Infected Laptop..tried everything..nothing seems to work..


  • This topic is locked
2 replies to this topic

#1 arish7

arish7

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 17 November 2015 - 03:34 PM

Hi

My computer seems to be infected. I'm not sure what kind of malware it exactly is, but possibly a Trojan. I don't have access to the internet because of the following error: DNS PROBE FINISHED NXDOMAIN, and the Windows troubleshooter says the IP utility program has stopped working, but I've checked and neither proxy servers nor DNS settings seem to be causing it.

Even after I use Rkill I can't set up Malwarebytes; there's a run time error that pops up: 97:137 or 85:137.

The only anti-malware program that I was able to run was SuperAntiSpyware, and I've run the most in-depth scan using that 3 times. Although it removed a number of threats, it doesn't seem to change much... the internet is not back on, and I still can't set up Malwarebytes.

I really had nowhere else to turn... I appreciate any help I can get.

thanks.

Attached Files: Addition.txt (33.13KB), FRST.txt (42.49KB)


Edited by arish7, 17 November 2015 - 05:34 PM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:53 PM

Posted 19 November 2015 - 04:24 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs in bold via the Control Panel > Programs and Features applet.

Image Logo (HKU\S-1-5-21-229189262-673764306-707130458-1001\...\{9563BC59-9556-4805-8CD4-886781779D8D}) (Version: 1.1.8 - Bus Rush corp) <==== ATTENTION
Setup (HKLM-x32\...\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}) (Version: - ) <==== ATTENTION


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\hnsm39F2.tmp
() C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\jnst183F.tmp
() C:\Users\ARIAN\AppData\Roaming\NetService\netservice.exe
() C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\knsxEDAF.tmpfs
HKLM-x32\...\Run: [Chrome] => C:\Users\ARIAN\AppData\Local\Temp\msconfig.exe [28672 2015-11-16] (ChromePower) <===== ATTENTION
HKLM-x32\...\Run: [ospd_us_013010146] => [X]
HKLM-x32\...\Run: [gmsd_ca_005010146] => [X]
ShellExecuteHooks-x32: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL No File [ ]
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 1 (GFS Unread Stub)] -> {99FD978C-D287-4F50-827F-B2C658EDA8E7} => E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 2 (GFS Stub)] -> {AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} => E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 3 (GFS Folder)] -> {16F3DD56-1AF5-4347-846D-7C10C4192619} => E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL No File
ShellIconOverlayIdentifiers-x32: [Groove Explorer Icon Overlay 4 (GFS Unread Mark)] -> {2916C86E-86A6-43FE-8112-43ABE6BF8DCC} => E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL No File
Winsock: Catalog9 01 C:\Windows\SysWOW64\Ohybom.dll [289128 2015-11-16] ()
Winsock: Catalog9 02 C:\Windows\SysWOW64\Ohybom.dll [289128 2015-11-16] ()
Winsock: Catalog9 03 C:\Windows\SysWOW64\Ohybom.dll [289128 2015-11-16] ()
Winsock: Catalog9 04 C:\Windows\SysWOW64\Ohybom.dll [289128 2015-11-16] ()
Winsock: Catalog9-x64 01 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
Winsock: Catalog9-x64 02 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
Winsock: Catalog9-x64 03 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
Winsock: Catalog9-x64 04 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
Winsock: Catalog9-x64 16 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
SearchScopes: HKU\S-1-5-21-229189262-673764306-707130458-1001 -> {015DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M3E3B73C6-48EF-4532-A157-DB25A06AFE89&SearchSource=58&CUI=&UM=8&UP=SPD376809F-7E8E-4EB9-B90B-FF75E52EE75D&D=111615&q={searchTerms}&SSPV=
BHO: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> D:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll [2015-08-28] (Internet Download Manager, Tonec Inc.)
BHO-x32: IDM integration (IDMIEHlprObj Class) -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> D:\Program Files (x86)\Internet Download Manager\IDMIECC.dll => No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> E:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL => No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL => No File
FF HKLM\...\Firefox\Extensions: [{DB2C0E8E-910F-404B-8151-DC33F533155D}] - C:\Program Files\shopperz171120150823\Firefox\{DB2C0E8E-910F-404B-8151-DC33F533155D}.xpi => not found
FF HKLM-x32\...\Firefox\Extensions: [{DB2C0E8E-910F-404B-8151-DC33F533155D}] - C:\Program Files\shopperz171120150823\Firefox\{DB2C0E8E-910F-404B-8151-DC33F533155D}.xpi => not found
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M3E3B73C6-48EF-4532-A157-DB25A06AFE89&SearchSource=55&CUI=&UM=8&UP=SPD376809F-7E8E-4EB9-B90B-FF75E52EE75D&D=111615&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3333887&octid=EB_ORIGINAL_CTID&ISID=M3E3B73C6-48EF-4532-A157-DB25A06AFE89&SearchSource=55&CUI=&UM=8&UP=SPD376809F-7E8E-4EB9-B90B-FF75E52EE75D&D=111615&SSPV=","hxxps://ca.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_xvidm_15_47&param1=1&param2=f%3D7%26b%3DChrome%26cc%3Dca%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1Qzu0DzzyDtD0EyCyEyByBtB0BzyyE0D0EtAtN0D0Tzu0StCyEtCyCtN1L2XzutAtFtCyDtFtAtFtBtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StAtC0A0FzyyE0B0EtGyCtC0EtDtGtD0E0D0DtGtC0B0AyCtG0ByEtAyDyDtD0D0DyD0DtD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2Szz0EtB0BzzyCyEyEtG0C0CtB0BtGyEtA0DtDtG0B0AtDtBtG0E0DtDzyyB0CtD0CyE0C0E0F2QtN0A0LzuyE%26cr%3D1037830845%26a%3Dwncy_xvidm_15_47%26os%3DWindows%2B8.1%2BPro"
CHR Extension: (Managera) - C:\Users\ARIAN\AppData\Local\Temp\39fdaae5-8e0e-493c-88ec-e05c3be06e42 [2015-11-16]
CHR Extension: (Image Logo) - C:\Users\ARIAN\AppData\Local\Image Logo\Component [2015-11-17]
R2 bykesute; C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\hnsm39F2.tmp [625664 2015-11-16] () [File not signed]
R2 myfejozi; C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\jnst183F.tmp [373760 2015-11-16] () [File not signed]
R2 NetTcpHandler; C:\Users\ARIAN\AppData\Roaming\NetService\netservice.exe [173088 2015-07-08] ()
R2 tupisuxy; C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\knsxEDAF.tmpfs [X]
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [56736 2015-11-16] (Windows (R) Win 7 DDK provider)
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S1 swsedrvr_vw_1_10_0_25; system32\drivers\swsedrvr_vw_1_10_0_25.sys [X]
Task: {0A307A2A-3EB8-4880-B2B1-C9D6518C1AA0} - \KMS Server OnLogon Activate -> No File <==== ATTENTION
Task: {2FC7F572-079C-479F-974F-A243F04FADDF} - System32\Tasks\TBPDJTGTPSPYJNTD => C:\ProgramData\Service1104\Service1104.exe [2015-11-16] () <==== ATTENTION
Task: {71DBC077-07E2-40FC-9B9C-E43CE12F2BE7} - \KMS Server Daily Activate -> No File <==== ATTENTION
Task: {D4A927E2-894F-428F-AC83-4F08B8EA4F14} - System32\Tasks\Koergyk => C:\PROGRA~1\SHOPPE~1\Geadka.bat
Task: {DFA36FC4-BF79-4D7F-90A2-7075B29F5CA2} - System32\Tasks\Image Logo => Rundll32.exe "C:\Users\ARIAN\AppData\Local\Image Logo\xBin\ImageLogo.dll",#3 <==== ATTENTION
Task: {F79679FF-21F7-4F65-BC83-1210E4B43B1C} - System32\Tasks\PFExe => C:\Users\ARIAN\AppData\Local\PriceFountain\pricefountain.exe <==== ATTENTION
Task: {F8167BB5-6BA1-40ED-BB9A-7991FBDBBC77} - System32\Tasks\Ufemsaafavo => C:\ProgramData\Ufemsaafavo\1.0.6.1\wretliob.exe [2015-11-16] ()
Task: C:\Windows\Tasks\TBPDJTGTPSPYJNTD.job => C:\ProgramData\Service1104\Service1104.exe <==== ATTENTION
C:\Windows\system32\Ohybom64.dll
C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9
C:\Users\ARIAN\AppData\Roaming\NetService\netservice.exe
C:\Users\ARIAN\AppData\Local\Temp\dxdiag.exe
C:\Users\ARIAN\AppData\Local\Temp\iron.exe
C:\Users\ARIAN\AppData\Local\Temp\JRJTUGHPBWXA.exe
C:\Users\ARIAN\AppData\Local\Temp\KXGPIYQKPAKQ.exe
C:\Users\ARIAN\AppData\Local\Temp\LGEUQ.exe
C:\Users\ARIAN\AppData\Local\Temp\LNWVSH.exe
C:\Users\ARIAN\AppData\Local\Temp\msconfig.exe
C:\Users\ARIAN\AppData\Local\Temp\nsi9533.exe
C:\Users\ARIAN\AppData\Local\Temp\oprun19775.exe
C:\Users\ARIAN\AppData\Local\Temp\oprun22855.exe
C:\Users\ARIAN\AppData\Local\Temp\SpOrder.dll
C:\Users\ARIAN\AppData\Local\Temp\Uninstall.exe
C:\Users\ARIAN\AppData\Local\Temp\Vlc media player.exe
C:\Users\ARIAN\AppData\Local\Temp\vlc-2.1.5-win64.exe
C:\Users\ARIAN\AppData\Local\Temp\_isEF45.exe
C:\Windows\SysWOW64\Ohybom.dll
C:\Windows\system32\Ohybom64.dll
C:\Users\ARIAN\AppData\Local\Temp\39fdaae5-8e0e-493c-88ec-e05c3be06e42
C:\Users\ARIAN\AppData\Local\Image Logo
C:\Windows\System32\drivers\cherimoya.sys
C:\ProgramData\Service1104
C:\PROGRA~1\SHOPPE~1
C:\Users\ARIAN\AppData\Local\PriceFountain
C:\ProgramData\Ufemsaafavo
cmd: netsh winsock reset

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
  • If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.
===

How is the computer running now?
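The fixlist above is built by reading the FRST log line by line and picking out the persistence entries that do not belong: Run keys launching from Temp, Winsock catalog (LSP) DLLs with no publisher, unsigned or missing service binaries, and scheduled tasks pointing into ProgramData. The following script is an added example (it is not part of this thread, nor of FRST or BleepingComputer's tooling) that applies those same triage rules to FRST-style lines. The sample input reuses lines quoted in the fix above plus one constructed, benign service line for contrast; the category names and the heuristics themselves are assumptions of this example, not FRST conventions.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example, not part of the thread above or of FRST itself. It reads
FRST-style lines and flags the persistence entries a reviewer looks at
first: entries FRST already marked ATTENTION, Winsock catalog (LSP) DLLs
with no publisher, service binaries that are unsigned, missing or run from
user-writable paths, and Run keys / scheduled tasks that launch from
AppData, ProgramData or via a script or .tmp file.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample lines taken from the FRST excerpt quoted in this thread, plus one
# constructed benign service line (ExampleSvc) that should produce no finding.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [Chrome] => C:\Users\ARIAN\AppData\Local\Temp\msconfig.exe [28672 2015-11-16] (ChromePower) <===== ATTENTION
HKLM-x32\...\Run: [ospd_us_013010146] => [X]
Winsock: Catalog9 01 C:\Windows\SysWOW64\Ohybom.dll [289128 2015-11-16] ()
Winsock: Catalog9-x64 16 C:\Windows\system32\Ohybom64.dll [375144 2015-11-16] ()
R2 bykesute; C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\hnsm39F2.tmp [625664 2015-11-16] () [File not signed]
R2 NetTcpHandler; C:\Users\ARIAN\AppData\Roaming\NetService\netservice.exe [173088 2015-07-08] ()
R2 tupisuxy; C:\Program Files (x86)\A4D4DE77-1447744054-7D49-AA6F-D850E64772B9\knsxEDAF.tmpfs [X]
R2 ExampleSvc; C:\Windows\System32\svchost.exe [27136 2015-01-01] (Microsoft Corporation)
Task: {2FC7F572-079C-479F-974F-A243F04FADDF} - System32\Tasks\TBPDJTGTPSPYJNTD => C:\ProgramData\Service1104\Service1104.exe [2015-11-16] () <==== ATTENTION
Task: {D4A927E2-894F-428F-AC83-4F08B8EA4F14} - System32\Tasks\Koergyk => C:\PROGRA~1\SHOPPE~1\Geadka.bat
"""


@dataclass
class Finding:
    category: str  # one of: frst-flag, lsp, service, autorun (names chosen here)
    reason: str
    line: str


# Launch locations a normal user can write to; legitimate services and Run
# keys rarely live here, adware droppers very often do.
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\|\\ProgramData\\", re.IGNORECASE)
# FRST prints the publisher in parentheses after the [size date] block;
# "()" means the binary carries no version information at all.
NO_PUBLISHER = re.compile(r"\]\s*\(\)")
# Script or temp-file extensions used as a service binary or task action.
SCRIPT_OR_TMP = re.compile(r"\.(bat|cmd|vbs|js|tmp)\b", re.IGNORECASE)
# "R2 name; path ..." / "S3 name; path ..." service and driver lines.
SERVICE_LINE = re.compile(r"^[RS]\d\s+[^;]+;\s*(?P<path>.+)$")


def _autorun_target(s: str) -> str | None:
    """Return the launch target of a Run-key or Task line, else None."""
    is_run_key = s.startswith(("HKLM", "HKU")) and "\\Run:" in s
    if not (is_run_key or s.startswith("Task:")):
        return None
    _, _, target = s.partition("=>")
    return target.strip()


def triage_line(line: str) -> list[Finding]:
    """Apply every heuristic to one FRST line; a line may yield several findings."""
    s = line.strip()
    out: list[Finding] = []
    if not s:
        return out
    if "ATTENTION" in s:
        out.append(Finding("frst-flag", "entry already marked by FRST", s))
    if s.startswith("Winsock:") and NO_PUBLISHER.search(s):
        out.append(Finding("lsp", "Winsock catalog (LSP) DLL without publisher info", s))
    m = SERVICE_LINE.match(s)
    if m:
        path = m.group("path")
        if "[File not signed]" in s:
            out.append(Finding("service", "service binary is unsigned", s))
        if path.endswith("[X]"):
            out.append(Finding("service", "service binary is missing on disk", s))
        if NO_PUBLISHER.search(path):
            out.append(Finding("service", "service binary has no publisher info", s))
        if USER_WRITABLE.search(path):
            out.append(Finding("service", "service runs from a user-writable path", s))
        if SCRIPT_OR_TMP.search(path):
            out.append(Finding("service", "service binary has a script/temp extension", s))
    target = _autorun_target(s)
    if target is not None:
        if target.startswith("[X]"):
            out.append(Finding("autorun", "autorun entry whose target no longer exists", s))
        else:
            if USER_WRITABLE.search(target):
                out.append(Finding("autorun", "autorun launches from a user-writable path", s))
            if SCRIPT_OR_TMP.search(target):
                out.append(Finding("autorun", "autorun launches a script or temp file", s))
    return out


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over a whole log and flatten the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'service': 6, 'autorun': 4, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.category}] {f.reason}: {f.line[:80]}")
    print(summarize(found))
```

Run it against a full FRST.txt with `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())`; the output is a reading aid for a human reviewer, not a removal list, since a dead Run value or a missing driver entry (both flagged here) is clutter rather than an active infection, while the constructed ExampleSvc line shows that a signed binary under System32 with a publisher yields nothing.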

#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:53 PM

Posted 24 November 2015 - 09:19 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



