Does anyone know what these letters mean or where in the world did they come from?
At first i thought it was a virus but i did a virus scan via avast and it found absolutely nothing. Btw i re installed windows couple of days ago.
Thanks
[IMG]Uploaded with ImageShack.us[/IMG]
Looks like some type of downloaded item seen as a result of media playback and retrieving content from the web. The options for WMP allow you to uncheck the automatically retrieve item to prevent download of jpeg image for album covers, etc.
You'll notice the ArtG818 folder name under "C:\users\" was created for WMP. Disabling that item checking off the box there and disabling the automatic download option in WMP should clear that up for you.
The garbled name and mfr are often associated with malware - character sets don't always translate well.
It isn't ticked now, but it must have been enabled at some time.
Run a full scan with Malwarebytes
What AV do you use? Make sure it's up to date, running real-time and scheduled to scan. Check for any exlcusions - normally none.
That can't be ruled out especially seeing the "WMPlayerd.exe" file under the user account instead of simply finding wmplayer.exe in the "C:\Program Files(x86)\Windows Media Player folder where it belongs. The only thing found as far as any malware however is a worm that substitutes itself for the original exe file not the one seen under users. wmplayer.exe (Agobot-Bm Worm) – Details
When you did the clean install of Windows was that before or after you ran the scan with Avast? If you were hit by a bug and were seeing the usual problems and decided to perform a clean install it seems like you were unaware of why you were having them beforehand and now should be able to manually delete that particular item. Once removed you can then use the MSConfig Cleanup Utility. to see that item removed from the list of startup items. MsConfig_Cleanup_Utility
Looks like it may be malware to me as well (manufacturer's name shouldn't get discombobulated like that either).
I'd try uploading to VirusTotal for a quick check: https://www.virustotal.com/
The "wmplayerd" noting the D part would seem to make that look supicious. But there are some other things to know as well.
Finding Windows Media Player folder under the users folder isn't unusual if you had elected to install the older version of WMP like 9 for example. That would be seen as it is there under "C:\users\ArtG818\Windows Media Player\" and not something else like "C:\users\users\Windows Media Player" as one source outlined the Fake Windows Media Player virus back in 2011.
For getting some web protection on since Avast isn't cutting it however you can start off with the WOT(Web Of Trust) free addon for IE, FireFox, and other browsers is another item that offers privacy ratings on sites when running a search. That won't be an additional toolbar however but an icon seen on the upper right corner of the browser window.
Nighthawk: I also found this on SpywareRemove
The WMPlayerd.exe file is installed and associated with Worm:Win32/Rebhip.A. This entry has been reported 9 times.It, whatever it is, doesn't seem to be very prevalent. The search results for wmplayerd was only a few items.
I normally don't depend on any "spyware" sites as they tend to be fluff, marketing, or are as bad as malware. Information is fine. The major vendors are the best sources for protection and removal.
I agree that the file should beremovedisolated (rename wmplayerd.exe wmplayerd_X.ex0 in a command prompt), but unless the bug is squashed, the file and startup item might return ("Spoc you state the obvious!")
Follow F5ing's advice and or get and run WDO. Once you know your system is free of bugs, you can sleep better.
Bill
.
That was one reason for wanting to research the alterred file name before shouting any bug alert initially to see just what was going on there. The presence of this particular media player with the D added into the wmplayer.exe name would have to determined as a downloaded "bug in disguise" as many are shows the system was infected when going to download the fake player.
Just like many scam wares the initial user interaction is required before the snare is reveiled. When you click on the wrong link and get slammed with something you then know it was just that a snare of some type. This type of worm is more of a bombshell rather then the self replicating I-Worm type however where only one Windows install ends up being trashed.
This is why I was waiting to ask ArtG818 if he remembered going for any media players before or after the reinstall or repair of Windows since if this was before that the Upgrade to Repair would be what kept the entry in the msconfig over a totally fresh install with a new registry and no bug to report except for it being left sitting on the drive idle.
Removing it as well as seeing a different level of protection put on the system would be the move now. If he wants ArtG818 can dump Avast and try out the 30 day trial of VIPRE Internet Security 2013 which includes web filtering to avoid the type of sites this bug came from as part of the active firewall protection. Free Antivirus Trial and Antivirus Download | VIPRE Antivirus
Alll you do there is provide the email address to receive the 30 day key to run the full version which will remove all sorts of bugs even any hidden inside zip and rar files on any second storage drive. It runs in the background with any scheduled scans and you won't even notive it on.
When I posted yesterday I neglected to include what I had found on SpywareRemove.com. Guess I could've at least mentioned it, but it's a site I've not really developed any trust for. As Slartybart mentions the info provided can be useful even if you know or suspect the site to be somewhat shady, but typically I'll try to confirm its validity against other sources. In this case I could find no other info about that filename.
Even so, I think it's best to consider it as malware until you can confirm otherwise. That requires some action on your part. To start with you can follow the advice already posted and report your findings here in this thread.
ArtG818, Nighthawk & F5ing:
I guess I should throttle back the information I post, especially re: viruses or suspected viruses. I try to qualify the information, but people with less computer experience might not understand. As you said, F5ing, try to confirm with other sources.
Anyway, I'm sorry if I put you in panic mode Art. I think everyone posting here is saying "It might be a bug, or it might not be a bug" Hawk gives some good advice, as does F5.
I'll make this promise.
If I think it's a dangerous bug, I'll speak up with something like
The sky is falling, the sky is falling
no wait.... that won't work, that was a false alarm in the story.
You can use cCleaner to remove that entry from your startup list. This won't rename or remove the odd file from your Appdata\Roaming\Windows Media Player\ folder. It only removes the name of the item from the Startup list.
You should still take action on the file. Does WMPlayerd.exe still exist?
.
Quote