Jump to content

Recommended Posts

Hi All,

I'm running across an interesting set of registry keys (IEAddOn.DLL) being flagged while conducting a full system scan on a coworker's machine.  Here is some information after further investigation (FYI - all machines in question are Windows 10 OS):

  • The same keys (IEAddOn.DLL) are found on multiple machines while other machines are coming back completely clean.
  • Some of the machines with these "infections" are freshly imaged.
  • The keys do not delete on reboot after running a full scan.
  • In testing, I ran a full scan while in Safe Mode without networking and the keys still did not delete.
  • I'm not able to find any information via Google for these particular keys, hence why I'm posting here.

My thoughts are that they're potentially false positives since 1. They're showing on a freshly imaged machine, 2. There is no pattern (I've got two recently imaged machines sitting next to each other with the same software - one has the "infections", one does not).

Has anyone come across this before?  Any information would be greatly appreciated!  Thank you!

-Scott

 

Malwarebytes Anti-Malware (Corporate) 1.80.2.1012
www.malwarebytes.org

Database version:
  main:    v2016.12.05.06
  rootkit: v0000.00.00.00

Windows 10 x64 NTFS
Internet Explorer 11.633.10586.0

Protection: Enabled

12/9/2016 12:15:03 PM
mbam-log-2016-12-09 (12-15-03).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled:
Objects scanned: 344670
Time elapsed: 25 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\CLASSES\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [9d1d3fa40c8ee74fd9817d57a65c718f]
HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [dbdfc41f5c3e1224e8726b699270a060]
HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\IEAddOn.DLL (Rogue.UnVirex) -> Delete on reboot. [427808db237760d686d423b1c141c040]

Folders Detected: 0
(No malicious items detected)

 

 

12_9_MBAM.txt

Link to post
Share on other sites
  • 2 weeks later...

Okay, there are some group policies in place that "could" be valid for business, or they could potentially be from some type of infection, or left-over element of an infection. No easy way for me to know. I'll script to remove them and if they're valid domain policies they should restore on reboot from the domain controller.

Give me a few to review further.

 

Link to post
Share on other sites

The policies are probably legit, but the logs show they're having issues working as well. Adobe Reader is failing an install, removal, etc. The hard disk is also logging errors.

Please run a full disk check on the drive if you can, at minimum run a normal disk check.

CHKDSK  C: /R

or

CHKDSK C: /F

The /R will do a full disk check when ran from an Elevated admin prompt and reboot to run it.

 

Please run the following. It will clean up proxies and policies and temp files. If needed you may need to update proxies after this fix but I didn't see a specific on specified.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Will check back on you a bit later today.

Thanks

 

Link to post
Share on other sites
  • 2 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.