Unidentified file: rwywubay.dat


Guest Larry Kahm
Posted

Customer complained of a problem - couldn't connect to the internet, desktop didn't display, no response.

I'm running a SysClean scan and there is one file, rwywubay.dat, that couldn't be deleted from the C:\Documents and Settings\UserName\Local Settings\Temp folder. The file was currently in use, despite being logged on in Safe Mode as Administrator.

I can't find any reference to this file anywhere.

Has anyone ever heard of this?

Thanks!

Larry

Posted

Re: Unidentified file: rwywubay.dat

 

 

It looks like malware to me.

I'd probably slave the drive to a Linux machine and delete the file from there... or maybe use a Knoppix cd

Guest PA Bear [MS MVP]
Posted

Re: Unidentified file: rwywubay.dat

 

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2 (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in conjunction with some other utilities). HijackThis will NOT fix anything on its own, but it will help you to both identify and remove any hijackware/spyware with assistance from an expert. **Post your log to http://spywarehammer.com/simplemachinesforum/index.php?board=10.0, http://forums.spybot.info/forumdisplay.php?f=22, http://aumha.net/viewforum.php?f=30, or another appropriate forum for review by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

 


Posted

Re: Unidentified file: rwywubay.dat

 

 


Process Explorer can tell you which application has a handle to the file.

Jim

Guest Larry Kahm
Posted

Re: Unidentified file: rwywubay.dat

 

Discovered that there is a registry key, HKLM\System\ControlSet\Services\tratuvgp, that includes this file along with a pointer to system32\drivers\vusiugyh.dat - which is listed as "Boot Bus Extender".

Avast identified a trojan in the rwywubay.dat file, but hasn't gotten to the other one yet.

Getting rid of this is going to be a pita!

Thanks!

Larry

 

 


Guest MowGreen [MVP]
Posted

Re: Unidentified file: rwywubay.dat

 

http://www.microsoft.com/protect/support/default.mspx
> No charge support
> • Call 1-866-PCSafety or 1-866-727-2338
>
> This phone number is for virus and other security-related support. It is available 24 hours a day for the U.S. and Canada. For phone numbers outside of the U.S. and Canada, select your region.
> http://support.microsoft.com/common/international.aspx?rdpath=4

The malware appears to be either rootkit-like or an actual RK. Suggest contacting MS for *no-charge* assistance in determining what the malware is and removing it. MS is *good* at removing RKs.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============

 

 

 


Guest Larry Kahm
Posted

Re: Unidentified file: rwywubay.dat - resolved

 

 

Thanks, this is terrific information that I did not know - it is being filed for future reference.

For those who are interested, I was able to resolve the problem in about two hours; here's how:

1. Booted into Safe Mode and turned off System Restore.
2. Deleted all of the users' Temporary Internet files and as many Temp files as possible.
3. Rebooted into Safe Mode with Command prompt and was able to delete rwywubay.dat from the user's temp folder. I was also able to delete c:\windows\system32\drivers\vusiugyh.dat.
4. Launched Task Manager, clicked File, New Task (run) and opened Regedit. I deleted the "bad" key in the controlset for services that was involved with this garbage.
5. Deleted all of the .pf files in the c:\windows\Prefetch folder (there were dozens of YUR*.EXE files).
6. Deleted the folders for MicroAv and MS Antivirus.
7. Rebooted into Safe Mode and invoked Avast to scan in boot mode - this found several more trojans that were deleted.
8. Finally rebooted into Windows and, after a couple of anxious minutes, was able to move around the desktop.
9. Installed and ran Spybot Search and Destroy, which eliminated still more garbage from the system.
10. Turned System Restore back on.

Told the very relieved customer that already downloaded and patiently waiting Win XP SP2 updates should be installed immediately.

Larry

 


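The persistence clue in this thread is the service key Larry found under HKLM\System\...\Services (a "Boot Bus Extender" entry whose driver image is a .dat file), which is also the key he deletes in step 4 of his cleanup. As an added example that is not code from the thread, the Python below parses a constructed excerpt in the text format written by `reg export` of the Services key and flags services whose image path is not a normal driver or service binary; the Beep control entry and the Start/Group values are assumptions, while the tratuvgp name and the vusiugyh.dat path are what Larry reported.

```python
import re

# Constructed "reg export" excerpt, not from the thread: the tratuvgp name, "Boot Bus
# Extender" group and vusiugyh.dat path are what Larry reports; the rest is assumed.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Start"=dword:00000001
"ImagePath"="system32\\drivers\\beep.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tratuvgp]
"Start"=dword:00000000
"Group"="Boot Bus Extender"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,76,00,75,00,73,00,69,00,75,00,67,00,\
  79,00,68,00,2e,00,64,00,61,00,74,00,00,00
'''

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, dword:, or hex(2): (REG_EXPAND_SZ as UTF-16LE)."""
    if raw.startswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00") if raw.startswith("hex(2)") else data

def parse_services(reg_text):
    """Return {service_name: {value_name: value}}; joins backslash-continued hex lines."""
    services, current = {}, None
    for line in re.sub(r",\\\r?\n\s*", ",", reg_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rsplit("\\", 1)[-1]  # last path component = service name
        elif current and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            services.setdefault(current, {})[name.strip('"')] = decode_value(raw)
    return services

def suspicious_services(services):
    """Flag services whose ImagePath is not where a legitimate driver or service lives."""
    findings = {}
    for name, vals in services.items():
        image, reasons = str(vals.get("ImagePath", "")).lower(), []
        if image and not image.endswith((".sys", ".exe")):
            reasons.append("ImagePath is not a .sys/.exe: " + image)
        if "\\temp\\" in image or "local settings" in image:
            reasons.append("ImagePath lies under a Temp directory")
        if reasons and vals.get("Start") == 0:  # Start=0: loaded by the boot loader
            reasons.append("boot-start driver in group %r" % vals.get("Group"))
        if reasons:
            findings[name] = reasons
    return findings
```

Run against a real export, the same check lists every service whose binary is a renamed data file or lives in a user's Temp folder, which is the pattern Larry had to find by hand in regedit.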
