busebayu.dll error

cascadelink · 11-05-2009, 09:12 AM

I'm getting these two errors on startup:

Error loading c:\windows\system32\busebayu.dll
The specified module could not be found

and

Windows cannot find 'logon.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click on the Start button, and then click Search.

I've been running AVG 8.5.424

Any ideas on how to fix this?
Thanks,
Tim

Osiris · 11-05-2009, 09:34 AM

Go to start, run, type msconfig and click ok. Go to Startup, click disable all, then recheck your antivirus, and reboot. Does the message still appear after rebooting?

cascadelink · 11-05-2009, 09:49 AM

It fixed the busebayu.dll error--that does appear on startup.

But, the logon.exe error still appears.

cascadelink · 11-05-2009, 09:54 AM

woops, meant to say that busebayu does NOT appear at startup

only logon.exe error now

Osiris · 11-05-2009, 09:56 AM

Now run Combofix and then Malwarebytes and post both of their logs.

For XP XP Full

For Vista Vista Full

cascadelink · 11-05-2009, 05:03 PM

Ok, here's the log from Combofix, I'll get the Malware log next

ComboFix 09-11-05.01 - Administrator 11/05/2009 15:02.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1434 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-2025429265-1450960922-839522115-500
c:\temp\Inet\Temporary Internet Files\SKBGM.cfg
c:\temp\Inet\Temporary Internet Files\SKBGM0.che
c:\temp\Inet\Temporary Internet Files\SKBGM1.che
c:\temp\Inet\Temporary Internet Files\SKBGM2.che
c:\temp\Inet\Temporary Internet Files\SKBGM3.che
c:\temp\Inet\Temporary Internet Files\SKBGM4.che
c:\temp\Inet\Temporary Internet Files\SKBGM5.che
c:\temp\Inet\Temporary Internet Files\SKBGM6.che
c:\temp\Inet\Temporary Internet Files\SKBGM7.che
c:\temp\Inet\Temporary Internet Files\SKBGM8.che
c:\temp\Inet\Temporary Internet Files\SKBGM9.che

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-04 02:58 . 2009-11-04 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-04 02:58 . 2009-11-04 03:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 00:12 . 2009-11-04 00:18 -------- d-----w- c:\program files\support.com
2009-11-04 00:12 . 2009-11-04 00:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2009-11-04 00:12 . 2009-11-04 00:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-11-03 18:59 . 2009-10-06 23:47 3510552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-10-25 01:57 . 2009-10-25 01:57 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-25 01:57 . 2009-10-26 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-22 12:22 . 2009-10-06 23:47 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-17 12:20 . 2009-10-17 12:20 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-10 01:39 . 2009-10-10 01:39 126970 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2009-10-10 01:38 . 2009-10-10 01:39 1407680 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-08 16:06 . 2009-10-06 23:46 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-11-05 13:54 . 2009-01-20 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-11-04 01:31 . 2008-12-11 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-22 23:34 . 2009-01-20 02:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-13 12:14 . 2007-05-19 23:32 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-10-10 01:39 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 21:58 . 2009-01-20 19:58 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-21 13:33 . 2009-04-22 16:22 -------- d-----w- c:\program files\Flickr Uploadr
2009-09-11 14:18 . 2006-05-17 11:54 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-05-17 11:54 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-05-17 11:55 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-05-17 11:54 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-05-17 11:54 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-05-17 11:55 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 18:34 . 2008-12-11 13:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 18:34 . 2008-12-11 13:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 18:34 . 2008-12-11 13:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 18:46 . 2009-08-17 18:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 18:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octosh ape.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.S YS [05/17/2006 2:56 PM 10496]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2medi a.sys [02/21/2006 5:05 PM 36352]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.s ys [09/23/2005 9:48 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 8:14 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 8:14 AM 108552]
R1 cmdGuard;cmdGuard;c:\windows\system32\drivers\cmdg uard.sys [12/10/2008 10:42 PM 101776]
R1 cmdHlp;cmdHlp;c:\windows\system32\drivers\cmdhlp.s ys [12/10/2008 10:42 PM 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/11/2008 8:14 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/11/2008 8:14 AM 297752]
R2 FlashDrv;FlashDrv;c:\progra~1\Fujitsu\FlashAid\Fla shDrv.sys [05/17/2006 2:56 PM 7196]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [05/17/2006 2:56 PM 17920]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\d rivers\FUJ02E1.sys [05/17/2006 2:39 PM 5632]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [05/17/2006 2:39 PM 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [05/17/2006 2:39 PM 31104]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.s ys [05/17/2006 2:39 PM 35968]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [05/17/2006 7:31 AM 14208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E75386B4-C629-11DB-8338-444553544200} - hxxp://cyimg7.cyworld.com/cymusic/package/cyinstal.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o66nfd0h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.locorunning.com/race-series.php
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{d9918442-cc02-4a59-bef4-fbb9c59ea853} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{5a267ced-62b7-4c04-8f0e-ec76db4c3ffb} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{e87ca22f-b05e-4055-a199-9ddc675f4ddd} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{7df4301b-b9d7-4975-9a27-356b796c32ab} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{64919a54-20dd-4c35-9247-ebb666c1ce4b} - c:\windows\system32\busebayu.dll
SSODL-hapokegik-{d9918442-cc02-4a59-bef4-fbb9c59ea853} - c:\windows\system32\busebayu.dll
SSODL-kazilokur-{5a267ced-62b7-4c04-8f0e-ec76db4c3ffb} - c:\windows\system32\busebayu.dll
SSODL-zamezakif-{e87ca22f-b05e-4055-a199-9ddc675f4ddd} - c:\windows\system32\busebayu.dll
SSODL-wineyusap-{7df4301b-b9d7-4975-9a27-356b796c32ab} - c:\windows\system32\busebayu.dll
SSODL-lezoyulam-{64919a54-20dd-4c35-9247-ebb666c1ce4b} - c:\windows\system32\busebayu.dll
Notify-WgaLogon - (no file)
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-05 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\digtizer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\o2flash.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-11-05 15:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 20:16

