iexplore starts every hour.

Status
Not open for further replies.
Help
I have an annoying problem with my Toshiba A30.
I suspect I have a trojan but I have virus scanned it with AVG and malware scanned with both the Microsoft Beta Antispyware and Spybot.

I have checked the tasks running and cannot see any bogus ones (I haven't run HijackThis yet, but will do.)

However, after one hour of being turned on, and every hour after, something starts iexplore minimised and contacts www.tenmonkey.com. I know it runs iexplore.exe (all lower case) as I have watched the task manager at this time and caught it on a screenie. As for the website, this is captured on my outgoing log on my firewall.

This activity is sufficient to cause the cursor to change and close any open window that is currently showing, reverting back to the taskbar.

I have updated my hosts file to stop the outgoing traffic to tenmonkey but do not know where to look for what is starting the task.

I would be grateful for any help.
 
I got a copy of hijackthis and found a popcap loader so I removed this.
I also did as you suggested, and Trojan removal found nothing to remove. I am still encountering the hourly incident.

I enclose the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:56:04, on 13/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\PROGRA~1\EzButton\CPLDFL10.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WEMADE Entertainment\Legend of Mir\Mir.exe
C:\WINDOWS\system32\agentsvr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CPLDFL10] C:\PROGRA~1\EzButton\CPLDFL10.EXE
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [agentsvr] C:\WINDOWS\system32\agentsvr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
 
Not sure about the tenmonkey thing, that is suspicious. But if something happens every hour on the hour then I would check your scheduled tasks and see if something is in there set to "go" every hour. If so, of course, remove it.

You might also download autoruns from http://www.sysinternals.com/. Get the one for your OS and read how to use it. Have it search every possible place and see if anything suspicious is in there. These are for your system startups and services. Check the "hide microsoft signed" entry as well.

cheers
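The reply above suggests looking for a scheduled task that fires every hour. The script below, added here and not part of the thread, shows one way to do that check offline: it parses the verbose CSV that `schtasks /query /fo CSV /v` prints on Windows and flags any task whose repeat interval is an hour or less, then notes whether the flagged command launches Internet Explorer at a URL, which is the behaviour the original poster described. The column names ("TaskName", "Task To Run", "Repeat: Every") and the three sample rows are my assumptions, constructed to mimic that output; the hostname, task names and URL are made up.

```python
"""Find scheduled tasks that repeat hourly or more often.

Added example, not from the thread. Parses the verbose CSV produced by
`schtasks /query /fo CSV /v`; the column names used below are assumed from
that output and the sample rows are constructed (hostname, tasks and URL are
all made up).
"""
import csv
import io
import re

# Constructed sample (subset of the columns schtasks prints): two benign
# tasks and one "At" job that starts a minimised browser at a URL every hour.
SAMPLE_SCHTASKS_CSV = r"""
"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type","Repeat: Every"
"TOSHIBA-A30","Free Update Check","22:30:00, 13/06/2005","","C:\Program Files\TOSHIBA\Free Update Service\update.exe","Daily","N/A"
"TOSHIBA-A30","At1","22:00:00, 13/06/2005","","cmd /c start /min iexplore.exe http://www.example.invalid/","Daily","1 Hour(s), 0 Minute(s)"
"TOSHIBA-A30","Weekly Defrag","03:00:00, 14/06/2005","","C:\WINDOWS\system32\defrag.exe c:","Weekly","N/A"
""".lstrip("\n")


def repeat_interval_minutes(value):
    """Turn a "Repeat: Every" cell such as "1 Hour(s), 0 Minute(s)" into minutes.

    Returns None for tasks that do not repeat ("N/A", "Disabled", empty).
    """
    hours = re.search(r"(\d+)\s*Hour", value or "")
    minutes = re.search(r"(\d+)\s*Minute", value or "")
    if not hours and not minutes:
        return None
    total = 0
    if hours:
        total += int(hours.group(1)) * 60
    if minutes:
        total += int(minutes.group(1))
    return total or None


def find_hourly_tasks(csv_text, max_minutes=60):
    """Return (task name, command, interval) for every task that repeats at
    least once every `max_minutes` minutes."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        interval = repeat_interval_minutes(row.get("Repeat: Every", ""))
        if interval is not None and interval <= max_minutes:
            hits.append((row["TaskName"], row["Task To Run"], interval))
    return hits


def looks_like_browser_beacon(command):
    """True when a task command starts Internet Explorer pointed at a URL,
    i.e. a browser used as a scheduled outbound connection."""
    cmd = command.lower()
    return "iexplore" in cmd and ("http://" in cmd or "https://" in cmd)


if __name__ == "__main__":
    # On a real machine: schtasks /query /fo CSV /v > tasks.csv, then pass
    # open("tasks.csv").read() instead of the constructed sample.
    for name, command, interval in find_hourly_tasks(SAMPLE_SCHTASKS_CSV):
        flag = " <-- browser beacon" if looks_like_browser_beacon(command) else ""
        print(f"every {interval} min: {name}: {command}{flag}")
```

Matching on the repeat interval rather than on the command string is deliberate: the poster only knew that iexplore.exe appeared on the hour, so the interval is the one property that is certain before the launching command is identified.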
 
Registrant:
Silly Mango (TENMONKEY-COM-DOM)
Baljit Jain
Plaza Ashok Chambers
V.M.Road,Santa Cruz
Mumbai,Maharastra, Maharastra 409054
India
+91.023543178
**********@rediffmail.com

Domain Name: TENMONKEY.COM
Status: PROTECTED

Administrative Contact:
Silly Mango ******@aol.com
Plaza Ashok Chambers
V.M.Road,Santa Cruz
Mumbai,Maharastra, Maharastra 409054
India
+91.023543178

Technical Contact, Zone Contact:
************@rdsindia.com ************@rdsindia.com
6-3-900/9, Veeru Castle Durganagar Colony
Punjagutta
Hyderabad, Andhra Pradesh 500082
INDIA
+91.4023404033
Fax- +91.4023406306

The only one I can see is this MIR program. Take it out of your startup/bootup if there and start again.
You should also run a HJT in safe mode and fix:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
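The reply above picks out specific lines from the HijackThis log by eye: an orphaned service with "(file missing)", unknown-owner binaries, and the Temp directories where a dropped loader would live. The script below, added here and not the thread's code nor part of HijackThis, applies the same triage rules to HJT's O4 (Run key) and O23 (service) line formats. The sample lines are copied from the log in the thread, plus one constructed O4 line pointing into a user's Temp folder (the "ldr" entry, which is made up) so the user-writable-location rule has something to match.

```python
"""Triage HijackThis O4 and O23 lines for entries worth a closer look.

Added example; not the thread's code and not HijackThis itself. The rules are
the ones the reply above applies by hand: binaries in user-writable folders,
unqualified executable names, per-user Run keys, services whose binary is
missing or has no company name, and anything that opens a browser at a URL.
"""
import re

# O4 - HKLM\..\Run: [Name] C:\path\prog.exe /args
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: Display name (ShortName) - Company - C:\path\svc.exe
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

# Sample lines: all but the "ldr" entry are taken from the log posted in the
# thread; the "ldr" line is constructed to exercise the Temp-folder rule.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [agentsvr] C:\WINDOWS\system32\agentsvr.exe
O4 - HKCU\..\Run: [ldr] C:\Documents and Settings\Owner\Local Settings\Temp\ldr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


def executable_of(cmd):
    """Extract the program from a Run command: the quoted path if quoted,
    otherwise everything up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line):
    """Return (kind, name, reasons) for an O4/O23 line, or None for other lines."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group("cmd"))
        low = m.group("cmd").lower()
        if "\\" not in exe and ":" not in exe:
            reasons.append("unqualified executable name, resolved through PATH")
        if any(p in exe.lower() for p in USER_WRITABLE):
            reasons.append("executable lives in a user-writable location")
        if m.group("hive") == "HKCU":
            reasons.append("per-user Run key")
        if "iexplore" in low and "http" in low:
            reasons.append("launches Internet Explorer at a URL")
        return ("O4", m.group("name"), reasons)
    m = O23_RE.match(line)
    if m:
        if m.group("owner").lower() == "unknown owner":
            reasons.append("binary carries no company name")
        if "(file missing)" in m.group("path").lower():
            reasons.append("service binary is missing (orphaned service)")
        return ("O23", m.group("name"), reasons)
    return None


def triage(log_text):
    """Map entry name -> list of reasons, for every entry with at least one."""
    findings = {}
    for raw in log_text.splitlines():
        result = triage_line(raw.strip())
        if result and result[2]:
            findings[result[1]] = result[2]
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A flagged entry is a prompt to look, not a verdict: the Ati2mdxx.exe line is flagged only because it is an unqualified name, and agentsvr.exe only because it sits under HKCU, both of which are common for legitimate software. The constructed Temp-folder entry and the orphaned rpcapd service are the ones that match the reply's own fix list.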
 
Just to say:
I did as you suggested.
In safe mode I ran Ad-Aware, Spybot and Microsoft Beta spyware.
Ran hijackthis and removed the unknown items.
Ran AVG scan

All came out clean.

Restarted and waited, and after an hour it tried to call tenmonkey again.

Had to take the clean slate option in the end as I was taking too much time trying to fix it and waiting for it to happen again.

Thanks for your help though, I learned a lot.
 
guess what

Baljit Jain is back... and he is f*cking ppl up big time..

The registrant of the www.tenmonkey.com site has launched a bigger virus-like website.

http://www.gamechallanger.com

Registrant:
Baljit Jain (GAMECHALLANGER-COM-DOM)
Baljit Jain
Dhillion House
The mall Behind,Patiala
Patiala, Patiala 144001
INDIA
+91.0119132109595
baljitjain@rediffmail.com

Domain Name: GAMECHALLANGER.COM
Status: PROTECTED

Administrative Contact:
Baljit Jain baljitjain@rediffmail.com
Dhillion House
The mall Behind,Patiala
Patiala, Patiala 144001
INDIA
+91.0119132109595

Technical Contact, Zone Contact:
registration@rdsindia.com registration@rdsindia.com
6-3-900/9, Veeru Castle Durganagar Colony
Punjagutta
Hyderabad, Andhra Pradesh 500082
INDIA
+91.4055664332
Fax- +91.4023406306


There is no GAME and NO PRIZE. Do NOT REGISTER if you get an invitation from one of your friends!!!
It spreads like the bird flu ...
THIS GUY SHOULD BE EXECUTED!!! -> Baljit Jain <-
Write emails to registration@rdsindia.com so they close the site...

Is there no place to report and/or complain about stuff like this?
 
AVG is ok but there is another virus program that is much better, "Kaspersky"; it is better at getting rid of trojans and viruses. This is from experience of having used both. I was running AVG and it showed no viruses, but I could not get on the internet; I installed Kaspersky, and it found 13 viruses and 6 worms and all were removed and deleted, and no problems since.
 
I have Norton 2006 and am very satisfied with it, thanks..
but the problem is: it is not a virus, so it can not be detected!
I said virus-like because it spreads like a virus:

I got a mail from a friend saying that I am invited to a game challenge.
I get to that site and they ask for my mail username and pass.

This also happened at www.goowy.com which is a new and trustable free email so they can add the accounts one already has into their database...
so I'm thinking it's an ok procedure..

..then I arrive at this SITE FULL OF **** called http://www.elitemate.com/

So now I feel like I was assraped... I could take an uzi and go amok on these kind of ****ing pests.. Just kill ALL the ad(ware) spreading losers wanting money for nothing AND the COMPANIES giving them the money including every COMPANY that EVER wants to sell me their ****.

There are no limits to this anymore.. they have no shame.
I can't understand how people tolerate this kind of crap.
You may call me a bit radical but..
I would like to give them ALL a big PRIZE -> burn their faces with acid!

That would make up for all the honest people that were ripped off...
 