
Laptop freezes and internet surfing causes ad popups [Solved]


  • This topic is locked
24 replies to this topic

#16 elbowpipe

    Authentic Member

  • 72 posts
  • Interests: Trad Irish and Scottish music, Gaelic song, reading fiction/non-fiction (Cormac McCarthy and Alice Munroe current faves), creative writing.

Posted 04 April 2014 - 12:48 AM

Hi Nina,

 

That's weird, there's no folder at C:\windows\system32\drivers and a search of the whole computer for ryiqzhck.sys doesn't come up with anything? (corrected the file location)

 

HijackThis Fix completed successfully


Edited by elbowpipe, 04 April 2014 - 01:10 AM.



#17 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts
  • Interests: LFC, music, more LFC, more music

Posted 04 April 2014 - 01:14 AM

The path is C:\WINDOWS\system32\Drivers, not C:\WINDOWS\Drivers.
 


NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#18 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts

Posted 04 April 2014 - 02:37 AM

As ComboFix seems to be the only thing that sees it, we’ll get ComboFix to get rid of it.

Open ComboFix

Please do the following:

  • close any open browsers.
  • close/disable all antivirus and anti-malware programs so that they do not interfere with the running of ComboFix.
  • open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\drivers\ryiqzhck.sys
Driver::
ryiqzhck

Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt.  Post the contents of Combofix.txt in your next reply and tell me if there are any remaining problems. If all is well, I’ll send instructions to tidy up.

Thanks

Satchfan



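The CFScript above asks ComboFix to delete a driver file that Explorer's search could not find and to remove its service entry. As an added example (not part of the thread and not ComboFix's own logic), the PowerShell below shows the underlying check a practitioner would run by hand: walk the driver entries under HKLM\SYSTEM\CurrentControlSet\Services and report those whose ImagePath does not resolve to a file on disk, which is how an orphaned or hidden driver service like "ryiqzhck" shows up. Resolve-ImagePath is a helper written for this example; it assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example, not from the thread or from ComboFix.
# Lists kernel-driver service entries whose binary is missing from disk.
# Assumes: elevated PowerShell (2.0 or later) on Windows 7 or later.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Helper for this example. Driver ImagePath values are usually relative
    # ("system32\drivers\x.sys"), or prefixed "\SystemRoot\" or "\??\C:\...".
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    if ($p -match '^\\\?\?\\(.+)$')        { return $Matches[1] }
    if ($p -match '^\\SystemRoot\\(.+)$')  { return (Join-Path $env:SystemRoot $Matches[1]) }
    if ($p -match '^[A-Za-z]:\\')          { return $p }
    return (Join-Path $env:SystemRoot $p)   # relative to %SystemRoot%
}

Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services
    if ($props.Type -ne 1 -and $props.Type -ne 2) { return }
    if (-not $props.ImagePath) { return }   # entry has no binary path at all; nothing to resolve
    $full = Resolve-ImagePath $props.ImagePath
    if (-not (Test-Path -LiteralPath $full)) {
        New-Object PSObject -Property @{
            Service   = $_.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $props.ImagePath
            Resolved  = $full
        }
    }
} | Format-Table Service, Start, ImagePath, Resolved -AutoSize
```

A missing file on its own is not proof of malware: the VGPU entry in the log further down (rdvgkmd.sys, which ComboFix flags with [x]) is a stock Windows 7 component in exactly that state. What is worth attention is an entry with a random-looking eight-letter name, no vendor, and no file, as here. Note also that a kernel-mode rootkit that hides its own file makes Test-Path fail in the same way as a genuinely deleted file, which is why a tool that reads the disk directly (ComboFix, in this thread) can see a driver that Explorer's search and this script cannot.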
#19 elbowpipe

    Authentic Member

  • 72 posts

Posted 04 April 2014 - 11:19 AM

Hi Nina,

 

ComboFix Log below:

 

ComboFix 14-04-03.01 - Simona 04/04/2014  18:10:11.3.4 - x86
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.44.1033.18.2732.1712 [GMT 1:00]
Running from: c:\users\Simona\Desktop\ComboFix.exe
Command switches used :: c:\users\Simona\Desktop\CFscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
FILE ::
"c:\windows\system32\drivers\ryiqzhck.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ryiqzhck
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-04 to 2014-04-04  )))))))))))))))))))))))))))))))
.
.
2014-04-04 17:15 . 2014-04-04 17:15 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{145B79B8-F020-4CBD-B039-DE36F3933BCA}\offreg.dll
2014-04-02 14:41 . 2014-03-17 09:16 7969936 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{145B79B8-F020-4CBD-B039-DE36F3933BCA}\mpengine.dll
2014-04-01 22:02 . 2014-04-04 17:16 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-01 22:01 . 2014-03-05 08:26 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-01 22:01 . 2014-03-05 08:26 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-01 22:01 . 2014-03-05 08:26 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-01 22:01 . 2014-04-01 22:01 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-01 22:01 . 2014-04-01 22:01 -------- d-----w- c:\programdata\Malwarebytes
2014-04-01 17:15 . 2012-02-17 05:34 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2014-04-01 17:15 . 2012-02-17 05:34 826880 ----a-w- c:\windows\system32\rdpcore.dll
2014-04-01 17:15 . 2012-02-17 04:14 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2014-04-01 17:15 . 2012-02-17 04:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2014-04-01 17:09 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2014-04-01 17:09 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2014-04-01 17:09 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2014-04-01 17:09 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2014-04-01 17:09 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2014-04-01 17:09 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2014-04-01 17:09 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2014-04-01 17:09 . 2012-06-02 14:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2014-04-01 17:09 . 2012-06-02 14:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2014-04-01 14:53 . 2014-04-01 14:53 -------- d-----w- c:\users\Simona\AppData\Roaming\Systweak
2014-04-01 14:50 . 2014-04-01 14:51 -------- d-----w- C:\AdwCleaner
2014-03-17 22:11 . 2014-03-17 22:11 -------- d-----w- c:\users\Simona\AppData\Roaming\CBS Interactive
2014-03-05 17:56 . 2014-03-05 17:56 -------- d-----w- c:\users\Simona\AppData\Local\Skype
2014-03-05 17:55 . 2014-03-05 17:55 -------- d-----w- c:\program files\Common Files\Skype
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Ultra Agent"="d:\daemon tools ultra\DTAgent.exe" [2013-06-25 3128352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-02-10 20922016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-02-03 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-02-03 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-02-03 177944]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-07-12 10754664]
"ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2012-06-07 2199376]
"BTMTrayAgent"="c:\program files\Intel\Bluetooth\btmshell.dll" [2011-10-18 9894160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys [2011-12-05 141312]
R3 Bluetooth Media Service;Bluetooth Media Service;c:\program files\Intel\Bluetooth\mediasrv.exe [2011-10-18 1354064]
R3 Disc Soft Bus Service;Disc Soft Bus Service;d:\daemon tools ultra\DiscSoftBusService.exe [2013-06-25 632352]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-12-08 241936]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-12-05 509440]
S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files\Intel\Bluetooth\devmonsrv.exe [2011-10-18 936272]
S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files\Intel\Bluetooth\obexsrv.exe [2011-10-18 1001808]
S2 BTHSSecurityMgr;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-12-05 104208]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-03-05 1809720]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-03-05 857912]
S2 Mobile Broadband HL Service;Mobile Broadband HL Service;c:\programdata\MobileBrServ\mbbservice.exe [2012-06-28 233344]
S2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe [2013-09-16 3273088]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-05-05 2656536]
S2 ZeroConfigService;Intel® PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [2011-12-08 722704]
S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys [2011-12-05 141312]
S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys [2011-08-29 43008]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys [2011-10-10 230912]
S3 dtscsibus;DAEMON Tools Virtual SCSI Bus;c:\windows\system32\DRIVERS\dtscsibus.sys [2013-07-18 24704]
S3 ETD;Samsung PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys [2012-06-07 254800]
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys [2011-10-11 47104]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 270336]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-03-05 23256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-04 107736]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-03-05 51416]
S3 MEI;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECI.sys [2010-10-20 41088]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\NETwNs32.sys [2011-12-02 10299904]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 21:04 1150280 ----a-w- c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 22:35]
.
2014-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-18 22:35]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Malwarebytes Anti-Malware\mbam.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2014-04-04  18:18:34 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-04 17:18
ComboFix2.txt  2014-04-02 22:08
ComboFix3.txt  2014-04-02 21:55
.
Pre-Run: 67,012,034,560 bytes free
Post-Run: 67,719,823,360 bytes free
.
- - End Of File - - 43EC23E4109FBBAD63210C5E31099690
A36C5E4F47E84449FF07ED3517B43A31


#20 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts

Posted 04 April 2014 - 01:33 PM

Any outstanding problems?



#21 elbowpipe

    Authentic Member

  • 72 posts

Posted 04 April 2014 - 01:41 PM

Hi Nina,

 

nothing I'm aware of :)



#22 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts

Posted 04 April 2014 - 03:10 PM

Hi Duncan

 

Your friend's computer appears to be clean.

Now that it's free from malware, as long as the computer seems to be running well, please follow these simple steps to tidy up and decrease the likelihood of it getting infected again:

Uninstall Combofix

Follow these steps to uninstall Combofix

  • click START then RUN
  • now type Combofix /uninstall in the runbox and click OK.

Note the space between the X and the /; it needs to be there.

[image: CFuninstall.jpg]


  • please follow the prompts to uninstall Combofix.
  • once it's finished uninstalling itself you will receive a message saying Combofix was uninstalled successfully.

===================================================

Uninstall OTL

  • double-click OTL.exe
  • click the CleanUp! button.
  • select Yes when the Begin cleanup Process? prompt appears.
  • if you are prompted to reboot during the cleanup, select Yes.
  • the tool will delete itself once it finishes; if not, delete it yourself.

NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Antivirus

You have no active antivirus on your computer. If you use the Internet without an antivirus your computer will certainly become infected again. It is also imperative that you update your Antivirus software at least once a week, (even more if you wish). If you do not update it, it will not be able to catch any of the new variants of malware that come out on a daily basis.

Do NOT install more than one or they will fight against each other and render both ineffective.

Here are some of the better AV products.

Download and install one of these free antivirus programs:


Free Avast Home Edition
Avira AntiVir® Personal Edition Classic
Microsoft Security Essentials
 

===================================================

Windows updates

I notice that Windows updates are waiting to be installed. Click here for information on how to get the latest Windows updates:

===================================================

Update installed programs

Your version of Adobe Reader is out of date and needs to be removed and updated.

Having the latest updates ensures there are no security vulnerabilities in your system.

Uninstall the following program:

Adobe Reader 9

  • click Start, Control Panel, Programs, Programs and Features.
  • click on Adobe Reader 9 and then Uninstall.

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Visit Adobe and download the latest version of Acrobat Reader.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX controls; it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

===================================================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

===================================================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

===================================================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Help! My computer is slow! by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet  by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 



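The two findings Nina draws from the log above, "no active antivirus" and "Windows updates are waiting to be installed", can be confirmed directly on the machine. As an added example (not part of the thread), the PowerShell below queries the Windows Security Center WMI provider for registered antivirus products and asks the Windows Update COM API how many updates are pending. It assumes Windows 7 or later (the root\SecurityCenter2 namespace does not exist on XP or on Server editions) and, for the update count, network access to Windows Update or a WSUS server. The productState decoding is the one commonly used in admin scripts and is not formally documented by Microsoft, so treat it as an assumption.

```powershell
# Added example, not from the thread.
# Assumes Windows 7 or later, PowerShell 2.0 or later.

function Get-AntivirusStatus {
    # Security Center keeps one AntiVirusProduct instance per registered AV engine.
    # On Windows 7, Windows Defender is registered as AntiSpywareProduct only,
    # so a Defender-only machine (as in the log above) returns nothing here.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop
    foreach ($p in $products) {
        # productState is a packed bit field, read here as six hex digits "AABBCC":
        # BB = 10 or 11 means real-time protection on; CC = 00 means signatures current.
        # (Commonly used decoding, assumed here; not documented by Microsoft.)
        $hex = ('{0:X6}' -f [int]$p.productState)
        $bb  = $hex.Substring(2, 2)
        $cc  = $hex.Substring(4, 2)
        New-Object PSObject -Property @{
            Product      = $p.displayName
            Enabled      = ($bb -eq '10' -or $bb -eq '11')
            UpToDate     = ($cc -eq '00')
            ProductState = '0x' + $hex
        }
    }
}

function Get-PendingUpdateCount {
    # Windows Update Agent COM API; this is the same search the WU client performs.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    return $result.Updates.Count
}

$av = @(Get-AntivirusStatus)
if ($av.Count -eq 0) {
    'No antivirus product is registered with Security Center.'
} else {
    $av | Format-Table Product, Enabled, UpToDate, ProductState -AutoSize
}
"Pending updates: $(Get-PendingUpdateCount)"
```

An empty result from Get-AntivirusStatus is the machine-readable form of "no active antivirus"; after installing one of the products listed above, rerunning it should show the product with Enabled and UpToDate both True. The update search can take a minute or two on a machine that has not checked in for a while.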
#23 elbowpipe

    Authentic Member

  • 72 posts

Posted 06 April 2014 - 06:22 AM

Hi Nina,

 

sorry for the delay. Was in transit to Skye. That's all done now, thanks. You've been a great help. :)

 

Duncan



#24 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts

Posted 06 April 2014 - 06:26 AM

You are welcome.

 

Best wishes.

 

Nina



#25 Satchfan

    SuperHelper

  • Malware Team
  • 6,813 posts

Posted 06 April 2014 - 06:26 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.

