
anyone recognize these two?

899 Views 3 Replies 2 Participants Last post by  tetonbob
Old-school pc user, new around here. XP Home sp3

While attempting to clean a computer (relatively speaking) I ran into a few weird things that I was going to see if anyone could put a name to. Note: I am planning to reformat so this is really just for curiosity's sake. I found more issues than these two but between being on dial-up and not being exactly sure what to search for, I found little info on these 2 in particular...

1. I got Process Explorer and sure enough, I had a few bad processes running. I killed them and deleted files in safe mode but here is what puzzled me. The processes and files were named after other files found in that directory tree, specifically .wav files (I am a musician.)
HardHit.exe
FloorHit.exe
etc. as opposed to the original HardHit.wav and FloorHit.wav files (these were cymbal sounds from a free sound set). Anyway, I had no clue how to research these because of course HardHit.exe etc. all returned no search hits in Google or Altavista.

Of course now I am very sorry that I did ANYTHING before coming here btw!!

2. This one I could not seem to get any ground on. The original symptoms were that if I tried to play any video or mp3 file I got 3 successive pop-ups, each the same. It is a (I believe) Vista style window titled "Program Compability Assistant" yeah it is spelled wrong in the window, here is a screen shot of it...




Anyway, I didn't click the Download button. They came up in all 3 of my viewers, Media Player, Irfanview, and Nero Showtime.
My searches found a few similar cases but no resolutions. Often, people reply "you need to update your codecs" lol. After my (again sorry?!?) tinkering now the pop ups only come up for video files whereas mp3s get the real "missing codec" message in Media Player but actually play now in Irfanview. But the malware has also begun acting like shell extensions or something? Now when I just put my mouse over a video file, it will usually trigger the pop-ups without even clicking a button.
I was surprised not to see more forum posts in Google searches etc. about this as it seems pretty specific?!?

I also have the wdmaud.drv thing, the file for which I was able to delete for good in safe mode but I'm guessing there is still a dropper etc somewhere, not that that will matter for long. Got rid of Desktop Security 2010 and some others. Everything went south when a young girl was playing a Facebook game and apparently decided to try some clicking. The account got closed by Facebook and well, the fun began on this pc immediately following :(

Thanks in advance for any help. I am on dial-up so my reformat is going to be a drag. I used to do it about once every year or so but with XP sp3, ugh.
Status
Not open for further replies.
1 - 4 of 4 Posts
Without seeing detailed logs from the machine before you started removals, it's hard to say what was present, but those processes' naming convention reminds me of some autorun worms which created an exe in many system folders, using the folder name as the executable name. If the files are still present, you can upload them to VirusTotal or Jotti File Scan and see what the vendors have to say about them.

The image you've shown is consistent with a rogue such as the one you named and said you've removed.

If you're going to format, you may wish to consider building a slipstream installation disk which includes SP3. This assumes you're using an original MS Windows XP installation disk which already includes SP1 or SP2. That way, any future formats/reinstalls will not have the pain of the SP download over dialup.

Slipstream XP

http://www.lancelhoff.com/how-to-slipstream-service-pack-3-into-windows-xp/

http://www.webtree.ca/windowsxp/slipstream.htm

http://www.howtohaven.com/system/slipstream-xp-service-pack-3.shtml

Another option is to order the SP3 disk from Microsoft. It's available for a nominal fee.

http://support.microsoft.com/kb/322389#toorder

North America:

https://om2.one.microsoft.com/opa/V...-6b25-4f99-8913-3e3453ad966d&LocaleCode=en-us
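
The naming pattern discussed in this thread (an executable that copies the name of a sibling media file, or of its own folder) can be hunted for with a short triage script. This is an added example, not part of the original posts; the extension lists, function names and sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

EXE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Data types an executable has no business sharing a name with (assumed list).
DATA_EXTS = {".wav", ".mp3", ".avi", ".jpg", ".doc", ".txt"}


def find_lookalike_executables(root):
    """Return sorted (path, reason) pairs for executables whose base name
    copies a sibling data file or the folder that contains them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        data_by_stem = {}
        for name in files:
            p = Path(name)
            if p.suffix.lower() in DATA_EXTS:
                data_by_stem.setdefault(p.stem.lower(), []).append(name)
        for name in files:
            p = Path(name)
            if p.suffix.lower() not in EXE_EXTS:
                continue
            stem = p.stem.lower()
            if stem in data_by_stem:
                twins = ", ".join(sorted(data_by_stem[stem]))
                findings.append((str(folder / name), "shares name with " + twins))
            elif stem == folder.name.lower():
                findings.append((str(folder / name), "named after its folder"))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample tree: two names from the thread, the rest made up."""
    layout = {
        "Cymbals": ["HardHit.wav", "HardHit.exe", "FloorHit.wav",
                    "FloorHit.exe", "Ride.wav"],
        "Tools": ["Tools.exe", "setup.exe", "readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            Path(base, folder, name).write_bytes(b"")  # empty placeholders


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in find_lookalike_executables(tmp):
            print(f"{reason}: {path}")
```

Anything it flags is only a candidate: copy the file off the machine before deleting it so it can be uploaded to VirusTotal or Jotti as suggested above.
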
Many thanks for the fast reply. Unfortunately the only file I copied was the wdmaud.drv file. I added .bak to it to see if it would cease but it immediately re-wrote a new wdmaud.drv file. I was surprised that deleting it in Safe Mode overcame the re-write but I assumed that the problem was bigger than just that file.

I am still getting those popups. I even uploaded an avi from a camera and as soon as the mouse cursor went over it, up they came. So I guess the removal was only partial.

Many thanks also for the Slipstream tip. I have the original XP disc and a friend gave me sp1 and sp2 on two more discs. Maybe that will allow me to avoid the big download. Definitely need to order one of those to keep with this pc!
Cheers, glad to help.

wdmaud.drv is a legit file in Windows XP, and should be in \system32. Windows File Protection likely replaced it. There are some infections which hijack the registry loading point for that file, but we've not seen much activity with that infection of late.

Perhaps you'd like to try to clean the machine. If you do, follow the instructions here:

http://www.techsupportforum.com/f50...-posting-for-malware-removal-help-305963.html

After running through all the steps, please post the requested logs in the Virus/Trojan/Spyware Help forum, not here.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.