Hijack.folderoptions won't remove.


#31 RKinner (Malware Expert)
Open an elevated Command prompt as before.  Type (with an Enter after the line):

at

It should say:

C:\Windows\system32>at
There are no entries in the list.

Does it?  This is the old DOS method of scheduling a task.  Just wanted to make sure there was nothing there.

There are also two .job tasks in the FRST scan.  These should not work because there is no longer a default association with the .job extension.  It wouldn't hurt to delete them just in case:

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job

I would also uninstall Java 8 Update 91.  It is sometimes used by malware and most websites no longer use it.  If you find one that does need it you can reinstall it but I'd like to get rid of it as a test.

Search For Event Viewer and hit Enter.  It should open Event Viewer.  Click on the arrow in front of Event Viewer then on the arrow in front of Applications and Services Logs then on the arrow in front of Microsoft then on the arrow in front of Windows then on the arrow in front of Task Scheduler.  Click on Operational.  This will be empty.  Click on Enable Log on the far right.  Now close event viewer and wait until the malware comes back.

If it does come back, go back into Operational and look for tasks that ran during the time window when it came back.  These should all be native Windows tasks but I suppose if I were a malware writer I could figure out how to modify one somehow.  FRST doesn't look at the Windows tasks so would be a good place to hide.


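The Event Viewer steps in the post above, scripted as an added example (not code from the thread): it enables the Task Scheduler Operational log, pulls the task events that fired in a chosen time window, and lists every registered task outside the \Microsoft\Windows\ tree with what it runs. The time window values are constructed; the script assumes an elevated PowerShell prompt on Windows 8 or later.

```powershell
# Added example, not from the thread: script the Event Viewer steps above.
# Enable the Task Scheduler Operational log, then list the tasks that fired
# in the window around the time the registry change was noticed.
# Run from an elevated PowerShell prompt on Windows 8 or later.

$logName = 'Microsoft-Windows-TaskScheduler/Operational'

# Same effect as clicking "Enable Log" on the Operational log in Event Viewer.
wevtutil.exe set-log $logName /enabled:true

# Time window to inspect (constructed values; use the time of the pop-up).
$start = Get-Date '2016-05-29 15:50'
$end   = Get-Date '2016-05-29 16:05'

# Event IDs: 100 = task started, 129 = task process created, 200 = action started.
$filter = @{ LogName = $logName; Id = 100, 129, 200; StartTime = $start; EndTime = $end }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        TaskName = $data['TaskName']
        # 129 carries the executable path; 200 carries the action name.
        Detail   = $(if ($e.Id -eq 129) { $data['Path'] } else { $data['ActionName'] })
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Cross-check against what is registered: every task outside the
# \Microsoft\Windows\ tree, with the program and arguments it runs.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\Windows\*' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath; Run = $a.Execute; Args = $a.Arguments }
    }
} | Format-Table -AutoSize
```

Tasks inside the \Microsoft\Windows\ tree are not listed by the last command, so a modified native task would only show up through the Operational log events in the first part.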
#32 oPiruz (Topic Starter)
When trying the AT command it says "The AT command has been deprecated. Please use schtasks.exe instead". I did what you said with the event viewer, so I will report back by tomorrow to see what happens.

Edit: I also uninstalled the Java 8.

Edited by oPiruz, 29 May 2016 - 12:20 PM.


#33 oPiruz (Topic Starter)
It came back, and it came back at 3:57. The events go from 2:11 to 4:33, so I don't think it's anything in Operational.


#34 RKinner (Malware Expert)
How do you know when it appears?  What is the last thing in Operations log before it shows up?

I have a way to keep it from changing the keys if you want to try it:

There are three registry keys that get changed.

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

HKEY_USERS\S-1-5-21-761187832-1820794338-2722413759-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER

Search for regedit.exe and hit Enter.  That should bring up the Registry Editor.

Find the first key and click on Explorer.  Look in the right pane.  If NoFolderOptions exists then right click on it and Delete.

Then right click on EXPLORER and select Permissions.  There are three entries:

System
Administrator
Users

If you click on System you will see it has Full Control.  Same for Administrator.  Users has only Read checked.

Click on Advanced then Uncheck Include Inheritable Conditions...  Apply.  Ignore the warning.  Note that all 3 are gone.

Click on Add.  Type System and then Check Names.  Repeat for Administrator and Users.

Now click on System and Edit.  Check the Query Value, Enumerate Subkeys, Notify, Read Control boxes under Allow.  OK.  Repeat for Administrator and Users.  OK until all boxes are closed.

Repeat for the other two keys.

What this does is make it very difficult for anything to change the 3 keys.  It should not interfere with normal operations tho.

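The registry permission change from the post above, scripted as an added example (not code from the thread): for each of the three Policies\Explorer keys it deletes NoFolderOptions if present, stops inheriting permissions from the parent key, and leaves only SYSTEM, Administrators and Users with read-only rights. It assumes the "Administrator" entry in the post is the built-in Administrators group and that the script runs from an elevated PowerShell prompt for the account whose SID is quoted in the thread.

```powershell
# Added example, not from the thread: script the registry hardening described
# above. For each of the three Policies\Explorer keys it deletes NoFolderOptions
# if present, stops inheriting permissions from the parent key, and leaves
# SYSTEM, Administrators and Users with read-only access.
# Run from an elevated PowerShell prompt. The HKEY_USERS SID is the one quoted
# in the thread; on another machine use the SID shown by "whoami /user".

$sid  = 'S-1-5-21-761187832-1820794338-2722413759-1001'
$tail = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$keys = @(
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = $tail },
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Path = "SOFTWARE\WOW6432Node\$tail" },
    @{ Hive = [Microsoft.Win32.Registry]::Users;        Path = "$sid\$tail" }
)

# ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions: the four
# "Allow" boxes (Query Value, Enumerate Subkeys, Notify, Read Control) above.
$rights     = [System.Security.AccessControl.RegistryRights]
$readOnly   = $rights::ReadKey
$principals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users'

foreach ($k in $keys) {
    # Open with just enough access to read, delete the value and rewrite the DACL.
    $key = $k.Hive.OpenSubKey($k.Path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        $rights::ReadKey -bor $rights::SetValue -bor $rights::ChangePermissions)
    if (-not $key) { Write-Warning "Key not found: $($k.Path)"; continue }

    if ($null -ne $key.GetValue('NoFolderOptions')) {
        $key.DeleteValue('NoFolderOptions', $false)
        Write-Host "Removed NoFolderOptions from $($k.Path)"
    }

    $acl = $key.GetAccessControl()
    # Uncheck "Include inheritable permissions": protect the DACL and drop
    # the inherited entries, then remove any explicit entries that remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($p in $principals) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $p, $readOnly,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    $key.SetAccessControl($acl)
    $key.Close()
    Write-Host "Locked down $($k.Path)"
}
```

The key's owner (normally the Administrators group) keeps the implicit right to change permissions, so an elevated administrator can re-run or undo this; anything that legitimately writes these policy keys, such as Group Policy, will fail until the rights are restored.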

#35 oPiruz (Topic Starter)

Sorry, recently sold my GFX card and had to wait for my 1080 to arrive. Now that I can use my PC I will try that and report back in a few days.



#36 oPiruz (Topic Starter)

It still shows up, is my PC in any real threat from these folder things or can I just ignore it?



#37 RKinner (Malware Expert)

The folder things aren't a threat as such but I worry that something that we can't see is changing them.  Perhaps we could try the free Kaspersky scan.  See if it finds something.

 

http://www.kaspersky...free-virus-scan



#38 oPiruz (Topic Starter)

I did a Kaspersky PC scan, and it found 11 problems, but they are all about settings in Internet Explorer and me having auto-run for USBs and CDs turned on.



#39 RKinner (Malware Expert)

Did you see anything in the Task Scheduler logs?  How do you know when the registry changed?



#40 oPiruz (Topic Starter)

Did you see anything in the Task Scheduler logs?  How do you know when the registry changed?

Because every time the folders change malwarebytes gives me a pop-up


#41 RKinner (Malware Expert)
Download GMER from Here.  Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
