
Thread: Iexplore replicating: trojan found

  1. #11
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    You can install Unchecky to make sure that the check boxes remain clean when you install new software.
    Beware: the product is in beta.


    ~~~
    Please open Notepad (*Do not use WordPad* or any text editor other than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE: it's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    C:\OEM\Preload\Autorun\APP\Nero 10 Essentials Acer Edition\ISSetupPrerequisites\{BF80A1C0-C3FF-4B1C-ABEF-22CD4F97A0AB}\Toolbar.exe
    C:\Program Files (x86)\SIW\siw.exe
    C:\Program Files (x86)\WinZip Driver Updater\Network.dll
    C:\Program Files (x86)\WinZip Driver Updater\winzipduhelper.dll
    C:\ProgramData\InstallMate\{A6D7867A-26BF-5675-608C-2282A2FB7707}\_Setupx.dll
    C:\ProgramData\Microsoft\Security\Client\SecurityHelper.dll
    C:\ProgramData\Microsoft\Security\Client\temp\tmp586A.exe
    C:\ProgramData\Microsoft\Security\Client\temp\tmpABC3.exe
    C:\Users\All Users\Microsoft\Security\Client\temp\tmp586A.exe
    C:\Users\All Users\Microsoft\Security\Client\temp\tmpABC3.exe
    C:\Users\All Users\InstallMate\{A6D7867A-26BF-5675-608C-2282A2FB7707}\_Setupx.dll
    C:\Users\All Users\Microsoft\Security\Client\SecurityHelper.dll
    C:\Users\mike\AppData\Local\dsisetup949181842.exe
    C:\Users\mike\AppData\Local\Ehxtion\QuickLibs80.dll
    C:\Users\mike\AppData\Local\Ibbhsoft\DRMApiDyn64.dll
    C:\Users\mike\AppData\Local\PCTuner1\PCTuner1.exe
    C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
    C:\Windows\assembly\GAC_MSIL\Interop.SHDocVw\1.1.0.0__84542ff99aed6a4d\Interop.SHDocVw.dll
    C:\Windows\Installer\MSI3BF2.tmp
    D:\backup\z-Other-not often\Downloads\Acer PC install stuff\xfire_installer_44598.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    After running the above script tell me how the computer is now.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
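
    The fix above names each file by full path, and two of those lines (the InstallMate DLL under C:\ProgramData and under C:\Users\All Users) are the same file seen through two names, because on Vista and later C:\Users\All Users is a junction to C:\ProgramData. The following is an added example, not code from the thread or from FRST, that parses a fixlist in this format, folds that alias, and compares the list against a later disk listing to report files that survived and the folders worth re-checking. The sample fixlist, the post-fix listing and the junction mapping are all constructed assumptions for the example.

```python
import re

# Constructed sample: a fragment of an FRST fixlist in the same format as the one in the post.
# The two InstallMate lines name the same file through two different path prefixes.
SAMPLE_FIXLIST = r"""start
CloseProcesses:
C:\ProgramData\InstallMate\{A6D7867A-26BF-5675-608C-2282A2FB7707}\_Setupx.dll
C:\Users\All Users\InstallMate\{A6D7867A-26BF-5675-608C-2282A2FB7707}\_Setupx.dll
C:\Users\mike\AppData\Local\Ibbhsoft\DRMApiDyn64.dll
C:\Windows\Installer\MSI3BF2.tmp
EmptyTemp:
End
"""

# FRST directives are single words ending in ':' (CloseProcesses:, EmptyTemp:), framed by start/End.
DIRECTIVE_RE = re.compile(r"^[A-Za-z]+:$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumed layout: on Vista and later, C:\Users\All Users is a junction to C:\ProgramData,
# so the same file can be listed under both names. Fold the alias so the lines compare equal.
ALIASES = {r"c:\users\all users": r"c:\programdata"}


def canonical(path):
    """Lower-case the path (NTFS is case-insensitive) and resolve known junction aliases."""
    p = path.strip().lower()
    for alias, target in ALIASES.items():
        if p.startswith(alias + "\\"):
            return target + p[len(alias):]
    return p


def parse_fixlist(text):
    """Return the drive-letter paths a fixlist asks FRST to remove, canonical and deduplicated."""
    paths, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() in ("start", "end") or DIRECTIVE_RE.match(line):
            continue
        if not DRIVE_PATH_RE.match(line):
            continue  # registry lines, commands etc. are out of scope for this file check
        c = canonical(line)
        if c not in seen:
            seen.add(c)
            paths.append(c)
    return paths


def parent_dirs(paths):
    """Folders that held a listed file. A dropper that re-creates its payload under a new
    name (DRMApiDyn64.dll -> DRMApiDyn64.3 in the thread) is caught by watching the folder."""
    return sorted({p.rsplit("\\", 1)[0] for p in paths})


def still_present(fixlist_paths, present):
    """Fixlist paths that are still on disk. `present` is any iterable of paths found by a
    later scan (a post-fix FRST log, a directory walk, ...), in either alias form."""
    present_c = {canonical(p) for p in present}
    return [p for p in fixlist_paths if p in present_c]


if __name__ == "__main__":
    # Constructed post-fix listing: the InstallMate DLL survived (seen via the junction name)
    # and the Ibbhsoft payload came back under a new extension, so it does not match by path.
    after_fix = [
        r"C:\Users\All Users\InstallMate\{A6D7867A-26BF-5675-608C-2282A2FB7707}\_Setupx.dll",
        r"C:\Users\mike\AppData\Local\Ibbhsoft\DRMApiDyn64.3",
    ]
    listed = parse_fixlist(SAMPLE_FIXLIST)
    print("listed for removal:", len(listed))
    print("still present by exact path:", still_present(listed, after_fix))
    print("folders to re-check:", parent_dirs(listed))
```

    The exact-path check is deliberately conservative: a renamed payload in the same folder is not reported by still_present, which is why parent_dirs is printed alongside it.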

  2. #12
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    Ok I ran FRST64.exe with the Fixlist.txt data that you sent. It had to reboot, everything seems to be working fine, BUT I got this message in a window (see attachment).

    Any ideas why?
    error after reboot.jpg

  3. #13
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    I also just noticed that this dang file is BACK:

    C:\Users\mike\AppData\Roaming\麽鎒駓覜

    Any suggestions as to where it is coming from? I can see superimposed glyphs over my tabs again:

    glyphs.jpg

  4. #14
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    Also I notice that the file mentioned in that error is different now in that "C:\Users\mike\AppData\Local\Ibbhsoft" directory. It's now named 'DRMApiDyn64.3'. Thus the error I imagine. WHAT is Ibbhsoft anyway, I never installed anything from a manufacturer with that name?

  5. #15
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    I've also been getting a lot of these popups from the Malwarebytes software:

    malwarebytes message.jpg

    Could my Firefox browser be being hijacked by this 'bestwaytosearch.com' ?

  6. #16
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Instructions on how to backup your Favourites/Bookmarks and other data can be found below.


    Proceed with the reset once done.


    ~~~~~~~~

    Please download the attached fixlist.txt and save it to the Desktop as fixlist.txt.
    NOTE: it's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).



    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    ~~~~

    Please download RogueKiller and save it to your desktop.

    You can check here if you're not sure if your computer is 32-bit or 64-bit
    • Download RogueKiller to your desktop.

    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
    • Read and accept the EULA (End User License Agreement)
    • Click Scan to scan the system.
    • When the scan completes Close the program > Don't Fix anything!
    • Don't run any other options, they're not all bad!!
    • Post back the report which should be located on your desktop.

  7. #17
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    Well, running RogueKiller now.. pity, was always a rogue myself ;-p.. in any event that C:\Users\mike\AppData\Local\Ibbhsoft message no longer comes up BUT that directory is still there. You never mentioned what that Ibbhsoft might be or why it's on my system? Should I delete the directory now too? Any idea what it is and where it came from?

  8. #18
    Junior Member
    Join Date
    Mar 2015
    Posts
    16


    RogueKiller results:

    RogueKiller V10.5.4.0 [Mar 12 2015] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : mike [Administrator]
    Started from : C:\Users\mike\Downloads\RogueKiller.exe
    Mode : Scan -- Date : 03/14/2015 05:33:46

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 10 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0WinSecurityProvider | (default) : {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-261593359-1049202612-806197226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-261593359-1049202612-806197226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    ¤¤¤ Tasks : 2 ¤¤¤
    [Suspicious.Path] EasyShare Registration RunOnce Task.job -- C:\Windows\system32\rundll32.exe (C:\PROGRA~3\Kodak\EASYSH~2\$REGIS~1\Registration_8.3.30.1.sxt _RegistrationOfferSilence@16) -> Found
    [Suspicious.Path] EasyShare Registration Task.job -- C:\Windows\system32\rundll32.exe (C:\PROGRA~3\Kodak\EASYSH~2\$REGIS~1\Registration_8.3.30.1.sxt _RegistrationOffer@16) -> Found

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: WDC WD10EADX-22TDHB0 ATA Device +++++
    --- User ---
    [MBR] 827b71a3dcd7830cf3758f133a5db68a
    [BSP] d791f61362482ad634cec41db0842f07 : Windows Vista/7/8 MBR Code
    Partition table:
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )
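
    The report above mixes two kinds of findings: Suspicious.Path entries, where a registry key, service or scheduled task points at a binary, and PUM.* entries, which record changed Explorer settings with no payload path. The following is an added example, not code from the thread or from Adlice, that parses a report in this layout, checks that each section's header count matches the entries actually parsed, and flags non-PUM entries whose payload lives in a user profile or a Temp folder (the aswVmm service loading a driver from %LOCALAPPDATA%\Temp is the case in this report). The sample report is a constructed subset of the one posted, and the "user-writable path" heuristic is this example's own, not a RogueKiller rule.

```python
import re

# Constructed sample in the layout RogueKiller 10.x writes; entries are a subset of the post's report.
SAMPLE_REPORT = r"""RogueKiller V10.5.4.0 [Mar 12 2015] by Adlice Software
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0WinSecurityProvider | (default) : {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-261593359-1049202612-806197226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] EasyShare Registration Task.job -- C:\Windows\system32\rundll32.exe (C:\PROGRA~3\Kodak\EASYSH~2\$REGIS~1\Registration_8.3.30.1.sxt _RegistrationOffer@16) -> Found

¤¤¤ Files : 0 ¤¤¤
"""

# Section headers look like "¤¤¤ Registry : 10 ¤¤¤"; entries look like
# "[Category] (X64) <body> -> Found", with the architecture tag optional (tasks have none).
SECTION_RE = re.compile(r"^¤¤¤ (?P<name>[^:]+?) : (?P<count>\d+)")
ENTRY_RE = re.compile(
    r"^\[(?P<category>[\w.]+)\] (?:\((?P<arch>X64|X86)\) )?(?P<body>.*) -> (?P<status>\w+)$"
)
# Any drive-letter path inside an entry body, stopping at whitespace or a parenthesis.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()]+")
# Heuristic (this example's own): a user profile or a Temp folder is writable without admin
# rights, so a driver, service binary or shell extension loaded from there is worth a look.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\|\\Temp\\", re.IGNORECASE)


def parse_report(text):
    """Map each report section to its parsed entries plus the count the header declares."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections[current] = {"declared": int(m.group("count")), "entries": []}
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            sections[current]["entries"].append(e.groupdict())
    return sections


def count_mismatches(sections):
    """Sections whose header count differs from the entries actually parsed,
    a quick check that the parser did not silently skip lines."""
    return [n for n, s in sections.items() if s["declared"] != len(s["entries"])]


def triage(text):
    """(section, path) for non-PUM entries whose payload sits in a user-writable location.
    PUM.* entries are settings tweaks with no payload path, so they are left out."""
    hits = []
    for name, s in parse_report(text).items():
        for e in s["entries"]:
            if e["category"].startswith("PUM."):
                continue
            for p in WIN_PATH_RE.findall(e["body"]):
                if USER_WRITABLE_RE.search(p):
                    hits.append((name, p))
    return hits


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("count mismatches:", count_mismatches(rep))
    for section, path in triage(SAMPLE_REPORT):
        print(f"{section}: loads from user-writable path {path}")
```

    The Kodak tasks are not flagged by this heuristic: they run rundll32 against a file under C:\PROGRA~3 (an 8.3 short name), not a user profile or Temp folder, and the ShellIconOverlayIdentifiers entry carries only a CLSID, so a path check alone says nothing about it; both still need a human decision, which is what the next post makes.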

  9. #19
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    IBBHSOFT doesn't have a product name yet, and its developer is unknown.

    %USERPROFILE%\AppData\Local\Oxnmics <-- might be associated, but I did not find it on your machine.

    C:\Users\mike\AppData\Local\Ibbhsoft
    Go on and delete this folder and let it stay in the recycle bin for a few days to see if something throws up an error. My thinking is, if it does it might show a path as to where it came from.
    Then of course if nothing appears then permanently delete it out.

    ~~~~~

    Quit all programs that you may have started.
    Please disconnect any USB or external drives from the computer before you run this scan!

    Run RogueKiller again and click Scan, Wait until the Status box shows "Scan Finished"
    When the scan completes place a check by these entries

    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0WinSecurityProvider | (default) : {F76FA5C2-3B6A-451E-8CA5-34C8D0AE0637} -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\aswVmm (\??\C:\Users\mike\AppData\Local\Temp\aswVmm.sys) -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-261593359-1049202612-806197226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-261593359-1049202612-806197226-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0 -> Found

    (The other entries are harmless)

    click on "delete"
    Wait until the Status box shows "Deleting Finished"
    Click on "Report" and copy/paste the content of the Notepad into your next reply.
    The log should be found in RKreport[1].txt on your Desktop
    Exit/Close RogueKiller

  10. #20
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Also, did you download and run the fixlist I created in post #16?

    Can you post that?
