#16 RKinner (Malware Expert | Expert | MVP | 19,797 posts)
The task with the funny name is a hidden system file so you need to have Windows let you see them. I've never worked on a 2003 but assume it is like XP:


Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.


If it's like Vista/Win 7:
Close all programs so that you are at your desktop.
Open the Control Panel menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.

I'm pretty sure the file is there. You can always look via a command prompt:

cd  \windows\tasks

attrib  -r  -h  -s  *.job

dir  /a


In XP you can also see Hidden tasks:

Click Start, click Run, type control schedtasks in the Open box, and then click OK.
On the Advanced menu, click View Hidden Tasks.


I don't know where 05194209.sys is hiding. OTL doesn't say but the default location is C:\windows\system32\drivers\. The other file should be C:\WINDOWS\TEMP\190.tmp

Any time you can't find a file, one way to make sure it is not hiding is to try to create a directory in the same location with the same name.

cd  \windows\tasks

mkdir  Vutpeoho.job

If that works then the file is really not there. You can remove the directory:
rmdir  Vutpeoho.job

#17 Troy (Tech Staff | Topic Starter | Technician | 8,841 posts)
Sorry for the delay mate, hope your Easter break was good. Mine was great.

For the Vutpeoho.job file, it definitely is there. Following your instructions for the command prompt:
cd  \windows\tasks

attrib  -r  -h  -s  *.job

dir  /a
When I type the attrib line it gives me the error:

Access denied - C:\WINDOWS\Tasks\Vutpeoho.job

However it does not show up if I open an Explorer Window, even with all hidden and system files set to be shown... Extremely weird. So how would I go about removing this file?

Also I have applied your instructions to search for the other files but nothing is showing up at all for the 05194209.sys and 190.tmp files.

Cheers

#18 RKinner (Malware Expert | Expert | MVP | 19,797 posts)
Sent you OTL and CFScript scripts to try. One ought to work but either will need to reboot. The OTL script will also cleanup the searchscopes, some deadwood and what looks like malware.

I would normally use


:processes
killallprocesses


in the OTL and


Killall::

in the CFScript but with MalwareBytes running they won't work.

Send me an OTL, Quickscan when finished.

#19 Troy (Tech Staff | Topic Starter | Technician | 8,841 posts)
I have done the OTL script and emailed you the log again.

Kind regards,

Troy

#20 RKinner (Malware Expert | Expert | MVP | 19,797 posts)
How is it running after the OTL fix?

Any problems? Firefox looks a bit different this time. Not sure why.

This ugly entry is still there:

DRV - File not found [Kernel | Unavailable | Unknown] -- C:\WINDOWS\TEMP\190.tmp -- (wqvtpuxyitqfuyc)

The Combofix script should take it out but you might be able to use sc to delete it:

From a command prompt type:

sc  delete  wqvtpuxyitqfuyccan

You can also edit the registry to remove it.

It will usually be at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wqvtpuxyitqfuyc

or if you don't want to edit the registry directly you can use regseeker:

http://www.hoverdesk.net/freeware.htm
The download is where it says:
DOWNLOAD RegSeeker 1.55 (>20 languages included !)
It's a zip file so you have to save it then right click on it and Extract All then run regseeker.exe.

Select Find in Registry then have it look for wqvtpuxyitqfuyc. You can then select all and then right click and delete selected. It puts a copy of the stuff it removes in the backups folder which it creates below the folder it is in so if it doesn't work you can go back and replace it.

RegSeeker also has a registry cleaner but I don't really trust registry cleaners so I'd rather you didn't use it.
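An added triage helper, not from the thread and not part of OTL, that parses DRV lines of the shape quoted above, flags drivers whose image is missing or lives under TEMP, and derives the exact service name for sc delete and the matching services registry key (the name must match the log exactly, otherwise sc reports that the service does not exist). The second sample log line is constructed.

```python
import re

# Registry key quoted in the thread for service entries; the service name is appended.
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services"

# Shape of the OTL DRV line quoted in the thread: DRV - <status> [<type> | <start> | <state>] -- <image path> -- (<service>)
DRV_RE = re.compile(
    r"^DRV\s+-\s+(?P<status>.+?)\s+\[(?P<flags>[^\]]*)\]\s+--\s+"
    r"(?P<path>.+?)\s+--\s+\((?P<service>[^)]+)\)\s*$"
)

def parse_drv_line(line):
    """Return the fields of one DRV line, or None if the line is not a DRV entry."""
    m = DRV_RE.match(line.strip())
    if not m:
        return None
    return {"status": m.group("status"),
            "flags": [f.strip() for f in m.group("flags").split("|")],
            "path": m.group("path"),
            "service": m.group("service")}  # exact name used by sc and the registry

def reasons_to_flag(entry):
    """Heuristics matching the thread: image missing on disk, or image under TEMP."""
    reasons = []
    if entry["status"].lower() == "file not found":
        reasons.append("driver image missing on disk")
    low = entry["path"].lower()
    if "\\temp\\" in low or low.endswith(".tmp"):
        reasons.append("driver image in a temp location")
    return reasons

def triage(log_text):
    """Flag suspicious DRV entries and derive the exact removal targets for each."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_drv_line(line)
        if entry is None:
            continue
        reasons = reasons_to_flag(entry)
        if reasons:
            name = entry["service"]
            hits.append({"service": name, "path": entry["path"], "reasons": reasons,
                         "sc_command": f"sc delete {name}",
                         "registry_key": f"{SERVICES_KEY}\\{name}"})
    return hits

# Constructed sample: line 1 is the entry quoted in the thread, line 2 a made-up healthy driver.
SAMPLE_LOG = """\
DRV - File not found [Kernel | Unavailable | Unknown] -- C:\\WINDOWS\\TEMP\\190.tmp -- (wqvtpuxyitqfuyc)
DRV - (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\\WINDOWS\\system32\\drivers\\example.sys -- (Example)
"""
```

Run triage(SAMPLE_LOG) to get the flagged entries; only the TEMP\190.tmp driver is reported, with the exact sc command and registry key to check.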

#21 Troy (Tech Staff | Topic Starter | Technician | 8,841 posts)
Yes all of the users are reporting that it runs fine. This after I enabled everyone's desktops again from within the registry. They haven't noticed any difference between before and after... Other than once I took the bulk of it out and they could use the desktop again.

The command prompt sc to remove the service failed "Does not exist" but I removed it from the registry successfully (manually). It had a subkey relating to the 190.tmp file within it, I deleted the whole lot.

Users haven't reported any issues with Firefox. I could uninstall and reinstall if need be but if they aren't complaining and you can't see any traces of malware then I'll leave it.

So everything's looking good? You want another log to finalise anything?

Cheers

#22 RKinner (Malware Expert | Expert | MVP | 19,797 posts)
No I think we are good to go. Cleanup time:

We need to clean up System Restore.

Copy the following:

:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron

#23 Troy (Tech Staff | Topic Starter | Technician | 8,841 posts)
System restore isn't enabled on this server and I didn't use Combofix, only OTL. I will remove the directory I created for these tools.

Thanks very much Ron, I appreciate it.

Troy