Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91680 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Laptop freezes and internet surfing causes ad popups [Solved]


  • This topic is locked This topic is locked
24 replies to this topic

#16 elbowpipe

elbowpipe

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts
  • Interests:Trad Irish and Scottish music, Gaelic song, reading fiction/non-fiction (Cormac McCarthy and Alice Munroe current faves), creative writing.

Posted 04 April 2014 - 12:48 AM

Hi Nina,

 

that's weird, there's no folder at C:\windows\system32\drivers and a search on whole computer for ryiqzhck.sys doesn't come up with anything? (corrected the file location)

 

HijackThis Fix completed successfully


Edited by elbowpipe, 04 April 2014 - 01:10 AM.

    Advertisements

Register to Remove


#17 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 April 2014 - 01:14 AM

The path is C:\WINDOWS\system32\Drivers, not C:\WINDOWS\Drivers.
 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#18 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 April 2014 - 02:37 AM

As ComboFix seems to be the only thing that sees it, we’ll get ComboFix to get rid of it.

Open ComboFix

Please do the following:

  • close any open browsers.
  • close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
  • open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\drivers\ryiqzhck.sys
Driver::
ryiqzhck

Save this as "CFScript.txt", and as  Type: All Files (*.*) in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt.  Post the contents of Combofix.txt in your next reply and tell me if there are any remaining problems. If all is well, I’ll send instructions to tidy up.

Thanks

Satchfan


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#19 elbowpipe

elbowpipe

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts
  • Interests:Trad Irish and Scottish music, Gaelic song, reading fiction/non-fiction (Cormac McCarthy and Alice Munroe current faves), creative writing.

Posted 04 April 2014 - 11:19 AM

Hi Nina,

 

ComboFix Log below:

 

ComboFix 14-04-03.01 - Simona 04/04/2014  18:10:11.3.4 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.2732.1712 [GMT 1:00]
Running from: c:\users\Simona\Desktop\ComboFix.exe
Command switches used :: c:\users\Simona\Desktop\CFscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\ryiqzhck.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ryiqzhck
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-04 to 2014-04-04  )))))))))))))))))))))))))))))))
.
.
2014-04-04 17:15 . 2014-04-04 17:15 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{145B79B8-F020-4CBD-B039-DE36F3933BCA}\offreg.dll
2014-04-02 14:41 . 2014-03-17 09:16 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{145B79B8-F020-4CBD-B039-DE36F3933BCA}\mpengine.dll
2014-04-01 22:02 . 2014-04-04 17:16 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-01 22:01 . 2014-03-05 08:26 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-01 22:01 . 2014-03-05 08:26 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-01 22:01 . 2014-03-05 08:26 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-01 22:01 . 2014-04-01 22:01 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-01 22:01 . 2014-04-01 22:01 -------- d-----w- c:\programdata\Malwarebytes
2014-04-01 17:15 . 2012-02-17 05:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2014-04-01 17:15 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2014-04-01 17:15 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2014-04-01 17:15 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2014-04-01 17:09 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2014-04-01 17:09 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2014-04-01 17:09 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2014-04-01 17:09 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2014-04-01 17:09 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2014-04-01 17:09 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2014-04-01 17:09 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2014-04-01 17:09 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2014-04-01 17:09 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-04-01 14:53 . 2014-04-01 14:53 -------- d-----w- c:\users\Simona\AppData\Roaming\Systweak
2014-04-01 14:50 . 2014-04-01 14:51 -------- d-----w- C:\AdwCleaner
2014-03-17 22:11 . 2014-03-17 22:11 -------- d-----w- c:\users\Simona\AppData\Roaming\CBS Interactive
2014-03-05 17:56 . 2014-03-05 17:56 -------- d-----w- c:\users\Simona\AppData\Local\Skype
2014-03-05 17:55 . 2014-03-05 17:55 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Ultra Agent"="d:\daemon tools ultra\DTAgent.exe" [2013-06-25 3128352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-02-10 20922016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-03 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-03 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-02-03 177944]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-07-12 10754664]
"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2012-06-07 2199376]
"BTMTrayAgent"="c:\program files\Intel\Bluetooth\btmshell.dll" [2011-10-18 9894160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-12-05 141312]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Intel\Bluetooth\mediasrv.exe [2011-10-18 1354064]
R3 Disc Soft Bus Service;Disc Soft Bus Service;d:\daemon tools ultra\DiscSoftBusService.exe [2013-06-25 632352]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-12-08 241936]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-12-05 509440]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files\Intel\Bluetooth\devmonsrv.exe [2011-10-18 936272]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Intel\Bluetooth\obexsrv.exe [2011-10-18 1001808]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-12-05 104208]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-03-05 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-03-05 857912]
S2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2012-06-28 233344]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-09-16 3273088]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-05-05 2656536]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2011-12-08 722704]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-12-05 141312]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-08-29 43008]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-10-10 230912]
S3 dtscsibus;DAEMON Tools Virtual SCSI Bus;c:\windows\system32\DRIVERS\dtscsibus.sys [2013-07-18 24704]
S3 ETD;Samsung PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-06-07 254800]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-10-11 47104]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 270336]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-03-05 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-04 107736]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-03-05 51416]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-20 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-02 10299904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 21:04 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 22:35]
.
2014-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 22:35]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Malwarebytes Anti-Malware\mbam.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2014-04-04  18:18:34 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-04 17:18
ComboFix2.txt  2014-04-02 22:08
ComboFix3.txt  2014-04-02 21:55
.
Pre-Run: 67,012,034,560 bytes free
Post-Run: 67,719,823,360 bytes free
.
- - End Of File - - 43EC23E4109FBBAD63210C5E31099690
A36C5E4F47E84449FF07ED3517B43A31


