Brastia.exe and aap.exe



danarothrock
2009-04-06, 05:48
Daughter's eMachines desktop PC got hit with the Brastia.exe trojan (new in March), and she probably clicked on an Antivirus Agent Pro pop-up (aap.exe).

Explorer.exe wouldn't load. The message said it didn't exist. Saw it once in Task Manager (File > Run > Browse), then it disappeared forever.

Safe Mode stuck in black screen.

Brought Explorer back by deleting the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

Tried to run Spybot; it refused to go. Uninstalled, reinstalled, no go.

Downloaded Malwarebytes, ran, found these:

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2

4/5/2009 8:11:43 PM
mbam-log-2009-04-05 (20-11-43).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125476
Time elapsed: 19 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 11

Memory Processes Infected:
C:\Program Files\Antivirus Agent Pro\aap.exe (Rogue.AntivirusAgentPro) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\yvvzmqj.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sukuqjyn (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\yvvzmqj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Antivirus Agent Pro\aap.exe (Rogue.AntivirusAgentPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K52JG5AB\guard[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WP2JSHA3\aap[2].exe (Rogue.AntivirusAgentPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winarps32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\187[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro\aapcn.dll (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro\rt.sys (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastia.exe (Trojan.FakeAlert) -> Delete on reboot.

Then, Spybot would run.

Spybot may not be operating right. Couldn't find the log after the scan.

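As an added example (not part of the thread and not from either poster), here is a read-only PowerShell audit of the two registry mechanisms that show up in the post above: Image File Execution Options subkeys like the explorer.exe key that had to be deleted, and the Security Center DisableNotify values listed in the Malwarebytes log. The function names are my own; it reports and changes nothing.

```powershell
# Added example, not from the thread: read-only audit of two registry
# mechanisms seen in the post above. Run from an elevated PowerShell prompt.
# It only reports; clean-up is left to the removal tools.

# Image File Execution Options: a 'Debugger' value under a subkey named after
# an executable makes Windows start that "debugger" instead of the executable.
# A bogus value under ...\explorer.exe is enough to keep Explorer from loading,
# and the same mechanism can silently block any other program by name.
function Get-IfeoDebuggerEntries {
    $ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.Debugger) {
            # The first token of the Debugger string is the program Windows will run.
            $dbg = ([string]$props.Debugger).Trim()
            $target = if ($dbg.StartsWith('"')) { $dbg.Split('"')[1] } else { $dbg.Split(' ')[0] }
            # A bare name (no path) is resolved through PATH; a full path is tested directly.
            $exists = if ($target -match '[\\/]') { Test-Path -LiteralPath $target }
                      else { [bool](Get-Command $target -ErrorAction SilentlyContinue) }
            [pscustomobject]@{
                Executable   = $_.PSChildName
                Debugger     = $dbg
                TargetExists = $exists   # a missing target means the program can never start
            }
        }
    }
}

# Windows XP-era Security Center flags (the log above is from XP SP2). A value
# of 1 silences the "no antivirus / firewall / updates" warnings; the log shows
# all three set to 1. On newer Windows this key may not exist at all.
function Get-SecurityCenterSuppression {
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        [pscustomobject]@{
            Value      = $name
            Setting    = $sc.$name          # $null when absent, which is fine
            Suppressed = ($sc.$name -eq 1)
        }
    }
}

Write-Output '== IFEO subkeys carrying a Debugger value (expect none on a clean home PC) =='
Get-IfeoDebuggerEntries | Format-Table -AutoSize
Write-Output '== Security Center notification flags (expect 0 or absent) =='
Get-SecurityCenterSuppression | Format-Table -AutoSize
```

A Debugger entry pointing at a real developer debugger (for example one installed with Visual Studio) is legitimate; anything else, and in particular an entry whose target does not exist, is worth a second look.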

ken545
2009-04-08, 18:31
Hello danarothrock

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288).
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You need to read the stickies in Before You Post; it puts us on the same page and makes the cleaning go faster.


Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.

Double click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a new thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

ken545
2009-04-14, 10:25
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.