
Infected with Moonlight V virus I think? Regedit missing


This topic is locked
4 replies to this topic

#1 twoshai

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 08 August 2014 - 08:34 AM

My sister put a USB in to my computer; Avast came back with a warning and then went to a boot scan. After that my computer would not work properly: Avast won't run, regedit won't work, it says regedit is not a valid Win32 application. I googled and it came back with Moonlight V virus?

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 6.0.2900.5512
Run by my1 at 1:24:30 on 2014-08-09
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3047.2186 [GMT 12:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Enabled*
.
============== Running Processes ================
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\my1\Templates\O53635Z\service.exe
C:\WINDOWS\M24727\smss.exe
C:\WINDOWS\M24727\EmangEloh.exe
C:\Documents and Settings\my1\Templates\O53635Z\winlogon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVAST Software\Avast\Setup\Instup.exe
C:\Program Files\IncrediMail\Bin\IncMail.exe
C:\Program Files\IncrediMail\Bin\ImApp.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.koyotesoft.com/thankyou.php?soft=5&systemid=421&appid=0&type=New
uSearchAssistant = hxxp://www.google.com
mWinlogon: Shell = explorer.exe, "c:\documents and settings\my1\templates\o53635z\TuxO53635Z.exe"
mWinlogon: Userinit = c:\windows\system32\userinit.exe , "c:\windows\m24727\Ja845720bLay.com"
uRun: [T1247177TT4] c:\windows\system32\16276534852l.exe
mRun: [T35Z627] c:\windows\sa-754177.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\documents and settings\my1\start menu\programs\startup\sql.cmd
StartupFolder: c:\windows\system32\x50234go\Z16276cie.cmd
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
uPolicies-System: DisableRegistryTools = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: Free YouTube to MP3 Converter - c:\documents and settings\my1\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\my1\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347227430703
TCP: NameServer = 10.1.1.1
TCP: Interfaces\{2A9D138F-5484-46A2-8CF9-71AEE711B161} : DHCPNameServer = 10.1.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook - {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - c:\program files\windows defender\MpShHook.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: msconfig.exe - c:\windows\notepad.exe
IFEO: regedit.exe - c:\windows\notepad.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\my1\application data\mozilla\firefox\profiles\q4i7c6l8.default-1407386129609\
FF - prefs.js: browser.startup.homepage - hxxps://www.facebook.com/
FF - plugin: c:\documents and settings\my1\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1207148.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1210150.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_14_0_0_145.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DasBoot;Panda AntiMalware Support;\SystemRoot\\SystemRoot\system32\DRIVERS\DasBoot.SYS --> \SystemRoot\\SystemRoot\system32\DRIVERS\DasBoot.SYS [?]
R0 DasBootF;Panda AntiMalware Support MF;\SystemRoot\\SystemRoot\system32\DRIVERS\DasBootF.SYS --> \SystemRoot\\SystemRoot\system32\DRIVERS\DasBootF.SYS [?]
R0 PRSBDRVR;Nemesis Link;\SystemRoot\\SystemRoot\system32\DRIVERS\PRSBDRVR.SYS --> \SystemRoot\\SystemRoot\system32\DRIVERS\PRSBDRVR.SYS [?]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-12 35088]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\jnhjgj.sys --> c:\windows\system32\drivers\jnhjgj.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 PCloudCleanerService;Panda Security CloudCLeaner Service;c:\windows\system32\PCloudCleanerService.EXE [2014-8-9 108792]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys --> c:\windows\system32\drivers\massfilter_hs.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys --> c:\windows\system32\drivers\zgwhsdiag.sys [?]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys --> c:\windows\system32\drivers\zgwhsmdm.sys [?]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys --> c:\windows\system32\drivers\zgwhsnmea.sys [?]