Pre-Run: 51,120,893,952 bytes free
Post-Run: 50,993,229,824 bytes free

- - End Of File - - 77E069C885B1A6429522B6840BD84568

cascadelink · 11-05-2009, 05:16 PM

And here's the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 3107
Windows 5.1.2600 Service Pack 3

11/05/2009 5:18:11 PM
mbam-log-2009-11-05 (17-18-11).txt

Scan type: Quick Scan
Objects scanned: 97148
Time elapsed: 5 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

cascadelink · 11-05-2009, 05:18 PM

Combofix log:

ComboFix 09-11-05.01 - Administrator 11/05/2009 15:02.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1434 [GMT -5:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-2025429265-1450960922-839522115-500
c:\temp\Inet\Temporary Internet Files\SKBGM.cfg
c:\temp\Inet\Temporary Internet Files\SKBGM0.che
c:\temp\Inet\Temporary Internet Files\SKBGM1.che
c:\temp\Inet\Temporary Internet Files\SKBGM2.che
c:\temp\Inet\Temporary Internet Files\SKBGM3.che
c:\temp\Inet\Temporary Internet Files\SKBGM4.che
c:\temp\Inet\Temporary Internet Files\SKBGM5.che
c:\temp\Inet\Temporary Internet Files\SKBGM6.che
c:\temp\Inet\Temporary Internet Files\SKBGM7.che
c:\temp\Inet\Temporary Internet Files\SKBGM8.che
c:\temp\Inet\Temporary Internet Files\SKBGM9.che

