[RKinner]

Open an elevated Command prompt as before.  Type (with an Enter after the line) :

at

It should say:

 

C:\Windows\system32>at

There are no entries in the list.

 

Does it?  This is the old DOS method of scheduling a task.  Just wanted to make sure there was nothing there.

 

 

There are also two .job tasks in the FRST scan.  These should not work because there is no longer a default association with the .job extension.  It wouldn't hurt to delete them just in case:

 

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job 

 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job 

 

 

I would also uninstall Java 8 Update 91.  It is sometimes used by malware and most websites no longer use it.  If you find one that does need it you can reinstall it but I'd like to get rid of it as a test.

 

Search For Event Viewer and hit Enter.  It should open Event Viewer.  Click on the arrow in front of Event Viewer then on the arrow in front of Applications and Services Logs then on the arrow in front of Microsoft then on the arrow in front of Windows then on the arrow in front of Task Scheduler.  Click on Operational.  This will be empty.  Click on Enable Log on the far right.  Now close event viewer and wait until the malware comes back.  

 

If it does come back, go back into Operational  and look for tasks that ran during the time window when it came back.  These should all be native Windows tasks but I suppose if I were a malware writer I could figure out how to modify one somehow.  FRST doesn't look at the Windows tasks so would be a good place to hide.

[Advertisements]

When trying the AT command it says "The AT command has been deprecated. Please use schtasks.exe instead" I did what you said with the event viewer, so I will report back by tomorrow to see what happens.

 

edit; I also uninstalled the java 8

Edited by oPiruz, 29 May 2016 - 12:20 PM.

[oPiruz]

When trying the AT command it says "The AT command has been deprecated. Please use schtasks.exe instead" I did what you said with the event viewer, so I will report back by tomorrow to see what happens.

 

edit; I also uninstalled the java 8

Edited by oPiruz, 29 May 2016 - 12:20 PM.

[oPiruz]

It came back, and it came back at 3:57, the events go from 2:11 to 4:33, so I dont think its anything in operational.

[RKinner]

How do you know when it appears?  What is the last thing in Operations log before it shows up?

 

I have a way to keep it from changing the keys if you want to try it:

 

There are three registry keys that get changed.

 

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

 

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

   

HKEY_USERS\S-1-5-21-761187832-1820794338-2722413759-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

 

Search for regedit.exe and hit Enter.  That should bring up the Registry Editor.

 

Find the first key and click on Explorer.  look in the right pane.  If NoFolderOptions  exists then right click on it and Delete.

 

Then right click on EXPLORER and select Permissions.  There are three entries:

 

System

Administrator 

Users

 

If you click on System you will see it has Full Control.  Same for Administrator.  Users has only Read checked.

 

Click on Advanced then Uncheck Include Inheritable Conditions...  Apply.  Ignore the warning.  Note that all 3 are gone.

 

Click on Add.  Type System and then Check Names.  Repeat for Administrator and Users.  

 

Now click on System and Edit.  Check the Query Value, Enumerate Subkeys, Notify, Read Control boxes under Allow.  OK.  Repeat for  Administrator and Users.  OK until all boxes are closed.

 

Repeat for the other two keys,

 

What this does is make it very difficult for anything to change the 3 keys.   It should not interfere with normal operations tho. 

[oPiruz]

Sorry, recently sold my GFX card and had to wait for my 1080 to arrive, now that I can use my PC i will try that and report back in a few days

[oPiruz]

It still shows up, is my PC in any real threat from these folder things or can I just ignore it?

[RKinner]

The folder things aren't a threat as such but I worry that something that we can't see is changing them.  Perhaps we could try the free Kaspersky scan.  See if it finds something.

 

http://www.kaspersky...free-virus-scan

[oPiruz]

I did a kaspersky PC scan, and it found 11 problems but they are all about settings in internet explorer and me having auto-run for USBs and CDs turned on.

[RKinner]

Did you see anything in the Task Scheduler logs?  How do you know when the registry changed?

[oPiruz]

Did you see anything in the Task Scheduler logs?  How do you know when the registry changed?

Because every time the folders change malwarebytes gives me a pop-up

[RKinner]

Download GMER from Here.  Note the file's name and save it to your root folder, such as C:\.

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.

Click on this link to see a list of programs that should be disabled.

Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")

Allow the driver to load if asked.

You may be prompted to scan immediately if it detects rootkit activity.

If you are prompted to scan your system click "No", save the log and post back the results.

If not prompted, click the "Rootkit/Malware" tab.

On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.

Select all drives that are connected to your system to be scanned.

Click the Scan button to begin. (Please be patient as it can take some time to complete)

When the scan is finished, click Save to save the scan results to your Desktop.

Save the file as Results.log and copy/paste the contents in your next reply.

Exit the program and re-enable all active protection when done.