DrummerBoy is a UPX-compressed executable of unknown purpose.
DrummerBoy is also known as Downloader-EV and Mendware. It tries to hide from the user inside %AppData% using random filenames and registry keys, making it look much like the Peper trojan. DrummerBoy is extremely hard to detect; Bazooka will try, but will most likely fail.
Note: %AppData% is a variable. By default, this is 'C:\WINDOWS\Profiles\%UserName%\Application Data\' or 'C:\WINDOWS\Application Data\' (Windows 95/98/Me) or 'C:\Documents and Settings\%UserName%\Application Data\' (Windows NT/2000/XP).
Note: %UserName% is a variable. This is set to your username.
A sign of DrummerBoy running on your system is a four-character-long executable trying to connect to 22.214.171.124, owned by Clickspring, LLC, a well known ad serving company.
DrummerBoy seems to report back to its controlling servers when it is installed on the user's system and when DrummerBoy crashes. The following URL was found in DrummerBoy's code:
It is unknown how DrummerBoy reaches the end user's systems.
ttuh.exe, dpep.exe, BNSH.EXE, iebs.exe, ssuu.exe, ESCN.EXE, iroo.exe, rlnr.exe,
tpoa.exe, iuea.exe, urod.exe, asri.exe, wtr.exe, brmn.exe, ewra.exe, uppe.exe, rcea.exe, ctsc.exe, demu.exe, ttwc.exe,
ohco.exe, aods.exe, SNOA.EXE, aean.exe, aatu.exe, dwtn.exe, rew.exe, oahs.exe, esma.exe, rtrr.exe, aort.exe
If you have any of the files related to DrummerBoy on your system,
please send them
for additional analysis. Generally, I have only analysed a
few versions for each software component listed at this web site. With your help I
will be able to look at both old and more recent versions of the DrummerBoy software.
Thank you very much for your time!
Bazooka Adware and Spyware Scanner detects DrummerBoy.
Bazooka is freeware and detects spyware, adware, foistware, trojan horses, viruses, worms and
other potentially unwanted applications.
Uninstall DrummerBoy with FreeFixer
I'm working on a general-purpose tool for removing unwanted software. The tool is called FreeFixer and can help you remove unwanted Browser Helper Objects, Internet Explorer toolbars and software that starts automatically when you reboot your computer, so it can offer some assistance while uninstalling DrummerBoy. The manual removal instructions listed below will help you to identify what to delete with
Read more about FreeFixer.
Please follow the instructions below if you would like to remove DrummerBoy manually. Please note that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if a single item is not deleted. If DrummerBoy remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start your computer in safe mode.
Start the registry editor. This is done by clicking Start, then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
- Browse to the key:
'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- In the right pane, look for a value with four characters, beginning with an upper-case letter followed by three lower-case letters. Remember the file (*) it is pointing to. Delete the value.
- Exit the registry editor.
Start Windows Explorer and delete:
- the file (*) mentioned above
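The indicators above (a Run value named with one upper-case and three lower-case letters, a short .exe under %AppData%, and a connection to the address quoted earlier) can be checked before anything is deleted. This is an added example, not code from this write-up, from Bazooka or from FreeFixer; it assumes a current Windows with PowerShell and the Get-NetTCPConnection cmdlet, and it only reports, never removes.

```powershell
# Added example, not from the Kephyr write-up: check the DrummerBoy indicators
# described above, read-only. Nothing is deleted; review the output by hand.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')
$knownIp = '22.214.171.124'   # address quoted in the write-up

function Get-ExePathFromCommand([string]$command) {
    # Run values may be quoted and may carry arguments; keep only the executable.
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command.Trim() -split '\s+')[0]
}

$findings = @()

# 1. Autostart value named Xxxx (one upper-case, three lower-case letters), or any
#    value whose target is a three- or four-letter .exe under %AppData%.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.Property) {
        $exePath = Get-ExePathFromCommand ([string]$key.GetValue($name))
        $exeName = [System.IO.Path]::GetFileName($exePath)
        $nameHit = $name -cmatch '^[A-Z][a-z]{3}$'
        $fileHit = ($exeName -match '^[A-Za-z]{3,4}\.exe$') -and
                   $exePath.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
        if ($nameHit -or $fileHit) {
            $findings += [pscustomobject]@{
                Indicator = 'Run value'; Name = $name; Target = $exePath
                Exists    = ($exePath -ne '') -and (Test-Path -LiteralPath $exePath)
            }
        }
    }
}

# 2. Network: a process with a short image name connected to the known address.
$conns = Get-NetTCPConnection -RemoteAddress $knownIp -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -match '^[A-Za-z]{3,4}$') {
        $findings += [pscustomobject]@{
            Indicator = 'Connection'; Name = $proc.ProcessName
            Target    = "$($c.RemoteAddress):$($c.RemotePort)"; Exists = $true
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else           { 'No DrummerBoy indicators found.' }
```

A legitimate program can also use a short name, so treat a hit as something to verify against the file list above rather than as proof of infection.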
Contact information for DrummerBoy's vendor
In order to provide correct, accurate and updated information about DrummerBoy
I encourage the vendor to contact me if any part of this write-up
needs a revision.