I am running windows 7 ultimate and my firefox 3.5.4 browser got hijacked apparently. I have tried all the usual things but I can not get any of them to run as the trojan is shutting them down before I can get any log files. I did use Kapersky online and was able to determine what it was but now I can't get rid of it. Attached is the log file any help on how to proceed would be much appreciated.
Combofix even renaming it on the download does not install, i tried running as administrator and in compatibility mode XP Service Pack 2.
Malware Bytes and hijack this installs and runs but during the scans gets shut down and the files are permission locked. I used Inherit to unlock them and uninstall the programs. I installed AVG 9.0 FREE after the fact and scanned the computer but it did not detect anything so I uninstalled it.
I also ran EXEHelper and was able to get a log as well
UPDATE: I ran the online superantispyware.com and during the scan it shut down as well this thing is pissing me off.
the Kapersky and EXEhelper logs are posted below thanks for your help!!
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, October 22, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 22, 2009 16:25:32
Records in database: 3045602
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Objects scanned: 102267
Threats found: 2
Infected objects found: 45
Suspicious objects found: 2
Scan duration: 01:32:53
File name / Threat / Threats count
wininit.exe\CAFB175D.x86.dll/wininit.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
globalroot\Device\__max++>\CAFB175D.x86.dll/globalroot\Device\__max++>\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 23
services.exe\CAFB175D.x86.dll/services.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
svchost.exe\CAFB175D.x86.dll/svchost.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 8
spoolsv.exe\CAFB175D.x86.dll/spoolsv.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
AppleMobileDeviceService.exe\CAFB175D.x86.dll/AppleMobileDeviceService.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
mDNSResponder.exe\CAFB175D.x86.dll/mDNSResponder.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
msmdsrv.exe\CAFB175D.x86.dll/msmdsrv.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
sqlbrowser.exe\CAFB175D.x86.dll/sqlbrowser.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
WLIDSVC.EXE\CAFB175D.x86.dll/WLIDSVC.EXE\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
explorer.exe\CAFB175D.x86.dll/explorer.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
SQLAGENT.EXE\CAFB175D.x86.dll/SQLAGENT.EXE\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
jusched.exe\CAFB175D.x86.dll/jusched.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
iTunesHelper.exe\CAFB175D.x86.dll/iTunesHelper.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
firefox.exe\CAFB175D.x86.dll/firefox.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
java.exe\CAFB175D.x86.dll/java.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1
Selected area has been scanned.
_______________________________________ _______________________________________ ____
exeHelper by Raktor
Build 20091021
Run at 15:00:33 on 10/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PopRock
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
