Thanks, this is terrific information that I did not know - it is being filed
for future reference.
For those who are interested, I was able to resolve the problem in about two
hours; here's how:
1. Booted into Safe Mode and turned off System Restore.
2. Deleted all of the users' Temporary Internet files and as many Temp files
as possible.
3. Rebooted into Safe Mode with Command prompt and was able to delete
rwywubay.dat from the user's temp folder. I was also able to delete
c:\windows\system32\drivers\vusiugyh.dat.
4. Launched Task Manager, clicked File, New Task (run) and opened Regedit.
I deleted the "bad" key in the controlset for services that was involved
with this garbage.
5. Deleted all of the .pf files in the c:\windows\Prefetch folder (there
were dozens of YUR*.EXE files).
6. Deleted the folders for MicroAv and MS Antivirus.
7. Rebooted into Safe Mode and invoked Avast to scan in boot mode - this
found several more trojans that were deleted.
8. Finally rebooted into Windows and, after a couple of anxious minutes, was
able to move around the desktop.
9. Installed and ran Spybot Search and Destroy, which eliminated still more
garbage from the system.
10. Turned System Restore back on.
Told the very relieved customer that already downloaded and patiently
waiting Win XP SP2 updates should be installed immediately.
Larry
MowGreen said:
http://www.microsoft.com/protect/support/default.mspx
No charge support
• Call 1-866-PCSafety or 1-866-727-2338
This phone number is for virus and other security-related support. It is
available 24 hours a day for the U.S. and Canada. For phone numbers
outside of the U.S. and Canada, select your region.
http://support.microsoft.com/common/international.aspx?rdpath=4
The malware appears to be either rootkit-like or an actual RK.
Suggest contacting MS for *no-charge* assistance in determining what the
malware is and removing it. MS is *good* at removing RKs.
MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============
Larry said:
Discovered that there is a registry key,
HKLM\System\ControlSet\Services\tratuvgp, that includes this file along
with a pointer to system32\drivers\vusiugyh.dat - which is listed as
"Boot Bus Extender".
Avast identified a trojan in the rwywubay.dat file, but hasn't gotten to
the other one yet.
Getting rid of this is going to be a pita!
Thanks!
Larry