8 steps and problem

By jagoffee
Apr 16, 2009
  1. The browser (Explorer) is not functioning correctly. I am able to get into certain Websites and I am able to download at certain websites, but not others. I was not able to initially register on Techspot because I could not see the verification code. I registered from another computer. Although I can log in at ETrade, it does not function. I also cannot get into window updates directly (The screen is blank with Done on the bottom of the screen) and when I do get into the website indirectly, it cannot communicate with me.

    I followed the 8 steps as recommended, except that the Java portion cannot verify my revision. I see from the add and remove function that I have version 11 of Java, but I do not see it in Programs.

    I have run Malwarebytes numerous times and although it is stated that the Trojan.agents will be deleted when I reboot, they appear again when I repeat the scan. The same each time.

    I do not seem to have an option to attach files as indicated (unless it comes up after I submit the new thread). So I will try to copy them for you. I know that you wanted me to attach them, but I am not sure that this is working properly for me? If this does not work perhaps I can attach them to an e-mail, send them to another computer, and then attach them on that computer?

    Malwarebytes log:

    Scan type: Full Scan (C:\|)
    Objects scanned: 138391
    Time elapsed: 28 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b6dad0b-2057-4e9a-8cdd-081375d94c5b} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{8b6dad0b-2057-4e9a-8cdd-081375d94c5b} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8b6dad0b-2057-4e9a-8cdd-081375d94c5b} (Spyware.Passwords) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\audiode.dll (Trojan.BHO.H) -> Delete on reboot.
    C:\Documents and Settings\James Goffee\Local Settings\Temp\vdwzyikf.dat (Rootkit.Agent) -> Delete on reboot.

    The Superantispyware had two adware cookies that were deleted.

    Sorry for the long posts. I apologize, I can't seem to get the attachment function.

    I have read a few threads that seem close to my problem. Thank you for your help.

    P.S. I just might have the most scanned Laptop on earth at this point.
  2. touch

    touch TS Rookie Posts: 978

    Hi jagoffee

    To attach a log click on New Thread (or use Post Reply in your existing thread).
    Scroll down until you see a button Manage Attachments. Click on that and a popup-window opens.
    Click on the Browse button, find the requested log file, and double-click on it.
    Now click on the Upload button in the popup. When done, click on the Close this window button.
    Please Note: you can attach more than one file to a post.

    Update Malwarebytes and SuperAntiSpyware, then run a complete system scan.

    Attach log files from Malwarebytes, SuperAntiSpyware and HijackThis.
  3. jagoffee

    jagoffee TS Rookie Topic Starter

    Thank you for your response. With all the useful information, I was able to get my computer to work properly. I can now attach files. It would be greatly appreciated if someone could review the attachments and let me know how I can get rid of the problem files indicated by Malwarebytes. I get the same result each time I run it.
    Thank you.

    P.S. If something else does not look right on my system, I would appreciate feedback.
  4. touch

    touch TS Rookie Posts: 978

    Let's dig deeper and see if ComboFix finds any infections.

    Please download Combofix:

    And save to the desktop.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  5. jagoffee

    jagoffee TS Rookie Topic Starter

    Thank you. After doing what you suggested, I reread and saw that I forgot to drag the CFScript into Combofix. This is the result without dragging it.

    I will now go rerun.

    This is the rerun. Thanks
  6. touch

    touch TS Rookie Posts: 978

    Ok ;)

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and attach the resulting report, along with a fresh HijackThis log.

    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  7. jagoffee

    jagoffee TS Rookie Topic Starter

    Thanks. Here are the new files after running.
  8. touch

    touch TS Rookie Posts: 978

    It looks like you haven't run CFScript! Any problems with it?
  9. jagoffee

    jagoffee TS Rookie Topic Starter


    Thank you for the follow-up and for being understanding. I thought that I had run it, but I think that I did something really stupid and did not drag the Script into the right file. Kind of silly because it was explained perfectly.

    Did I do it right this time?

    Here is the best part. It is now all gone.

    Generally what did you do? Clean out some of the registers?


    I cannot thank you enough for taking the time to help me. Thank you very much.

    This is a great site and it has been invaluable to me. Just reading some of the other information and following the steps was very helpful. I will be visiting more often.

    Touch, any other suggestions for me?
  10. touch

    touch TS Rookie Posts: 978

    That's good news. You have done a good job, and it was my pleasure to help :)

    Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    It looks like it was ComboFix that got rid of it.

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    Keep safe :wave:
  11. jagoffee

    jagoffee TS Rookie Topic Starter


    Thank you for all your help. Your instructions were easy to follow and execute. Your efforts were very much appreciated and have led me to a safer computer.
  12. touch

    touch TS Rookie Posts: 978

    Thanks for the kind words :)
Topic Status:
Not open for further replies.
