Inactive 213.163.89.106:80

Status
Not open for further replies.
Hi there!
It seems that my computer is infected with spyware/malware. Whenever I search for something on Google I get this warning from Nod32:

Address has been blocked
IP address
213.163.89.106:80
or
213.163.89.105:80

Sometimes I also get this message:
Object:
188.40.50.214/inst_n105.exe
Threat:
Win32/TrojanClicker.Delf.NJE trojan

I performed a scan with combofix but I don't know what to do next...

Your help would be extremely appreciated!
 

Attachments

  • ComboFix1.txt
    45.4 KB · Views: 2
Thank you for your reply!
I hope I have followed all the steps correctly...
 

Attachments

  • mbam-log-2010-04-26 (01-15-41).txt
    894 bytes · Views: 2
  • gmer.log
    44.3 KB · Views: 2
  • DDS.txt
    15.1 KB · Views: 1
  • Attach.txt
    11.2 KB · Views: 0
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\All Users\Application Data\CH3Q4KIA.exe


Folder::
c:\program files\Alwil Software
c:\documents and settings\All Users\Application Data\Alwil Software

RenV::
c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
c:\program files\Common Files\Nero\Lib\NeroCheck .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe

AtJob::

Driver::

Registry::

RegNull::
[HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94C1B1A1-DF8A-3B3F-79C7-9A8F4A5B1619}*]
[HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7CB73F7-9519-E627-3CEC-8D6525946F11}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C7CB73F7-9519-E627-3CEC-8D6525946F11}\InProcServer32*]

RegLockDel::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.
 
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

NOTE. During the scan, a pop-up window will open asking you to purchase the full version. Simply close the window by clicking the X in the upper right corner.


Post a fresh HijackThis log as well.
 