Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

also infected by Win32.BHO.AGZ & Win32/TrojanCLicker.Delf.NAZ


Post by trotter » January 13th, 2008, 11:55 am

Hello,

I have the same problem too. I ran the ComboFix program like you said, MRUTeacher, but alas, the files couldn't be removed according to the log. I hope you can help me with this.

Here are the logs from ComboFix and HijackThis.

-----
ComboFix 08-01-13.1 - NUSSELDER 2008-01-13 16:58:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1043.18.261 [GMT 1:00]
Running from: C:\Documents and Settings\NUSSELDER\Bureaublad\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\NUSSELDER\Application Data\CROSOF~1
C:\WINNT\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINNT\System32\fbdafbd.dll . . . . could not be deleted

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_QGZLKHOC
-------\qgzlkhoc


(((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 ))))))))))))))))))))))))))))))
.

2008-01-13 16:57 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-13 16:29 . 2008-01-13 16:33 84,992 --------- C:\WINNT\system32\fbdafbd.dll
2008-01-13 16:17 . 2008-01-13 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-13 16:08 . 2008-01-13 16:08 0 --a------ C:\WINNT\nsreg.dat
2008-01-13 14:12 . 2008-01-13 14:12 <DIR> d--h----- C:\WINNT\$hf_mig$
2008-01-13 14:12 . 2004-03-30 02:51 36,864 --a------ C:\WINNT\system32\mf3216.dll
2008-01-13 14:11 . 2008-01-13 15:49 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-13 14:11 . 2007-12-10 14:53 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-01-13 14:11 . 2007-12-10 14:53 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-01-13 14:11 . 2007-12-10 14:53 41,864 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-01-13 14:11 . 2007-12-10 14:53 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-01-13 14:10 . 2008-01-13 14:10 <DIR> d-------- C:\Documents and Settings\NUSSELDER\Application Data\PC Tools
2008-01-13 14:10 . 2008-01-13 14:10 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-13 14:10 . 2008-01-13 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-13 14:10 . 2007-03-01 19:54 144,960 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2008-01-13 14:10 . 2007-03-01 19:54 22,080 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2008-01-13 14:10 . 2007-03-01 19:54 21,056 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2008-01-13 14:10 . 2007-03-01 19:54 20,544 --a------ C:\WINNT\system32\drivers\SSFS0509.sys
2008-01-13 14:09 . 2008-01-13 14:09 <DIR> d-------- C:\Documents and Settings\NUSSELDER\Application Data\Webroot
2008-01-13 14:09 . 2008-01-13 14:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 14:01 . 2008-01-13 14:01 0 --a------ C:\WINNT\system32\mapisvc.inf
2008-01-13 14:00 . 2008-01-13 13:59 512,096 --a------ C:\WINNT\system32\drivers\amon.sys
2008-01-13 14:00 . 2008-01-13 13:59 298,104 --a------ C:\WINNT\system32\imon.dll
2008-01-13 14:00 . 2008-01-13 13:59 15,424 --a------ C:\WINNT\system32\drivers\nod32drv.sys
2008-01-13 13:59 . 2008-01-13 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-31 10:10 . 2007-12-31 10:10 <DIR> d-------- C:\Documents and Settings\NUSSELDER\WINDOWS

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 11:10 63,488 ----a-w C:\WINNT\xobglu16.dll
2007-12-14 11:10 23,552 ----a-w C:\WINNT\xobglu32.dll
2003-12-07 14:53 19,552 ----a-w C:\Documents and Settings\NUSSELDER\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B9A61-72C5-43C1-A6F0-D74977E45590}]
2008-01-13 16:33 84992 --------- c:\winnt\system32\fbdafbd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\System32\ctfmon.exe" [2002-09-09 22:08 13312]
"uuvade2"="C:\WINNT\system32\uuvade2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2003-08-12 15:12 4804608]
"nwiz"="nwiz.exe" [2003-08-12 15:12 323584 C:\WINNT\system32\nwiz.exe]
"CARPService"="carpserv.exe" [2002-10-17 10:54 4608 C:\WINNT\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28 143360]
"Synchronization Manager"="C:\WINNT\system32\mobsync.exe" [2001-09-07 13:00 136704]
"USB2Check"="C:\WINNT\System32\PCLECoInst.dll" [2004-09-21 12:22 73728]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2005-06-13 02:30 192512]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-04 14:03 98304]
"PRISMSVR.EXE"="C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.exe" [2004-07-02 16:27 295001]
"uuvade2"="C:\WINNT\system32\uuvade2.exe" [ ]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2008-01-13 13:59 949376]
"Hitman Pro Expiration Helper"="D:\Program Files\Hitman Pro\xphelper.exe" [2007-01-30 14:41 596760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\System32\CTFMON.EXE" [2002-09-09 22:08 13312]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-02 18:32:09]
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2003-11-06 17:04:24]
SpeedTouch 121g Wireless USB Monitor.lnk - C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe [2004-09-23 18:36:30]
TabUserW.exe.lnk - C:\WINNT\system32\Wtablet\TabUserW.exe [2003-05-29 14:33:34]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)

R0 weekoqgt;Microsoft RPC API Helper;C:\WINNT\System32\drivers\qgjqeums.sys []
R3 GTICARD;GTICARD;C:\WINNT\System32\DRIVERS\gticard.sys [2003-02-14 14:03]
S3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;C:\WINNT\System32\DRIVERS\BT4501G.sys [2004-07-29 12:55]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINNT\System32\svchost.exe [2001-09-07 13:00]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 17:03:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\lsass.exe [5.01.2600.1106]
-> D:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-01-13 17:04:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 16:04:31
-----------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16, on 2008-01-13
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Tablet.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE
D:\Program Files\Eset\nod32kui.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
C:\WINNT\system32\Wtablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\notepad.exe
C:\Documents and Settings\NUSSELDER\Bureaublad\Hiephoi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.monumentenzorg.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E75B9A61-72C5-43C1-A6F0-D74977E45590} - c:\winnt\system32\fbdafbd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINNT\System32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [uuvade2] C:\WINNT\system32\uuvade2.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Hitman Pro Expiration Helper] "D:\Program Files\Hitman Pro\xphelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [uuvade2] C:\WINNT\system32\uuvade2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: SpeedTouch 121g Wireless USB Monitor.lnk = C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\st121g.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.monumentenzorg.nl
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINNT\System32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 6094 bytes
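The two logs above can be triaged mechanically without guessing whether a name "looks random" (ctfmon.exe would trip any such guess). The following is an added example, not code from the forum, ComboFix or HijackThis; it relies on three structural signals that the log format itself provides. ComboFix prints the file's date, time and size in brackets after every Run value and driver; an empty bracket, as on the uuvade2 and weekoqgt lines, means it could not get a date or size for the file, so the file was missing or hidden from it at scan time (that is my reading of the format). HijackThis prints the BHO's registered display name; a BHO with "(no name)" whose DLL lives in system32, as fbdafbd.dll does, deserves a look, although the Spybot SDHelper line shows that "(no name)" alone proves nothing. The sample lines are copied from the posted logs; the regexes and the scoring are the example's own.

```python
"""Structural triage of ComboFix and HijackThis autostart lines.

Added example; not code from the forum post, ComboFix or HijackThis.
Sample lines are copied from the log above; the checks are mine.
"""
import re

# ComboFix "Reg Loading Points" value:  "name"="path" [date time size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
# ComboFix driver/service line:  R0 svc;Display Name;path [date time]
DRV_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$'
)
# HijackThis O2 line:  O2 - BHO: name - {CLSID} - path
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$')
SYSTEM32_RE = re.compile(r'\\(winnt|windows)\\system32\\', re.IGNORECASE)

# Lines copied from the ComboFix log posted above (a subset).
COMBOFIX_LINES = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINNT\System32\ctfmon.exe" [2002-09-09 22:08 13312]
"uuvade2"="C:\WINNT\system32\uuvade2.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-08-12 15:12 323584 C:\WINNT\system32\nwiz.exe]
"uuvade2"="C:\WINNT\system32\uuvade2.exe" [ ]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2008-01-13 13:59 949376]
R0 weekoqgt;Microsoft RPC API Helper;C:\WINNT\System32\drivers\qgjqeums.sys []
R3 GTICARD;GTICARD;C:\WINNT\System32\DRIVERS\gticard.sys [2003-02-14 14:03]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINNT\System32\svchost.exe [2001-09-07 13:00]
""".strip().splitlines()

# Lines copied from the HijackThis log posted above (a subset).
HIJACKTHIS_LINES = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E75B9A61-72C5-43C1-A6F0-D74977E45590} - c:\winnt\system32\fbdafbd.dll
""".strip().splitlines()


def basename(path):
    """Last path component, lower-cased, so HKCU and HKLM hits collapse together."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(combofix_lines, hijackthis_lines):
    """Return a list of findings; each names the target file, where it was seen and why."""
    findings = []
    for line in combofix_lines:
        m = RUN_RE.match(line)
        if m:
            # Empty bracket: ComboFix got no date/size for the file behind the Run value.
            if not m["meta"].strip():
                findings.append({
                    "target": basename(m["path"]),
                    "where": f'Run value "{m["name"]}"',
                    "reason": "ComboFix found no file to stamp (missing or hidden)",
                })
            continue
        m = DRV_RE.match(line)
        # Empty bracket on a driver: no timestamp for the .sys; R0 means boot start.
        if m and not m["meta"].strip():
            findings.append({
                "target": basename(m["path"]),
                "where": f'{m["start"]} service {m["svc"]} ("{m["display"]}")',
                "reason": "driver file has no timestamp; boot-start if R0",
            })
    for line in hijackthis_lines:
        m = BHO_RE.match(line)
        # Unnamed BHO whose DLL sits directly in system32: flag, but it is only a lead.
        if m and m["name"] == "(no name)" and SYSTEM32_RE.search(m["path"]):
            findings.append({
                "target": basename(m["path"]),
                "where": f"BHO {m['clsid']}",
                "reason": "unnamed BHO loaded from system32",
            })
    return findings


def flagged_targets(findings):
    """Sorted, de-duplicated file names from a list of findings."""
    return sorted({f["target"] for f in findings})


if __name__ == "__main__":
    for f in triage(COMBOFIX_LINES, HIJACKTHIS_LINES):
        print(f'{f["target"]:14} {f["where"]:48} {f["reason"]}')
```

Run against the subset above it flags exactly uuvade2.exe (twice, once per Run hive), qgjqeums.sys behind the weekoqgt service, and fbdafbd.dll, and leaves ctfmon.exe, nwiz.exe, nod32kui.exe, gticard.sys and SDHelper.dll alone. Every hit still needs a human: the checks find entries that are structurally odd, not entries that are malicious.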

Re: also infected by Win32.BHO.AGZ & Win32/TrojanCLicker.Delf.NA

Post by Shaba » January 13th, 2008, 12:16 pm

Hi trotter

I split the topic, as every victim is supposed to start a new topic regardless of whether or not there is a topic with the same symptoms.

So continue in this one, please.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINNT\system32\fbdafbd.dll

Driver::
weekoqgt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B9A61-72C5-43C1-A6F0-D74977E45590}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uuvade2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uuvade2"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.
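The CFScript above is a small declarative format: a File:: section lists files to delete, a Driver:: section lists services to unregister, and a Registry:: section uses REGEDIT4 syntax, where "[-KEY]" deletes a whole key and "name"=- under a "[KEY]" header deletes one value. The following is an added example, not code from the forum or from ComboFix: a parser for that format plus a dry run against an in-memory model of the infected machine, so you can see exactly what the script would touch before anything runs for real. The model registry, file set and driver set are constructed from the two logs above, not read from a live system. One assumption is labelled in the code: ComboFix writes "\~\" as shorthand in the BHO key, and the example expands it to SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, which is where Internet Explorer registers Browser Helper Objects.

```python
r"""Parse a ComboFix CFScript and dry-run it against a model of the machine.

Added example; not code from the forum post or from ComboFix itself.
The CFScript text is the one posted above. REGISTRY, FILES and DRIVERS are
a constructed model built from the posted logs.
"""
import re

# Assumption: ComboFix's "\~\" abbreviates this key in HKLM.
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

CFSCRIPT = r"""
File::
C:\WINNT\system32\fbdafbd.dll

Driver::
weekoqgt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E75B9A61-72C5-43C1-A6F0-D74977E45590}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uuvade2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uuvade2"=-
"""

# Model of the infected machine, constructed from the logs above.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E75B9A61-72C5-43C1-A6F0-D74977E45590}": {"": ""},
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "CTFMON.EXE": r"C:\WINNT\System32\ctfmon.exe",
        "uuvade2": r"C:\WINNT\system32\uuvade2.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "nod32kui": r"D:\Program Files\Eset\nod32kui.exe",
        "uuvade2": r"C:\WINNT\system32\uuvade2.exe",
    },
}
FILES = {r"C:\WINNT\system32\fbdafbd.dll", r"C:\WINNT\System32\ctfmon.exe"}
DRIVERS = {"weekoqgt", "GTICARD"}


def expand_key(key):
    """Replace the "\~\" shorthand with the Explorer key (assumption, see above)."""
    return key.replace("\\~\\", "\\" + EXPLORER_KEY + "\\")


def parse_cfscript(text):
    """Turn CFScript text into an ordered list of action tuples."""
    plan, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header, e.g. "File::"
            section, current_key = line[:-2], None
        elif section == "File":
            plan.append(("delete_file", line))
        elif section == "Driver":
            plan.append(("delete_driver", line))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes the key
                plan.append(("delete_key", expand_key(line[2:-1])))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):  # [KEY] selects a key
                current_key = expand_key(line[1:-1])
            else:
                m = VALUE_RE.match(line)
                if not m or current_key is None:
                    raise ValueError(f"bad Registry line: {raw!r}")
                if m["data"] == "-":                           # "name"=- deletes a value
                    plan.append(("delete_value", current_key, m["name"]))
                else:
                    plan.append(("set_value", current_key, m["name"], m["data"]))
        elif section is None:
            raise ValueError(f"line outside any section: {raw!r}")
        else:
            raise ValueError(f"unsupported section {section!r}: {raw!r}")
    return plan


def apply_plan(plan, registry, files, drivers):
    """Dry run: apply the plan to copies of the model and return what remains.
    Keys and value names compare case-insensitively, as the Windows registry does."""
    reg = {k: dict(v) for k, v in registry.items()}
    files, drivers = set(files), set(drivers)
    for action in plan:
        kind = action[0]
        if kind == "delete_file":
            files = {f for f in files if f.lower() != action[1].lower()}
        elif kind == "delete_driver":
            drivers = {d for d in drivers if d.lower() != action[1].lower()}
        elif kind == "delete_key":
            prefix = action[1].lower()
            reg = {k: v for k, v in reg.items()
                   if not (k.lower() == prefix or k.lower().startswith(prefix + "\\"))}
        else:  # delete_value / set_value
            _, key, name = action[:3]
            matched = False
            for k, values in reg.items():
                if k.lower() != key.lower():
                    continue
                matched = True
                for existing in [v for v in values if v.lower() == name.lower()]:
                    del values[existing]
                if kind == "set_value":
                    values[name] = action[3]
            if kind == "set_value" and not matched:
                reg[key] = {name: action[3]}
    return reg, files, drivers


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    for action in plan:
        print(action)
    reg, files, drivers = apply_plan(plan, REGISTRY, FILES, DRIVERS)
    print("remaining files:", sorted(files))
    print("remaining drivers:", sorted(drivers))
    for key, values in reg.items():
        print(key, values)
```

The dry run shows the script removing exactly the BHO CLSID key, the two uuvade2 Run values, the weekoqgt service and fbdafbd.dll while leaving CTFMON, nod32kui and GTICARD in place. The ordering is the point. A DLL that a running process has mapped cannot be deleted on Windows, which is the most likely reason the first run reported fbdafbd.dll as not deletable: Explorer and Internet Explorer load every registered BHO. Unregistering the CLSID first and deleting the file around the reboot ComboFix forces is what gives the second pass a chance.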

Re: also infected by Win32.BHO.AGZ & Win32/TrojanCLicker.Delf.NA

Post by NonSuch » January 20th, 2008, 4:56 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal.

