Solved

Upon bootup, Windows Installer attempted to install "XMPDLIB.exe" -- what is this???

Posted on 2006-07-08
Last Modified: 2008-01-09

Hello, Experts!

This morning when my computer booted up, the Windows Installer launched and began to install "XMPDLIB.exe". Wary of spyware, etc., I cancelled the install. When I search on Google, et al, I cannot find a single mention of this file. I would think if it were an auto-update from Windows, there'd be some mention of it somewhere.

I had not been in the middle of installing anything when I shut down. I had chosen to hard-reboot (using the power button) because my computer had become unresponsive during normal operation. My son had been using my computer earlier in the evening to look for PSP cheat codes on a site called "gamespot.com", which is why I was especially concerned about some kind of drive-by malware install. But it's strange that there's not a single instance of that file anywhere on the internet that I can find. For what it's worth, that web site came up clean on my SiteAdvisor.

BTW, the system is WinXP Pro with both IE and Firefox installed, so I'm not sure which my son was using. FF is the default but I may have had an IE window open that he used... if that even matters.

Any help is appreciated. Thanks!

Jill
Question by: pearsonpartners

Expert Comment by: Jonvee (LVL 27)
Jill,
You could try downloading and running this free version of Ewido anti-malware, designed with Win XP in mind. Update first, then scan in Safe mode:
http://www.ewido.net/en/download/

Expert Comment by: Jonvee (LVL 27)
Have you already checked for viruses?
If not, you could try at least two of these four free virus scanners, as no one scanner can guarantee finding & fixing everything. The AVG (grisoft) is particularly good:
http://www.grisoft.com/us/us_dwnl_free.php
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://housecall.trendmicro.com
http://www.avast.com/i_kat_207.php?lang=ENG

Expert Comment by: Jonvee (LVL 27)
Have you run any of these three tools, Adaware, Spybot, and a-squared Free?  
Highly recommended for Malware if you still have the problem.  First check for New updates then download them before scanning.  Post back if you have further queries:

Ad-Aware SE Personal v1.06: http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html
Spybot-Search & Destroy 1.4: http://www.majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html
a-squared Free: http://www.emsisoft.com/en/software/free/

Expert Comment by: Jonvee (LVL 27)
Have similarly been unable as yet to find anything on "XMPDLIB.exe", it does seem we're on the right track!
In the unlikely event of 1 or 2 of the scanners above not removing the "problem" we can resort to HijackThis, and give you the appropriate advice.

Expert Comment by: wolfteeth (LVL 3)
I think the easy way is to use msconfig.exe first, try to see what kind of unknown service is running, and what kind of unknown program is launching, if so, please remove and stop it.
Second, try to uninstall SP2 and reinstall it again.

Author Comment by: pearsonpartners
Thanks, everyone, for such fast and helpful responses!

I actually have both SpybotSD and Adaware installed and running, as well as NIS2004 (NAV updated with latest definitions on 7/1/06), and even SiteAdvisor (on both IE and FF) which helps to point out "dangerous" web sites (though not foolproof since it's a volunteer comment system, as you probably know.) With all that running, I'd be really disappointed if I picked up something along the way.

Nevertheless, I did run a manual scan using Spybot, Adaware and NIS.

- SpybotSD came up with DSOExploit, which I "fixed". I've seen this before and believe it's just warning me about a security hole in WinXP. (?)
- Adaware came up with nothing.
- NIS/NAV came up with adware.medload, specifically amm06.ocx. Clicking the link leads to a page describing this as a popup launcher. I "fixed" that also using NAV.

Nothing came up related to that XMPDLIB.exe. Whatever it was, perhaps I thwarted it by cancelling the install right away?

So weird that there's no mention of it anywhere. I'm positive I got the name right because I typed it into notepad right away while the install dialog box was open.

I'll leave this open for a little while longer in case anyone has heard of this particular file.

Do you still recommend that I run any of the other programs mentioned above, and/or HijackThis?

Author Comment by: pearsonpartners
Well it took me so long to write the above message that I crossed with wolfteeth.

I checked msconfig and nothing unfamiliar is running, either as a startup item or as a service (same thing with my running processes using ctrl-alt-del.)

I'll reboot and see if this thing comes up again. Thanks much, in the meantime.

Jill


Accepted Solution by: Jonvee (LVL 27, earned 400 total points)
Good regarding SpybotSD and Adaware.
>perhaps I thwarted it by cancelling the install right away?<  Yes, it's possible.
>I'll leave this open for a little while longer<  Ok, that's fine.

Another idea is to download and run the small utility Process Explorer version 10.0 to show a list of your currently active processes, monitoring them throughout the whole period, and hopefully spotting XMPDLIB.exe *if* it still exists.
It has been described as an advanced process management utility that picks up where Task Manager leaves off:
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

You may at this point wish to hold off with the virus scanners, but *if* you've seen XMPDLIB (above) and you feel comfortable about using HijackThis, it would be a good idea to use it.

A little 'advice' >>
Download, install and run HijackThis ( v1.99.0 ) from here, instructions included:
http://www.majorgeeks.com/download3155.html

You may like to confirm whether you have used HijackThis before?  If no, it's worth following the guidelines below as it's a rather powerful tool.
You should create a folder where you would like the HijackThis file to reside, and run it from there, not from the Desktop or a temp folder. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. Temp folders get deleted, taking with them HJT's 'backups' of items that were 'fixed'.

Run Hijackthis scan, save the log file, then copy and paste the logfile to the site below and select 'analyze'.  
http://www.hijackthis.de/
Wait a minute or so for the analysis, then scroll to the bottom of that page and you'll see "save analysis". Click it, and the address you require is in your top Address bar. If you've used HijackThis before you'll know what to fix, but if you wish us to advise, copy and post that address here, and not the log please as it's too lengthy.

Expert Comment by: Jonvee (LVL 27)
>SpybotSD came up with DSOExploit<
For your information, "What is DSO Exploit?":
http://www.pchell.com/support/dsoexploit.shtml

Author Comment by: pearsonpartners
OK. I have spent the better part of the last six hours working on this. So much was awry this morning that it will take forever to read this – so sorry that this is so long!!

It all would seem to point to Windows doing an automatic update overnight, but control panel and security center are both telling me that the last windows update was 6/15/06.

I'll put a few things here in case others are searching for similar problems. I’m not asking for answers to any of these specifically – just posting as an overall picture of the problem(s).

When I came to the computer this morning, it was off. The computer had shut down overnight. When I turned it on, it said system had been shut down due to thermal failure and due to fan failure. I turned it back on. That’s when all the funny stuff started:

• Immediately upon bootup, it said the same "installing XMPDLib.exe". That ran quickly before I could catch it to cancel. I immediately hit ctrl-alt-delete and that application was running (the install.) I hit "go to process" and it highlighted msiexec.exe. Searching for that said it's windows' built in installer program, which makes sense, though I still have no idea what it was installing.
• Also running as the first-listed process was "wuaudt.exe", which google says "deals with instigating automatic updates for Windows." (Hmmm...)
• Immediately a box opened that said “Setting up personalized settings for: Themes Settings”
• Then I noticed all my desktop icons were showing, which had previously been set to not display. This is when I noticed that all kinds of basic windows settings had been reset to factory state
• Opened IE. Win Update page came up immediately asking if I want to check for updates. (Hmmm…)
• When I viewed windows update history, it says last update was 6/15/06
• IE home page reset to MSN.com (Hmmmm….)
• IE search page reset to msn’s search page (Hmmm…)
• Control panel set back to XP category view
• None of my Start menu shortcuts were there
• MS Office shortcut bar not there. When I clicked in the Programs menu to launch it, it went through the initial install process prior to launching.
• IE asked me if I want to turn on Auto-Complete
• Most alarming: the contents of My Documents, My Pictures and My Music were all EMPTY on the start menu shortcuts – causing more than a momentary panic, until I realized that the shortcuts had been reset to their default locations on C, whereas I had long ago relocated them to a second D hard drive. (whew)
• Balloon opened in task bar saying “Take a tour of the new Windows XP”
• When I clicked on Windows Media Player (Adaware had an option to launch a sound when it found a problem, so I clicked to hear the sound) – it said “Welcome to the New Windows Media Player 10” and asked me to go through the initial setup. [Could this all be due to an automatic update of WMP??]
• New “click” noise every time I open a menu or a folder. I fixed this in Sounds, and see that it had been reset to default sounds (“windows xp menu command” sound)
• Went to d/l Hijack This on MajorGeeks' site, per your suggestions above, and it automatically downloaded it without asking me for permission or location

Over the next two hours I ran Hijack This, Adaware (again), SpyBot SD (again), NAV (again) and installed and ran Spyware Blaster (per AdAware’s suggestion.) Posted my HT log to the site that MajorGeeks recommended (the german site) which didn’t highlight anything “nasty” only a few “unknown” which I recognize and the site visitors marked as safe (such as gotomypc, turbopasswords, acrobat, etc.)

AdAware came up this time with MediaMotor and Windupdates (after nothing last night.) I “fixed” both. However – when I click on Statistics, it shows that it came up with 4 instances of Zango,  0 removed. Scanned again and same thing. Zango doesn’t come up in the scan, but shows up in the detailed statistics. (What’s that about?)

SpyBot came up with MediaMotor and two instances alerting me that I had disabled Windows’ automatically notifying me of no firewall or antivirus (I use Norton.) I fixed MediaMotor.

NAV came up with nothing today, since the amm06.ocx had already been fixed by AdAware today.

Ran all four programs again and everything is coming up clean.

I set a system restore point to the post-clean point just in case.

I’ve never had a virus or spyware, so I’m not sure if all the above is classic behavior in such an instance. Any thoughts?

I also would think that Microsoft wouldn’t install a major update that would cause all of the above without a) my permission or b) at least informing me that an update had been installed – either with a dialog box or an entry in my Windows Updates history log. Now that I think of it, I do recall that there had been a yellow “updates waiting” icon in my task bar a few days ago, but it’s no longer there. (Hmmmm…)

For the past hour the computer is running OK. I've upgraded to the pro versions of all of my various virus / adware / spyware / MSware (kidding) programs to continually monitor for future problems.

Thanks for listening. If any of this saga sounds familiar to anyone, I’d appreciate hearing your thoughts!

Jill
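
The msiexec.exe that Jill found behind the install dialog is the Windows Installer service. It writes an event to the Application log (provider MsiInstaller) for every product it installs, removes or fails on, and registers each product under the Uninstall keys with its publisher and install location, so an unexpected install can be traced to a product rather than guessed from a file name. The PowerShell below is an added example for this thread, not code from the thread, from Microsoft or from any tool named here; it assumes a Windows host running Windows PowerShell 3 or later (or PowerShell 7), and the 7-day window and the search pattern are arbitrary choices.

```powershell
# Added example, not from the thread: what has the Windows Installer service
# (msiexec.exe) installed recently, and which registered product does a file
# name belong to? Assumes Windows PowerShell 3+ or PowerShell 7 on Windows.

# Events written by the MsiInstaller provider: product installs, removals and
# failures, each with the product name in the message text.
function Get-RecentMsiActivity {
    param([int]$Days = 7)   # 7 days is an arbitrary default window

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = $_.UserId          # SID of the account the install ran as
                Message = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

# Registered products: Windows Installer writes DisplayName, Publisher,
# InstallSource and InstallLocation under the Uninstall keys. Match a pattern
# against the name and both path fields so a bare file name (such as the one
# shown in an install dialog) can be traced to the product that shipped it.
function Find-InstalledProductByName {
    param([Parameter(Mandatory = $true)][string]$Pattern)

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.DisplayName     -match $Pattern) -or
            ($_.InstallSource   -match $Pattern) -or
            ($_.InstallLocation -match $Pattern)
        } |
        Select-Object DisplayName, Publisher, InstallDate, InstallSource, InstallLocation
}

Get-RecentMsiActivity -Days 7 | Format-Table Time, Id, User, Message -AutoSize -Wrap
# The pattern is a regular expression; this one covers both names from the thread.
Find-InstalledProductByName -Pattern 'XMPDLib|Napster' | Format-List
```

The event message names the product, not the individual files in its package, which is exactly why a file name alone turns up nothing in a web search: once the product is known, its InstallLocation is where the file should be found, and a product whose Publisher field is empty or whose InstallSource points at a temp folder deserves a closer look. Installs that run on the next reboot, as this one did, still appear in the log with the boot-time timestamp.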

Author Comment by: pearsonpartners
I should add that I just tried to open Outlook, and it has reverted to first-install state. It's asking me to set up Outlook, email accounts, etc. I've lost all my settings, signature, folder shortcuts, etc. I'm also getting that nasty "3rd party app trying to access your outlook mailbox" -- when I click on new message.

Now I'm wondering if MSOffice updated itself?

Expert Comment by: Jonvee (LVL 27)
Thanks for the comprehensive report.  
   >4 instances of Zango<  
Still pondering over this one, having found a reference to "Adware.ZangoSearch".  
Not yet sure if this is the problem and it's being studied at this moment:

http://www.symantec.com/avcenter/venc/data/adware.zangosearch.html

Author Comment by: pearsonpartners
Thanks, Jonvee. Keep me posted if you figure out anything. I had run a search of the registry earlier and found no instances of any of the zango-related files listed in the various removal pages I found on the internet. Perhaps the "statistics" page is citing a previous finding of Zango files that it subsequently had removed. (Even though it says 0 removed... maybe it quarantined them?)

Jill

Expert Comment by: Jonvee (LVL 27)
Reference previous article, what happens if you follow the instructions in sub-heading "4. To delete the value from the registry"?

Click Start > Run and type regedit, then click OK.

Does the registry actually open for editing? Please do *not* attempt any deletions, this is simply to confirm if the registry editor can be opened. The text in the above article explains why.
If it opens, you may like to navigate to the subkey below, to see if the values compare with those quoted in 4d. Repeat, do *not* delete anything.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Author Comment by: pearsonpartners
Hi, Jonvee. None of those files exist in my registry. That's why I think it was already deleted or quarantined by one of my programs. Silly that one has to run 5 different programs to catch all these little buggers.

Thanks for your continued helpfulness!!

Expert Comment by: Jonvee (LVL 27)
That's good news, and yes I agree with your later comments but guess that's the way that progress has taken us!
Incidentally, if you go to Control panel > Add/Remove progs, is there any reference to "Zango search tool"? For this see sub-heading "2. To uninstall the security risk". Thanks.

Author Comment by: pearsonpartners
Nope, there's not. I don't see it anywhere in my programs, in my installed (add/remove) programs, in my registry, in my "manage add-ins" in IE, and it's no longer coming up in any of my scanning programs. Weird.
 

Author Comment by: pearsonpartners
I probably should have mentioned that it's not in msconfig or in my processes, either.

Expert Comment by: Jonvee (LVL 27)
Ok.   Well again it's well past the midnight hour out here.  Need some sleep.  Will check back in here in the morning.
Suggest you continue monitoring and consider a further rescan(s).
 
If the problem returns(or remains unresolved?) and you get no further useful comments here, one idea is for you to post a pointer question (worth 20 points) in the "Windows Security Resource Channel" topic area, with a link to this thread number WinXP/Q_21912540.html.   This will give you input from 'anti-virus/malware experts' active in that other area. You could get a quicker response, and if successful have your 20 points returned later.

Expert Comment by: Jonvee (LVL 27)
If you still have a problem and it's present each time you reboot, it's conceivable you have a persistent rootkit associated with malware.  
RootkitRevealer is an advanced rootkit detection utility.  Full details included.  You may wish to install, run and test it:
http://www.sysinternals.com/Utilities/RootkitRevealer.html

If nothing is seen, another suggestion is to download and run Autoruns.
Quoted as a utility which has the most comprehensive knowledge of auto-starting locations of any startup monitor.  
If you don't want an entry to activate the next time you boot or login you can either disable or delete it.
You could see if it locates any references to a "Zango search tool" or any 'unknown' exe file.
Straightforward to operate, it has a brief Help file:
http://www.sysinternals.com/Utilities/Autoruns.html
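
Jonvee's two suggestions, reading the HKLM Run key without deleting anything and then letting Autoruns look for an unknown exe, can be done from a script that only reads. The PowerShell below is an added example for this thread, not code from the thread or from Sysinternals; it covers the four classic Run/RunOnce keys (Autoruns covers far more locations), assumes Windows PowerShell 3 or later on a Windows host, and the Resolve-CommandPath helper and the "flag anything missing or not validly signed" rule are my own choices, not a published standard.

```powershell
# Added example, not from the thread and not Sysinternals code: list the
# Run/RunOnce autostart values, resolve each command line to its executable,
# and flag entries whose file is missing or whose Authenticode signature is
# not valid. Assumes Windows PowerShell 3+ on a Windows host.

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\WINDOWS\system32\bar.exe -x
function Resolve-CommandPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        # Quoted path: everything up to the closing quote
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: the shortest prefix ending in .exe, else the first token
    $m = [regex]::Match($expanded, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip PowerShell's own bookkeeping properties (PSPath, PSParentPath, ...)
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $exe    = Resolve-CommandPath $_.Value
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Key      = $key
                Name     = $_.Name
                Command  = $_.Value
                Exe      = $exe
                Exists   = $exists
                SigState = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
                Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Entries to look at first: the file is gone, or it is unsigned or badly signed.
Get-AutostartEntries |
    Where-Object { -not $_.Exists -or $_.SigState -ne 'Valid' } |
    Format-Table Key, Name, Exe, SigState, Signer -AutoSize -Wrap
```

Two caveats a reader should keep in mind. A NotSigned result is a prompt to look, not a verdict: on older Windows releases many operating-system files are signed through catalogs that Get-AuthenticodeSignature does not consult, and plenty of legitimate third-party software was never signed at all. Conversely, a value that launches rundll32.exe or a script host resolves to a validly signed Microsoft binary, so the Command column, not only the Exe column, is what to read for those entries.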

Author Comment by: pearsonpartners
Hi, Jonvee. Well, the day after all of the above, my computer totally fried. Literally. It completely froze in the middle of working, and I couldn't even bring up the task manager w/ control alt delete. So I turned it off with the power button, then back on. When it powered on, during the dos boot it said Alert: fan failure, Alert: thermal failure, Alert: voltage failure, press F1 to continue (which I did.) About ten minutes later, suddenly it shut off and I smelled a burning smell. The box was not hot or even unusually warm. Then it would not power on at all.... no lights, no noise, nothing.

I have Dell on their way to repair it. They were out yesterday but the power supply they sent was defective. All it did was race the fan and burn itself out in a matter of seconds, including the motherboard. The technician, luckily, was at the helm as all of this happened. They're coming out again on Monday.

I have no idea if this is related to my problems -- didn't think anything software-related (such as virus, etc.) could affect hardware, but maybe it can control the operation of the fan, and other thermal related things, thus causing an overheat???

I'll keep you posted in a few days.

Thanks again for all of your help,

Jill

Expert Comment by: Jonvee (LVL 27)
Thanks for the comprehensive report, sorry to hear about your computer mishap.
Maybe coincidentally a fan failure had caused CPU (or PSU) to fail, in turn taking out the fuse(s). Was there perhaps any *slight* overheating smell when your computer first became unresponsive on 07/08, or were there any grinding sounds (fan bearing)?

>power supply they sent was defective<
May well have been that damage to the mobo or some other 'hefty component' took out Dell's new replacement PSU, rather than the new PSU being faulty on arrival.
Hopefully the techie can give you a final report?

Good luck on Monday, it would be useful if you could report back again after the Dell guy has completed.

After repair, and should you wish to monitor CPU or any other temperature(s), or driver details, or even get advice on driver updates, an ideal utility is the Lavalys "EVEREST Free Edition 2.20", from here:
http://www.majorgeeks.com/EVEREST_Free_Edition_d4181.html

Assisted Solution by: Dave-sysadm (LVL 1, earned 100 total points)
Hi, this happened to me today. This is a result of updating Napster yesterday. The XMDPlib.dll is in the napster folder. It installs after reboot, hence your son shut your PC down after updated, and you booted it up, and it installs.

Hope this helps.

Author Comment by: pearsonpartners
Thanks, Dave. In this era of virus and spyware paranoia, it's surprising that a program manufacturer would have an installation set up like that, to install a component automatically upon reboot, with no warning as to what the component was related to. I had indeed been forced to upgrade Napster when I tried to launch it one day. Still no search results for XMPDLib, other than a few pointing to this question thread.

Jonvee, thanks so much for all of your help. I am awaiting a replacement system from Dell after they had technicians out three times without being able to repair the problem(s). I'll be busy reinstalling programs and resurrecting data for quite some time, I'm sure!

Take care,

Jill

Expert Comment by: Jonvee (LVL 27)
Jill

Have only just logged on after five days off-line.   Thanks for reporting back, you certainly have had problems!
Good luck recovering your data.   And for that unexpected award, thank you!

Jonvee

Author Comment by: pearsonpartners
Well you took so much time to help me, and were so thorough, I thought you deserved it!

Thanks,

Jill

Expert Comment by: FWLeigh
So I guess it's ok to let this install run? I also have napster and just got the update. I've been following this thread since it's the only one that comes up on google. I also noticed today that someone asked about it on yahoo answers but with all the details you get here. They also tracked it back to napster and since I just updated mine before getting the XMPDLib install, it looks like that really is the cause.

It sounds like it's legit. I'd rather not let it run, but napster doesn't open without it. So I guess the problem is solved, no need to be worried?
0
 

Author Comment

by:pearsonpartners
Comment Utility
FW -- I believe that my problems were probably always there. When I saw the XMPDLib trying to self-install, not remembering that I had recently updated Napster, my spyware-paranoia kicked in. Then when I started running all these many spyware/adware/malware programs and saw many things being identified, I was off on a journey of uninstalling, cleaning, and removing things that were probably there all along and I hadn't noticed them.

I am not an expert on this subject [experts, chime in here!] but I wouldn't expect that Napster would install anything dangerous (if indeed the XMPDLib is part of the recent Napster upgrade.)

I don't think my hardware issues were related, and just came along at a coincidental time. Such is life with computers these days! The Dell technician said my fan had gone bad. Thankfully, despite the faulty fan burning out the motherboard and processor, my hard drives were unaffected and all of my data is intact. Lesson learned: back up nightly!!!! I had gotten lazy and my last backup was two months ago.

Just to be on the safe side, if I were you, I'd call Napster and ask them to confirm that this XMPDLib is a part of their installation package.

Jill