WTF is fwriyuog.sys?

Discussion in 'malware problems & news' started by cmangle, Nov 17, 2011.

Thread Status:
Not open for further replies.
  1. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    Apologies for putting this in the wrong forum, but the spyware forum was closed.

    Anyhow, can someone shed some light on this??

    My computer running Win 7 Ult OS started acting goofy! It boots to a blank screen and stops, or goes to my desktop background with no icons and no start bar and stops!

    A number of spyware proggies and registry proggies and GMER found this, and GMER says it's a rootkit!

    I did a Google and came up with NOTHING NOWHERE!! You try it!

    WHAT THE ~ Snipped as per TOS ~ IS THIS?

    Thanks, Chris

    This is the registry entry:
    [HKEY_LOCAL_MACHINE] \SYSTEM\ControlSet001\services\fwriyuog\\ImagePath
     

    Last edited by a moderator: Nov 17, 2011
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  3. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    Tried TDSSKiller and nfg, that was my first thought; will try HitmanPro though, thanks!
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I've had a FP from GMER before. Are you on Win7 32bit or 64bit?
     
  5. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    Win7 32 bit on a Dell Vostro 420 with an Intel dual core Q6600 CPU, 4 gig RAM.

    It looks like I'm not out of the woods yet!!

    Just getting ready to leave this guys house and I do a hard reboot, and it's back !! Even though I've found the original offending program and deleted/uninstalled it, the rootkit it contained and installed, is still present and active!

    Checked the registry and sure enough . . .

    [HKEY_LOCAL_MACHINE] \SYSTEM\ControlSet001\services\fwriyuog\\ImagePath

    . . . is in the registry. I removed it and did a registry search for fwriyuog and it shows up in Legacy entries which I CAN'T remove!

    Now how the sam hill did it return? I deleted the above program earlier, where did it return from?

    Did a system restore back three software installs, and still at boot up, in normal mode, blank screen and lockup! Safe mode boots fine!

    Now I'm thinking this rootkit is in a separate partition on the HARD drive and it's still active. So after deleting all partitions and reformatting the largest one (440gb) I will reinstall win 7 ultimate tomorrow!

    getting some sleep, it's been a long day!

    thanks all
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah... reinstall Win7. Format before you do.
     
  7. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    OK here's an update, first ESET HAS been my AV of choice for 3+ years now NOTHING holds a candle to it!

    Second, on to the problem(s) at hand

    Now I not only re-formatted the whole drive I also bought a new 1TB drive as a damage control item (in case I throw the original out the window) !

    After reformatting and re-installing Win7Ult 32 bit I don't have the same problem, but yet they are similar! Go figure! (I also tried Win7Ult 64 bit and the new WD 1TB 7200 drive.)

    After a successful install, randomly at boot up, it might go fine or it can go black or it can go to a Win7 light blue screen with the 4 color MS Flag logo and then freeze! If it does boot up ok and go to the desktop WITH all of the Icons, if it goes to sleep it will come back with the light blue Win7 screen with the MS logo/flag and be locked/froze!

    An F8 at boot up (SAFE MODE with Networking) ALWAYS brings you to the desk top with ICONS!

    I tried going back to a Windows XP Pro install and got an install error!

    So at this point I'm reloading Win7Ult 64bit and will run it in safe mode!

    What I've tried to solve this . . .

    2 different hard drives, both fresh, re-formatted with NOTHING on them! nfg

    I tried swapping and eliminating ram modules to ensure there's no memory problem! nfg

    Cleared CMOS. nfg

    Tried proper shutdowns (versus yanking the power plug after a successful bootup) nfg

    Looked for overheating issues nfg (air blew dust out of everywhere including my ears)

    One thing I am REALLY curious about with this DELL Vostro 420 is the CPU! It is an Intel Q6600 2.4ghz that is a supposed 64 bit CPU, but yet Dell shipped it with a 32 bit Win XP OS!

    How is that possible? You can't load a Win7 32 bit OS on to a current Intel i3, i5, i7 or any other current 64 bit CPU, cause it will tell you that you have the wrong OS architecture and halt the install!

    Not with this CPU o_O

    So at this point I'm stumped; the rootkit is gone (was it EVER there?) according to GMER and the funky file name "fwriyuog" it was. But that can't be the issue now!

    Any thoughts?

    thanks
     
    Last edited: Nov 18, 2011
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ cmangle

    What a nightmare :(

    Just a thought, "might" some of your problems be with your Motherboard ?

    Hope you get it sorted :thumb:

    Interesting, if anyone knows :)
     
    Last edited: Nov 18, 2011
  9. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,571
    I would also run memory test(s) from bootable media just to be sure that there are no memory problems.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes you can.
     
  11. wat0114

    wat0114 Guest

    Hungryman's right. It's the other way around, where you can't install 64 bit Windows on 32 bit hardware. Just wondering, why would a rootkit install in the user's temp directory?
     
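    A defender-side check for the kind of finding discussed in this thread (a kernel driver service whose ImagePath points somewhere odd, such as a user Temp directory, and a LEGACY_ key left behind after the service key is deleted), added here as an example and not code from any poster. It assumes an elevated PowerShell prompt on the affected Windows host and uses only built-in cmdlets; the "normal" driver location it whitelists is System32\drivers, so drivers that legitimately live elsewhere (some AV products) will show up and should be triaged by their signature status.

```powershell
# Added example, not from the thread: list kernel/file-system driver services
# (Type 1 or 2) whose ImagePath is outside System32\drivers, report whether the
# file still exists and whether it is Authenticode-signed, and whether a
# LEGACY_<NAME> enumeration key is still present. Run as Administrator.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

function Resolve-DriverPath {
    param([string]$ImagePath)
    # ImagePath comes in several forms: \??\C:\x.sys, \SystemRoot\..., or a
    # path relative to the Windows directory (system32\drivers\x.sys).
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-OddKernelDrivers {
    $findings = @()
    foreach ($key in Get-ChildItem $svcRoot) {
        $props = Get-ItemProperty $key.PSPath
        # Skip user-mode services and entries with no image at all
        if (@(1, 2) -notcontains $props.Type -or -not $props.ImagePath) { continue }
        $path = Resolve-DriverPath $props.ImagePath
        if ($path -match '\\system32\\drivers\\') { continue }   # expected location
        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'file missing' }
        $legacyKey = Join-Path $enumRoot ('LEGACY_' + $key.PSChildName.ToUpper())
        $findings += [pscustomobject]@{
            Service    = $key.PSChildName
            ImagePath  = $props.ImagePath
            FileExists = $exists
            Signature  = $sig
            LegacyKey  = (Test-Path $legacyKey)
            Start      = $props.Start   # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
        }
    }
    return $findings
}

Get-OddKernelDrivers | Format-Table -AutoSize
```

    An unsigned or missing driver file loading at boot (Start 0 or 1) from a Temp or AppData path is the pattern worth escalating; a LEGACY_ key on its own is just a leftover of a driver that once loaded.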
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,935
    Location:
    UK
    Last edited: Nov 19, 2011
  14. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    Apologies gentlemen if this was an incorrect posting but . . . success!

    What I had was multiple problems occurring at multiple times!

    Talk about a test from geek computer god!

    Initially, the rootkit WAS the problem! As time and frustration progressed other mitigating factors came into play!

    Of two dvd/cd rom drives (one a blu-ray) only one worked consistently, the regular cd/dvd burner! The blu-ray for some reason did not like the Win XP install CD nor either of the Win 7 Ult 32/64 install DVD's! Even after burning new fresh copies of ALL of the above at the slowest possible speed 4x!

    Then we have the mysterious Intel Q6600 64/32 bit CPU. Try and install a 32 bit OS on ANY desktop or laptop with a 64 bit CPU and it won't happen! Not with this CPU, either installs fine.
    (Not so much a problem, more a confusing factor to sidetrack my mind!)

    Last and foremost, either of the Win7 Ult installs, 32 or 64 bit, did not like the ATI Radeon HD video card. Even after d/ling the LATEST Win 7 drivers, random video errors occurred. Blank screen, desktop lockup; even if a good bootup occurred, as soon as the screen saver initiated you had lockup, NOTHING functioned except power down!

    It was the safe mode operation that pointed the way . . . why did the box work fine when no drivers were loaded? I was thinking the rootkit had returned when in actuality it was the change of OS to Win7 that was causing the similar symptoms. Do a Google and you will see this is a common problem with Win 7 Ult installs! But who would Google this if you thought the rootkit had returned? After reformatting the old drive and then installing a new one, where the hell was the rootkit hiding to return from?

    The final cure was to disable the ATI device in hardware and let the Dell run on generic drivers!

    I believe a new video card is on my friend's agenda! Although not necessary, as the box is running fine and he is not a gamer needing 3D and such!

    Whewwwwwww!
     
  15. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    It seems now you could have an AHCI issue. XP does not support AHCI natively and requires a driver to be installed using F6 during setup. Dell has a driver to be used during the OS install for 32 bit 7 here also: http://www.dell.com/support/drivers...rFileFormats?DriverId=FPWCC&FileId=2731109927

    For future reference you can delete legacy registry entries as shown in post 3 here: https://www.wilderssecurity.com/showthread.php?t=141555

    Edit: I see you have made progress. Do you have your hard drives and optical drives set to IDE or AHCI in the bios?

    A 32 bit OS installs just fine on a 64 bit CPU.
     
    Last edited: Nov 19, 2011
  16. cmangle

    cmangle Registered Member

    Joined:
    Jan 3, 2011
    Posts:
    16
    OK, and I have been informed that a 32 bit OS CAN go into a 64 bit CPU system.

    I stand corrected.
     
  17. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I believe you are right, it's a driver issue, but not the video drivers. If your BIOS is set to run the drives in AHCI instead of IDE mode and you installed the OS without providing the driver during the install, you will get the symptoms you are talking about. It also could possibly explain why your Blu-ray drive is not working.

    For an experiment, if the BIOS was set to AHCI, switch it to IDE, then restart and try ATI's drivers. If it works you can leave it that way, or switch the BIOS back to AHCI mode and reinstall the OS using the driver I linked to in the post above.
     