VideoHelp Forum




  1. Member
    Join Date
    Jan 2004
    Location
    Australia
    I've had significant PC infection trouble recently, good programs suddenly connecting to sites in the US, one by one more of them trying to change settings to preload DLLs prior to all programs, etc. An example attempted connect as reported by my firewall - source port 1596 dest IP 205.234.175.175 dest port 80 which resolves to vip1.anycast.cachefly.com (by a purchased program, manufacturer confirmed this is completely invalid behaviour). Pity neither TREND nor Microsoft OneCare free scan ever detected anything - even though it was DEFINITELY infected.

    The only thing that fixed it - after a lot of backtracking and work - was a BIOS reset/upgrade and a low-level disk format (using manufacturer's tool) which blew away the MBR and partition table, and then re-install a fresh XP from scratch being careful to be disconnected from the internet and putting in place stringent firewall rules and antivirus etc first before installing any programs.

    The PC/router were quite locked down (very much so) to start with, and I'm in the IT game, so don't put it down to too much lack of knowledge.

    Anyway, I re-downloaded programs I use (including MPC) and installed them and then started to run them from a non-admin account, and the only one I had obvious trouble with was the fresh copy of MPC from sourceforge.

    Not saying it was the causal factor as yet. But I will say that a fully-updated TREND 2009 with settings-protection turned on blocks it with an error message "Program Library Injection" and it is trying to "configure windows so that a DLL is automatically loaded by some or all of your applications". If I deny the injection, it still appears to run so the library wouldn't appear to be needed for it to function. If I hadn't had settings change detection turned on in TREND I would never have known.

    No other programs that I have used over many years do this and certainly no others in the current set do.

    Hmm, any ideas why MPC would try to reconfigure Windows? I'd thought part of its beauty was it was standalone, no install.
  2. Always Watching guns1inger's Avatar
    Join Date
    Apr 2004
    Location
    Miskatonic U
    Have you considered that Trend might not be right? False positives are a common happening in our over-zealous, underwhelmingly gutless new age.
  3. Member
    Join Date
    Jan 2004
    Location
    Australia
    Only that it's consistent and then the behaviour starts to spread to other programs which says something.

    Perfectly good programs starting to try to connect to websites (when it isn't their function to use the web) also says something.

    No, Trend IS detecting anomalous behaviour.

    I wouldn't equate intestinal fortitude with being happy with an infected PC at this point. Give me your credit card and bank account PIN numbers ... I think you see the point.
  4. Always Watching guns1inger's Avatar
    Join Date
    Apr 2004
    Location
    Miskatonic U
    So it has started to spread again since the re-format/install, or only MPC is still doing it?
  5. Member
    Join Date
    Jan 2004
    Location
    Australia
    Thanks for enquiring, no spread just yet, only MPC and I'm blocking the injection. It was doing that just prior to the increasingly drastic actions to mitigate it, resulting in the reinstall.

    Prior to that I'd dumbly allowed "yes" to permit it. For example, it got at HCenc which started wanting to inject a library too (and now it doesn't since a fresh download and the XP reinstall). Other programs too, e.g. VideoReDo gained the same behaviour before and after VideoReDo doesn't really need to connect to vip1.anycast.cachefly.com either.
  6. Always Watching guns1inger's Avatar
    Join Date
    Apr 2004
    Location
    Miskatonic U
    Kill it, and try downloading an older version from Baldrick's personal library -> https://www.videohelp.com/tools/Media_Player_Classic/old-versions#download or try MPC HC
  7. Member
    Join Date
    Jan 2004
    Location
    Australia
    OK.

    Now, there's a funny thing. Even mplayerc_20080127.zip does it as does MPC HC.

    Not saying it's a culprit, it's just unusual that it does try to inject a dll to be loaded by windows prior to other programs - no other program does it that I've come across. And that, later on, other programs start to do that too (see above).
  8. Member
    Join Date
    Jan 2004
    Location
    Australia
    I don't think it may be the culprit necessarily, on the basis of what I thought I saw with another app, on whether msvcp71.dll and msvcr71.dll are pre-loaded by another application or not...

    Is there any way to determine from an .exe what its DLL dependencies are without running it?
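On the question in post 8 of reading an .exe's DLL dependencies without running it: the following is an added example, not code from the thread or from any program it mentions. It reads the PE import table straight from the file bytes; the function names `imported_dlls` and `build_sample_pe` are hypothetical, and the sample image is constructed inline so the block runs offline.

```python
import struct

def imported_dlls(pe):
    """Return DLL names from a PE import table by parsing bytes only; nothing is executed."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew -> "PE\0\0"
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                         # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+ data directories
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]   # directory entry 1 = imports
    secs = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i) for i in range(nsec)]

    def offset(rva):                                      # RVA -> file offset
        for vsize, va, rawsize, rawptr in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    dlls, pos = [], offset(imp_rva) if imp_rva else None
    while pos is not None:
        name_rva = struct.unpack_from("<12xI", pe, pos)[0]  # descriptor Name field
        if name_rva == 0:                                   # all-zero terminator
            break
        start = offset(name_rva)
        dlls.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
        pos += 20                                           # next 20-byte descriptor
    return dlls

def build_sample_pe(dlls):
    """Constructed sample: minimal PE32 image with a single .idata section."""
    table, names = b"", b""
    name_base = 0x1000 + 20 * (len(dlls) + 1)
    for d in dlls:
        table += struct.pack("<5I", 0, 0, 0, name_base + len(names), 0)
        names += d.encode() + b"\0"
    idata = (table + bytes(20) + names).ljust(0x200, b"\0")
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I8xII", opt, 92, 16, 0x1000, len(table) + 20)  # import directory
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, 1, 224, 0x0102)
    sec = struct.pack("<8s4I16x", b".idata", 0x200, 0x1000, 0x200, 0x200)
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + idata

SAMPLE = build_sample_pe(["KERNEL32.dll", "msvcr71.dll", "msvcp71.dll"])  # constructed names
print(imported_dlls(SAMPLE))
```

This lists only the static import table. DLLs a program loads at runtime, delay-loaded imports, and anything loaded because of a system-wide setting do not appear in it.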
  9. Member
    Join Date
    Jan 2004
    Location
    Australia
    Well, after a lot of reformatting and re-installing, it appears that not installing ffdshow (from the ffdshow tryouts in sourceforge) in the first place gets rid of the "library injection" error in MPC and HCenc etc... Went back to using the plain (new) xvid and other individual reliable codecs.

    Not saying it's the cause of the infection issue I had - causing programs to connect to foreign web sites - however it does at least do away with the "library injection" matter.