TechSpot

213.163.89.106:80

By efi1610
Apr 25, 2010
  1. Hi there!
    It seems that my computer is infected with spyware/malware. Whenever I search for something on Google I get this warning from Nod32:

    Address has been blocked
    IP address
    213.163.89.106:80
    or
    213.163.89.105:80

    Sometimes I also get this message:
    Object:
    188.40.50.214/inst_n105.exe
    Threat:
    Win32/TrojanClicker.Delf.NJE trojan

    I performed a scan with combofix but I don't know what to do next...

    Your help would be extremely appreciated!
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,892   +344

  3. efi1610

    efi1610 TS Rookie Topic Starter

    Thank you for your reply!
    I hope I have followed all the steps correctly...
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\CH3Q4KIA.exe
    
    
    Folder::
    c:\program files\Alwil Software
    c:\documents and settings\All Users\Application Data\Alwil Software
    
    RenV::
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Nero\Lib\NeroCheck .exe
    c:\program files\Java\jre6\bin\jusched .exe
    c:\program files\QuickTime\qttask  .exe
    
    AtJob::
    
    Driver::
    
    Registry::
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94C1B1A1-DF8A-3B3F-79C7-9A8F4A5B1619}*]
    [HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7CB73F7-9519-E627-3CEC-8D6525946F11}*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C7CB73F7-9519-E627-3CEC-8D6525946F11}\InProcServer32*]
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto ComboFix.exe]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
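Before running a CFScript like the one above, it is worth listing exactly which directives it contains and which files, folders and registry keys each one names, rather than trusting a pasted block. The following is an added example written for this thread, not code from ComboFix or from the helper; it parses the CFScript layout shown in the post (a `Name::` header followed by one entry per line until the next header) and, as a review aid, flags entries whose file name has whitespace before the extension, as the RenV entries in the script do. It makes no assumption about what ComboFix does with each directive beyond listing the entries under it; the sample script is constructed from the directives in the post with the path list shortened.

```python
import re
from collections import OrderedDict

# Constructed sample: same directive layout as the CFScript in the post above,
# with the entry list shortened. It is embedded so the example runs offline.
SAMPLE_CFSCRIPT = """File::
c:\\documents and settings\\All Users\\Application Data\\CH3Q4KIA.exe

Folder::
c:\\program files\\Alwil Software

RenV::
c:\\program files\\QuickTime\\qttask  .exe

AtJob::

RegNull::
[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{C7CB73F7-9519-E627-3CEC-8D6525946F11}\\InProcServer32*]
"""

# A directive header is a bare word followed by '::' (e.g. 'File::').
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Whitespace immediately before a trailing extension (e.g. 'qttask  .exe').
SPACED_EXT_RE = re.compile(r"\s+\.[A-Za-z0-9]+$")


def parse_cfscript(text):
    """Return an ordered mapping directive name -> list of entry lines.

    Every non-blank line after a header belongs to that header until the
    next one. Empty directives are kept so the reviewer sees them listed.
    Entries are kept verbatim apart from surrounding whitespace, so internal
    spaces (which may be meaningful for RenV entries) survive.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line:
            continue
        if current is None:
            raise ValueError("entry before any directive header: %r" % line)
        sections[current].append(line)
    return sections


def odd_spacing(entries):
    """Entries whose file name carries whitespace before its extension."""
    return [e for e in entries if SPACED_EXT_RE.search(e)]


def registry_keys(entries):
    """Strip the [...] brackets and trailing '*' from RegNull-style entries."""
    keys = []
    for e in entries:
        k = e.strip()
        if k.startswith("[") and k.endswith("]"):
            k = k[1:-1]
        keys.append(k.rstrip("*"))
    return keys


def review(text):
    """Summarise a CFScript: entry counts per directive plus review flags."""
    sections = parse_cfscript(text)
    return {
        "counts": OrderedDict((name, len(v)) for name, v in sections.items()),
        "spaced_names": odd_spacing(
            [e for name, v in sections.items() if name != "RegNull" for e in v]),
        "registry_keys": registry_keys(sections.get("RegNull", [])),
    }


if __name__ == "__main__":
    result = review(SAMPLE_CFSCRIPT)
    for name, n in result["counts"].items():
        print("%-10s %d entries" % (name + "::", n))
    for e in result["spaced_names"]:
        print("whitespace before extension:", e)
    for k in result["registry_keys"]:
        print("registry key:", k)
```

Running it on the full script from the post lists all eight directives, shows that AtJob::, Driver::, Registry:: and RegLockDel:: are empty, and prints the four RenV entries whose names contain a space before `.exe`, so nothing in the block is applied unseen.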
  5. efi1610

    efi1610 TS Rookie Topic Starter

    Hi again! So, here are the logs.
     

    Attached Files:

  6. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Is NOD still complaining?
     
  7. efi1610

    efi1610 TS Rookie Topic Starter

    Unfortunately...
     
  8. Broni

    Broni Malware Annihilator Posts: 52,892   +344

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
Topic Status:
Not open for further replies.
