  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI
| Strange nav pop up
I installed the new Windows Defender tonight to give it a try. While I let it scan, NAV pops up with what you see in the pic. I have gotten the pop up before while surfing and NAV always killed it, but never seen it in C:\Program Files\Windows Media Player\wmplayer.exe.tmp. Question is, did NAV see the activity on this file because Defender was scanning it? Have not been *infected* in 5 years and PC was running great, so this kind of surprised me. Btw the tmp folder NAV said this was in is not there. -- When life becomes a drag - floor it - Galaxie 500 |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| said by FoMoCo: I installed the new Windows Defender tonight to give it a try. While I let it scan, NAV pops up with what you see in the pic. I have gotten the pop up before while surfing and NAV always killed it, but never seen it in C:\Program Files\Windows Media Player\wmplayer.exe.tmp. Question is, did NAV see the activity on this file because Defender was scanning it? Have not been *infected* in 5 years and PC was running great, so this kind of surprised me. Btw the tmp folder NAV said this was in is not there.
The alert from NAV states the file has been deleted from the computer. You can get more information in the logs about the file and the event.
 |
|
  planet
join:2001-11-05 Olmsted Falls, OH | There might be a backup of the file made by NAV as well. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to FoMoCo Google-ing 'wmplayer.exe.tmp' »www.google.com/search?hl=en&q=wm···e+Search
you'll find this file has been positively ID'd by the major AV vendors all with different 'names' for the 'virus'.
You would be wise to follow through the steps here: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance and if you find more malware that you cannot remove, begin a new topic in the Security Cleanup forum »Security Cleanup but only after following the pre-cleanup rules.
Good luck.
 |
|
  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI
| reply to FoMoCo That's the weird thing about this and it is why I posted, my system is and has been clean. Not new to security and run NAV, ad aware, spybot, script defender, crap cleaner and zone alarm pro behind a NAT. Something could have been hiding from me so I will go through it again, but I haven't seen any odd things happening at all. -- When life becomes a drag - floor it - Galaxie 500 |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| reply to FoMoCo This could be one of those times when your AV, in the past, has not been able to detect whatever you've got. Traditionally AV apps have been less capable of detecting Trojan type infections. When I first read this I was curious of the .tmp extension that showed being deleted. As Amy posted there is evidence that this could indeed be some sort of Trojan infection. It's possible that this has been on your computer for some time however your AV was either not capable of detecting it yet or perhaps you never did a full system scan for it to scan the file. I suppose what happened is that when you ran the new version of Windows Defender it scanned the file, which while it was being scanned by WD, your NAV then had a chance to scan it and now detected it.
It's possible NAV was updated and now was able to detect it or you're using a newer version of NAV that is better capable of detecting Trojan like activity.
One other thing is NAV typically uses a quarantine to store deleted files. You might check there or the NAV logs to see where the file might be. That is why it no longer showed in the tmp folder, because it has been deleted from there.
Perhaps now is a good time to do a full system scan, all files, with NAV. I'd also download the free Ewido and A2 scanners and give them a try as well. Might try some of the free online scans as well. |
|
  amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
·RoadRunner Cable
| reply to FoMoCo Here's a write up from CounterSpy which includes the file wmplayer exe tmp : »72.14.203.104/search?q=cache:kTj···lnk&cd=6
Because this threat 'may' disable security software you should consider running the Symantec Auto-Fix tool just to be sure your AV is in working order. Link: »https://www-secure.symantec.com/techsupp···ndex.jsp
 |
|
  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI
| reply to FoMoCo Always thought of myself as being pretty good about security but I guess things can get by anyone. I have a clone of this drive which, depending on how long this was on there, may be on that. I'll hook it up as a slave and see just what it is. Thanks for your input guys/gals. -- When life becomes a drag - floor it - Galaxie 500 |
|
  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI
| reply to FoMoCo Well, after looking in the backup of NAV and seeing the time stamp on what was going on, I had a talk with my kid. Knows to tell me if/when NAV or anything else pops up but *forgot*. System is clean, thankfully; now time for retraining of the kid. -- When life becomes a drag - floor it - Galaxie 500 |
|
  jbob Reach Out and Touch Someone Premium join:2004-04-26 Little Rock, AR
·Comcast
·AT&T Southwest
| said by FoMoCo: Well, after looking in the backup of NAV and seeing the time stamp on what was going on, I had a talk with my kid. Knows to tell me if/when NAV or anything else pops up but *forgot*. System is clean, thankfully; now time for retraining of the kid.
I wouldn't be too sure. According to the NAV popup dialog you posted, the offending file was in the C:\Program Files\Windows Media Player\ folder. If your kid had seen that popup warning before, and you had NAV set to auto delete any nasties, then the file should have been removed from that location. As the dialog you posted showed, it is not in a quarantined location.
Of course your kid could have told NAV to not do anything to the file when it popped up a dialog when he first saw it.
Again, I do not know all the facts or how your system is set up, but just in case!  |
|
  FoMoCo 466 C.I.D.
join:2001-01-10 Grand Rapids, MI | The file was in quarantine. |
|
  planet
join:2001-11-05 Olmsted Falls, OH | Sorry, never mind. |
|