Request for advice please


2 replies to this topic

#1 Zamah


Posted 21 May 2005 - 12:01 AM

Last night I visited a website and picked up something called vuuqlf.exe. Ad-Aware alerted me it was trying to write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which I blocked. I went to my system32 folder on a hunch it would be there, and yes, it and an accompanying .dll were there, but I couldn't delete it until I booted into safe mode. After returning to normal windows, I ran Ad-Aware, and Spybot, and both came up clean. Then I ran HJT and found a couple of things that weren't giving me trouble, but removed them anyway as they were residuals from an uninstall. I noticed that there was something from a Trusted Site, it was www.neededware.com, which I ignored for this scan until I could get more info.

When I opened IE, Sygate PFW alerted me that wmplayerndw30102lib.dll had been changed or was new (sorry, can't recall if it was new or changed). I chose not to allow and closed the browser, but then everything I tried to open after that, like my messengers (so I could enlist a friend's help to do some research), brought the same alert from Sygate regarding the same .dll. I am trying to recall which order this happened, but at some point, Ad-Aware alerted me that the .dll I mentioned wanted to write to the registry (the same place vuuqlf.exe wanted to go). The only way I could get anywhere was to allow it and the .dll to load just so I could open a browser to find info and get help. Incidentally, no search engine had any results for that .dll or for vuuqlf.exe.

After allowing all this, I ran another set of scans, nothing from AA, or SBSD. HJT showed the wmplayer.exe in the start\run section where vuuqlf.exe had tried to write to (which I knew would be there because I had to allow it). From some info I read, I knew that the Trusted Site www.neededware.com had to go, so I went to the IE Internet Options, removed the site from the trusted list, and then had HJT fix the entry for it. Thinking I would be ok overnight, I went to bed. (ebil laughter commences)

This morning when I came back to the pc to renew my efforts, I discovered that IE (which was closed when I went to bed) had been started in the background and had been trying to connect to several websites, some of which were neededware.com, ncontextmedia.com, and there were two more I didn't catch the name of. I ran a set of scans, nothing from AA or SBSD, and HJT revealed the trusted site again, so I fixed it, again...and then went to IE options and removed it from the list...again, but thought I'd get smart and add it and the other websites to the restricted list this time.

So this is where I am in the stage. When I close IE and the system goes idle, after a few minutes, IE opens in the background and tries to connect to these sites, yet I can't find anything about them on my system, or what the parent baddie is. I don't know if vuuqlf.exe and neededware are bundled, or if they're separate. This wmplayerndw30102lib.dll doesn't seem right, and even though I did remove it from the start\run part of the registry, Ad-Aware said it wanted to write to it again, and I have blocked it, but the .dll is in the system32 folder and I can't delete it until I go to safe mode. I'm not sure if I need to, or if this is a legit file, as nothing came up about it in a search.

What should I do? In other topics that came up from this forum's search feature, it seems that all the replies for help start with downloading this Ewido application. I went to the dl page to get info on it, but it was vague, sounds like just another scanner to me. Any help here would be great, and thanks for reading my novel length post lol.
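A read-only check of the two places this post describes the infection returning to (the Run key and the IE Trusted Sites list), added here as an example and not part of the original thread. It assumes a current Windows system with PowerShell 5.1 or later; the HKCU Run key and the ZoneMap registry paths are assumptions not named in the post, and the watch list holds only the two domains the post names.

```powershell
# Added example (read-only): nothing is modified or deleted.
# 1) Autostart entries under the Run keys, with the signature status of the launched file.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # HKCU: assumption, not in the post

$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        # Take the quoted path if present, otherwise the first whitespace-delimited token.
        $exe = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
               else { ($command.Trim() -split '\s+')[0] }
        $sig = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else { 'FileNotFound' }
        # The full command is kept: a DLL is loaded through a host executable,
        # so the signature column alone can describe the host, not the DLL.
        [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Signature = $sig }
    }
}
$autostarts | Format-Table -AutoSize -Wrap

# 2) Sites mapped to the Trusted zone (zone value 2) in the IE zone map.
$zoneRoots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$watch = 'neededware.com', 'ncontextmedia.com'   # domains named in the post

$trusted = foreach ($root in $zoneRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($k in Get-ChildItem -Path $root -Recurse) {
        foreach ($proto in $k.GetValueNames()) {
            if ($k.GetValue($proto) -eq 2) {
                [pscustomobject]@{
                    ZoneKey  = $k.Name          # full registry path of the site entry
                    Protocol = $proto
                    InPost   = [bool]($watch | Where-Object { $k.Name -like "*$_*" })
                }
            }
        }
    }
}
$trusted | Format-Table -AutoSize -Wrap
```

Comparing the output of two runs, one before and one after the machine has sat idle, shows which entry is being rewritten.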



#2 jgweed


Posted 21 May 2005 - 12:27 AM

I would submit a HijackThis! log for our volunteer team of experts to review.
Instructions are here:

http://www.bleepingcomputer.com/forums/How...s_Log-t956.html

Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 Zamah


Posted 21 May 2005 - 01:24 AM

I did as you suggested. Thank you :thumbsup:


P.S. I have another question if someone would be so kind to indulge me. I know where I'm picking this stuff up from, it's a website I frequent daily. They have banner ads, and every now and then one has a nasty. I saw on this site's forum a post where someone showed a way to not display the banner ads. Here's their idea:

"Open Notepad and paste the following in there:

div.ban,div#ban {
display: none !important;
}

Save the file as neopetsadblock.css or something like that. Remember where you put the file.

Open IE, go to Tools> Internet Options> Accessibility under the General tab. Check the "format documents using style sheet" box and browse for the file you saved as css. Press okay, and restart IE. Just do that and you're done. :flowers:"


I'm wondering if this is correct and works, and safe, how it will affect IE and what I see, and most importantly, will it help prevent new spyware/adware?

Thanks for your input :trumpet:

Edited by Zamah, 21 May 2005 - 01:41 AM.