.
=============== Created Last 30 ================
.
2014-08-08 12:53:55    47632    ----a-w-    c:\windows\system32\drivers\PSKMAD.sys
2014-08-08 12:51:07    108792    ----a-w-    c:\windows\system32\PCloudCleanerService.EXE
2014-08-08 12:51:01    9376    ----a-w-    c:\windows\system32\drivers\DasBootI.SYS
2014-08-08 12:51:01    9376    ----a-w-    c:\windows\system32\drivers\DasBootE.SYS
2014-08-08 12:51:01    59552    ----a-w-    c:\windows\system32\drivers\DasBootF.SYS
2014-08-08 12:51:01    33440    ----a-w-    c:\windows\system32\drivers\DasPtct.SYS
2014-08-08 12:51:01    27936    ----a-w-    c:\windows\system32\drivers\PRSBDRVR.SYS
2014-08-08 12:51:01    27808    ----a-w-    c:\windows\system32\drivers\DasBootK.SYS
2014-08-08 12:51:01    251040    ----a-w-    c:\windows\system32\drivers\DasBootS.SYS
2014-08-08 12:51:01    21152    ----a-w-    c:\windows\system32\drivers\DasBoot.SYS
2014-08-08 12:51:01    10272    ----a-w-    c:\windows\system32\drivers\DasBootD.SYS
2014-08-08 12:51:01    --------    d-----w-    c:\windows\system32\DBBK
2014-08-08 12:20:59    2944    -c--a-w-    c:\windows\system32\dllcache\brfilt.sys
2014-08-08 12:20:59    12800    -c--a-w-    c:\windows\system32\dllcache\brevif.dll
2014-08-08 12:08:58    0    ----a-w-    c:\documents and settings\my1\regedit.exe
2014-08-08 11:11:47    --------    d-----w-    c:\program files\Panda Security
2014-08-08 07:04:08    2321288    ----a-w-    c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\backup\mpengine.dll
2014-08-08 07:03:55    8217224    ----a-w-    c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{f177d9d7-4966-4c54-8888-00ce4d7e10b9}\mpengine.dll
2014-08-08 06:59:35    --------    d-----w-    c:\program files\SiteLookup
2014-08-08 06:59:32    --------    d-----w-    c:\documents and settings\my1\application data\SimilarAddon
2014-08-08 05:45:14    9728    -c--a-w-    c:\windows\system32\dllcache\brcoinst.dll
2014-08-08 05:45:13    19456    -c--a-w-    c:\windows\system32\dllcache\brbidiif.dll
2014-08-08 05:43:08    102400    -c--a-w-    c:\windows\system32\dllcache\binlsvc.dll
2014-08-08 05:43:04    11776    -c--a-w-    c:\windows\system32\dllcache\bdasup.sys
2014-08-08 05:43:03    871388    -c--a-w-    c:\windows\system32\dllcache\bcmdm.sys
2014-08-08 05:43:03    26568    -c--a-w-    c:\windows\system32\dllcache\bcm4e5.sys
2014-08-08 05:43:02    66557    -c--a-w-    c:\windows\system32\dllcache\bcm42u.sys
2014-08-08 05:43:02    54271    -c--a-w-    c:\windows\system32\dllcache\bcm42xx5.sys
2014-08-08 05:43:01    14208    -c--a-w-    c:\windows\system32\dllcache\battc.sys
2014-08-08 05:43:00    36128    -c--a-w-    c:\windows\system32\dllcache\banshee.sys
2014-08-08 05:41:59    584448    -c--a-w-    c:\windows\system32\dllcache\adm8810.sys
2014-08-08 04:44:17    --------    d-----w-    c:\program files\ACW
2014-08-07 04:37:18    --------    d-----w-    C:\AdwCleaner
2014-08-07 04:13:09    779536    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-08-07 04:13:09    192352    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-08-07 04:13:08    67824    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-08-07 04:13:08    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-08-07 04:13:07    26136    ----a-w-    c:\windows\system32\drivers\aswKbd.sys
2014-08-07 04:13:07    252872    ----a-w-    c:\windows\system32\drivers\aswNdis2.sys
