Windows Update Changed Firefox?



#1
MartianEconomics

MartianEconomics

    New Member

  • Member
  • Pip
  • 5 posts
Hello, this forum has been of major assistance in helping me with various computer issues, and I was wondering if someone here could again be of assistance. I was torn between posting this here or in the Windows XP help section, but from what I gathered it may potentially be an attack on my computer and I decided not to take the chance.

Today, I discovered some odd temporary files created within C:\Documents and Settings\(My Name)\Local Settings\temp that I had no idea where they came from. All were 0kb, and here are the date and time they were created.

9g02FD.tmp - Today, April 21, 2010, 2:09:08 PM
09i2FF.tmp - Today, April 21, 2010, 2:09:27 PM
59h283.tmp - Today, April 21, 2010, 12:51:24 PM
83x310.tmp - Today, April 21, 2010, 2:11:32 PM
gtg285.tmp - Today, April 21, 2010, 12:52:36 PM
k46287.tmp - Today, April 21, 2010, 12:53:03 PM
quh261.tmp - Today, April 21, 2010, 12:47:06 PM
vjr272.tmp - Today, April 21, 2010, 12:49:43 PM

I decided that no good could come from whatever they might have been, and used Spybot's file shredder to promptly remove them.

From there I went to my prefetch folder and had a look at the files modified today to see if I could trace the files back to one program. The only program running near the times was wuauclt.exe (The windows updater) running at 2:05 PM. Searching all files modified on that date, I found files in the Software Distribution folder (edb.chk and such) modified at about 2:09 to 2:10 and it seemed to fit the bill that this was a Windows update. Wishing to clarify, I decided to pull open the Event Log to confirm my suspicions.

In the event log, however, I noticed a variety of odd entries (none reappearing at dates other than today) at the times of those temporary files. Here are the two events: one begins with a change of a port and the other removes the port. The pattern this goes in is that two of the ports were added and then both of the same ports were subsequently removed. The Event ID for all of these is 852, for which I can find next to no information.

A change has been made to the Windows Firewall port exception list.

Change type: Add
New Settings:
Name: Windows Media Format SDK (firefox.exe)
Port number: 2841 (*Also as 2844,2840,2832,2833,2833,2834,2835)
Protocol: UDP
State: Enabled
Scope: All subnets
Old Settings:
Name: -
Port number: -
Protocol: -
State: -
Scope: -


A change has been made to the Windows Firewall port exception list.

Policy origin: Local Policy
Profile changed: Standard
Interface: All interfaces
Change type: Remove
New Settings:
Name: -
Port number: -
Protocol: -
State: -
Scope: -
Old Settings:
Name: Windows Media Format SDK (firefox.exe)
Port number: 2834 (*And the exact same numbers as above)
Protocol: UDP
State: Enabled
Scope: All subnets

While this did seem to correspond with the Windows update, I did not think the updates related in any way to Firefox, and was confused by this. I'm not sure if this is an attempt by a foreign presence to change my firewall settings or simply some glitch. Hopefully some kind user can provide the answers.

I have posted this on another forum where the answer I received was that I may be infected by a virus or other program with intent to harm my computer. As I post this I am running MalwareBytes Anti-Malware, but I have had no symptoms that would indicate any infection. The computer that these logs appear on is used mainly for work and light browsing. I personally check all files created at the end of every day to see if anything gets by, and generally believe that I keep a tight security.

Thanks again.
  • 0



#2
Macboatmaster

Macboatmaster

    7k

  • Member
  • PipPipPipPipPipPipPipPip
  • 7,237 posts
Please clarify.
TODAY posted at 0031hrs - TODAY I found.
Then from the temp files in Docs and Settings TODAY April 21.
I realise that TODAY in your post means the 22nd, but is the date correct in Windows?
If I am not mistaken, and I may be, Microsoft have just issued a Security Update for WMP.
I would check the Updates installed, in Add/Remove Programs - show Updates and/or on your update history on the Microsoft Update Site.
I would then uninstall the ones that apply at this time and then go back and reinstall them.

HOWEVER, having now found that you have posted and are actually AT THIS TIME working with a solution on another forum, that has also been a great help to you, I would wait and see what the result of that forum is.

Edited by Macboatmaster, 22 April 2010 - 07:20 PM.

  • 0

#3
diabillic

diabillic

    Member 1K

  • Member
  • PipPipPipPip
  • 1,370 posts
Take a visit over to the malware forum. If something is creating files and firewall rules without your knowledge, I would lean towards that as the issue.

Follow this guide here first: http://www.geekstogo...uide-t2852.html

If that doesn't work, post a topic here: http://www.geekstogo...emoval-f37.html
  • 0

#4
MartianEconomics

MartianEconomics

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts

Please clarify.
TODAY posted at 0031hrs - TODAY I found.
Then from the temp files in Docs and Settings TODAY April 21.
I realise that TODAY in your post means the 22nd, but is the date correct in Windows?
If I am not mistaken, and I may be, Microsoft have just issued a Security Update for WMP.
I would check the Updates installed, in Add/Remove Programs - show Updates and/or on your update history on the Microsoft Update Site.
I would then uninstall the ones that apply at this time and then go back and reinstall them.

HOWEVER, having now found that you have posted and are actually AT THIS TIME working with a solution on another forum, that has also been a great help to you, I would wait and see what the result of that forum is.


Did not mean to offend by posting this on another forum. I had acquired help here a month or two back on a different account that I couldn't remember, regarding a rootkit that I posted in the Virus Removal Forum, and received great help. I've also generally received good help at the other forums I posted on as well.

To clarify with the dates, I found the files the date they were created, on the 21st, I had written up this message the previous night.

Checking with the Windows Updates, I found no evidence of an update on the 21st, but is there anywhere that Windows keeps a log of its updates that I might be able to check?

With the Malware, I ran MalwareBytes and Super Anti Spyware to find nothing. I'm hesitant in believing it is Malware, because no symptoms or modifications have occurred since, and even in opening the ports, the Event Log indicates they were opened and then closed within the span of 1 second.
  • 0
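
The manual check described in posts #1 and #4 (each firewall port exception added, then removed about a second later) can be scripted. The following is an added example, not part of any post in this thread: it parses event 852 messages in the layout quoted above, pairs each Add with its Remove, and reports exceptions that stayed open too long or were never removed. It assumes the records are available as (timestamp, message text) pairs; the function names, the 5-second threshold and the sample records are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_852(message):
    """Return (change, (name, port, protocol)) from one event 852 message."""
    section, rec = None, {}
    for line in message.splitlines():
        m = FIELD.match(line)
        key, val = (m.group(1).strip(), m.group(2).strip()) if m else ("", "")
        if key in ("New Settings", "Old Settings"):
            section = key
        elif key == "Change type":
            rec["change"] = val
        elif key and section and val != "-":
            rec[key] = val  # populated side: New for Add, Old for Remove
    port = int(re.match(r"\d+", rec["Port number"]).group())
    return rec["change"], (rec["Name"], port, rec["Protocol"])

def correlate(events, max_open=timedelta(seconds=5)):
    """Pair Add/Remove per exception; return (long_lived, never_removed)."""
    open_at, long_lived = {}, []
    for ts, message in sorted(events, key=lambda e: e[0]):
        change, key = parse_852(message)
        if change == "Add":
            open_at[key] = ts
        elif change == "Remove" and key in open_at:
            lifetime = ts - open_at.pop(key)
            if lifetime > max_open:
                long_lived.append((key, lifetime))
    return long_lived, sorted(open_at)

def sample(change, port):
    """Build a constructed message in the layout quoted in the thread."""
    filled = f"Name: Windows Media Format SDK (firefox.exe)\nPort number: {port}\nProtocol: UDP\n"
    empty = "Name: -\nPort number: -\nProtocol: -\n"
    new, old = (filled, empty) if change == "Add" else (empty, filled)
    return ("A change has been made to the Windows Firewall port exception "
            f"list.\nChange type: {change}\nNew Settings:\n{new}Old Settings:\n{old}")

# Constructed records: ports and exception name are from the thread,
# timestamps and outcomes are made up.
T = datetime(2010, 4, 21, 14, 9, 8)
EVENTS = [
    (T, sample("Add", 2841)), (T + timedelta(seconds=1), sample("Remove", 2841)),
    (T + timedelta(seconds=2), sample("Add", 2844)),      # never removed
    (T + timedelta(seconds=3), sample("Add", 2840)),
    (T + timedelta(minutes=10), sample("Remove", 2840)),  # open ~10 minutes
]
```

Calling `correlate(EVENTS)` returns the long-lived exceptions with their lifetimes and the list of exceptions still open; an empty result for both matches the add-then-remove pattern reported in the thread.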

#5
Macboatmaster

Macboatmaster

    7k

  • Member
  • PipPipPipPipPipPipPipPip
  • 7,237 posts
I would check the Updates installed, in Add/Remove Programs - show Updates and/or on your update history on the Microsoft Update Site.
I would then uninstall the ones that apply at this time and then go back and reinstall them.


If you follow either of these it will list the updates and the date installed.
More to the point Microsoft Updates will also list any failures.
  • 0

#6
MartianEconomics

MartianEconomics

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thanks for the help as always. I had a look where you said and couldn't find any updates on that date. Digging deeper I again searched for any files modified during the 21st at the time these events were happening, and found that two files were also modified at the same time.

C:\Documents and Settings\(My Name)\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_219.wmdb
C:\Documents and Settings\(My Name)\Local Settings\Application Data\Microsoft\Windows Media\WMSDKNS.xml

I'm going to assume the WMSDKN is the Windows Media Player SDK Format in the logs above. Yet, the puzzling thing is I see no updates to Windows Media player.

Edited by MartianEconomics, 23 April 2010 - 02:21 PM.

  • 0

#7
Macboatmaster

Macboatmaster

    7k

  • Member
  • PipPipPipPipPipPipPipPip
  • 7,237 posts
The WMSDKNS.xml file is the Windows Media Player file system for streaming video etc amongst other things.
Open Windows Media Player, click Tools, click Options. Does Options open, and are the protocols shown in the Network tab?
If not, that file is corrupted.
If it is, I suggest you follow post 3's advice.
  • 0

#8
MartianEconomics

MartianEconomics

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Options worked, and all the protocols are there. I'll run the stuff and make a post in the Virus Help forum then.
  • 0





