Solved

Mysterious process running on Windows 7 machine

Posted on 2013-10-24
Last Modified: 2013-10-28
I have a Startup Item (in MSCONFIG) called “Xyoquhifydyr” from an unknown manufacturer that runs the command C:\Users\username\AppData\Roaming\Riyrqe\taywle.exe located in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Has anyone seen this before or know what it might be?  Task Manager shows three or four instances of taywle.exe running at any given time.  When I end any of those instances, they restart almost immediately.
Question by:PankowIT
12 Comments
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39599044
Hi.

I have never seen that. If I were you, I'd disable it and see if, on your daily basis, some program reports errors; if not, remove it.

It's my opinion.

Regards
0
 
LVL 1

Accepted Solution

by:
DidUReboot earned 250 total points
ID: 39599055
Typically, any time you have something running in AppData that has random naming like that, it is malicious. 9 times out of 10, if you have something running that has a somewhat random-looking name, you can Google it and something will come up. I would advise getting Malwarebytes, Security Essentials or something like that and doing a full scan of your computer. Another piece of software that I've found useful is RogueKiller. You may also want to run CCleaner first to make sure it clears out temp files before scanning, or the scans will take quite a bit longer. You can also use CCleaner to stop startup processes instead of using msconfig and having to reboot afterward. When using CCleaner, I typically open it and go directly to Options -> Advanced and uncheck "Only delete files in Windows Temp folders older than 24 hours" and "Only delete files in Recycle Bin older than 24 hours". Then back to the Cleaner tab and "Run Cleaner". Then scan your computer for malware. As far as Malwarebytes goes, I would go ahead and enable the trial and do a flash scan. Make sure, though, to right-click the icon in your taskbar by your clock and uncheck Start with Windows, Website Blocking and File Checker.

CCleaner: https://www.piriform.com/ccleaner/download/standard
Malwarebytes: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/?1
Security Essentials: http://windows.microsoft.com/en-us/windows/security-essentials-download
RogueKiller (32 and 64 bit): http://tigzy.geekstogo.com/roguekiller.php
0
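The signals the accepted answer relies on (an executable launched from a user profile directory, and a value name that looks machine-generated) can be turned into a small triage check. The script below is an added example and is not code from any of the posts; it runs over a constructed table of Run values (the entry from the question plus made-up benign entries) instead of reading the live registry, and the user-writable-path pattern, the common-bigram "randomness" score and its threshold are assumptions of the example, not an established detection rule.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values (value name -> command line). The first is the entry from the
# question; the others are benign-looking entries invented for the example.
SAMPLE_RUN_ENTRIES = {
    "Xyoquhifydyr": r"C:\Users\username\AppData\Roaming\Riyrqe\taywle.exe",
    "OneDrive": r'"C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Spotify": r'"C:\Users\username\AppData\Roaming\Spotify\Spotify.exe" --autostart',
    "Adobe Reader Speed Launcher": r'"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Reader_sl.exe"',
}

# Frequent English letter pairs; a name containing few of them reads as
# machine-generated. The list and the threshold are assumptions to tune.
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng "
    "se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur".split()
)
RANDOM_THRESHOLD = 0.15

# Directories an unprivileged user can write to; legitimate software lives
# there too, so this is only one signal, never a verdict on its own.
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|ProgramData|Temp)\\", re.I)


def bigram_score(name: str) -> float:
    """Fraction of adjacent letter pairs in `name` that are common English bigrams."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 2:
        return 1.0
    pairs = [a + b for a, b in zip(letters, letters[1:])]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs)


def executable_path(command: str) -> str:
    """Pull the executable out of a Run value's command line (quoted or bare)."""
    m = re.match(r'\s*"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"\s*(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command.strip().split(" ")[0]


def triage_run_entry(name: str, command: str) -> dict:
    """Score one Run value; 'suspicious' needs both a writable path and a random-looking name."""
    exe = PureWindowsPath(executable_path(command))
    reasons = []
    if USER_WRITABLE.search(str(exe)):
        reasons.append("executable lives in a user-writable profile directory")
    random_names = [n for n in (name, exe.stem, exe.parent.name)
                    if bigram_score(n) < RANDOM_THRESHOLD]
    if random_names:
        reasons.append("random-looking name(s): " + ", ".join(random_names))
    return {"name": name, "exe": str(exe),
            "suspicious": len(reasons) == 2, "reasons": reasons}


def triage_all(entries=SAMPLE_RUN_ENTRIES):
    return [triage_run_entry(n, c) for n, c in entries.items()]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['name']} -> {r['exe']}")
        for reason in r["reasons"]:
            print("           -", reason)
```

To use it on a real machine, read the values of the key named in the question (for example with `reg query` or `Get-ItemProperty`) and pass them in as the dictionary. Note that a single signal is normal: OneDrive and Spotify start from AppData and are not flagged, and short real names can score low on the bigram test; only the combination of both signals, as in the question's entry, is worth a closer look before deciding on a scan.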
 
LVL 24

Assisted Solution

by:aadih
aadih earned 250 total points
ID: 39599064
Malware it is.

Scan with:

(1) Malwarebytes antimalware, and

(2) TDSSKiller.
0
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 39599141
The responses indicating it is malware are correct, so I will just add a bit to that.  I would make the file inactive before doing the scans.  Boot to Safe Mode and delete the Riyrqe file, then boot to normal mode and run the scans that were suggested.  My presumption is that the program will not be running in Safe Mode (generally, but not always the case) and it will make it MUCH easier for the anti-malware programs to clean it up.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39600070
While the supposition that the malware most likely won't be active, or at least fully functional, in safe mode may very well be correct, if you can run MWB or other antimalware programs in normal mode, that is usually better. You're running these programs to delete the malware, and they will probably do a "better" job while running in normal mode and with the malware doing its thing. Having said that, there are times when the malware will keep programs such as MWB from doing its thing in normal mode, and in those cases I first boot to safe mode, run the antimalware program(s) and then reboot into normal mode and run them again. Sometimes I'll even run MWB in a full scan mode. Typically that will take care of things.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39600168
Suggesting running MBAM (in another thread) in safe mode was frowned upon by a "topic advisor" there.  Such a post was deleted. :-(

Could the "topic advisor" here share her (his) view or E-E's view on running MBAM from safe mode? Please. :-)
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 39600184
While I was not the topic advisor, I'll chime in with what I've heard. MWB is really meant to be run from normal mode. It's how it was designed and where it works best. As I've mentioned in my post, that is my preferred method of running it. However, there are times when the infection will not even let it be installed, let alone be run, and in those situations, if you really want to run MWB, going to safe mode is about the only option.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39600188
jhyiesla, That has been my understanding also.

Waiting for an official word.  :-)

[Note:  my objection to deleted post was also promptly deleted.  :-(]
0
 
LVL 21

Expert Comment

by:CompProbSolv
ID: 39601142
RE: MWB in Safe Mode
I will often run MWB in Safe Mode and then run it after a normal boot.  Other than the fact that this takes additional time, are you suggesting that MWB may not be as effective in this manner?
0
 
LVL 24

Expert Comment

by:aadih
ID: 39601164
I am not suggesting anything. I am saying I was chided for saying the same thing here in another thread by a "topic advisor." That's all.

So, I'd like to hear E-E's position on it, so I don't make the same mistake again.

Simple, not complex. :-)
0
 

Author Closing Comment

by:PankowIT
ID: 39607069
The diagnosis of malware was indeed correct.  Full scans with Microsoft Security Essentials and MalwareBytes Pro did the trick.  I ran MalwareBytes in safe mode and in regular mode just to be sure.

Thanks to all for your comments.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39607321
Great. You got it working. :-)
0
