Endpoint Protection

  • 1.  winsta.exe

    Posted Jul 02, 2010 01:45 AM
    Recently we have had a problem with the file winsta.exe located in the c:\windows\system32 folder. It is getting way too big and eats up all the free space on the C: drive. We delete it manually; however, it comes back in time. We checked it with different antiviruses but couldn't find any viruses or the source of the problem. We now have about 140 computers infected with this process. Please help.


  • 2.  RE: winsta.exe

    Posted Jul 02, 2010 01:47 AM
    Submit the same file to Symantec.
    Also try this article
    Online Virus and Behavioural Scan Engines



  • 3.  RE: winsta.exe

    Broadcom Employee
    Posted Jul 02, 2010 01:52 AM
    It's not a threat file; however, to confirm, submit the file to Symantec.

    You can use the WinStation Monitor tool (Winsta.exe) to monitor the status of all users who are logged on to a Windows 2000-based Terminal Services server.


    http://support.microsoft.com/kb/320190


  • 4.  RE: winsta.exe

    Posted Jul 02, 2010 04:09 AM
    I cannot submit winsta.exe. It eats the free space of the C drive. Its size varies between 25-200 GB depending on the computer's free space. And it is not, I think, the WinStation Monitor tool, as our systems are not Windows 2000 but Windows XP. Such a file shouldn't exist in Windows XP.


  • 5.  RE: winsta.exe

    Posted Jul 02, 2010 04:12 AM
    Download and run this tool and submit suspected files to Symantec
    The Symantec Endpoint Protection Support Tool


  • 6.  RE: winsta.exe

    Posted Jul 02, 2010 05:31 AM
    Run Sysinternals Autoruns and find out what the other files, locations, drivers and services of this possible virus are. Delete all of them and submit any suspicious files.


  • 7.  RE: winsta.exe

    Posted Jul 02, 2010 10:19 AM

    What AV product are you running? Try downloading the latest Rapid release files, then run a full scan in Safe-mode.
    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    If that fails to find anything, try running the SERT tool to detect this threat.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/201004151546434

    Please keep us posted on your progress.

    Thomas


  • 8.  RE: winsta.exe

    Posted Jul 05, 2010 02:45 AM
    Downloaded and ran Sysinternals Autoruns. You may see the result in the attached file. Could you please have a look at it?

    Attachment(s): SysInternals.zip (80 KB)


  • 9.  RE: winsta.exe

    Posted Jul 06, 2010 12:27 PM
     
    Dear Bakili,

    I am facing the same problem. Around 32 machines have this issue. Symantec said to contact Microsoft (case ID-412-428-218).
    I can see one file in your log file. Just open the file c:\windows\winsta.bat in Notepad and send this file to the Symantec Security Response team.

    Warm Regards,
    Ajeet

     


  • 10.  RE: winsta.exe
    Best Answer

    Posted Jul 06, 2010 01:55 PM
    In C:\Windows\Winsta.bat there is a job file that is set as a scheduled task.
    Delete that and temporarily disable the Task Scheduler service.

    From
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Delete msnmsgr

    From
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Delete Services
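
Added example (not part of any post in the thread): one way to check Autoruns CSV exports from many machines for the artifacts named in posts 1, 9 and 10. The column names, sample rows and placeholder paths are constructed assumptions.

```python
import csv
import io

# Indicators taken from the thread (posts 1, 9 and 10); compared lower-cased
# because Windows paths and registry value names are case-insensitive.
FILE_INDICATORS = (r"c:\windows\system32\winsta.exe", r"c:\windows\winsta.bat")
RUN_VALUES = {
    r"hkcu\software\microsoft\windows\currentversion\run": "msnmsgr",
    r"hklm\software\microsoft\windows\currentversion\run": "services",
}

# Constructed sample export. Column names are an assumption about the CSV
# layout; entry names and placeholder paths are invented for illustration.
SAMPLE = r"""Entry Location,Entry,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Services,C:\placeholder\a.exe,C:\placeholder\a.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,msnmsgr,C:\placeholder\b.exe,C:\placeholder\b.exe
Task Scheduler,At1.job,C:\WINDOWS\winsta.bat,C:\WINDOWS\winsta.bat
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleUpdater,C:\placeholder\c.exe,C:\placeholder\c.exe
"""


def triage(csv_text):
    """Return (reason, entry location, entry, image path) for each indicator hit."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        location = (row.get("Entry Location") or "").strip()
        entry = (row.get("Entry") or "").strip()
        image = (row.get("Image Path") or "").strip()
        launch = (row.get("Launch String") or "").strip()
        haystack = f"{image} {launch}".lower()
        for path in FILE_INDICATORS:
            if path in haystack:
                hits.append((f"references {path}", location, entry, image))
        # The thread names these Run values but not their targets, so a match
        # on name alone is a lead to review, not proof of infection.
        if RUN_VALUES.get(location.lower()) == entry.lower():
            hits.append(("Run value named in post 10", location, entry, image))
    return hits


def triage_fleet(exports):
    """Map host name -> hits for every host whose export has at least one hit."""
    results = {host: triage(text) for host, text in exports.items()}
    return {host: hits for host, hits in results.items() if hits}


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(" | ".join(hit))
```
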


  • 11.  RE: winsta.exe

    Posted Jul 09, 2010 01:23 PM

    Please contact Microsoft for this issue - Symantec

    Try this batch file, I have stopped winsta.exe through this batch file.
     

     
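    @echo off
    rem Remove the existing file
    del /f c:\windows\system32\winsta.exe
    rem rd c:\windows\system32\winsta.exe
    rem Create a folder with the same name so a file of that name cannot be created again
    md c:\windows\system32\winsta.exe
    rem Mark the folder read-only, hidden and system
    attrib +r +h +s c:\windows\system32\winsta.exe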


  • 12.  RE: winsta.exe

    Posted Jul 14, 2010 08:54 AM

    AjeetKumar, thanks for the batch file. It stops the virus and lets people work. However, of course, it doesn't cure it.
    Microsoft and Kaspersky have already detected a virus connected with winsta.exe. Its name is Trojan-Dropper.Win32.Stuxnet.e (Kaspersky Lab, detected July 14) and TrojanDropper:Win32/Stuxnet.A (Microsoft, detected July 7). My question to Symantec is: when will they release something against this virus? I have more than 200 computers infected with this virus.



  • 13.  RE: winsta.exe

    Posted Jul 14, 2010 10:53 AM

    Symantec detects this as Trojan.Gen - http://www.threatexpert.com/report.aspx?md5=74ddc49a7c121a61b8d06c03f92d0c13

    Latest Daily Certified version July 14, 2010 revision 002
    Latest Rapid Release version July 14, 2010 revision 009

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-022501-5526-99


  • 14.  RE: winsta.exe

    Posted Jan 13, 2011 06:46 AM

    I had this problem, and this file prevented me from using my network.

    I solved this error by using avast 4.8 with the latest update.

    I scheduled a boot scan task for the c:\ drive.

    Then, after booting the PC, avast started scanning, found the file winsta.exe and deleted it.

    I'm fine now