What's this file??

barrowhill

Running Lenovo/IBM Thinkpad Z60t with XP Pro installed.......

Can anyone tell me what the file...........vtclrg41.tmp........is or belongs
to ??? malware or not ???

It resides in c:\windows\temp folder and cannot be deleted. I've used
various recommended utilities but it always comes back.
 
You can use a SysInternals application, Filemon, to determine what
process on the system is using/accessing the temporary file. You'll
need to let the app run for a while (1-2 minutes) and then scroll
through the history log looking for your .tmp workspace file. Lots of
applications make use of temporary or workspace files and each
setup has various ones depending on what applications are installed
on the computer.

As to whether the temp file is part of a Malware infection, I'd use an
online scan of a different vendor from your permanent security app
as a redundancy check:

FileMon found here:
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

Eset Online Scan:
http://www.eset.com/onlinescan/
Ewido Online Scan:
http://www.ewido.net/en/onlinescan/
 
Thanks for feedback.......

I've run Panda On-line Active Scan and nothing found. Run adware/malware
scanners and ditto. I'm suspecting something to do with Lenovo/IBM as this
file only appears on net search relating to Thinkpad.
 
Run FileMon. Filtered on C:\windows\temp and ran Ashampoo WinOptimizer 5 to
generate activity on the file. Sample result.....
..
..
6822 3:16:35 PM WO5.exe:5476 QUERY INFORMATION C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS Attributes: A
6823 3:16:35 PM WO5.exe:5476 OPEN C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS Options: Open Access: 00030080
6824 3:16:35 PM WO5.exe:5476 OPEN C:\WINDOWS\TEMP\ SUCCESS Options: Open Directory Access: 00100000
6825 3:16:35 PM WO5.exe:5476 QUERY INFORMATION C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS FileAttributeTagInformation
6826 3:16:35 PM WO5.exe:5476 DELETE C:\WINDOWS\TEMP\vtclrg41.tmp CANNOT DELETE
6827 3:16:35 PM WO5.exe:5476 CLOSE C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS
..
..
All it tells me is that it cannot delete the file.!?!
 
You need to check the "Process" column for any vtclrg41.tmp entries.
It's the process field that will identify what is accessing the file.
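The Process-column check suggested above, as an added example that is not part of the original thread: it parses Filemon rows in the layout shown in the sample and groups the events on one file by process and PID, listing any operation that did not return SUCCESS. The function names are hypothetical, and it assumes whitespace-separated columns and a path without spaces.

```python
import re
from collections import defaultdict

# The six records from the thread's sample, re-joined one record per line.
SAMPLE_LOG = r"""
6822 3:16:35 PM WO5.exe:5476 QUERY INFORMATION C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS Attributes: A
6823 3:16:35 PM WO5.exe:5476 OPEN C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS Options: Open Access: 00030080
6824 3:16:35 PM WO5.exe:5476 OPEN C:\WINDOWS\TEMP\ SUCCESS Options: Open Directory Access: 00100000
6825 3:16:35 PM WO5.exe:5476 QUERY INFORMATION C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS FileAttributeTagInformation
6826 3:16:35 PM WO5.exe:5476 DELETE C:\WINDOWS\TEMP\vtclrg41.tmp CANNOT DELETE
6827 3:16:35 PM WO5.exe:5476 CLOSE C:\WINDOWS\TEMP\vtclrg41.tmp SUCCESS
"""

# Columns: sequence, time, process:pid, request, path, result, other.
ROW = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>[A-Z][A-Z ]*?)\s+"
    r"(?P<path>[A-Za-z]:\\\S*)\s+"
    r"(?P<result>[A-Z]+\b(?: [A-Z]+\b)*)(?:\s+(?P<other>.*))?$"
)

def parse_filemon(text):
    """Return one dict per log row that matches the expected layout."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def accessors(rows, target):
    """Group events on `target` by (process, pid); Windows paths compare case-insensitively."""
    summary = defaultdict(lambda: {"ops": [], "failed": []})
    for r in rows:
        if r["path"].lower() != target.lower():
            continue
        entry = summary[(r["proc"], int(r["pid"]))]
        entry["ops"].append(r["op"])
        if r["result"] != "SUCCESS":
            entry["failed"].append((r["op"], r["result"]))
    return dict(summary)

if __name__ == "__main__":
    found = accessors(parse_filemon(SAMPLE_LOG), r"C:\WINDOWS\TEMP\vtclrg41.tmp")
    for (proc, pid), info in found.items():
        print(proc, pid, info["ops"], "failed:", info["failed"])
```

Filemon records file I/O that happens while it is capturing, so a process that opened the file earlier and is only holding the handle produces no rows; the handle search in Process Explorer described later in the thread covers that case.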
 
Checked file properties but says nothing other than where it is -
c:\windows\temp . Summary tab gives no info.

Uploaded file to both Jotti and VirusTotal and clean response from both.

Only conclusion I can come to is that the file is related to the IBM ThinkPad
or their ThinkAdvantage range. If it is, then putting the file into the
c:\windows\temp folder wasn't the best choice seeing as it appears undeletable.

If anyone knows what the file is/does I'd be interested in knowing.

Thanks for everyone's help
 
barrowhill said:
Checked file properties but says nothing other than where it is -
c:\windows\temp . Summary tab gives no info.

Uploaded file to both Jotti and VirusTotal and clean response from both.

Only conclusion I can come to is that the file is related to the IBM ThinkPad
or their ThinkAdvantage range. If it is, then putting the file into the
c:\windows\temp folder wasn't the best choice seeing as it appears undeletable.

If anyone knows what the file is/does I'd be interested in knowing.

Thanks for everyone's help

Have you tried Crap Cleaner? Get it at www.ccleaner.com Try the clean up
first and, if that doesn't work, use the Issues feature but only tick
the file in question if it appears. Leave anything else it finds unticked.

Alias
 
barrowhill said:
Running Lenovo/IBM Thinkpad Z60t with XP Pro installed.......

Can anyone tell me what the file...........vtclrg41.tmp........is or
belongs to ??? malware or not ???

It resides in c:\windows\temp folder and cannot be deleted. I've used
various recommended utilities but it always comes back.

Why not delete it in Safe Mode?
 
That was first option tried. The file won't delete. Renamed file using
MoveOnBoot. Can delete renamed file but original file gets restored.
Haven't found a way to delete that's why I'm thinking it's key file for IBM
ThinkPad
 
That was first option tried. The file won't delete. Renamed file
using MoveOnBoot. Can delete renamed file but original file gets
restored. Haven't found a way to delete that's why I'm thinking it's
key file for IBM ThinkPad

If you're determined, you can try the method discussed here:

http://articles.techrepublic.com.com/5100-22_11-5288922.html

But I'll bet you'll get a replacement!

Another page you might find helpful:

http://www.pchell.com/support/undeletablefiles.shtml

Have you tried using Ccleaner?
 
Thanks for links. Performed operations as detailed but "Access denied"
message when trying to delete via command window.

Tried CCleaner but not impressed. Looking at results of detected files it
doesn't (or didn't) even look at c:\windows\temp folder. If it did, it
didn't find anything to delete though I'd checked to see there were files
(including vtclrg41.tmp) to delete. There were.
 
Thanks for feedback. See response to Daave

Alias said:
Have you tried Crap Cleaner? Get it at www.ccleaner.com Try the clean up
first and, if that doesn't work, use the Issues feature but only tick
the file in question if it appears. Leave anything else it finds unticked.

Alias
 
barrowhill said:
Thanks for links. Performed operations as detailed but "Access denied"
message when trying to delete via command window.

Have a look at "How to take ownership of a file or folder in Windows
XP":

http://support.microsoft.com/kb/308421

Tried CCleaner but not impressed. Looking at results of detected
files it doesn't (or didn't) even look at c:\windows\temp folder. If
it did, it didn't find anything to delete though I'd checked to see
there were files (including vtclrg41.tmp) to delete. There were.

CCleaner *does* look at the C:\Windows\Temp folder. But note that there
is an advanced option to "only delete files in Windows temp folders
older than 48 hours."
 
Thanks for info. Details specified in link followed but unable to delete.

I should have looked at CC options. The file is over 48 hours old, but I
unchecked anyway. After running, report shows all files deleted in
c:\windows\temp folder (I must have missed it on last execution!). It didn't
show vtclrg41.tmp as having been deleted. Check actual location and sure
enough, only file in the folder.
 
Thanks for input. I've downloaded and ran but to be honest can't see
anything remotely related to the file vtclrg41.tmp. I've tried to view
ProcessExplorer activity as I try and delete file to see which, if any,
process "fires up". Nothing apparent.
 
You need to click on the find button (binoculars) and enter the file name
into the search box. It will then show which processes are using the file.
Click on the file name in the results window and it will highlight the
process that is using it.
Louis
 
barrowhill said:
That was first option tried. The file won't delete. Renamed file
using MoveOnBoot. Can delete renamed file but original file gets
restored. Haven't found a way to delete that's why I'm thinking it's
key file for IBM ThinkPad

I just re-read this post. :-)

Apparently, you *can* delete the file, although it involves the
workaround using MoveOnBoot.

And anytime the file gets deleted, a new one gets created; this is by
design.

If you still want to play around with it, perhaps you can use the
"Delete protected file" function of Malwarebytes' Anti-Malware:

http://www.malwarebytes.org/mbam.php

Or you could just leave it alone. :-)
 
Thanks very much for additional feedback - just the ticket!

Followed your instructions and the file in question (vtclrg41.tmp) is used
by two processes - winlogon.exe and vtserver.exe.

Winlogon not the issue as we know what that does, the relevant one is
vtserver.exe. This is a Passport Server Module from UPEK Inc belonging to IBM
fingerprint authentication software. The laptop has fingerprint recognition.

It's just a pity that IBM chose to use C:\windows\temp to store the file.
Running Ashampoo WinOptimizer scans this folder and assumes, as a "temp"
folder, that all is for removal which in the case of this file, it's not.

At least my original question has been answered. Thanks to all those who
responded and to you for putting the final nail in the coffin. Most grateful.
 