Strange system service names YQDASL and BOPRVULM?

I am having some blue-screen trouble after starting a HW update from Windows Update for my Soudblaster Audigy. In researching how to get back to square one with that, I noticed two very strange "services: in MSCONFIG Services tab. The names are just YQDASL and BOPRVULM.

Does anyone have any idea what these are? Google doesn't and searhing these forums hasn't turned up anything either. Are these malware items?

Any info appreciated.

dinogeek

 

OK, I've just done that whole process last week so I am familiar with it. I will do it again but it will be quite a while until it's done. This machine has a boatload of software loaded so the scans take a long time.

I'll be back when it's done. Thanks for the advice.

dinogeek

 

At the time I did not have a problem anymore. The virus or trojan or whatever it was no longer had my machine by the throat. It started again this morning after an MS update from Win Update pages for a sound driver (SB Audigy).

Now I have a worse problem. After running CCLeaner on primary userid and one of three secondary userid's, I now get a bluescreen STOP X'0000007E' on any regular boot. I can boot to safe mode or safe mode with networking, but not any regular boot. No driver is mentioned as the source of the X'7E' stop problem.

Where do I go from here? Spyware scans in safe mode?

Any advice greatly appreciated.

dinogeek

 

OK, I'm up to some research and RTFM, but please tell me where to start.

dinogeek

 

I ran CCLeaner in my primary userid exactly as specified in the instructions, windows tab only, no changes to the options. Then I logged off and ran it in the second userid, then I logged off and got a bluescreen before I could login to the third userid. I rebooted and got the STOP X'7E' bluescreen every time since them on a regular boot.

I booted into safe mode and ran CCLeaner in the Administrator userid and then in the third regular userid (also in safe mode).

I can boot into safe mode or safe mode with networking. I am currently running Superantispyware on my primary userid in safe mode with networking, with the network connection unplugged.

dinogeek

 

I am going to let the Superantispyare run overnight, I am falling asleep and need to get to work in the morning. I will post again in about 18-20 hours with an update when I get home from work.

Thanks for your prompt responses. Talk to you again soon.

Peter

 

Yes. It turns out the bluescreens were caused by a bad re-install of the sound drivers for my SB Audigy2 LZ sound card. I have uninstalled them again and now I can do a normal boot. No sound, but I can boot.

It's not a coincidence that this whole mess started with an MS Update change to a "sound driver" (kb/920872) that I blindly allowed to be applied.

While in Safe mode w/networking last night I did run Superantispyware (unplugged from the network, as instructed, but it found nothing) and Spybot S&D this morning before work (found only old RegClean logs and Windows Security turned off by Norton 2008).

Now that I have a regular boot back I'm going back to step one and will run SAS again in normal mode overnight. I'll report back after I finish the rest of the read-me steps.

The reason I think I still have a malware problem is that before the bluescreens started, when I logged into the second userid on this system to run CCLeaner, I could not run Win Task manager. I got the same message that I got a few weeks ago when I was first infected: "Task Manager has been disabled by your administrator". I certainly didn't do that, so I'm thinking it's more malware.

I'll post my logs if I can't find and fix whatever this is.

Thanks again for the help and advice, and for the well-written instructions.

Bye for now.

dinogeek

 

Attaching first three log files, fourth to follow.

dinogeek

 

Fourth log file.

Will reboot and check secondary userid's while you look at these logs.

Again, many thanks for your patience and help.

dinogeek

 

Both secondary userid's on this machine have the "Task manager disabled by your administrator" problem. They also take an extraordinarily long time to get the internet connection activated. Taskbar has a solid hourglass and cannot be accessed until the connection is activated.

Internet connection is wired ethernet to router to cable modem.

Primary userid does not seem to have these problems.

Minor problem: The AM/PM time format was not restored after Combofix, I have to go to regional settings to restore it.

I will await your reply and will not try to restore the sound drivers (which caused those bluesceeen problems earlier) until I have heard back from you.

Thanks for your help.

Peter

 

I found some registry entries with the names mentioned in the title of this post (though I mis-spelled one, it is really YPQDASL not YQDASL).

Text file of registry entries attached for your review. It looks like at least YPQDASL was at one time an executable in my LocalSettings/temp directory, if that means anything. It is no longer there.

dinogeek

 

Sorry about missing the Viewpoint uninstall, I guess my eyes just glazed over it.

I can and will uninstall the J2SE Runtime Environment 5.0 Update 4 (I should have installed 6.0 already anyway), but I can't uninstall the Java 2 Runtime Environment, SE v1.4.2_06 because I also use this machine for my employer's work, and they have said in the past that software I must use for work that they supply won't work with any more recent version. I haven't checked with the company PC support folk recently though, so I'll check with them tomorrow if I can uninstall it. Unlike you and I, they don't work nights...