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-04 02:58 . 2009-11-04 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-04 02:58 . 2009-11-04 03:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 00:12 . 2009-11-04 00:18 -------- d-----w- c:\program files\support.com
2009-11-04 00:12 . 2009-11-04 00:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SupportSoft
2009-11-04 00:12 . 2009-11-04 00:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-11-03 18:59 . 2009-10-06 23:47 3510552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-10-25 01:57 . 2009-10-25 01:57 1925024 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-10-25 01:57 . 2009-10-26 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-22 12:22 . 2009-10-06 23:47 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-10-17 12:20 . 2009-10-17 12:20 2025752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-10-10 01:39 . 2009-10-10 01:39 126970 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2009-10-10 01:38 . 2009-10-10 01:39 1407680 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-10-08 16:06 . 2009-10-06 23:46 1142552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-11-05 13:54 . 2009-01-20 02:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM
2009-11-04 01:31 . 2008-12-11 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-22 23:34 . 2009-01-20 02:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-10-13 12:14 . 2007-05-19 23:32 -------- d--h--w- c:\documents and settings\Administrator\Application Data\Move Networks
2009-10-10 01:39 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-09-25 21:58 . 2009-01-20 19:58 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-09-21 13:33 . 2009-04-22 16:22 -------- d-----w- c:\program files\Flickr Uploadr
2009-09-11 14:18 . 2006-05-17 11:54 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-05-17 11:54 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-05-17 11:55 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-05-17 11:54 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-05-17 11:54 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-05-17 11:55 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 18:34 . 2008-12-11 13:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 18:34 . 2008-12-11 13:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 18:34 . 2008-12-11 13:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-17 18:46 . 2009-08-17 18:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]
2008-04-14 00:11 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 18:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]
2002-08-29 10:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]
2008-04-14 00:12 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octosh ape.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessen ger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Flickr Uploadr\\Flickr Uploadr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 FJGPNV;FJGPNV;c:\windows\system32\drivers\FJGPNV.S YS [05/17/2006 2:56 PM 10496]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2medi a.sys [02/21/2006 5:05 PM 36352]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.s ys [09/23/2005 9:48 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/11/2008 8:14 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/11/2008 8:14 AM 108552]
R1 cmdGuard;cmdGuard;c:\windows\system32\drivers\cmdg uard.sys [12/10/2008 10:42 PM 101776]
R1 cmdHlp;cmdHlp;c:\windows\system32\drivers\cmdhlp.s ys [12/10/2008 10:42 PM 31504]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/11/2008 8:14 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/11/2008 8:14 AM 297752]
R2 FlashDrv;FlashDrv;c:\progra~1\Fujitsu\FlashAid\Fla shDrv.sys [05/17/2006 2:56 PM 7196]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [05/17/2006 2:56 PM 17920]
R3 FUJ02E1;%FUJ02E1.DeviceDesc%;c:\windows\system32\d rivers\FUJ02E1.sys [05/17/2006 2:39 PM 5632]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [05/17/2006 2:39 PM 4864]
R3 hidpen;Wacom Serial Pen HID MiniDriver;c:\windows\system32\drivers\hidpen.sys [05/17/2006 2:39 PM 31104]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.s ys [05/17/2006 2:39 PM 35968]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [05/17/2006 7:31 AM 14208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.micros oft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {E75386B4-C629-11DB-8338-444553544200} - hxxp://cyimg7.cyworld.com/cymusic/package/cyinstal.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\o66nfd0h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.locorunning.com/race-series.php
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{d9918442-cc02-4a59-bef4-fbb9c59ea853} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{5a267ced-62b7-4c04-8f0e-ec76db4c3ffb} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{e87ca22f-b05e-4055-a199-9ddc675f4ddd} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{7df4301b-b9d7-4975-9a27-356b796c32ab} - c:\windows\system32\busebayu.dll
SharedTaskScheduler-{64919a54-20dd-4c35-9247-ebb666c1ce4b} - c:\windows\system32\busebayu.dll
SSODL-hapokegik-{d9918442-cc02-4a59-bef4-fbb9c59ea853} - c:\windows\system32\busebayu.dll
SSODL-kazilokur-{5a267ced-62b7-4c04-8f0e-ec76db4c3ffb} - c:\windows\system32\busebayu.dll
SSODL-zamezakif-{e87ca22f-b05e-4055-a199-9ddc675f4ddd} - c:\windows\system32\busebayu.dll
SSODL-wineyusap-{7df4301b-b9d7-4975-9a27-356b796c32ab} - c:\windows\system32\busebayu.dll
SSODL-lezoyulam-{64919a54-20dd-4c35-9247-ebb666c1ce4b} - c:\windows\system32\busebayu.dll
Notify-WgaLogon - (no file)
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-05 15:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\program files\windows journal\nbmaptip.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
c:\windows\SYSTEM32\WISPTIS.EXE
c:\windows\System32\tabbtnu.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\digtizer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\o2flash.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-11-05 15:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 20:16

Pre-Run: 51,120,893,952 bytes free
Post-Run: 50,993,229,824 bytes free

- - End Of File - - 77E069C885B1A6429522B6840BD84568

cascadelink · 11-05-2009, 05:21 PM

Sorry about the duplicate log info

Osiris · 11-05-2009, 06:48 PM

No problem...

Let me see a hijackthis log now

Are you still getting those errors?

Member Login