Jump to content

Build Theme!
  • Infected?


Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92143 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


[Closed] Help removing Trojan-spy.win32.agent.bahu

  • This topic is locked This topic is locked
2 replies to this topic

#1 jspizzy


    New Member

  • New Member
  • Pip
  • 1 posts

Posted 22 October 2009 - 03:21 PM

I am running windows 7 ultimate and my firefox 3.5.4 browser got hijacked apparently. I have tried all the usual things but I can not get any of them to run as the trojan is shutting them down before I can get any log files. I did use Kapersky online and was able to determine what it was but now I can't get rid of it. Attached is the log file any help on how to proceed would be much appreciated. Combofix even renaming it on the download does not install, i tried running as administrator and in compatibility mode XP Service Pack 2. Malware Bytes and hijack this installs and runs but during the scans gets shut down and the files are permission locked. I used Inherit to unlock them and uninstall the programs. I installed AVG 9.0 FREE after the fact and scanned the computer but it did not detect anything so I uninstalled it. I also ran EXEHelper and was able to get a log as well UPDATE: I ran the online superantispyware.com and during the scan it shut down as well this thing is burning me off. the Kapersky and EXEhelper logs are posted below thanks for your help!! -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Thursday, October 22, 2009 Operating system: Microsoft Professional (build 7600) Kaspersky Online Scanner version: Last database update: Thursday, October 22, 2009 16:25:32 Records in database: 3045602 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ Scan statistics: Objects scanned: 102267 Threats found: 2 Infected objects found: 45 Suspicious objects found: 2 Scan duration: 01:32:53 File name / Threat / Threats count wininit.exe\CAFB175D.x86.dll/wininit.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 globalroot\Device\__max++>\CAFB175D.x86.dll/globalroot\Device\__max++>\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 23 services.exe\CAFB175D.x86.dll/services.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 svchost.exe\CAFB175D.x86.dll/svchost.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 8 spoolsv.exe\CAFB175D.x86.dll/spoolsv.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 AppleMobileDeviceService.exe\CAFB175D.x86.dll/AppleMobileDeviceService.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 mDNSResponder.exe\CAFB175D.x86.dll/mDNSResponder.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 msmdsrv.exe\CAFB175D.x86.dll/msmdsrv.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 sqlbrowser.exe\CAFB175D.x86.dll/sqlbrowser.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 WLIDSVC.EXE\CAFB175D.x86.dll/WLIDSVC.EXE\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 explorer.exe\CAFB175D.x86.dll/explorer.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 SQLAGENT.EXE\CAFB175D.x86.dll/SQLAGENT.EXE\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 jusched.exe\CAFB175D.x86.dll/jusched.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 iTunesHelper.exe\CAFB175D.x86.dll/iTunesHelper.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 firefox.exe\CAFB175D.x86.dll/firefox.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 java.exe\CAFB175D.x86.dll/java.exe\CAFB175D.x86.dll Infected: Trojan-Spy.Win32.Agent.bahu 1 Selected area has been scanned. _______________________________________ _______________________________________ ____ exeHelper by Raktor Build 20091021 Run at 15:00:33 on 10/22/09 Now searching... Checking for numerical processes... Checking for bad processes... Checking for bad files... Checking for bad registry entries... Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PopRock Resetting filetype association for .exe Resetting filetype association for .com Resetting userinit and shell values... Resetting policies... --Finished--


Register to Remove

#2 Tomk


    Beguilement Monitor

  • Classroom Admin
  • 20,193 posts

Posted 26 October 2009 - 11:27 AM

Hi jspizzy,


My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. Logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

  • Download DDS and save it to your desktop from
  • Here
  • here or
  • here.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click DDS icon to run the tool (may take up to 3 minutes to run)
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
  • We Need to check for Rootkits with RootRepeal
    • Download RootRepeal from one of the following locations and save it to your desktop.
    • Open Posted Image on your desktop.
    • Click the Posted Image tab.
    • Click the Posted Image button.
    • In the Select Scan dialog, check
      Posted Image
    • Push Ok
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Copy/paste the log (that you've previously saved to your desktop) from RootRepeal onto your post.

  • Copy/paste the DDS.txt log (that you've previously saved to your desktop) onto your post.

  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.




Topics are closed after 5 days without response

#3 Tomk


    Beguilement Monitor

  • Classroom Admin
  • 20,193 posts

Posted 02 November 2009 - 12:37 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.



Topics are closed after 5 days without response

Related Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users