2014-08-07 04:12:48    12112    ----a-w-    c:\windows\system32\drivers\aswNdis.sys
2014-08-07 03:03:27    103140    --sh--r-    C:\pgpt.pif
2014-08-07 02:56:57    --------    d-sha-r-    C:\cmdcons
2014-08-07 02:55:56    98816    ----a-w-    c:\windows\sed.exe
2014-08-07 02:55:56    256000    ----a-w-    c:\windows\PEV.exe
2014-08-07 02:55:56    208896    ----a-w-    c:\windows\MBR.exe
2014-08-07 02:11:16    --------    d-----w-    c:\windows\jumpshot.com
2014-08-07 02:10:43    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-08-07 02:10:33    43152    ----a-w-    c:\windows\avastSS.scr
2014-08-07 02:00:22    --------    d-----w-    c:\program files\AVAST Software
2014-08-07 01:31:05    --------    d-----w-    c:\documents and settings\all users\application data\CrapCleaner
2014-08-07 01:31:03    --------    d-----w-    c:\program files\Crap Cleaner
2014-08-07 01:00:32    1221348    ----a-w-    C:\dfpic.exe
2014-08-07 00:59:49    117248    ----a-w-    c:\program files\movie maker\shared\Love Song                                                             .scr
2014-08-07 00:48:50    --------    d-sh--r-    c:\windows\M24727
2014-08-07 00:48:50    --------    d-----w-    c:\windows\system32\X50234go
2014-07-20 02:46:58    --------    d-----w-    c:\program files\Mystery of the Ancients - Curse of the Black Water Collector's Edition
2014-07-20 02:13:59    --------    d-----w-    c:\program files\Nevertales - Shattered Image Collectors Edition
2014-07-12 13:36:57    --------    d-----w-    c:\program files\Dead Reckoning - Silvermoon Isle Collector's Edition
.
==================== Find3M  ====================
.
2014-08-07 01:13:35    414392    ----a-w-    c:\windows\system32\drivers\aswsp.sys.1407374326593
2014-08-04 21:20:02    231584    -c----w-    c:\windows\system32\MpSigStub.exe
2014-07-09 14:46:10    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-07-09 14:46:10    699056    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-07-09 14:46:06    5659136    -c--a-w-    c:\windows\system32\FlashPlayerInstaller.exe
2009-01-02 11:24:16    117248    --sh--w-    c:\windows\sa-754177.exe
2009-01-02 11:24:16    117248    --sh--w-    c:\windows\Ti534852ta.exe
2009-01-02 11:24:16    117248    --sh--w-    c:\windows\m24727\EmangEloh.exe
2009-01-02 11:24:16    117248    --sh--w-    c:\windows\m24727\Ja845720bLay.com
2009-01-02 11:24:16    117248    --sha-w-    c:\windows\m24727\smss.exe
2008-04-13 17:42:02    1384479    --sha-r-    c:\windows\system\msvbvm60.dll
2009-01-02 11:24:16    117248    --sh--w-    c:\windows\system32\16276534852l.exe
2008-04-13 17:42:02    1384479    -csh--r-    c:\windows\system32\msvbvm60.dll
.
============= FINISH:  1:24:51.89 ===============
 


#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:53 AM

Posted 08 August 2014 - 09:41 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Please post up C:\combofix.txt... :rolleyes:


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 twoshai (Topic Starter)

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:53 PM

Posted 08 August 2014 - 07:53 PM

Hi, my brother came around and did a scan with Panda Cloud, so the files above may have changed. Should I redo it? It picked up some Moonlight worms, but I feel my computer is still infected. Should I redo step one? Thank you for your reply. I will not let anyone touch or do anything to my computer while working with you to solve this problem.



#4 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:53 AM

Posted 12 August 2014 - 03:57 AM

Someone ran combofix on this computer. I need to see what it did.

Please post the content of the file C:\combofix.txt. :)



#5 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:53 AM

Posted 08 September 2014 - 09:09 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.