#31 December 14th, 2008 · 01:04 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
What is (Bonjour Service): C:\Program Files\Bonjour\mDNSResponder.exe?
Virus or not, do you need it?
#32 December 14th, 2008 · 01:16 PM
190 threads / 27 songs
2,845 posts
Germany
Bonjour is part of Apple's stuff. Kinda messenger shit. Not necessary at all.
#33 December 14th, 2008 · 04:20 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
Kings, TLS, I see the Heyoke file still in the hijack folder that I just did.. Tried going to the System32 folder but it's not there as per the log.... I also saw the site you mentioned, Kings, regarding this issue.. At the moment the PC is behaving quite well... Spyware Stopper is running; I'll have to see where the next hit comes from and try and stop it... I ran Spyware Stopper in safe mode, no issues.. The BitTorrent one was deleted from both the C drive and Prefetch... Man, I owe you guys big for this help.. Thanks guys!
#34 December 14th, 2008 · 06:17 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
Did you find tajelavo.dll and rophvd.dll?

If you're happy you have messed it up enough to delete it all from your system, make sure you turn off System Restore, reboot and turn it on again (if you want to). A lot of these trojans hide in System Restore. And make sure you delete all your temp files / recycle bin, thoroughly.

I'd love to see your HJT log now.
#35 December 14th, 2008 · 09:33 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
kings wrote…
Did you find tajelavo.dll and rophvd.dll?

If you're happy you have messed it up enough to delete it all from your system, make sure you turn off System Restore, reboot and turn it on again (if you want to). A lot of these trojans hide in System Restore. And make sure you delete all your temp files / recycle bin, thoroughly.

I'd love to see your HJT log now.
I did a search on my PC for that, nothing came up... I know heyoke is still in there... The other things, Rcth.... or whatnot, are related to my sound card, which is disabled via Device Manager due to my M-Audio use, as per some searches I did..
I'll post the new HijackThis log tomorrow after work.. Thx again!!!!!

I owe you big time....

and thx TK and TLS!
#36 December 15th, 2008 · 05:06 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
Yes, do post a new HJT log. I've done some searches on the file names in your original by now, so comparing with a recent one would be really good.

I've also seen that some of the stranger-sounding files are related to your sound card, video card and router.

Stop getting side-tracked and going off to make excellent music!!!!
#37 December 15th, 2008 · 07:30 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
K.. Here it is, Kings..
I also did research on another weird-named dll which didn't necessarily show up as a virus, but it could very well have been one due to the location it was found in.. The dll was Bae.dll and it was in my System32 folder when its home is actually in C:\Program Files.. When I deleted this dll it took about 50 sec for the PC to delete it from both the system folder and the trash bin..

I still can't find how to get to heyovoki... or what to do...

But this is what it reads when I do HijackThis and I highlight that folder..

it reads:

Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')

This part of the scan checks for several suspicious programs that autoload when Windows starts..
Autoloading entries can load a registry script, VB script or Java script file, possibly causing the IE start page, search page, search bar and search assistant to revert back to the hijacker's page after a system reboot.. Also a dll can be loaded that can hook into several parts of your system...

Infected examples:
regedit c:\windows\system\sp.tmp /s
Kernel32 VBS

C:\windows\temp\install.js
rundll32 C:\program files\NewDotNet\newdotnet4_5.dll,NewDotNet Startup

[action taken: registry value is deleted]..

So that's the actual heyovoki info given by HijackThis.. Now HijackThis has a fix me button.. Should I press it?? lol.. This is like another language, I'm still trying to get it, but man, wow!!!
OK, so here is the log:
Log file of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:31 PM, on 12/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forum.bandamp.com/Audio_Review.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T3516
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: rophvd.dll   c:\windows\system32\tajelavo.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 7379 bytes
#38 December 16th, 2008 · 03:51 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
C:\PROGRA~1\Crawler\CToolbar.exe
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: rophvd.dll   c:\windows\system32\tajelavo.dll

M, these are lines from the HJT log that need your attention. I went looking for ctbr.dll and tbr:iemenu and came up with this thread (fixed): http://www.bullguard.com/forum/10/ConHook-trojan_24325.html ; he seems to point to Crawler and the very same entries as you have.

This is odd: "O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe" is the last entry, but this program is also by Crawler!!??

And your tajelavo.dll is still there.

New Boundary PrismXL seems legit, but I found this about it: "The PrismXL service lets the Client deploy Tasks on a target computer regardless of the current user's permissions."

Have you tried EWIDO? It's cleaned out a lot of shit for me in the past, and your man on the thread above recommends it too. I just downloaded Ewido 4 from: http://www.softpedia.com/progDownload/Ewido-Security-Suite-Download-22503.html

Keep me posted!
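As an added example (not from this thread or from HijackThis itself), here is a small Python script that applies the triage rules kings uses above to constructed log lines modelled on the log: a non-empty O20 AppInit_DLLs value, an O4 Run entry that uses rundll32 to load a DLL from system32, and an O2 BHO marked (file missing). The sample lines and the rule labels are constructed for illustration.

```python
import re

# Constructed sample in HijackThis v2 log format, modelled on the entries
# discussed in this thread (paths restored with backslashes).
SAMPLE_LOG = r"""
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: rophvd.dll   c:\windows\system32\tajelavo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Every HJT entry starts with a section tag (R0, O2, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# rundll32 [.exe] ["]path\to\file.dll  -- capture the DLL being loaded.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def appinit_dlls(body):
    """Return the DLL list from an 'AppInit_DLLs: ...' body (empty if none)."""
    _, _, value = body.partition("AppInit_DLLs:")
    return value.split()


def triage(log_text):
    """Apply the triage rules used in the thread; return (section, reason, detail)."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are not entries
        section, body = m.groups()
        if section == "O20" and appinit_dlls(body):
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # legitimate software almost never needs it, so any value is suspect.
            findings.append((section, "AppInit_DLLs set", appinit_dlls(body)))
        elif section == "O4":
            hit = RUNDLL_RE.search(body)
            if hit and "system32" in hit.group(1).lower():
                # A Run entry that uses rundll32 to load a randomly named DLL
                # dropped into system32 is the heyovoki.dll pattern above.
                findings.append((section, "rundll32 loads DLL from system32", hit.group(1)))
        elif section == "O2" and body.endswith("(file missing)"):
            # A BHO whose DLL is gone is a leftover registration to clean up.
            findings.append((section, "BHO file missing", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```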
#39 December 16th, 2008 · 04:23 PM
341 threads / 59 songs
4,361 posts
Cymru (Wales)
I wouldn't want them scanning my computer, but they have a very nice list of viruses, malware and trojans:
http://www.incodesolutions.com/virl109.php

tajelavo.dll is in there, and so is antiviruspro2009.exe.
#40 December 16th, 2008 · 05:13 PM
128 threads / 44 songs
2,814 posts
Puerto Rico
kings wrote…
C:\PROGRA~1\Crawler\CToolbar.exe
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\ctbr.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\ctbr.dll
O4 - HKUS\S-1-5-19\..\Run: [tudilukomu] Rundll32.exe "C:\WINDOWS\system32\heyovoki.dll",s (User 'LOCAL SERVICE')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\ctbr.dll
O20 - AppInit_DLLs: rophvd.dll   c:\windows\system32\tajelavo.dll

M, these are lines from the HJT log that need your attention. I went looking for ctbr.dll and tbr:iemenu and came up with this thread (fixed): http://www.bullguard.com/forum/10/ConHook-trojan_24325.html ; he seems to point to Crawler and the very same entries as you have.

This is odd: "O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe" is the last entry, but this program is also by Crawler!!??

And your tajelavo.dll is still there.

New Boundary PrismXL seems legit, but I found this about it: "The PrismXL service lets the Client deploy Tasks on a target computer regardless of the current user's permissions."

Have you tried EWIDO? It's cleaned out a lot of shit for me in the past, and your man on the thread above recommends it too. I just downloaded Ewido 4 from: http://www.softpedia.com/progDownload/Ewido-Security-Suite-Download-22503.html

Keep me posted! ;)

The Crawler stuff is part of the real-time protection included in Spyware Terminator. It's actually what tells me when a site is trying to come into my system... So far it has worked great.. The tajelavo.dll and the heyovoki are the things of concern which I can't find, although I know they are there.. The Rphd is related to my audio card....
I'll try Ewido! Thx kings!
© 2002-2012 BandAMP. All Rights Reserved.