IEAddOn.DLL

[scw4]

Hi All,

I'm running across an interesting set of registry keys (IEAddOn.DLL) being flagged while conducting a full system scan on a coworker's machine.  Here is some information after further investigation (FYI - all machines in question are Windows 10 OS):

• The same keys (IEAddOn.DLL) are found on multiple machines while other machines are coming back completely clean.
• Some of the machines with these "infections" are freshly imaged.
• The keys do not delete on reboot after running a full scan.
• In testing, I ran a full scan while in Safe Mode without networking and the keys still did not delete.
• I'm not able to find any information via Google for these particular keys, hence why I'm posting here.

My thoughts are that they're potentially false positives since 1. They're showing on a freshly imaged machine, 2. There is no pattern (I've got two recently imaged machines sitting next to each other with the same software - one has the "infections", one does not).

Has anyone come across this before?  Any information would be greatly appreciated!  Thank you!

-Scott

 

Malwarebytes Anti-Malware (Corporate) 1.80.2.1012
www.malwarebytes.org

Database version:
  main:    v2016.12.05.06
  rootkit: v0000.00.00.00

Windows 10 x64 NTFS
Internet Explorer 11.633.10586.0

Protection: Enabled

12/9/2016 12:15:03 PM
mbam-log-2016-12-09 (12-15-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled:
Objects scanned: 344670
Time elapsed: 25 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\CLASSES\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [9d1d3fa40c8ee74fd9817d57a65c718f]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [dbdfc41f5c3e1224e8726b699270a060]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [427808db237760d686d423b1c141c040]

Folders Detected: 0
(No malicious items detected)

 

 

12_9_MBAM.txt

[AdvancedSetup]

Hello @scw4 and

 

Sorry for the delay. I've been out on vacation and looks like your topic was over looked.

Please read the following and post back the 3 requested logs as an attachment.
 
Diagnostic Logs
 
Thanks

[scw4]

Hi Ron,

Thank you for the response!  Attached are the three files, please let me know if any additional information is needed.  Thanks again!

Scott

CheckResults.txt

FRST.txt

Addition.txt

[AdvancedSetup]

Is this a business computer?

 

 

[scw4]

Yes it is.

Scott

[AdvancedSetup]

Okay, there are some group policies in place that "could" be valid for business, or they could potentially be from some type of infection, or left-over element of an infection. No easy way for me to know. I'll script to remove them and if they're valid domain policies they should restore on reboot from the domain controller.

Give me a few to review further.

 

[AdvancedSetup]

The policies are probably legit, but the logs show they're having issues working as well. Adobe Reader is failing an install, removal, etc. The hard disk is also logging errors.

Please run a full disk check on the drive if you can, at minimum run a normal disk check.

CHKDSK  C: /R

or

CHKDSK C: /F

The /R will do a full disk check when ran from an Elevated admin prompt and reboot to run it.

 

Please run the following. It will clean up proxies and policies and temp files. If needed you may need to update proxies after this fix but I didn't see a specific on specified.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Will check back on you a bit later today.

Thanks

 

[scw4]

Thanks Ron!  I'll get this started now.

Scott

[AdvancedSetup]

Okay, let me know. Will check on you again tomorrow.

Ron

 

[scw4]

Hi Ron,

Sorry for the delay.  I ran the full disk check first then tried running FRST64 but it froze about midway through.  I tried three times but it would still hang then the machine would be unresponsive.  A log was still produced; I've attached two here.

Scott

Fixlog.txt

Fixlog_test.txt

[AdvancedSetup]

Did you disable the antivirus? The log started to run but did not complete.