danarothrock
New member
Daughter's eMachines desktop PC got hit with the Brastia.exe (new in March) trojan, and she probably clicked on an Antivirus Agent Pro pop-up (aap.exe).
Explorer.exe wouldn't load. Message said it didn't exist. Saw it once in Task Manager File/Run/Browse, then it disappeared forever.
Safe Mode stuck in black screen.
Brought Explorer back by deleting the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Tried to run Spybot, refused to go. Uninstalled, reinstalled, no go.
Downloaded Malwarebytes, ran, found these:
Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 2
4/5/2009 8:11:43 PM
mbam-log-2009-04-05 (20-11-43).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125476
Time elapsed: 19 minute(s), 32 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 11
Memory Processes Infected:
C:\Program Files\Antivirus Agent Pro\aap.exe (Rogue.AntivirusAgentPro) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\yvvzmqj.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sukuqjyn (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jusykoib (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b7fcff2-96e8-450f-b4db-bb8fe29f787f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\yvvzmqj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Antivirus Agent Pro\aap.exe (Rogue.AntivirusAgentPro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\K52JG5AB\guard[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WP2JSHA3\aap[2].exe (Rogue.AntivirusAgentPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winarps32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\187[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro\aapcn.dll (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus Agent Pro\rt.sys (Rogue.AntiVirusAgentPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastia.exe (Trojan.FakeAlert) -> Delete on reboot.
Then, Spybot would run.
Spybot may not be operating right. Couldn't find the log after the scan.
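The log above touches four persistence points worth re-checking once the reboot-deferred deletions have run: the Image File Execution Options key that blocked explorer.exe, the Security Center DisableNotify flags, the Winlogon Notify package, and the Browser Helper Object CLSID. The script below is an added, read-only triage example, not code from the original post or from Malwarebytes; it assumes an elevated PowerShell session on the affected machine, and the way it resolves a Winlogon Notify DLL name to system32 is an assumption (Windows resolves a bare name through the normal DLL search path).

```powershell
# Added example (not part of the original post): re-check the persistence
# locations named in the MBAM log. Read-only; every finding is emitted as an
# object so it can be piped to Format-Table or Export-Csv. Key names below are
# taken from the log; the DLL path resolution in step 3 is an assumption.

# 1. Image File Execution Options: a Debugger value under a subkey named after
#    an executable makes Windows launch the named "debugger" instead of that
#    executable. A Debugger value on explorer.exe is how the shell "disappeared".
#    Debugger entries are rare on a home PC, so list every one and review it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Check = 'IFEO Debugger'; Target = $_.PSChildName; Value = $dbg }
    }
}

# 2. Security Center notification flags: a value of 1 silences the AV, firewall
#    or updates warning, so the user never sees that protection is off.
#    The log restored all three from 1 to 0; confirm they stayed at 0.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) {
        [pscustomobject]@{ Check = 'SecurityCenter'; Target = $name; Value = $v }
    }
}

# 3. Winlogon Notify packages: DLLs winlogon.exe loads at logon (the Vundo
#    entry "sukuqjyn" in the log lived here). Report each package and whether
#    its DLL still exists; a missing DLL is harmless but the key should go too.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    # Assumption: a bare DLL name resolves to %SystemRoot%\system32.
    $resolved = if ($dll -and -not (Split-Path $dll -Parent)) { Join-Path $env:SystemRoot "system32\$dll" } else { $dll }
    [pscustomobject]@{
        Check  = 'Winlogon Notify'
        Target = $_.PSChildName
        Value  = $dll
        Exists = [bool]($resolved -and (Test-Path -Path $resolved))
    }
}

# 4. Browser Helper Objects: the BHO list only holds CLSIDs; resolve each one
#    to the DLL registered under HKCR\CLSID\{...}\InprocServer32 so the file
#    that Internet Explorer would actually load is visible.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = (Get-ItemProperty -Path $server -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        Check  = 'BHO'
        Target = $clsid
        Value  = $dll
        Exists = [bool]($dll -and (Test-Path -Path ([Environment]::ExpandEnvironmentVariables($dll))))
    }
}
```

Two caveats a practitioner would add. Deleting the whole `explorer.exe` IFEO subkey, as the poster did, is the right fix here; only the `Debugger` value does the redirection, but nothing legitimate normally lives under that subkey on a home PC. And the log shows `beep.sys` replaced in both `system32\drivers` and `system32\dllcache`, which means Windows File Protection's cached copy could not be trusted to restore the driver; the remaining copy should be compared against one from installation media or a known-clean machine rather than assumed good because it is back in place.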