate passes muster. This has happened several times in the last few days.

The Environment: XP Pro, DSL connection to internet (non-static IP), one Microsoft security patch behind at this point (::sigh::), no Kazaa (ever), no instant messaging (ever), no Outlook usage (ever), she doesn’t open attachments from unknown people, file extensions are set to be displayed at all times. Suspicious processes running (things I don’t recognize): CDAC11BA.exe; NIlaunch.exe; lsass.exe; csrss.exe; smss.exe; nvsvc32.exe

(don’t laugh at me if some of these are normal or essential XP services or processes)

Hmmm, doesn’t appear to be anything out of the ordinary.

Those darn pop ups to install a web service are annoying. Does this happen on her machine ONLY? Or would anyone going to that site have the same problem? (Can you provide a link to test?).

You may want to install Ad-Aware (google it) and see if it finds anything.

I sometimes get the gator install BS on certain sites I try to avoid thereafter.

It does sound like spyware. I can only recommend downloading Ad-Aware and Spybot S&D (both available from download.com) and running them. Of those processes running, CDAC11BA.exe may be unnecessary but doesn’t seem to be spyware (related to a company Macromedia acquired some years ago), NIlaunch.exe may be dubious, but may be perfectly valid (“Net-It” web publishing software), and the others listed are completely valid.

I second the suggestion of running Ad-Aware. You can get it here: http://www.lavasoftusa.com/software/adaware/

If you are concerned about a virus, you should download McAfee’s free virus scanner. It might not be the best out there, but it is the best for the money. You can get that here: http://us.mcafee.com/

I wonder if these two programs could be added to the FAQ or as a sticky post. Many people ask about this, and the answer is always the same.

CDAC11BA.exe: Background task which is an integral part of MacroVision’s SafeCast copy protection software (software which enables other software manufacturers to protect their products from illegal copying). SafeCast is used in many products such as Intuit’s TurboTax (from version 2002 onward) and quite a few games.

NIlaunch.exe: ?

lsass.exe: Windows NT4/2000/XP only. LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon : it generates the process that is responsible for authenticating users for the Winlogon service).

csrss.exe: Windows NT4/2000/XP only. CSRSS is the Client Server Runtime SubSystem. CSRSS is started by SMSS. When the user application makes a Win32 API call, it is usually CSRSS which communicates with the operating system’s Kernel to execute the API call. CSRSS is also known as the Win32 Subsystem.

smss.exe: Windows NT4/2000/XP only. SMSS is the Session Manager SubSystem. SMSS’s purpose is to start, manage, and delete user sessions (or client sessions under Terminal Server). Under Terminal Server the management part includes dealing with the different subsystems (OS/2, Win32, POSIX) which a client session may wish to run.

nvsvc32.exe: NVIDIA Driver Helper Service which gets installed under Windows NT4/2000/XP by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory! And we also have no idea as to what a “Driver Helper Service” is supposed to do!!
from:
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
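The post above settles what the names mean, but a name alone proves nothing: malware routinely calls itself lsass.exe or csrss.exe and runs from a temp or profile directory, while the genuine copies live only in %SystemRoot%\system32. The script below is an added example (not from the thread or from answersthatwork.com) that takes a process listing in the shape of `wmic process get Name,ExecutablePath /format:csv` and flags two things: core NT process names running from the wrong directory, and names that are neither core system processes nor the vendor processes identified above, which then go on the "look this up" list. The listing is constructed for illustration; the paths in it, including the one for CDAC11BA.exe, are made up and not claimed to be where those products really install.

```python
import csv
import io
import ntpath

# Directory the genuine core NT processes run from (XP default install).
SYSTEM32 = r"c:\windows\system32"

# Core NT processes that legitimately run ONLY from %SystemRoot%\system32.
CORE_SYSTEM = {"smss.exe", "csrss.exe", "lsass.exe",
               "winlogon.exe", "services.exe", "svchost.exe"}

# Third-party processes the thread identified as vendor-installed.
RECOGNIZED_VENDOR = {"nvsvc32.exe", "cdac11ba.exe"}

# Constructed sample in the shape of:
#   wmic process get Name,ExecutablePath /format:csv
# Paths are invented for illustration; the last row is a deliberate impostor.
SAMPLE_LISTING = r"""
Node,ExecutablePath,Name
PC1,C:\WINDOWS\system32\smss.exe,smss.exe
PC1,C:\WINDOWS\system32\csrss.exe,csrss.exe
PC1,C:\WINDOWS\system32\lsass.exe,lsass.exe
PC1,C:\WINDOWS\system32\nvsvc32.exe,nvsvc32.exe
PC1,C:\Program Files\C-Dilla\CDAC11BA.exe,CDAC11BA.exe
PC1,C:\Program Files\Net-It\NIlaunch.exe,NIlaunch.exe
PC1,C:\DOCUME~1\USER\LOCALS~1\Temp\lsass.exe,lsass.exe
"""


def parse_wmic_csv(text):
    """Return (name, path) pairs from wmic's CSV output (leading blank line tolerated)."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return [(row["Name"], row["ExecutablePath"]) for row in reader]


def triage(text, system_root=SYSTEM32):
    """Sort a process listing into impostors, unknowns and entries with no path.

    impostor   : a core system name running outside system_root
    unknown    : a name that is neither core nor recognized vendor software
    unverified : a core name whose path wmic did not report (common for
                 smss/csrss/lsass when not run as Administrator); check it
                 again from an admin prompt rather than trusting it
    """
    result = {"impostor": [], "unknown": [], "unverified": []}
    root = system_root.lower()
    for name, path in parse_wmic_csv(text):
        lname = name.lower()
        if lname in CORE_SYSTEM:
            if not path:
                result["unverified"].append((name, path))
            elif ntpath.dirname(path).lower() != root:
                result["impostor"].append((name, path))
        elif lname not in RECOGNIZED_VENDOR:
            result["unknown"].append((name, path))
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LISTING).items():
        for name, path in entries:
            print(f"{bucket:10s} {name:15s} {path or '(no path reported)'}")
```

Run the real listing through it with `wmic process get Name,ExecutablePath /format:csv > procs.csv` from an Administrator prompt, then `triage(open("procs.csv").read())`. An "impostor" hit is a strong indicator; an "unknown" hit is just a name to research, exactly as the thread did for NIlaunch.exe.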

Yes, sounds like she’s picked up something, probably a trojan/spyware of some kind. Find it with Ad-Aware and/or Spybot (as above), take it out and install Zone Alarm pronto – she really can’t wander around the Internet without at least a firewall.

Sorry for the delay – we installed as recommended and she hasn’t had an incident since, and she says to tell you folks “thanks”.

It sure sounds like the MS Messenger service hole being exploited to me. Just turn it off. (And install all the anti-spyware, anti-virus programs anyway.)

Sorry for the bump, but… how does one go about turning this off?

Here is the easy way: Shoot the Messenger

Or, if you want to do it manually: Disabling the Messenger Service
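For the manual route, the commands below are an added example (not from the linked page or any poster) showing what "disable the Messenger service" amounts to at an Administrator command prompt on XP. The service name `Messenger` is the Windows service that carries `net send` style popups, not MSN Messenger; the space after `start=` is required by `sc`.

```batch
@echo off
rem Added example: stop and permanently disable the Windows XP Messenger service.
rem Run from an Administrator command prompt (cmd.exe).

rem Show the current state before touching anything.
sc query Messenger | find "STATE"

rem Stop it now and keep it from starting at next boot.
sc stop Messenger
sc config Messenger start= disabled

rem Confirm: STATE should read STOPPED and START_TYPE DISABLED.
sc query Messenger | find "STATE"
sc qc Messenger | find "START_TYPE"
```

`net stop Messenger` does the same as `sc stop Messenger` if you prefer it. Disabling the service removes the popups at the source; a host firewall such as the Zone Alarm recommended above additionally blocks the inbound UDP 135 and NetBIOS (137/138) traffic that delivers them, so the two measures complement each other.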