pearsonpartners asked:
Upon bootup, Windows Installer attempted to install "XMPDLIB.exe" -- what is this???

Hello, Experts!

This morning when my computer booted up, the Windows Installer launched and began to install "XMPDLIB.exe". Wary of spyware, etc., I cancelled the install. When I search on Google, et al, I cannot find a single mention of this file. I would think if it were an auto-update from Windows, there'd be some mention of it somewhere.

I had not been in the middle of installing anything when I shut down. I had chosen to hard-reboot (using the power button) because my computer had become unresponsive during normal operation. My son had been using my computer earlier in the evening to look for PSP cheat codes on a site called "gamespot.com", which is why I was especially concerned about some kind of drive-by malware install. But it's strange that there's not a single instance of that file anywhere on the internet that I can find. For what it's worth, that web site came up clean on my SiteAdvisor.

BTW, the system is WinXP Pro with both IE and FireFox installed, so I'm not sure which my son was using. FF is the default but I may have had an IE window open that he used... if that even matters.

Any help is appreciated. Thanks!

Jill
Jonvee

Jill,
You could try downloading and running this free version of Ewido anti-malware, designed with Win XP in mind. Update first, then scan in Safe mode:
http://www.ewido.net/en/download/
Have you already checked for viruses?
If no, you could try at least two of these four free virus scanners, as no one scanner can guarantee finding & fixing everything. The AVG (grisoft) is particularly good:
http://www.grisoft.com/us/us_dwnl_free.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com
http://www.avast.com/i_kat_207.php?lang=ENG
Have you run any of these three tools, Adaware, Spybot, and a-squared Free?
Highly recommended for Malware if you still have the problem. First check for new updates then download them before scanning. Post back if you have further queries:

Ad-Aware SE Personal v1.06: http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
Spybot-Search & Destroy 1.4: http://www.majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html
a-squared Free: http://www.emsisoft.com/en/software/free/
Have similarly been unable as yet to find anything on "XMPDLIB.exe", it does seem we're on the right track!
In the unlikely event of 1 or 2 of the scanners above not removing the "problem" we can resort to HijackThis, and give you the appropriate advice.
I think the easy way is to use msconfig.exe first, try to see what kind of unknown service is running, and what kind of unknown program is launching, if so, please remove and stop it.
Second, try to uninstall SP2 and reinstall it again.
pearsonpartners (ASKER)
Thanks, everyone, for such fast and helpful responses!

I actually have both SpybotSD and Adaware installed and running, as well as NIS2004 (NAV updated with latest definitions on 7/1/06), and even SiteAdvisor (on both IE and FF) which helps to point out "dangerous" web sites (though not foolproof since it's a volunteer comment system, as you probably know.) With all that running, I'd be really disappointed if I picked up something along the way.

Nevertheless, I did run a manual scan using Spybot, Adaware and NIS.

- SpybotSD came up with DSOExploit, which I "fixed". I've seen this before and believe it's just warning me about a security hole in WinXP. (?)
- Adaware came up with nothing.
- NIS/NAV came up with adware.medload, specifically amm06.ocx. Clicking the link leads to a page describing this as a popup launcher. I "fixed" that also using NAV.

Nothing came up related to that XMPDLIB.exe. Whatever it was, perhaps I thwarted it by cancelling the install right away?

So weird that there's no mention of it anywhere. I'm positive I got the name right because I typed it into notepad right away while the install dialog box was open.

I'll leave this open for a little while longer in case anyone has heard of this particular file.

Do you still recommend that I run any of the other programs mentioned above, and/or HijackThis?
Well it took me so long to write the above message that I crossed with wolfteeth.

I checked msconfig and nothing unfamiliar is running, either as a startup item or as a service (same thing with my running processes using ctrl-alt-del.)

I'll reboot and see if this thing comes up again. Thanks much, in the meantime.

Jill

ASKER CERTIFIED SOLUTION
Jonvee
 >SpybotSD came up with DSOExploit<
For your information >   "What is DSO Exploit? ":
http://www.pchell.com/support/dsoexploit.shtml
OK. I have spent the better part of the last six hours working on this. So much was awry this morning that it will take forever to read this – so sorry that this is so long!!

It all would seem to point to Windows doing an automatic update overnight, but control panel and security center are both telling me that the last windows update was 6/15/06.

I'll put a few things here in case others are searching for similar problems. I’m not asking for answers to any of these specifically – just posting as an overall picture of the problem(s).

When I came to the computer this morning, it was off. The computer had shut down overnight. When I turned it on, it said system had been shut down due to thermal failure and due to fan failure. I turned it back on. That’s when all the funny stuff started:

• Immediately upon bootup, it said the same "installing XMPDLib.exe". That ran quickly before I could catch it to cancel. I immediately hit ctrl-alt-delete and that application was running (the install.) I hit "go to process" and it highlighted msiexec.exe. Searching for that said it's windows' built in installer program, which makes sense, though I still have no idea what it was installing.
• Also running as the first-listed process was "wuaudt.exe", which google says "deals with instigating automatic updates for Windows." (Hmmm...)
• Immediately a box opened that said "Setting up personalized settings for: Themes Settings"
• Then I noticed all my desktop icons were showing, which had previously been set to not display. This is when I noticed that all kinds of basic windows settings had been reset to factory state
• Opened IE. Win Update page came up immediately asking if I want to check for updates. (Hmmm...)
• When I viewed windows update history, it says last update was 6/15/06
• IE home page reset to MSN.com (Hmmmm....)
• IE search page reset to msn's search page (Hmmm...)
• Control panel set back to XP category view
• None of my Start menu shortcuts were there
• MS Office shortcut bar not there. When I clicked in the Programs menu to launch it, it went through the initial install process prior to launching.
• IE asked me if I want to turn on Auto-Complete
• Most alarming: the contents of My Documents, My Pictures and My Music were all EMPTY on the start menu shortcuts – causing more than a momentary panic, until I realized that the shortcuts had been reset to their default locations on C, whereas I had long ago relocated them to a second D hard drive. (whew)
• Balloon opened in task bar saying "Take a tour of the new Windows XP"
• When I clicked on Windows Media Player (Adaware had an option to launch a sound when it found a problem, so I clicked to hear the sound) – it said "Welcome to the New Windows Media Player 10" and asked me to go through the initial setup. [Could this all be due to an automatic update of WMP??]
• New "click" noise every time I open a menu or a folder. I fixed this in Sounds, and see that it had been reset to default sounds ("windows xp menu command" sound)
• Went to d/l Hijack This on MajorGeeks' site, per your suggestions above, and it automatically downloaded it without asking me for permission or location

Over the next two hours I ran Hijack This, Adaware (again), SpyBot SD (again), NAV (again) and installed and ran Spyware Blaster (per AdAware’s suggestion.) Posted my HT log to the site that MajorGeeks recommended (the german site) which didn’t highlight anything “nasty” only a few “unknown” which I recognize and the site visitors marked as safe (such as gotomypc, turbopasswords, acrobat, etc.)

AdAware came up this time with MediaMotor and Windupdates (after nothing last night.) I “fixed” both. However – when I click on Statistics, it shows that it came up with 4 instances of Zango,  0 removed. Scanned again and same thing. Zango doesn’t come up in the scan, but shows up in the detailed statistics. (What’s that about?)

SpyBot came up with MediaMotor and two instances alerting me that I had disabled Windows’ automatically notifying me of no firewall or antivirus (I use Norton.) I fixed MediaMotor.

NAV came up with nothing today, since the amm06.ocx had already been fixed by AdAware today.

Ran all four programs again and everything is coming up clean.

I set a system restore point to the post-clean point just in case.

I’ve never had a virus or spyware, so I’m not sure if all the above is classic behavior in such an instance. Any thoughts?

I also would think that Microsoft wouldn’t install a major update that would cause all of the above without a) my permission or b) at least informing me that an update had been installed – either with a dialog box or an entry in my Windows Updates history log. Now that I think of it, I do recall that there had been a yellow “updates waiting” icon in my task bar a few days ago, but it’s no longer there. (Hmmmm…)

For the past hour the computer is running OK. I've upgraded to the pro versions of all of my various virus / adware / spyware / MSware (kidding) programs to continually monitor for future problems.

Thanks for listening. If any of this saga sounds familiar to anyone, I’d appreciate hearing your thoughts!

Jill
I should add that I just tried to open Outlook, and it has reverted to first-install state. It's asking me to set up Outlook, email accounts, etc. I've lost all my settings, signature, folder shortcuts, etc. I'm also getting that nasty "3rd party app trying to access your outlook mailbox" -- when I click on new message.

Now I'm wondering if MSOffice updated itself?
Thanks for the comprehensive report.
>4 instances of Zango<
Still pondering over this one, having found a reference to "Adware.ZangoSearch".
Not yet sure if this is the problem and it's being studied at this moment:

http://www.symantec.com/avcenter/venc/data/adware.zangosearch.html
Thanks, Jonvee. Keep me posted if you figure out anything. I had run a search of the registry earlier and found no instances of any of the zango-related files listed in the various removal pages I found on the internet. Perhaps the "statistics" page is citing a previous finding of Zango files that it subsequently had removed. (Even though it says 0 removed... maybe it quarantined them?)

Jill
Reference previous article, what happens if you follow the instructions in sub-heading "4. To delete the value from the registry"?

Click Start > Run and type regedit, then click OK.

Does the registry actually open for editing? Please do *not* attempt any deletions, this is simply to confirm if the registry editor can be opened. The text in the above article explains why.
If it opens, you may like to navigate to the subkey below, to see if the values compare with those quoted in 4d. Repeat, do *not* delete anything.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Hi, Jonvee. None of those files exist in my registry. That's why I think it was already deleted or quarantined by one of my programs. Silly that one has to run 5 different programs to catch all these little buggers.

Thanks for your continued helpfulness!!
That's good news, and yes I agree with your later comments but guess that's the way that progress has taken us!
Incidentally, if you go to Control panel > Add/Remove progs, is there any reference to "Zango search tool"? For this see sub-heading "2. To uninstall the security risk". Thanks.
Nope, there's not. I don't see it anywhere in my programs, in my installed (add/remove) programs, in my registry, in my "manage add-ins" in IE, and it's no longer coming up in any of my scanning programs. Weird.
 
I probably should have mentioned that it's not in msconfig or in my processes, either.
Ok. Well again it's well past the midnight hour out here. Need some sleep. Will check back in here in the morning.
Suggest you continue monitoring and consider a further rescan(s).

If the problem returns (or remains unresolved?) and you get no further useful comments here, one idea is for you to post a pointer question (worth 20 points) in the "Windows Security Resource Channel" topic area, with a link to this thread number WinXP/Q_21912540.html. This will give you input from 'anti-virus/malware experts' active in that other area. You could get a quicker response, and if successful have your 20 points returned later.
If you still have a problem and it's present each time you reboot, it's conceivable you have a persistent rootkit associated with malware.
RootkitRevealer is an advanced rootkit detection utility. Full details included. You may wish to install, run and test it:
http://www.sysinternals.com/Utilities/RootkitRevealer.html

If nothing is seen, another suggestion is to download and run Autoruns.
Quoted as a utility which has the most comprehensive knowledge of auto-starting locations of any startup monitor.  
If you don't want an entry to activate the next time you boot or login you can either disable or delete it.
You could see if it locates any references to a "Zango search tool" or any 'unknown' exe file.
Straightforward to operate, it has a brief Help file:
http://www.sysinternals.com/Utilities/Autoruns.html
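The two checks Jonvee describes in this thread, inspecting the Run key for unfamiliar entries and using Autoruns to find unknown autostart executables, can be scripted so the same review is repeatable, and the third section ties an unexplained msiexec.exe run back to the product that registered it. This is an added example, not code from the thread, from Jonvee or from Sysinternals. It assumes a current Windows with PowerShell (Get-WinEvent does not exist on Windows XP); the "trusted folder" heuristic and the 14-day window are assumptions chosen for the example, and an entry marked REVIEW is only a prompt to look closer, not a verdict. The script only reads; it changes nothing.

```powershell
# Added example: read-only review of autostart entries and recent installs.

# 1. Autostart locations: the Run/RunOnce keys Jonvee points at, for machine and user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption for this example: a target outside these folders, or one that
# no longer exists on disk, is worth a second look (not automatically bad).
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # PowerShell's own metadata
            $cmd = [string]$p.Value
            # Pull the executable out of the command line (quoted or bare).
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.ToLower().StartsWith($root)) { $inTrusted = $true }
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Exists  = $exists
                Trusted = $inTrusted
                Flag    = $(if (-not $exists -or -not $inTrusted) { 'REVIEW' } else { '' })
            }
        }
    }
}

# 2. Products registered in Add/Remove Programs, newest first, so an install
#    that ran at boot can be matched to the software that scheduled it.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RecentInstall {
    param([int]$Days = 14)
    # InstallDate is stored as a yyyyMMdd string, so string comparison orders it.
    $cutoff = (Get-Date).AddDays(-$Days).ToString('yyyyMMdd')
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $cutoff } |
        Sort-Object InstallDate -Descending |
        Select-Object DisplayName, InstallDate, Publisher, InstallSource, UninstallString
}

# 3. Windows Installer's own record of what msiexec.exe completed:
#    MsiInstaller event 1033 (product installed) and 11707 (install completed).
function Get-MsiInstallEvent {
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 1033, 11707
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Write-Host '== Autostart entries (REVIEW = target missing or outside Program Files/Windows) =='
Get-AutostartEntry | Format-Table Name, Flag, Command -AutoSize
Write-Host '== Products installed in the last 14 days =='
Get-RecentInstall | Format-Table -AutoSize
Write-Host '== Windows Installer completion events, last 14 days =='
Get-MsiInstallEvent | Format-Table -AutoSize
```

Run it from an elevated PowerShell so the HKLM hives and the Application log are readable. In the situation this thread describes, the third section is the one that answers "what was msiexec installing?": the MsiInstaller event names the product, and section 2 shows when that product (here, the Napster update the thread eventually points to) registered itself.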
Hi, Jonvee. Well, the day after all of the above, my computer totally fried. Literally. It completely froze in the middle of working, and I couldn't even bring up the task manager w/ control alt delete. So I turned it off with the power button, then back on. When it powered on, during the dos boot it said Alert: fan failure, Alert: thermal failure, Alert: voltage failure, press F1 to continue (which I did.) About ten minutes later, suddenly it shut off and I smelled a burning smell. The box was not hot or even unusually warm. Then it would not power on at all.... no lights, no noise, nothing.

I have Dell on their way to repair it. They were out yesterday but the power supply they sent was defective. All it did was race the fan and burn itself out in a matter of seconds, including the motherboard. The technician, luckily, was at the helm as all of this happened. They're coming out again on Monday.

I have no idea if this is related to my problems -- didn't think anything software-related (such as virus, etc.) could affect hardware, but maybe it can control the operation of the fan, and other thermal related things, thus causing an overheat???

I'll keep you posted in a few days.

Thanks again for all of your help,

Jill
Thanks for the comprehensive report, sorry to hear about your computer mishap.
Maybe coincidentally a fan failure had caused CPU (or PSU) to fail, in turn taking out the fuse(s). Was there perhaps any *slight* overheating smell when your computer first became unresponsive on 07/08, or were there any grinding sounds (fan bearing)?

>power supply they sent was defective<
May well have been that damage to the mobo or some other 'hefty component' took out Dell's new replacement PSU, rather than the new PSU being faulty on arrival.
Hopefully the techie can give you a final report?

Good luck on Monday, it would be useful if you could report back again after the Dell guy has completed.

After repair, and should you wish to monitor CPU or any other temperature(s), or driver details, or even get advice on driver updates, an ideal utility is the Lavalys "EVEREST Free Edition 2.20", from here:
http://www.majorgeeks.com/EVEREST_Free_Edition_d4181.html
SOLUTION
Thanks, Dave. In this era of virus and spyware paranoia, it's surprising that a program manufacturer would have an installation set up like that, to install a component automatically upon reboot, with no warning as to what the component was related to. I had indeed been forced to upgrade Napster when I tried to launch it one day. Still no search results for XMPDLib, other than a few pointing to this question thread.

Jonvee, thanks so much for all of your help. I am awaiting a replacement system from Dell after they had technicians out three times without being able to repair the problem(s). I'll be busy reinstalling programs and resurrecting data for quite some time, I'm sure!

Take care,

Jill
Jill

Have only just logged on after five days off-line. Thanks for reporting back, you certainly have had problems!
Good luck recovering your data. And for that unexpected award, thank you!

Jonvee
Well you took so much time to help me, and were so thorough, I thought you deserved it!

Thanks,

Jill
So I guess it's ok to let this install run? I also have napster and just got the update. I've been following this thread since it's the only one that comes up on google. I also noticed today that someone asked about it on yahoo answers but with all the details you get here. They also tracked it back to napster and since I just updated mine before getting the XMPDLib install, it looks like that really is the cause.

It sounds like it's legit. I'd rather not let it run, but napster doesn't open without it. So I guess the problem is solved, no need to be worried?
FW -- I believe that my problems were probably always there. When I saw the XMPDLib trying to self-install, not remembering that I had recently updated Napster, my spyware-paranoia kicked in. Then when I started running all these many spyware/adware/malware programs and saw many things being identified, I was off on a journey of uninstalling, cleaning, and removing things that were probably there all along and I hadn't noticed them.

I am not an expert on this subject [experts, chime in here!] but I wouldn't expect that Napster would install anything dangerous (if indeed the XMPDLib is part of the recent Napster upgrade.)

I don't think my hardware issues were related, and just came along at a coincidental time. Such is life with computers these days! The Dell technician said my fan had gone bad. Thankfully, despite the faulty fan burning out the motherboard and processor, my hard drives were unaffected and all of my data is intact. Lesson learned: back up nightly!!!! I had gotten lazy and my last backup was two months ago.

Just to be on the safe side, if I were you, I'd call Napster and ask them to confirm that this XMPDLib is a part of their installation package.

Jill