TechSpot

iexplore starts every hour.

By needtechy
Jun 10, 2005
  1. Help
    I have an annoying problem with my Toshiba A30.
    I suspect I have a trojan, but I have virus scanned it with AVG and malware scanned with both the Microsoft Beta AntiSpyware and Spybot.

    I have checked the tasks running and cannot see any bogus ones (I haven't run HijackThis yet, but will do).

    However, after one hour of being turned on, and every hour after that, something starts iexplore minimised and contacts www.tenmonkey.com. I know it runs iexplore.exe (all lower case) as I have watched the task manager at this time and caught it on a screenshot. As for the website, this is captured in the outgoing log on my firewall.

    This activity is sufficient to cause the cursor to change and to close any open window that is currently showing, reverting back to the taskbar.

    I have updated my hosts file to stop the outgoing traffic to tenmonkey, but do not know where to look for what is starting the task.

    I would be grateful for any help.
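The firewall log described above is the one piece of evidence that can pin the cadence down. The script below is an added example, not code from the original thread: it groups outbound connections by destination, computes the gap between successive connections, and flags any host whose gaps are almost identical, which is what a timer or scheduled task produces and human browsing does not. The log lines and their format (date, time, process, direction, host:port) are constructed for illustration; adapt parse_line() to whatever your firewall actually writes.

```python
"""Flag destinations contacted at a steady interval (beaconing) in a firewall log.

Added example, not part of the original TechSpot thread. The log format is
constructed: "YYYY-MM-DD HH:MM:SS process DIRECTION host:port". Real firewall
logs differ, so parse_line() is the only function that should need changing.
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host hit every ~3600 s, another at irregular times.
SAMPLE_LOG = """\
2005-06-10 09:02:11 iexplore.exe OUT www.tenmonkey.com:80
2005-06-10 09:15:40 iexplore.exe OUT www.techspot.com:80
2005-06-10 10:02:13 iexplore.exe OUT www.tenmonkey.com:80
2005-06-10 10:31:05 iexplore.exe OUT www.techspot.com:80
2005-06-10 11:02:10 iexplore.exe OUT www.tenmonkey.com:80
2005-06-10 11:02:55 iexplore.exe OUT www.techspot.com:80
2005-06-10 12:02:12 iexplore.exe OUT www.tenmonkey.com:80
2005-06-10 13:02:11 iexplore.exe OUT www.tenmonkey.com:80
2005-06-10 13:47:30 iexplore.exe OUT www.techspot.com:80
"""


def parse_line(line):
    """Return (timestamp, process, host) for one line of the constructed format."""
    date, time, proc, _direction, dest = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    host = dest.rsplit(":", 1)[0]  # drop the port
    return ts, proc, host


def intervals_by_host(log_text):
    """Map each destination host to the list of gaps (seconds) between its hits."""
    times = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _proc, host = parse_line(line)
        times.setdefault(host, []).append(ts)
    gaps = {}
    for host, stamps in times.items():
        stamps.sort()
        gaps[host] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(log_text, min_hits=4, max_jitter=0.05):
    """Return {host: period_seconds} for hosts contacted on a steady cadence.

    A host qualifies when it has at least min_hits connections and the
    population standard deviation of its inter-arrival gaps is no more than
    max_jitter (5 %) of the mean gap. Low jitter is the tell: a timer fires
    at near-identical intervals, a person clicking around does not.
    """
    beacons = {}
    for host, gaps in intervals_by_host(log_text).items():
        if len(gaps) + 1 < min_hits:
            continue
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[host] = round(period)
    return beacons


if __name__ == "__main__":
    for host, period in find_beacons(SAMPLE_LOG).items():
        print(f"{host}: contacted every ~{period} s")
```

On the constructed sample this reports www.tenmonkey.com at a 3600 s period and says nothing about www.techspot.com, whose gaps vary by hours. Once a beacon is confirmed, the timestamps give you the exact minute to watch Task Manager or Process Explorer for the parent of iexplore.exe, which is the thing the thread never managed to catch.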
     
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  3. needtechy

    needtechy TS Rookie Topic Starter

    I got a copy of HijackThis and found a PopCap loader, so I removed this.
    I also did as you suggested, and Trojan removal found nothing to remove. I am still encountering the hourly incident.

    I enclose the hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:56:04, on 13/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\PROGRA~1\EzButton\CPLDFL10.EXE
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\WEMADE Entertainment\Legend of Mir\Mir.exe
    C:\WINDOWS\system32\agentsvr.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [CPLDFL10] C:\PROGRA~1\EzButton\CPLDFL10.EXE
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [agentsvr] C:\WINDOWS\system32\agentsvr.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\TOSHIBA\Power Management\CeEPwrSvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
     
  4. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Not sure about the tenmonkey thing, that is suspicious. But if something happens every hour on the hour then I would check your scheduled tasks and see if something is in there set to "go" every hour. If so, of course, remove it.

    You might also download Autoruns from http://www.sysinternals.com/. Get the one for your OS and read how to use it. Have it search every possible place and see if anything suspicious is in there. These are for your system startups and services. Check the "hide Microsoft signed" entry as well.

    cheers
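The scheduled-tasks check above can be scripted rather than eyeballed. The following is an added example, not code from the original thread: it parses the CSV that `schtasks /query /fo CSV /v` writes on Windows XP (save it with `schtasks /query /fo CSV /v > tasks.csv`) and flags any task that runs hourly, either by schedule type or by a one-hour repeat, or whose command launches a browser or a URL. The column names it relies on ("Task To Run", "Scheduled Type", "Repeat: Every", "Schedule") are my recollection of XP's verbose output and are an assumption; compare them with the header line of your own export. The sample rows are constructed and trimmed to a few columns; the real export has more, which csv.DictReader tolerates.

```python
"""Flag scheduled tasks that fire hourly or launch a browser (Windows XP schtasks CSV).

Added example, not from the original TechSpot thread. Input is the output of
`schtasks /query /fo CSV /v`. Column names are assumed from XP's verbose
format; the sample below is constructed and uses only a subset of columns.
"""
import csv
import io
import re
import sys

# Constructed sample export: hostname, task names and commands are made up.
SAMPLE_CSV = """\
"HostName","TaskName","Schedule","Task To Run","Scheduled Type","Start Time","Repeat: Every"
"LAPTOP","Nightly Backup","At 02:00 every day, starting 01/06/2005","C:\\Tools\\backup.exe","Daily","02:00:00","Disabled"
"LAPTOP","Updater","At 09:00 every day, starting 10/06/2005","C:\\Tools\\updater.exe","Daily","09:00:00","1 Hour(s), 0 Minute(s)"
"LAPTOP","Hourly Check","Every 1 hour(s) from 08:00 for 24 hour(s) every day, starting 10/06/2005","iexplore.exe http://www.tenmonkey.com/","Hourly","08:00:00","Disabled"
"LAPTOP","Weekly Defrag","At 02:00 every Sun of every week, starting 01/06/2005","C:\\WINDOWS\\system32\\defrag.exe C:","Weekly","02:00:00","Disabled"
"""

# A command that is a browser, or carries a URL, is worth a look on a box
# that opens IE by itself; extend the list for other browsers you run.
BROWSER_RE = re.compile(r"(iexplore|firefox|opera)\.exe|https?://", re.IGNORECASE)
# "1 hour(s)" in the repeat or schedule text; deliberately not matching 10/11/21 hours.
HOURLY_RE = re.compile(r"\b1\s*hour", re.IGNORECASE)


def is_hourly(row):
    """True when the task type is Hourly or it repeats/schedules every 1 hour."""
    if row.get("Scheduled Type", "").strip().lower() == "hourly":
        return True
    return any(HOURLY_RE.search(row.get(col, "")) for col in ("Repeat: Every", "Schedule"))


def suspicious_tasks(csv_text):
    """Return a list of {task, command, reasons} for tasks worth investigating."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # schtasks sometimes repeats the header line; skip such rows.
        if row.get("TaskName") == "TaskName":
            continue
        reasons = []
        if is_hourly(row):
            reasons.append("runs every hour")
        cmd = row.get("Task To Run", "")
        if BROWSER_RE.search(cmd):
            reasons.append("launches a browser/URL")
        if reasons:
            findings.append({"task": row["TaskName"], "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: python find_hourly_tasks.py tasks.csv   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for f in suspicious_tasks(text):
        print(f"{f['task']}: {f['command']}  <- {', '.join(f['reasons'])}")
```

Anything this flags still needs a manual look: a vendor updater that repeats hourly is normal, a task whose "Task To Run" is a browser with a URL on the command line is not. Remember that the Task Scheduler is only one of several timers on the box; Autoruns, as suggested above, covers the Run keys, services and shell extensions that schtasks never sees.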
     
  5. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Registrant:
    Silly Mango (TENMONKEY-COM-DOM)
    Baljit Jain
    Plaza Ashok Chambers
    V.M.Road,Santa Cruz
    Mumbai,Maharastra, Maharastra 409054
    India
    +91.023543178
    **********@rediffmail.com

    Domain Name: TENMONKEY.COM
    Status: PROTECTED

    Administrative Contact:
    Silly Mango ******@aol.com
    Plaza Ashok Chambers
    V.M.Road,Santa Cruz
    Mumbai,Maharastra, Maharastra 409054
    India
    +91.023543178

    Technical Contact, Zone Contact:
    ************@rdsindia.com ************@rdsindia.com
    6-3-900/9, Veeru Castle Durganagar Colony
    Punjagutta
    Hyderabad, Andhra Pradesh 500082
    INDIA
    +91.4023404033
    Fax- +91.4023406306

    The only one I can see is this MIR program. Take it out of your startup/bootup if there and start again.
    You should also run a HJT in safe mode and fix:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
    O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
     
  6. needtechy

    needtechy TS Rookie Topic Starter

    Just to say:
    I did as you suggested.
    In safe mode ran Ad-Aware, Spybot and Microsoft Beta AntiSpyware.
    Ran HijackThis and removed the unknown items.
    Ran AVG scan

    All came out clean.

    Restarted and waited, and after an hour it tried to call tenmonkey again.

    Had to take the clean slate option in the end as I was taking too much time trying to fix it and waiting for it to happen again.

    Thanks for your help though, I learned a lot.
     
  7. jaxx_rr

    jaxx_rr TS Rookie

    guess what

    Baljit Jain is back... and he is f*cking people up big time..

    The registrant of the www.tenmonkey.com site has launched a bigger virus-like website.

    http://www.gamechallanger.com

    Registrant:
    Baljit Jain (GAMECHALLANGER-COM-DOM)
    Baljit Jain
    Dhillion House
    The mall Behind,Patiala
    Patiala, Patiala 144001
    INDIA
    +91.0119132109595
    baljitjain@rediffmail.com

    Domain Name: GAMECHALLANGER.COM
    Status: PROTECTED

    Administrative Contact:
    Baljit Jain baljitjain@rediffmail.com
    Dhillion House
    The mall Behind,Patiala
    Patiala, Patiala 144001
    INDIA
    +91.0119132109595

    Technical Contact, Zone Contact:
    registration@rdsindia.com registration@rdsindia.com
    6-3-900/9, Veeru Castle Durganagar Colony
    Punjagutta
    Hyderabad, Andhra Pradesh 500082
    INDIA
    +91.4055664332
    Fax- +91.4023406306


    There is no GAME and NO PRIZE. Do NOT REGISTER if you get an invitation from one of your friends!!!
    It spreads like the bird flu...
    THIS GUY SHOULD BE EXECUTED!!! -> Baljit Jain <-
    Write emails to registration@rdsindia.com so they close the site...

    Is there no place to report and/or complain about stuff like this?
     
  8. compguy13

    compguy13 TS Rookie

    AVG is OK, but there is another antivirus program that is much better, "Kaspersky"; it is better at getting rid of trojans and viruses. This is from experience of having used both. I was running AVG and it showed no viruses, but I could not get on the internet; I installed Kaspersky, and it found 13 viruses and 6 worms, and all were removed and deleted, and no problems since.
     
  9. jaxx_rr

    jaxx_rr TS Rookie

    I have Norton 2006 and am very satisfied with it, thanks..
    but the problem is: it is not a virus, so it can not be detected!
    I said virus-like because it spreads like a virus:

    I got a mail from a friend saying that I am invited to a game challenge.
    I get to that site and they ask for my mail username and pass.

    This also happened at www.goowy.com, which is a new and trustable free email, so they can add the accounts one already has into their database...
    so I'm thinking it's an OK procedure..

    ..then I arrive at this SITE FULL OF **** called http://www.elitemate.com/

    So now I feel like I was assraped... I could take an Uzi and go amok on these kinds of ****ing pests.. Just kill ALL the ads(ware)-spreading losers wanting money for nothing AND the COMPANIES giving them the money, including every COMPANY that EVER wants to sell me their ****.

    There are no limits to this anymore.. they have no shame.
    I can't understand how people tolerate this kind of crap.
    You may call me a bit radical, but..
    I would like to give them ALL a big PRIZE -> burn their faces with acid!

    That would make up for all the honest people that were ripped off...
     
Topic Status:
Not open for further replies.
