Unidentified file: rwywubay.dat

Larry Kahm

Customer complained of a problem - couldn't connect to the internet, desktop
didn't display, no response.

I'm running a SysClean scan and there is one file, rwywubay.dat, that
couldn't be deleted from the C:\Documents and Settings\UserName\Local
Settings\Temp folder. The file was currently in use, despite being logged
on in Safe Mode as Administrator.

I can't find any reference to this file anywhere.

Has anyone ever heard of this?

Thanks!

Larry

philo

Larry Kahm said:
Customer complained of a problem - couldn't connect to the internet, desktop
didn't display, no response.

I'm running a SysClean scan and there is one file, rwywubay.dat, that
couldn't be deleted from the C:\Documents and Settings\UserName\Local
Settings\Temp folder. The file was currently in use, despite being logged
on in Safe Mode as Administrator.

I can't find any reference to this file anywhere.

Has anyone ever heard of this?

Thanks!

Larry


It looks like malware to me.

I'd probably slave the drive to a Linux machine
and delete the file from there...
or maybe use a Knoppix cd

PA Bear [MS MVP]

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

Jim

Larry Kahm said:
Customer complained of a problem - couldn't connect to the internet,
desktop didn't display, no response.

I'm running a SysClean scan and there is one file, rwywubay.dat, that
couldn't be deleted from the C:\Documents and Settings\UserName\Local
Settings\Temp folder. The file was currently in use, despite being logged
on in Safe Mode as Administrator.

I can't find any reference to this file anywhere.

Has anyone ever heard of this?

Thanks!

Larry

Process Explorer can tell you which application has a handle to the file.

Jim

Larry Kahm

Discovered that there is a registry key,
HKLM\System\ControlSet\Services\tratuvgp, that includes this file along with
a pointer to system32\drivers\vusiugyh.dat - which is listed as "Boot Bus
Extender".

Avast identified a trojan in the rwywubay.dat file, but hasn't gotten to the
other one yet.

Getting rid of this is going to be a pita!

Thanks!

Larry

MowGreen [MVP]

http://www.microsoft.com/protect/support/default.mspx
No charge support
• Call 1-866-PCSafety or 1-866-727-2338

This phone number is for virus and other security-related support. It is available 24 hours a day
for the U.S. and Canada. For phone numbers outside of the U.S. and Canada, select your region.
http://support.microsoft.com/common/international.aspx?rdpath=4

The malware appears to be either rootkit-like or an actual RK.
Suggest contacting MS for *no-charge* assistance in determining what the
malware is and removing it. MS is *good* at removing RKs.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============

Larry Kahm

Thanks, this is terrific information that I did not know - it is being filed
for future reference.

For those who are interested, I was able to resolve the problem in about two
hours; here's how:

1. Booted into Safe Mode and turned off System Restore.
2. Deleted all of the users' Temporary Internet files and as many Temp files
as possible.
3. Rebooted into Safe Mode with Command prompt and was able to delete
rwywubay.dat from the user's temp folder. I was also able to delete
c:\windows\system32\drivers\vusiugyh.dat.
4. Launched Task Manager, clicked File, New Task (run) and opened Regedit.
I deleted the "bad" key in the controlset for services that was involved
with this garbage.
5. Deleted all of the .pf files in the c:\windows\Prefetch folder (there
were dozens of YUR*.EXE files).
6. Deleted the folders for MicroAv and MS Antivirus.
7. Rebooted into Safe Mode and invoked Avast to scan in boot mode - this
found several more trojans that were deleted.
8. Finally rebooted into Windows and, after a couple of anxious minutes, was
able to move around the desktop.
9. Installed and ran Spybot Search and Destroy, which eliminated still more
garbage from the system.
10. Turned System Restore back on.

Told the very relieved customer that the already downloaded and patiently
waiting Win XP SP2 updates should be installed immediately.

Larry

MowGreen said:
http://www.microsoft.com/protect/support/default.mspx
No charge support
• Call 1-866-PCSafety or 1-866-727-2338

This phone number is for virus and other security-related support. It is
available 24 hours a day for the U.S. and Canada. For phone numbers
outside of the U.S. and Canada, select your region.
http://support.microsoft.com/common/international.aspx?rdpath=4

The malware appears to be either rootkit-like or an actual RK.
Suggest contacting MS for *no-charge* assistance in determining what the
malware is and removing it. MS is *good* at removing RKs.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============



Larry said:
Discovered that there is a registry key,
HKLM\System\ControlSet\Services\tratuvgp, that includes this file along
with a pointer to system32\drivers\vusiugyh.dat - which is listed as
"Boot Bus Extender".

Avast identified a trojan in the rwywubay.dat file, but hasn't gotten to
the other one yet.

Getting rid of this is going to be a pita!

Thanks!

Larry
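A read-only triage check for the pattern Larry found (a Services key whose image is a .dat under drivers or Temp, loading in the "Boot Bus Extender" group) and for the Prefetch and Temp artifacts his removal steps touch, added here as an example that is not code from the thread. It assumes an elevated PowerShell session on the affected machine; the registry values it reads (ImagePath, Group, Start) are the standard ones, and the function names are my own.

```powershell
# Added example, not from the thread. Read-only triage: it reports, never deletes.
# Looks for Services entries whose ImagePath is a .dat file or lives in a Temp
# folder, flags boot-start / "Boot Bus Extender" ones, then lists related files.
# Assumes an elevated PowerShell session on the affected Windows machine.
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$raw) {
    # Normalise the forms ImagePath takes for drivers: \??\C:\..., \SystemRoot\...,
    # system32\drivers\x.sys (relative), and %SystemRoot%-style variables.
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SuspiciousServiceEntries {
    Get-ChildItem $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $v.ImagePath) { return }   # keys without a binary (parameter-only keys)
        $path = Resolve-ImagePath $v.ImagePath
        $datBinary = $path -match '\.dat$'
        $inTemp    = $path -match '\\Temp\\'
        $bootStart = ($v.Group -eq 'Boot Bus Extender') -or ($v.Start -eq 0)
        # A driver whose image is a .dat, or any service run from Temp, matches
        # what the thread found (tratuvgp -> system32\drivers\vusiugyh.dat).
        if ($datBinary -or $inTemp) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                ImagePath = $path
                Group     = $v.Group
                Start     = $v.Start
                BootStart = $bootStart
                OnDisk    = Test-Path -LiteralPath $path
            }
        }
    }
}

# Related artifacts the thread mentions: Prefetch traces and .dat files in the XP
# per-user Temp folders. Listing only; removal is a separate, deliberate step.
function Get-RelatedArtifacts {
    Get-ChildItem "$env:SystemRoot\Prefetch" -Filter 'YUR*.pf' -ErrorAction SilentlyContinue
    Get-ChildItem 'C:\Documents and Settings\*\Local Settings\Temp' -Filter '*.dat' `
        -ErrorAction SilentlyContinue
}

Get-SuspiciousServiceEntries | Format-Table -AutoSize
Get-RelatedArtifacts | Select-Object FullName, Length, LastWriteTime
```

A hit with OnDisk false but BootStart true is still worth attention: the key survives even if the file was already removed, and a boot-start entry pointing at a missing image can leave the machine unbootable until the key is cleaned up.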