Solved

Mysterious process running on Windows 7 machine

Posted on 2013-10-24
228 Views
Last Modified: 2013-10-28
I have a Startup Item (in MSCONFIG) called “Xyoquhifydyr” from an unknown manufacturer that runs the command C:\Users\username\AppData\Roaming\Riyrqe\taywle.exe located in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Has anyone seen this before or know what it might be?  Task Manager shows three or four instances of taywle.exe running at any given time.  When I end any of those instances, they restart almost immediately.
Question by:PankowIT
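The behaviour described in the question (several copies of one executable under AppData\Roaming that relaunch as soon as one is killed) is the kind of thing you can see from the process tree before touching anything. The script below is an added example, not code from this thread: it lists processes whose image lives under any user's AppData directory, counts instances per image, and flags a process whose parent is another copy of the same image (the self-respawn pattern). It assumes an elevated PowerShell prompt and uses Get-WmiObject, which exists on Windows 7's PowerShell 2.0.

```powershell
# Added example (not from the thread): find processes running from user profile
# directories and show which of them are started by copies of themselves.
# Assumes an elevated prompt; Get-WmiObject is available on PowerShell 2.0 and later.

$all = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# Any path under C:\Users\<name>\AppData\... is writable by that user without elevation,
# which is why persistence like the one in the question usually lands there.
$suspects = $all | Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match '\\Users\\[^\\]+\\AppData\\' }

# Instance count per image (the question reports three or four copies of taywle.exe).
$countByImage = @{}
foreach ($s in $suspects) { $countByImage[$s.ExecutablePath] = 1 + $countByImage[$s.ExecutablePath] }

$suspects | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    $parentImage = if ($parent) { $parent.ExecutablePath } else { '<parent exited>' }
    # Parent is another copy of the same executable: killing one instance lets a sibling relaunch it.
    $selfRespawn = ($parent -ne $null) -and ($parent.ExecutablePath -eq $_.ExecutablePath)
    New-Object PSObject -Property @{
        PID         = $_.ProcessId
        ParentPID   = $_.ParentProcessId
        Instances   = $countByImage[$_.ExecutablePath]
        SelfRespawn = $selfRespawn
        Image       = $_.ExecutablePath
        ParentImage = $parentImage
        CommandLine = $_.CommandLine
    }
} | Format-Table -AutoSize PID, ParentPID, Instances, SelfRespawn, Image, ParentImage
```

Run it before ending any instance so the parent/child relations are still intact; a row with SelfRespawn = True and Instances greater than one is the watchdog arrangement the question describes, and the Image column gives you the file to hash and submit for scanning rather than just a random name to search for.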
12 Comments
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39599044
Hi.

I have never seen that. If I were you, I would disable it and see if, in your daily use, some program reports errors; if not, remove it.

It's my opinion.

Regards
LVL 1

Accepted Solution

by:DidUReboot
DidUReboot earned 250 total points
ID: 39599055
Typically any time you have something running in AppData that has random naming like that, it is malicious. 9 times out of 10, if you have something running that has a somewhat random-looking name, you can google it and something will come up. I would advise getting Malwarebytes, Security Essentials or something like that and doing a full scan of your computer. Another piece of software that I've found useful is RogueKiller. You may also want to run CCleaner first to make sure it clears out temp files before scanning, or the scans will take quite a bit longer. You can also use CCleaner to stop startup processes instead of using msconfig and having to reboot afterward. When using CCleaner, I typically open it and go directly to Options -> Advanced and uncheck "Only delete files in Windows Temp folders older than 24 hours" and "Only delete files in Recycle Bin older than 24 hours". Then back to the Cleaner tab and "Run Cleaner". Then scan your computer for malware. As far as Malwarebytes goes, I would go ahead and enable the trial and do a flash scan. Make sure, though, to right-click the icon in your task bar by your clock and uncheck Start with Windows, Website Blocking and File Checker.

CCleaner: https://www.piriform.com/ccleaner/download/standard
Malwarebytes: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/?1
Security Essentials: http://windows.microsoft.com/en-us/windows/security-essentials-download
RogueKiller (32 and 64 bit): http://tigzy.geekstogo.com/roguekiller.php
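The accepted answer's rule of thumb (a randomly named executable under AppData started from a Run key is almost always malicious) and aadih's "scan it" advice both come down to inspecting the autorun entries themselves. The following is an added example, not code from this thread or from any of the tools it names: it walks the HKCU and HKLM Run/RunOnce keys, pulls the executable path out of each command, and flags entries whose file sits in a user profile directory, is not validly Authenticode-signed, or no longer exists, printing a SHA-256 you can look up in a reputation service. It assumes an elevated prompt and hashes with .NET directly so that it also works on Windows 7's PowerShell 2.0, which lacks Get-FileHash.

```powershell
# Added example (not from the thread): audit Run/RunOnce autorun entries and flag
# the ones that look like user-land persistence. Assumes an elevated prompt.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExeFromCommand([string]$cmd) {
    # A Run value is a command line: either "quoted path" args, or an unquoted path ending in .exe.
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($cmd -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)(\s|$)') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-Sha256([string]$path) {
    # .NET hashing instead of Get-FileHash so this runs on PowerShell 2.0 (Windows 7 default).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/PSChildName metadata
        $exe = Get-ExeFromCommand ([string]$p.Value)
        $flags = @()
        # Legitimate software installs under Program Files; a Run entry pointing into
        # C:\Users\<name>\... is the pattern the accepted answer warns about.
        if ($exe -match '\\Users\\[^\\]+\\') { $flags += 'user-profile path' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            $hash = Get-Sha256 $exe
        } else {
            $flags += 'file missing'
            $hash = ''
        }
        New-Object PSObject -Property @{
            Key = $key; Name = $p.Name; Exe = $exe; SHA256 = $hash; Flags = ($flags -join ', ')
        }
    }
}

$results | Format-Table -AutoSize Name, Flags, Exe, SHA256
```

An entry like the one in the question would show up with Flags of "user-profile path, signature: NotSigned", which is a far better thing to search for or submit to a scanner than the made-up value name. Entries from HKLM that are unsigned are worth a second look too, but plenty of legitimate vendors ship unsigned binaries, so treat the signature flag as a prompt to check the hash rather than a verdict.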
LVL 24

Assisted Solution

by:aadih
aadih earned 250 total points
ID: 39599064
Malware it is.

Scan with:

(1) Malwarebytes antimalware, and

(2) TDSSKiller.
LVL 20

Expert Comment

by:CompProbSolv
ID: 39599141
The responses indicating it is malware are correct, so I will just add a bit to that.  I would make the file inactive before doing the scans.  Boot to Safe Mode and delete the Riyrqe file, then boot to normal mode and run the scans that were suggested.  My presumption is that the program will not be running in Safe Mode (generally, but not always the case) and it will make it MUCH easier for the anti-malware programs to clean it up.
LVL 28

Expert Comment

by:jhyiesla
ID: 39600070
While the supposition that the malware most likely won't be active, or at least fully functional, in safe mode may very well be correct, if you can run MWB or other antimalware programs in normal mode that is usually better. You're running these programs to delete the malware, and they will probably do a "better" job while running in normal mode with the malware doing its thing.  Having said that, there are times when the malware will keep programs such as MWB from doing their thing in normal mode, and in those cases I first boot to safe mode, run the antimalware program(s) and then reboot into normal mode and run them again. Sometimes I'll even run MWB in full scan mode. Typically that will take care of things.
LVL 24

Expert Comment

by:aadih
ID: 39600168
Suggesting running MBAM (in another thread) in safe mode was frowned upon by a "topic advisor" there.  Such a post was deleted. :-(

Could the "topic advisor" here share her (his) view or E-E's view on running MBAM from safe mode? Please. :-)
LVL 28

Expert Comment

by:jhyiesla
ID: 39600184
While I was not the topic advisor, I'll chime in with what I've heard. MWB is really meant to be run from normal mode. It's how it was designed and where it works best.  As I've mentioned in my post, that is my preferred method of running it. However, there are times when the infection will not even let it be installed, let alone be run, and in those situations, if you really want to run MWB, going to safe mode is about the only option.
LVL 24

Expert Comment

by:aadih
ID: 39600188
jhyiesla, That has been my understanding also.

Waiting for an official word.  :-)

[Note:  my objection to deleted post was also promptly deleted.  :-(]
LVL 20

Expert Comment

by:CompProbSolv
ID: 39601142
RE: MWB in Safe Mode
I will often run MWB in Safe Mode and then run it after a normal boot.  Other than the fact that this takes additional time, are you suggesting that MWB may not be as effective in this manner?
LVL 24

Expert Comment

by:aadih
ID: 39601164
I am not suggesting anything. I am saying I was chided for saying the same thing here in another thread by a "topic advisor." That's all.

So, I'd like to hear E-E's position on it, so I don't make the same mistake again.

Simple, not complex. :-)
Author Closing Comment

by:PankowIT
ID: 39607069
The diagnosis of malware was indeed correct.  Full scans with Microsoft Security Essentials and MalwareBytes Pro did the trick.  I ran MalwareBytes in safe mode and in regular mode just to be sure.

Thanks to all for your comments.
LVL 24

Expert Comment

by:aadih
ID: 39607321
Great. You got it working. :-)