I'll get to the rest of your steps this evening and post the logs later.

Thanks for all your help.

dinogeek

 

That's a *great* argument for me to make when I speak to them, so thanks for that.

I didn't get to the other steps you gave me yet because I had a nasty BSOD to get around first. It turned out to be a failed sound card. When I pulled that card I could boot to normal mode again. It's now late night again and I have to go to work in the morning, so I will run through your instructions tomorrow evening and send back the logs.

Thanks once again for your patient and generous help.

Bye for now.

dinogeek

 

New logs attached. The registry update was successful, but I haven't tried the secondary userid's yet.

Last remaining problem is that the wired internet connection takes an *extraordinarily* lo-o-o-ong time to come up. Like 10-15 minutes or more. I have to walk away from the machine and come back later, so I don't have exact timings, but it's a *long* time. All the other taskbar tasks come up reasonably quickly (under 3 minutes).

I'll report back again after I check out the secondary userid's.

dinogeek

[Edit] The secondary userid's still cannot run Task Manager, only the primary userid. It takes about 5 minutes (it really did seem longer than 5 mins on the primary userid, I'll re-verify that in a minute) for the wired internet connection to come up on the *first* user to login after power-up, but for subsequent logoff/logins to any other userid the connection comes up quickly (under 2 mins).

 

Sorry for the double post, but the site wouldn't let me edit the prior message again.

Primary userid only takes 5 minutes to bring up the wired internet, consistent with the other userid's. I guess time is relative when you're staring at a screen waiting for something to happen.

So the last remaining problem seems to be the inability to run task manager on the secondary userid's. This worries me. Should I be worried or not?

dinogeek

P.S. -- I'm about ready to uninstall that old Java release regardless of my employer's needs and deal with the consequences later. If that's your advice, I will do it.

 

Another problem seems to have cropped up. I cannot plug in a USB-key drive and have it recognized, and the system doesn't recognize any of the partitions on the external USB drive that I use to boot (the boot is a Linux grub boot, defaulting to WinXP for the prmary OS on the internal SATA drive). Since I can boot, I know the hardware is working. There are several FAT and FAT32 partitions on that external drive.

The HW device USB Mass Storage is also not working in the Hardware Manager, device driver USBSTOR.SYS.

Ths only USB-connected "drive" that is seen is the media-card reader integrated into my printer (HP Photosmart 1218).

Did any of these procedures modify or delete a file or service that would disable regognition of USB drives? I'm especially curious about the "svchost" that was deleted, was that relevant to this USB problem?

dinogeek

 

You're right, I should have read that first. I was just trying to provide information, not bump. I'll wait for a response in the future.

OK, it's good to know the first account is clean, but do I understand you correctly -- I need to run the whole READ ME process again on both of the secondary userid's on this machine?

I will give that a try after the cleanup of the other accounts. Please let me know soonest if I understand you correctly about the cleanup process.

dinogeek

[Edit] Thanks also for the answers to my other questions. I won't reply separately to that one so that I don't bump myself. [/Edit]

 

Logs for second user of three attached.

Things not right with the second user:

1) It took literally 30 minutes to activate the wired internet connection tonight. I *think* this is mainly due to many non-working parts of the sound system (lots of yellow triangles in the Hardware Manager). I suspect but can't yet prove that the system's trying and retrying those drivers delays the wired internet connection extensively.

2) Obviously, no sound available (primary user doesn't have any either).

3) Cannot run Task Manager ("... disabled by your administrator").

4) Internet Explorer screen scrolling is quite "jerky", not smooth like it was before the malware infection and cleanup (same problem with primary user as well).

5) When turning off the system, "Stand By" is greyed out and cannot be selected. Only "Turn Off" and "Restart" can be selected (primary user also has this problem).

One other item I forgot to mention yesterday is that after the last cleaning of the primary user, now Windows Explorer comes up every time the primary user logs on, displaying the C:\Windows\system32 directory. I can just close it without any further problems, but it's really quite annoying, and just a little worrisome. Is something evil trying to start itself, or perform some other bad thing?

Thanks again for all of your help.

dinogeek

 

Thank you, it is good to know that it isn't more malware. I will address the driver issues separately.

No, I got this result when I ran it:

'\cscript.exe' is not recognized as an internal or external command,
operable program or batch file.

Please reboot your machine

Press any key to exit

Thanks again for your advice on all three of those issues and for your help with this infection. I will indeed address the driver issues and proceed from there.

dinogeek

 

Followup about SeDebug-Restore.exe -- the messages seemed to indicate it did not work, but in fact I *can* now bring up Task Manager on the secondary userid, so whatever it did actually worked.

Thanks again for your help

dinogeek