WTF is fwriyuog.sys?

Jul 17, 2011
125
0
76
My computer running Win 7 Ult OS started acting goofy! It boots to a blank screen and stops, or goes to my desktop background with no icons and no start bar and stops!

A number of spyware proggies and registry proggies and GMER found this, and GMER says it's a rootkit!

I did a Google and came up with NOTHING NOWHERE!!

WHAT THE hell IS THIS?

thanks

This is the registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fwriyuog\ImagePath
 

VirtualLarry

No Lifer
Aug 25, 2001
Yep, sounds like malware with a randomized name to try to escape detection. Time to wipe your HD with a bootable DBAN disc, and start over.
 
Jul 17, 2011
Deleted the entry from the registry, and now my 'puter boots up fine and the desktop is back to normal!

After running a few proggies (KUDOS to GMER, HitmanPro, RFA, and Killbox), all things pointed to this EVIL program:

AllMusicConverter_4.2.9-Setup.exe

I would recommend you do not download it, and you will save yourself 4 hours of agony!
 
Jul 17, 2011
It looks like I'm not out of the woods yet!!

Just getting ready to leave this guy's house and I do a hard reboot, and it's back!! Even though I've found the original offending program and deleted/uninstalled it, the rootkit it contained and installed is still present and active!

Checked the registry and sure enough . . .

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fwriyuog\ImagePath

. . . is in the registry. I removed it and did a registry search for fwriyuog, and it shows up in Legacy entries which I CAN'T remove!

Now how in the Sam Hill did it return? I deleted the above program earlier; where did it return from?

Did a system restore back three software installs, and still at boot-up, in normal mode, blank screen and lockup! Safe mode boots fine!

Now I'm thinking this rootkit is in a separate partition on the HARD drive and it's still active. So after deleting all partitions and reformatting the largest one (440 GB), I will reinstall Win 7 Ultimate tomorrow!

Getting some sleep, it's been a long day!

thanks all
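The two things the OP keeps running into, a kernel driver service under HKLM\SYSTEM\ControlSet001\services with a random-looking name, and the matching Enum\Root\LEGACY_* key that the running system will not let him delete, are exactly what an offline look at the SYSTEM hive should surface. The following is an added example, not code from the thread or from any of the tools named in it. It assumes the infected drive's SYSTEM hive was loaded read-only on a clean machine and ControlSet001 exported with regedit to a .reg file; it parses that export (including the hex(2) UTF-16 encoding regedit uses for REG_EXPAND_SZ values), lists every kernel or file-system driver service with its ImagePath and Start value, checks whether a LEGACY_<NAME> enum key exists for it, and flags names that are missing from a clean-machine baseline or look machine-generated. SAMPLE_REG, REFERENCE_DRIVERS and the drivers\fwriyuog.sys location are constructed for the example; the thread gives only the file name.

```python
import re

SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services'
ENUM_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root'
DRIVER_TYPES = {0x1, 0x2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER

# Constructed sample export, not the OP's. Tcpip's ImagePath is REG_EXPAND_SZ,
# which regedit writes as hex(2): UTF-16LE bytes wrapped with trailing
# backslashes; the fwriyuog path is assumed (the thread gives only the name).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fwriyuog]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\fwriyuog.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TCPIP\0000]
"Service"="Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWRIYUOG\0000]
"Service"="fwriyuog"
'''
# Stand-in for a baseline exported the same way from a clean install of the
# same build; the real list is much longer.
REFERENCE_DRIVERS = {'tcpip', 'ndis', 'afd', 'mrxsmb', 'disk', 'volmgr'}

_KEY_LINE = re.compile(r'^\[(.+)\]$')
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg doubles backslashes and quotes

def _decode_value(raw):
    if raw.startswith('"') and raw.endswith('"'):   # REG_SZ
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):                    # REG_DWORD
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)   # hex(2) is REG_EXPAND_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        return data.decode('utf-16-le').rstrip('\x00') if m.group(1) == '2' else data
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: value}} from regedit .reg text."""
    lines, buf = [], ''
    for line in text.splitlines():      # first re-join backslash-wrapped lines
        stripped = line.strip()
        if stripped.endswith('\\'):
            buf += stripped[:-1]
            continue
        lines.append(buf + stripped)
        buf = ''
    result, current = {}, None
    for line in lines:
        km = _KEY_LINE.match(line)
        if km:
            current = km.group(1)
            result.setdefault(current, {})
            continue
        vm = _VALUE_LINE.match(line)
        if vm and current is not None:
            result[current][_unescape(vm.group(1))] = _decode_value(vm.group(2))
    return result

def looks_random(name):
    """Weak heuristic for generated names (6-12 lowercase letters with a run of
    three consonants or vowels). Fires on real drivers too (mrxsmb): evidence only."""
    if not (6 <= len(name) <= 12 and name.isalpha() and name.islower()):
        return False
    classes = ''.join('v' if c in 'aeiou' else 'c' for c in name)
    return 'ccc' in classes or 'vvv' in classes

def triage(reg):
    """Per driver service: ImagePath, Start, whether its LEGACY_* enum key
    exists, and the reasons (if any) to pull the binary off the drive."""
    legacy = {k[len(ENUM_ROOT) + 1:].split('\\')[0].upper()
              for k in reg if k.upper().startswith(ENUM_ROOT.upper() + '\\')}
    report = {}
    for key, values in reg.items():
        if not key.upper().startswith(SERVICES.upper() + '\\'):
            continue
        name = key[len(SERVICES) + 1:]
        if '\\' in name or values.get('Type') not in DRIVER_TYPES:
            continue        # sub-key (...\Parameters) or a user-mode service
        reasons = []
        if name.lower() not in REFERENCE_DRIVERS:
            reasons.append('not in clean-machine baseline')
        if looks_random(name):
            reasons.append('random-looking name')
        report[name] = {'image_path': values.get('ImagePath'),
                        'start': values.get('Start'),
                        'legacy_key': ('LEGACY_' + name.upper()) in legacy,
                        'reasons': reasons}
    return report

def suspicious(reg):
    """Driver service names with at least one reason to investigate."""
    return sorted(n for n, r in triage(reg).items() if r['reasons'])
```

Deleting the services key and its LEGACY_* twin from the offline hive is straightforward where it was impossible from inside the running OS, but the useful output of the listing is the ImagePath: copy that file off the mounted drive and hash it before deciding whether a wipe is still warranted. The random-name heuristic on its own is weak, as legitimate names like mrxsmb show; diffing against a clean export of the same Windows build is what actually separates fwriyuog from a driver you simply have not heard of.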
 

VirtualLarry

No Lifer
Aug 25, 2001
Uhm, Google "DBAN". It's a bootable CD image, based on Linux, that will wipe your HDs clean, all of them attached to a computer.
 
Jul 17, 2011
Ah OK, I didn't recognize the "DBAN" flavor of Linux; I've used Mandrake and Ubuntu and most recently Zorin.

Now I'm up to speed: a Linux boot-up OS can allow you to handle a lot of Windows problems, HD and password stuff.

thanks
 

Dryfter

Member
May 17, 2007
"Darik's Boot and Nuke ("DBAN") is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction."

^From their website. Google DBAN if you need more info.
 

fastamdman

Golden Member
Nov 18, 2011
Your best bet would be to wipe the system and then install good virus protection software like ESET NOD32. That will actually prevent malware/viruses from installing so this doesn't happen again.
 
Jul 17, 2011
OK, here's an update. First, ESET HAS been my AV of choice for 3+ years now; NOTHING holds a candle to it!

Second, on to the problem(s) at hand.

Now I not only re-formatted the whole drive, I also bought a new 1 TB drive as a damage-control item (in case I throw the original out the window)!

After reformatting and re-installing Win7Ult 32-bit I don't have the same problem, but yet they are similar! Go figure! (I also tried Win7Ult 64-bit and the new WD 1 TB 7200 drive.)

After a successful install, randomly at boot-up, it might go fine, or it can go black, or it can go to a Win7 light blue screen with the 4-color MS flag logo and then freeze! If it does boot up OK and go to the desktop WITH all of the icons, if it goes to sleep it will come back with the light blue Win7 screen with the MS logo/flag and be locked/frozen!

An F8 at boot-up ALWAYS brings you to the desktop with ICONS!

I tried going back to a Windows XP Pro install and got an install error!

So at this point I'm reloading Win7Ult 64-bit and will run it in safe mode!

What I've tried to solve this . . .

2 different hard drives, both fresh, re-formatted with NOTHING on them! nfg

I tried swapping and eliminating RAM modules to ensure there's no memory problem! nfg

Cleared CMOS. nfg

Tried proper shutdowns (versus yanking the power plug after a successful bootup) nfg

Looked for overheating issues nfg (air blew dust out of everywhere including my ears)

One thing I am REALLY curious about with this DELL Vostro 420 is the CPU! It is an Intel Q6600 2.4 GHz that is a supposed 64-bit CPU, but yet Dell shipped it with a 32-bit Win XP OS!

How is that possible? You can't load a Win7 32-bit OS onto a current Intel i3, i5, i7 or any other current 64-bit CPU 'cause it will tell you that you have the wrong OS architecture and halt the install!

Not with this CPU???

So at this point I'm stumped; the rootkit is gone (was it EVER there? According to GMER and the funky file name "fwriyuog" it was). But that can't be the issue now!

Any thoughts?

thanks
 

fastamdman

Golden Member
Nov 18, 2011
Go into your BIOS and load optimized defaults, save and exit. I would bet 100 dollars right now it's the power supply failing though ;)

The stock CPU fan is clear of dust and is spinning correctly? No overheating issues while in safe mode?

Could also be a driver conflict with the video card drivers, but I doubt it. Sounds like a PSU issue if the rig is turning off 100%.
 

VirtualLarry

No Lifer
Aug 25, 2001
One thing I am REALLY curious about with this DELL Vostro 420 is the CPU! It is an Intel Q6600 2.4 GHz that is a supposed 64-bit CPU, but yet Dell shipped it with a 32-bit Win XP OS!

How is that possible? You can't load a Win7 32-bit OS onto a current Intel i3, i5, i7 or any other current 64-bit CPU 'cause it will tell you that you have the wrong OS architecture and halt the install!

Sure you can install 32-bit Windows onto a current CPU. Current 64-bit capable CPUs are still 32-bit compatible.
 
Jul 17, 2011
OK, success!

What I had was multiple problems occurring at multiple times!

Talk about a test from geek computer god!

Initially, the rootkit WAS the problem! As time and frustration progressed, other mitigating factors came into play!

Of two DVD/CD-ROM drives (one a Blu-ray) only one worked consistently! The Blu-ray for some reason did not like the Win XP install CD nor either of the Win 7 Ult 32/64 install DVDs! Even after burning new fresh copies of ALL of the above at the slowest possible speed, 4x!

Then we have the mysterious Intel Q6600 64/32-bit CPU. Try and install a 32-bit OS on ANY desktop or laptop with a 64-bit CPU and it won't happen! Not with this CPU; either installs fine.
(Not so much a problem, more a confusing factor to sidetrack my mind!)

Last and foremost, either of the Win7 Ult installs, 32- or 64-bit, did not like the ATI Radeon HD video card. Even after d/ling the LATEST Win 7 drivers, random video errors occurred. Blank screen, desktop lockup; even if a good boot-up occurred, as soon as the screen saver initiated you had lockup, NOTHING functioned except power down!

It was the safe mode operation that pointed the way . . . why did the box work fine when no drivers were loaded? I was thinking the rootkit had returned, when in actuality it was the change of OS to Win7 that was causing the similar symptoms. Do a Google and you will see this is a common problem with Win 7 Ult installs! But who would Google this if you thought the rootkit had returned? After reformatting the old drive and then installing a new one, where the hell was the rootkit hiding to return from?

The final cure was to disable the ATI device in hardware and let the Dell run on generic drivers!

I believe a new video card is on my friend's agenda! Although not necessary, as the box is running fine and he is not a gamer needing 3D and such!

Whewwwwwww!
 

exdeath

Lifer
Jan 29, 2004
It looks like I'm not out of the woods yet!!

Just getting ready to leave this guy's house and I do a hard reboot, and it's back!! Even though I've found the original offending program and deleted/uninstalled it, the rootkit it contained and installed is still present and active!

Checked the registry and sure enough . . .

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fwriyuog\ImagePath

. . . is in the registry. I removed it and did a registry search for fwriyuog, and it shows up in Legacy entries which I CAN'T remove!

Now how in the Sam Hill did it return? I deleted the above program earlier; where did it return from?

Did a system restore back three software installs, and still at boot-up, in normal mode, blank screen and lockup! Safe mode boots fine!

Now I'm thinking this rootkit is in a separate partition on the HARD drive and it's still active. So after deleting all partitions and reformatting the largest one (440 GB), I will reinstall Win 7 Ultimate tomorrow!

Getting some sleep, it's been a long day!

thanks all

It can be wherever it wants to be; that's the whole point of a rootkit. Once an OS image is compromised with a rootkit, it cannot be trusted. The drive must be wiped or analyzed externally from an uncompromised, unbiased environment on another machine. The rootkits you can clean from within the infected OS are simply bad rootkits with flaws and bugs allowing them to be detected. A really good rootkit is impossible to detect from within the infected OS...
 

fastamdman

Golden Member
Nov 18, 2011
It sounds to me like you need to get the correct drivers for the video card. I am sure Windows 7 has the right drivers to run the video card; you just gotta find 'em.
 

mindless1

Diamond Member
Aug 11, 2001
FYI, a lot of the time I'm successful removing malware by just pulling the drive, mounting it in another system (not booting it), scanning for malware AND doing a file search for recently created files and folders, and/or, with one or more offending files or folders known, looking at the time stamps for them and looking for others with a near match... or the next period the system was online, as some malware will download *friends* the next chance it gets... which is yet another reason to never let a still-infected system have internet access if it's avoidable.
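The sweep described above (pull the drive, mount it on another box without booting it, then pivot from a known-bad file's timestamp to whatever else landed around the same time, including anything fetched during a later period online) is the same "analyze it from an uncompromised environment" advice exdeath gives, and it scripts easily. The following is an added example, not code from the thread: it walks a mounted volume and returns every file whose modification time lies within a window of one or more anchor times. Everything in build_sample_tree (the temp directory standing in for the mounted drive, the user name, the x7h.tmp and notes.txt files, and the 2011-07-17 timestamps) is constructed; a real run points root at the mount point, for instance E:\ on a Windows analysis machine or /mnt/evil on Linux (both invented names), and takes the anchor from the bad file's own stat.

```python
import os
import tempfile
import time
from datetime import timedelta


def build_sample_tree():
    """Constructed stand-in for the mounted infected drive: a temp directory
    with a handful of files and faked timestamps. Returns (root, known_bad)."""
    root = tempfile.mkdtemp(prefix='offline_drive_')
    base = time.mktime((2011, 7, 17, 14, 30, 0, 0, 0, -1))  # invented install time
    layout = {  # relative path -> seconds relative to the driver's timestamp
        'Windows/system32/drivers/fwriyuog.sys': 0,            # the known-bad file
        'Users/owner/AppData/Local/Temp/AllMusicConverter_4.2.9-Setup.exe': -120,
        'Users/owner/AppData/Local/Temp/x7h.tmp': 45,           # unknown sibling
        'Windows/system32/drivers/tcpip.sys': -400 * 86400,     # old, legitimate
        'Users/owner/Documents/notes.txt': 5 * 3600,            # hours later
    }
    for rel, offset in layout.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(b'\x00')
        os.utime(path, (base + offset, base + offset))
    return root, os.path.join(root, 'Windows', 'system32', 'drivers', 'fwriyuog.sys')


def files_near(root, anchor_times, window):
    """Walk root and return [(relative_path, seconds_from_nearest_anchor)] for
    every file whose mtime lies within `window` (a timedelta) of any anchor
    time, sorted by that offset. Pass several anchors to cover a later online
    period in which 'friends' may have been fetched."""
    limit = window.total_seconds()
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:  # unreadable entry on the mounted volume; skip it
                continue
            nearest = min((mtime - t for t in anchor_times), key=abs)
            if abs(nearest) <= limit:
                rel = os.path.relpath(path, root).replace(os.sep, '/')
                hits.append((rel, nearest))
    hits.sort(key=lambda hit: hit[1])
    return hits


def demo(window_minutes=10):
    """Build the sample tree, pivot on the known-bad driver's own mtime, and
    return the relative paths found near it, the driver itself excluded."""
    root, bad = build_sample_tree()
    anchor = os.stat(bad).st_mtime
    window = timedelta(minutes=window_minutes)
    return [rel for rel, _ in files_near(root, [anchor], window)
            if os.path.join(root, *rel.split('/')) != bad]


if __name__ == '__main__':
    for rel in demo():
        print(rel)
```

Modification time is compared because it is the one field every platform reports the same way. On a Windows analysis box os.stat().st_ctime is the creation time and is worth a second pass: a dropper that writes a file and then resets its mtime still leaves a fresh creation time unless it stomps that as well. Timestamp pivoting is triage, not proof; a file with an innocuous mtime can still be malicious, which is why the wipe-and-reinstall advice elsewhere in the thread still stands.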
 

Matt1970

Lifer
Mar 19, 2007
It can be wherever it wants to be; that's the whole point of a rootkit. Once an OS image is compromised with a rootkit, it cannot be trusted. The drive must be wiped or analyzed externally from an uncompromised, unbiased environment on another machine. The rootkits you can clean from within the infected OS are simply bad rootkits with flaws and bugs allowing them to be detected. A really good rootkit is impossible to detect from within the infected OS...

I have seen a few hundred and it is rare that rootkill can't stop them.