Windows Update Modified Firefox?



#1 Ladonowiz


Posted 22 April 2010 - 04:20 PM

Hello, this forum has always been of major assistance in helping me with various computer issues, and I was wondering if someone here could again be of assistance. I was torn between posting this here or in the Windows XP help section, but from what I gathered it may potentially be an attack on my computer and I decided not to take the chance.

Today, I discovered some odd temporary files created within C:\Documents and Settings\(My Name)\Local Settings\temp that I had no idea where they came from. All were 0kb, and here are the date and time they were created.

9g02FD.tmp - Today, April 21, 2010, 2:09:08 PM
09i2FF.tmp - Today, April 21, 2010, 2:09:27 PM
59h283.tmp - Today, April 21, 2010, 12:51:24 PM
83x310.tmp - Today, April 21, 2010, 2:11:32 PM
gtg285.tmp - Today, April 21, 2010, 12:52:36 PM
k46287.tmp - Today, April 21, 2010, 12:53:03 PM
quh261.tmp - Today, April 21, 2010, 12:47:06 PM
vjr272.tmp - Today, April 21, 2010, 12:49:43 PM

I decided that no good could come from whatever they might have been, and used Spybot's file shredder to promptly remove them.

From there I went to my prefetch folder and had a look at the files modified today to see if I could trace the files back to one program. The only program running near the times was wuauclt.exe (the Windows updater) running at 2:05 PM. Searching all files modified on that date, I found files in the Software Distribution folder (edb.chk and such) modified at about 2:09 to 2:10 and it seemed to fit the bill that this was a Windows update. Wishing to clarify, I decided to pull open the Event Log to confirm my suspicions.

In the event log, however, I noticed a variety of odd entries (none reappearing at dates other than today) at the times of those temporary files. There are over 10 overall, but there are two general entries.

A change has been made to the Windows Firewall port exception list.

Change type: Add
New Settings:
Name: Windows Media Format SDK (firefox.exe)
Port number: 2841 (*Also as 2844,2840,2832,2833,2833,2834,2835)
Protocol: UDP
State: Enabled
Scope: All subnets
Old Settings:
Name: -
Port number: -
Protocol: -
State: -
Scope: -


A change has been made to the Windows Firewall port exception list.

Policy origin: Local Policy
Profile changed: Standard
Interface: All interfaces
Change type: Remove
New Settings:
Name: -
Port number: -
Protocol: -
State: -
Scope: -
Old Settings:
Name: Windows Media Format SDK (firefox.exe)
Port number: 2834 (*And the exact same numbers as above)
Protocol: UDP
State: Enabled
Scope: All subnets

While this did seem to correspond with the Windows update, I did not think the updates related in any way to Firefox, and was confused by this. I'm not sure if this is an attempt by a foreign presence to change my firewall settings or simply some glitch. Hopefully some kind user can provide the answers.

Thanks again.



#2 cryptodan


Posted 22 April 2010 - 05:35 PM

I would do a scan with the following: http://www.malwarebytes.org/mbam.php and http://www.superantispyware.com and post the results. You are probably infected.

#3 Ladonowiz


Posted 22 April 2010 - 05:47 PM

I'm running the scans now and posting from another computer. Do you perhaps have any idea what might be the infection or cause of infection? I really only use that computer for a few tasks. It seemed odd also that it corresponded with the Windows Update, and from how I interpreted it, it seemed to have created an exception for those ports and then reset it back to normal seconds later. It had a pattern of two entries with the first thing I posted (the Add entry) and then two with the Remove entry for the exact same ports.

I also haven't experienced any issues with that computer so far either; I usually do a scan for files created at the end of every day to see if anything unusual slips by, and haven't seen anything other than the usual (disregarding the .tmp files in the first post) that isn't normal.

EDIT: Ran both scans, no infections found in either. I've included the logs if you wish to have a look at anything. I'm going to try to fit in a GMER scan tonight (just to be safe) and I'll see what will come of that.


Edited by Ladonowiz, 22 April 2010 - 08:04 PM.
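One way to check the Add/Remove pattern described in this thread is to pair each firewall exception that was added with its later removal and list any that were never closed. The following is an added example, not part of the original posts; the function names are hypothetical, and the timestamps and the final unmatched entry are constructed sample data in the layout quoted in post #1.

```python
import re
from datetime import datetime

HEADER = "A change has been made to the Windows Firewall port exception list."
NAME = "Windows Media Format SDK (firefox.exe)"

def parse_event(text):
    """Return (change_type, (name, port, protocol)) for one event description."""
    change = re.search(r"Change type:\s*(\w+)", text).group(1)
    # The rule sits under "New Settings" for an Add, "Old Settings" for a Remove.
    section = "New Settings:" if change == "Add" else "Old Settings:"
    body = text.split(section, 1)[1]
    pairs = re.findall(r"^\s*(Name|Port number|Protocol):\s*(.+?)\s*$", body, re.M)
    fields = dict(pairs[:3])  # first three belong to the chosen section
    return change, (fields["Name"], int(fields["Port number"]), fields["Protocol"])

def pair_changes(events):
    """events: (datetime, text) pairs. Returns (transient, still_open)."""
    open_rules, transient = {}, []
    for ts, text in sorted(events, key=lambda e: e[0]):
        change, rule = parse_event(text)
        if change == "Add":
            open_rules.setdefault(rule, ts)  # duplicate Add entries keep first time
        elif change == "Remove" and rule in open_rules:
            lifetime = (ts - open_rules.pop(rule)).total_seconds()
            transient.append((rule, lifetime))
    return transient, open_rules

def sample_event(change, port):
    """Build event text in the layout quoted in the thread (constructed data)."""
    rule = f"Name: {NAME}\nPort number: {port}\nProtocol: UDP\nState: Enabled\nScope: All subnets\n"
    empty = "Name: -\nPort number: -\nProtocol: -\nState: -\nScope: -\n"
    new, old = (rule, empty) if change == "Add" else (empty, rule)
    return f"{HEADER}\n\nChange type: {change}\nNew Settings:\n{new}Old Settings:\n{old}"

def at(second):
    return datetime(2010, 4, 21, 14, 9, second)  # constructed timestamps

SAMPLE_EVENTS = [
    (at(8), sample_event("Add", 2841)),
    (at(8), sample_event("Add", 2841)),      # entries logged twice, as described
    (at(27), sample_event("Remove", 2841)),
    (at(27), sample_event("Remove", 2841)),
    (at(30), sample_event("Add", 2844)),     # constructed: never removed
]

if __name__ == "__main__":
    transient, still_open = pair_changes(SAMPLE_EVENTS)
    for rule, seconds in transient:
        print("opened and closed:", rule, f"{seconds:.0f}s")
    for rule, since in still_open.items():
        print("STILL OPEN:", rule, "since", since)
```

An exception that shows up in `still_open` is the case worth following up on, since it was added and no later removal was logged.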




