credu.dll problem



#1 Chester345

Posted 08 September 2009 - 09:02 PM

Hello,

Working on a friend's computer and I cannot get rid of a trojan of some sort. Whenever Windows Explorer or Internet Explorer is started, AVG pops up saying it found a trojan BHO.BFO and lists windows/system32/credu.dll as the culprit. It can happen 10-12 times in a row after AVG says it healed the file or deleted it. I would love to know how to get rid of this! Thanks in advance!

DDS (Ver_09-07-30.01) - NTFSx86
Run by Nick at 20:51:24.46 on Tue 09/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.328 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\LXJAHRXO\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {471daa58-d914-4e9a-ac4e-61247c9e8f13} - c:\windows\system32\lanctr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {66ca7d47-59e0-4b2d-a36c-db400a213828} - c:\windows\system32\credu.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {ED3912DF-EE05-4242-89D9-D31EFE9D4AF4} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [<NO NAME>]
uRun: [ATI Launchpad]
uRun: [ATI DeviceDetect] c:\program files\ati multimedia\main\ATIDtct.EXE
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISMModule2] "c:\program files\ism\ISMModule2.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [hpppta] c:\program files\hewlett-packard\hp precisionscan\precisionscan pro\hpppta.exe /ICON
mRun: [sysalgg] c:\windows\system32\sysalgg.exe
mRun: [AlcFDMonitor] c:\windows\ALCFDRTM.EXE
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ms] c:\docume~1\nick\locals~1\temp\23317\gm.exe1
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\maxmem~1.lnk - c:\program files\analogx\maxmem\maxmem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\dtv\EXPLBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: atifmon - atifmon.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: lanctr - lanctr.dll
AppInit_DLLs: c:\windows\system32\ec.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\hlqced45.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 iteraid;ITERAID_Service_Install;c:\windows\system32\drivers\iteraid.sys [2007-3-30 24971]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-7 64160]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2007-7-3 15172]
R0 rkcjbpma;rkcjbpma;c:\windows\system32\drivers\akjslbcq.dat --> c:\windows\system32\drivers\akjslbcq.dat [?]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-28 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-28 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-28 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [2007-4-3 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [2007-4-3 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [2007-4-3 9088]
R3 axvbusx;axvbusx;c:\windows\system32\drivers\axvbusx.sys [2002-12-27 8384]
R3 axvscsi;axvscsi;c:\windows\system32\drivers\axvscsi.sys [2002-12-27 98560]
S0 Sqx53;Sqx53; [x]
S2 gupdate1c96a03cbb7b912;Google Update Service (gupdate1c96a03cbb7b912);c:\program files\google\update\GoogleUpdate.exe [2008-12-29 133104]
S2 NtmlSvc;NtmlSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 FXDRV;FXDRV;c:\program files\superutilities\Fxdrv.sys [2007-3-30 13440]
S3 METROP;Hewlett-Packard ScanJet 5300C/5370C;c:\windows\system32\drivers\hp53pw2k.sys [2007-4-24 131712]

=============== Created Last 30 ================

2009-09-08 18:07 <DIR> --dsh--- c:\documents and settings\nick\PrivacIE
2009-09-08 15:57 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 07:17 <DIR> --dsh--- c:\documents and settings\nick\IETldCache
2009-09-08 07:04 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-08 07:03 <DIR> --d----- c:\windows\ie8updates
2009-09-08 07:02 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-08 07:02 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-08 07:02 <DIR> --d----- c:\windows\Offline Web Pages
2009-09-08 06:58 <DIR> -cd-h--- c:\windows\ie8
2009-09-07 19:25 13,030 a------- C:\PDOXUSRS.NET
2009-09-07 19:16 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-07 19:16 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-07 19:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-30 03:10 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-30 03:09 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-30 03:09 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-30 03:09 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-30 03:09 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-30 03:09 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-30 03:09 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-30 03:09 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-30 03:09 <DIR> --d----- C:\bd0dc3f5e5fd508c5be85f7f7a6d
2009-08-29 17:09 255 a------- c:\windows\wininit.ini
2009-08-29 16:17 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-29 16:17 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-29 16:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-29 16:17 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-29 16:07 <DIR> --d----- c:\windows\pss
2009-08-29 04:23 1,174 a------- c:\windows\mozver.dat
2009-08-29 00:32 <DIR> --d----- c:\windows\system32\scripting
2009-08-29 00:32 <DIR> --d----- c:\windows\l2schemas
2009-08-29 00:32 <DIR> --d----- c:\windows\system32\en
2009-08-29 00:32 <DIR> --d----- c:\windows\system32\bits
2009-08-29 00:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-08-28 21:57 12,800 -------- c:\windows\system32\drivers\usb8023x.sys
2009-08-28 21:56 294,912 -c------ c:\windows\system32\dllcache\msaud32.acm
2009-08-28 21:55 10,752 -------- c:\windows\system32\smtpapi.dll
2009-08-28 20:05 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-08-28 20:01 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-28 20:00 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-08-28 20:00 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-08-28 20:00 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-28 19:59 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-08-28 19:59 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-08-28 19:58 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-08-28 19:58 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-08-28 19:58 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-08-28 19:58 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-08-28 19:41 112 a------- c:\windows\win.ini
2009-08-28 19:39 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-28 19:36 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-28 19:35 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 19:35 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 19:35 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 19:34 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-28 19:34 <DIR> --d----- c:\program files\AVG
2009-08-28 19:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-28 19:30 <DIR> --d----- c:\docume~1\nick\applic~1\AVG8

==================== Find3M ====================

2009-08-29 00:35 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2008-03-15 17:48 33,280 a------- c:\docume~1\nick\applic~1\GDIPFONTCACHEV1.DAT
2007-08-25 18:59 124,700 a------- c:\docume~1\nick\applic~1\tmp12.tmp.exe

============= FINISH: 20:52:01.59 ===============
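The log above shows the same few modules registered under several independent autostart mechanisms: lanctr.dll appears both as an unnamed BHO and as a Winlogon Notify package, credu.dll is a second unnamed BHO in system32, ec.dll is listed in AppInit_DLLs (loaded into every process that maps user32.dll), the boot-start driver rkcjbpma points at a .dat file instead of a .sys, Sqx53 is registered with no image on disk, NtmlSvc is hosted in svchost.exe so the listing cannot show what it actually loads, and an mRun entry launches gm.exe1 from a temp folder. That is consistent with what the poster sees: an on-access scanner deleting one file does nothing about the other components that re-create it. The triage helper below is an added example, not part of the post or of DDS. It parses the plain-text line formats DDS emits and applies the heuristics a responder would apply by hand. The rules, severity labels and function names are assumptions for illustration, the sample input is a constructed subset of lines copied from the log above, and a finding means "review this entry", not "this file is malicious".

```python
"""Triage helper for DDS "Pseudo HJT Report" / SERVICES lines (added example, not
from the post or DDS). Rules, severities and names are illustrative assumptions;
a finding means "review this entry", not "this file is malicious"."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""
mWinlogon: SFCDisable=4 (0x4)
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {471daa58-d914-4e9a-ac4e-61247c9e8f13} - c:\windows\system32\lanctr.dll
BHO: {66ca7d47-59e0-4b2d-a36c-db400a213828} - c:\windows\system32\credu.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ms] c:\docume~1\nick\locals~1\temp\23317\gm.exe1
Notify: avgrsstarter - avgrsstx.dll
Notify: lanctr - lanctr.dll
AppInit_DLLs: c:\windows\system32\ec.dll
R0 rkcjbpma;rkcjbpma;c:\windows\system32\drivers\akjslbcq.dat --> c:\windows\system32\drivers\akjslbcq.dat [?]
S0 Sqx53;Sqx53; [x]
S2 NtmlSvc;NtmlSvc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
"""

BHO_RE = re.compile(r"^BHO: (?:(?P<name>.+?): )?\{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Notify: \S+ - (?P<dll>\S+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<value>\S.*)$")
RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\] ?(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<svc>[^;]+);[^;]*;(?P<image>.*)$")
SFC_RE = re.compile(r"^mWinlogon: SFCDisable=(?P<val>\d+)")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "temporary internet files")


@dataclass
class Finding:
    severity: str  # info | medium | high
    source: str    # autostart mechanism the entry came from
    module: str    # lowercased file name (service name when there is no file)
    reason: str


def image_path(field: str) -> str:
    """Image path from a DDS field: drop trailing '[date size]'/'[x]'/'[?]', honour quotes, stop at ' -' or ' /'."""
    s = re.sub(r"\s*\[[^\]]*\]\s*$", "", field.strip())
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return re.split(r" (?=[-/])", s, maxsplit=1)[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: dict[str, set[str]] = defaultdict(set)  # module -> mechanisms that register it

    def note(sev: str, src: str, mod: str, why: str) -> None:
        findings.append(Finding(sev, src, mod, why))

    for line in map(str.rstrip, log_text.splitlines()):
        if m := BHO_RE.match(line):
            if m["path"].lower() == "no file":
                continue  # orphan CLSID: nothing loads
            mod = PureWindowsPath(m["path"]).name.lower()
            seen[mod].add("BHO")
            if not m["name"] and "\\system32\\" in m["path"].lower():
                note("medium", "BHO", mod, "unnamed BHO loaded from system32")
        elif m := NOTIFY_RE.match(line):
            mod = m["dll"].lower()
            seen[mod].add("Winlogon Notify")
            note("info", "Winlogon Notify", mod, "Notify package runs inside winlogon.exe")
        elif m := APPINIT_RE.match(line):
            for p in m["value"].split(","):
                mod = PureWindowsPath(p.strip()).name.lower()
                seen[mod].add("AppInit_DLLs")
                note("high", "AppInit_DLLs", mod, "loaded into every process that maps user32.dll")
        elif (m := RUN_RE.match(line)) and (img := image_path(m["cmd"])):
            mod = PureWindowsPath(img).name.lower()
            seen[mod].add("Run")
            if any(t in img.lower() for t in TEMP_MARKERS):
                note("high", "Run", mod, "Run entry launches from a temp directory")
        elif m := SVC_RE.match(line):
            img = image_path(m["image"])
            mod = PureWindowsPath(img).name.lower() if img else ""
            if mod:
                seen[mod].add("Service/Driver")
            if "[x]" in m["image"]:
                note("medium", "Service/Driver", m["svc"].lower(), "service registered with no image on disk ([x])")
            elif m["start"] in ("R0", "S0") and mod and not mod.endswith(".sys"):
                note("high", "Service/Driver", mod, "boot-start driver whose image is not a .sys file")
            elif mod == "svchost.exe":
                note("info", "Service/Driver", m["svc"].lower(), "svchost-hosted: the real code is the ServiceDll value")
        elif (m := SFC_RE.match(line)) and m["val"] != "0":
            note("medium", "Winlogon", "sfcdisable", f"non-default SFCDisable={m['val']}; confirm the WFP change was intended")
    # A module hooked by two independent mechanisms is what makes "AV removes the
    # file and it comes straight back" plausible, so escalate those findings.
    for f in findings:
        others = seen.get(f.module, set()) - {f.source}
        if others and f.severity != "high":
            f.severity, f.reason = "high", f.reason + " (also registered via " + ", ".join(sorted(others)) + ")"
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

The escalation step is the part worth keeping: a file the on-access scanner keeps "healing" is rarely the whole story, and the useful question is which other autostart entry keeps writing it back. The svchost.exe rule is a reminder of the listing's limit: for NtmlSvc the DDS line shows only the host process, so the ServiceDll value under that service's Parameters key has to be read separately before anything can be said about it.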

#2 Chester345

Posted 09 September 2009 - 05:56 AM

Actually, I think I fixed it after my post with Malwarebytes!!!

Thanks!

#3 Guest_The weatherman_*

Posted 09 September 2009 - 05:18 PM

Thank you for letting us know, Chester345. :(