#20 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 April 2014 - 01:33 PM

Any outstanding problems?


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#21 elbowpipe

elbowpipe

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts
  • Interests:Trad Irish and Scottish music, Gaelic song, reading fiction/non-fiction (Cormac McCarthy and Alice Munroe current faves), creative writing.

Posted 04 April 2014 - 01:41 PM

Hi Nina,

 

nothing I'm aware of :)



#22 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 04 April 2014 - 03:10 PM

Hi Duncan

 

Your friend's computer appears to be clean.

Now that it's free from malware, as long as the computer seems to be running well, please follow these simple steps to tidy up and decrease the likelihood of it getting infected again:

Uninstall Combofix

Follow these steps to uninstall Combofix

  • click START then RUN
  • now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /, it needs to be there.

CFuninstall.jpg


  • please follow the prompts to uninstall Combofix.
  • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Uninstall OTL

  • double-click OTL.exe
  • click the CleanUp! button.
  • select Yes when the Begin cleanup Process? prompt appears.
  • if you are prompted to reboot during the cleanup, select Yes.
  • the tool will delete itself once it finishes, if not delete it by yourself.

NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Antivirus

You have no active antivirus on your computer. If you use the Internet without an antivirus your computer will certainly become infected again. It is also imperative that you update your Antivirus software at least once a week, (even more if you wish). If you do not update it, it will not be able to catch any of the new variants of malware that come out on a daily basis.

Do NOT install more than one or they will fight against each other and render both ineffective.

Here are some of the better AV products.

Download and install one of these free antivirus programs:


Free Avast Home Edition
Avira AntiVir® Personal Edition Classic
Microsoft Security Essentials
 

===================================================

Windows updates

I notice that Windows updates are waiting to be installed. Click here for information on how to get the latest Windows updates:

===================================================

Update installed programs

Your version of Adobe Reader is out-of-date and need to be removed and updated.

Having the latest updates ensures there are no security vulnerabilities in your system.

Uninstall the following program:

Adobe Reader 9

  • click Start, Control Panel, Programs, Programs and Features.
  • click on Adobe Reader 9 and then Uninstall.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Visit Adobe and download the latest version of Acrobat Reader.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

===================================================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#23 elbowpipe

elbowpipe

    Authentic Member

  • Authentic Member
  • PipPip
  • 72 posts
  • Interests:Trad Irish and Scottish music, Gaelic song, reading fiction/non-fiction (Cormac McCarthy and Alice Munroe current faves), creative writing.

Posted 06 April 2014 - 06:22 AM

Hi Nina,

 

sorry for the delay. Was in transit to Skye. That's all done now, thanks. You've been a great help. :)

 

Duncan



#24 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 06 April 2014 - 06:26 AM

You are welcome.

 

Best wishes.

 

Nina


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#25 Satchfan

Satchfan

    SuperHelper

  • Malware Team
  • 6,286 posts
  • Interests:LFC, music, more LFC, more music

Posted 06 April 2014 - 06:26 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

    Advertisements

Register to Remove

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users