Posted 21 May 2005 - 12:01 AM
Last night I visited a website and picked up something called vuuqlf.exe. Ad-Aware alerted me it was trying to write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which I blocked. I went to my system32 folder on a hunch it would be there, and yes, it and an accompanying .dll were there, but I couldn't delete it until I booted into safe mode. After returning to normal Windows, I ran Ad-Aware, and Spybot, and both came up clean. Then I ran HJT and found a couple of things that weren't giving me trouble, but removed them anyway as they were residuals from an uninstall. I noticed that there was something from a Trusted Site, it was www.neededware.com, which I ignored for this scan until I could get more info.
When I opened IE, Sygate PFW alerted me that wmplayerndw30102lib.dll had been changed or was new (sorry, can't recall if it was new or changed). I chose not to allow and closed the browser, but then everything I tried to open after that, like my messengers (so I could enlist a friend's help to do some research), brought the same alert from Sygate regarding the same .dll. I am trying to recall which order this happened, but at some point, Ad-Aware alerted me that the .dll I mentioned wanted to write to the registry (the same place vuuqlf.exe wanted to go). The only way I could get anywhere was to allow it and the .dll to load just so I could open a browser to find info and get help. Incidentally, no search engine had any results for that .dll or for vuuqlf.exe.
After allowing all this, I ran another set of scans, nothing from AA, or SBSD. HJT showed the wmplayer.exe in the start\run section where vuuqlf.exe had tried to write to (which I knew would be there because I had to allow it). From some info I read, I knew that the Trusted Site www.neededware.com had to go, so I went to the IE Internet Options, removed the site from the trusted list, and then had HJT fix the entry for it. Thinking I would be ok overnight, I went to bed. (ebil laughter commences)
This morning when I came back to the PC to renew my efforts, I discovered that IE (which was closed when I went to bed) had been started in the background and had been trying to connect to several websites, some of which were neededware.com, ncontextmedia.com, and there were two more I didn't catch the name of. I ran a set of scans, nothing from AA or SBSD, and HJT revealed the trusted site again, so I fixed it, again...and then went to IE options and removed it from the list...again, but thought I'd get smart and add it and the other websites to the restricted list this time.
So this is where I am in the stage. When I close IE and the system goes idle, after a few minutes, IE opens in the background and tries to connect to these sites, yet I can't find anything about them on my system, or what the parent baddie is. I don't know if vuuqlf.exe and neededware are bundled, or if they're separate. This wmplayerndw30102lib.dll doesn't seem right, and even though I did remove it from the start\run part of the registry, Ad-Aware said it wanted to write to it again, and I have blocked it, but the .dll is in the system32 folder and I can't delete it until I go to safe mode. I'm not sure if I need to, or if this is a legit file, as nothing came up about it in a search.
What should I do? In other topics that came up from this forum's search feature, it seems that all the replies for help start with downloading this Ewido application. I went to the dl page to get info on it, but it was vague, sounds like just another scanner to me. Any help here would be great, and thanks for reading my novel length post lol.