By efi1610 · 7 replies
Apr 25, 2010
  1. Hi there!
    It seems that my computer is infected with a spyware/malware. Whenever I search something on google I get this warning from Nod32:

    Address has been blocked
    IP address

    Sometimes I also get this message:
    Win32/TrojanClicker.Delf.NJE trojan

    I performed a scan with combofix but I don't know what to do next...

    Your help would be extremely appreciated!

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 54,260   +383

  3. efi1610

    efi1610 TS Rookie Topic Starter

    Thank you for your reply!
    I hope I have followed all the steps correctly...

    Attached Files:

  4. Broni


    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    c:\documents and settings\All Users\Application Data\CH3Q4KIA.exe
    c:\program files\Alwil Software
    c:\documents and settings\All Users\Application Data\Alwil Software
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe
    c:\program files\Common Files\Nero\Lib\NeroCheck.exe
    c:\program files\Java\jre6\bin\jusched.exe
    c:\program files\QuickTime\qttask.exe
    [HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{94C1B1A1-DF8A-3B3F-79C7-9A8F4A5B1619}*]
    [HKEY_USERS\S-1-5-21-1214440339-1229272821-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C7CB73F7-9519-E627-3CEC-8D6525946F11}*]

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
  5. efi1610


    Hi again! So, here are the logs.

    Attached Files:

  6. Broni


    Is NOD still complaining?
  7. efi1610


  8. Broni


    Download Dr.Web CureIt to the desktop:
    Alternative download: http://majorgeeks.com/Dr.Web_CureIT_d4783.html

    • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web CureIt.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.

    Post fresh HijackThis log as well.
Topic Status:
Not open for further replies.
