
HJT LOG from CATMANDOO as requested by stidyup



#1 Catmandoo

Posted 12 April 2005 - 12:46 PM

HI ALL!
The problem stated by the firewall (eTrust) is MONITOR.EXE trying to reach IP# 63.188.4831 and 63.188.48.31, which is sdn-qp-006dcwashP0031.dialsprint.net. The port scans are consecutive #s trying to break in, but the HOME source (I double-checked it with 2 different trace services) is the "American Registry for Internet Numbers" (ARIN). Is this Federal surveillance? And why do they even care about my WIN98SE with 64 MB RAM? The system was reinstalled CLEAN, and this didn't start up again for a couple of hours online. The firewall was in place BEFORE any Net connection, so these mothers must insert their trojan spyware past ordinary firewall defenses.
My humble opinion, for what it's worth, is that this is NOT just MY problem, because if the FIREWALL didn't stop it, "What's happening when there's no monitoring of ALL traffic?" These people will get right in (most of the intrusions are directed toward NetBIOS) to most people's computers unnoticed. The nature of this intrusion cannot be overstated.
The vehicle for the connection attempts (hundreds) is "MONITOR.EXE", although it wasn't limited to that before I set up defenses. You CAN run the machine despite this, but WHAT the H is this?
Logfile of HijackThis v1.99.0
Scan saved at 12:52:46 PM, on 4/12/05
Platform: Windows 98 SE (Win9x 4.10.1998A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMKEYBD.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\BHODEMON 2\BHODEMON.EXE
C:\PROGRAM FILES\MRU-BLASTER\SCHEDULER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\MEDIASCAPE\VAIO SMART KEYBOARD\MMUSBKB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\ISP50\DIALER\DIALER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\ANALOGX\PORTBLOCKER\PBLOCK.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
O2 - BHO: PeoplePC FixedBandBHO - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\Bin\BandObject.dll (disabled by BHODemon)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (disabled by BHODemon)
O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPKBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll__BHODemonDisabled_UCMBTCNSUENCEADKHPPBHICDGAEKHXQJ (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\VAIO Smart Keyboard\MediaCtr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\ca.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -COOKIES
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [IE Privacy Keeper] "C:\PROGRAM FILES\UNH SOLUTIONS\IE PRIVACY KEEPER\IEPRIVACYKEEPER.EXE" -stcleanup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: MRU-Blaster Scheduler.lnk = C:\Program Files\MRU-Blaster\scheduler.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

Here's the HJT file, and many thanks to you who take pity on a fellow traveler. You are good samaritans. I have read about "Flux" Trojans, which are not impeded by routers or by hardware or software firewalls.
--Catmandoo

#2 Grinler (Lawrence Abrams, Admin)

Posted 12 April 2005 - 10:45 PM

Do you know what this is?

O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide

The problem you are having is not a virus or other malware, but it is a program that you do not need to keep running.

Fix this entry in HijackThis:

O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe

Reboot and post a new log.
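The step Grinler took by eye, matching the running C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE to the O4 RunServices entry that launches it, done mechanically over the log format shown above. This is an added example, not code from the thread, from HijackThis or from BleepingComputer. The O4 line grammar it assumes ("O4 - <location>: [<name>] <command>" and "O4 - Startup: <link> = <path>") is inferred from the lines in the log above; the function names are my own, and the log it parses is a constructed, trimmed copy of the one posted in this thread.

```python
"""Correlate HijackThis 'Running processes' with the O4 entries that start them.

Added example, not code from the thread or from HijackThis. The O4 grammar
assumed here ("O4 - <location>: [<name>] <command>" and
"O4 - Startup: <link> = <path>") is inferred from the log posted above.
"""
import re

# Constructed sample: a trimmed copy of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.1998A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# Registry-style entries carry "[name] command"; Startup-folder entries carry "link = path".
O4_RE = re.compile(
    r"^O4 - (?P<loc>[^:]+): "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)|(?P<lnk>.+?) = (?P<cmd2>.*))$"
)
EXE_RE = re.compile(r"(.*?\.(?:exe|com|bat|scr))(?:\s|$)", re.IGNORECASE)


def command_target(cmd):
    """Strip arguments from an autostart command, leaving the file it runs."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, e.g. "C:\...\X.EXE" -stcleanup
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd              # .sbrt/.hta-style entries keep the whole command


def parse_log(text):
    """Return (running_processes, o4_entries) from a HijackThis log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                         # a blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd") if m.group("cmd") is not None else m.group("cmd2")
            entries.append({
                "location": m.group("loc"),
                "name": m.group("name") if m.group("name") is not None else m.group("lnk"),
                "command": cmd,
                "target": command_target(cmd),
            })
    return processes, entries


def _base(path):
    return path.lower().rsplit("\\", 1)[-1]


def autostart_for(entries, process_path):
    """O4 entries that launch process_path.

    Win9x logs mix 8.3 short names (PROGRA~1) with long names and vary in
    case, so compare case-insensitively and fall back to the file name alone
    when the full path differs (assumption: a base-name-only hit is a
    candidate to confirm on disk, not proof).
    """
    want = process_path.lower()
    full = [e for e in entries if e["target"].lower() == want]
    if full:
        return full
    return [e for e in entries if _base(e["target"]) == _base(process_path)]


def not_in_autostart(processes, entries):
    """Running processes with no O4 entry: started some other way (core OS
    component, child of another program, or a launch point listed elsewhere)."""
    return [p for p in processes if not autostart_for(entries, p)]


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for e in autostart_for(ents, r"C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE"):
        print(f"{e['location']} [{e['name']}] -> {e['command']}")
    for p in not_in_autostart(procs, ents):
        print("no O4 entry:", p)
```

Run against the constructed log it reports HKLM\..\RunServices [EncMonitor] as the only launcher of MONITOR.EXE and lists KERNEL32.DLL as the one running process with no O4 entry. Fixing an O4 entry in HijackThis removes that Run/RunServices value; it does not remove Monitor.exe from disk, so a new log after the reboot is the check that the entry has not been recreated.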

#3 Catmandoo (Topic Starter)

Posted 16 April 2005 - 08:47 AM

HELLO and THANKS!! to Grinler and to BleepBleep!
What's this? It's a program called "Eraser", which comes with a lot of convenient options for cleaning out files and remnants, and even has a "nuke your disc" disc-making facility for when you want nothing left behind, or before a system restore. It can easily be set up to skip over existing files, and clean all remnants and "tips" that can cause false positives in virus detection programs after deletion of the original bugs. It has several algorithms to select from, or if you prefer brute force, about 65,000 overwrites. This may take a while, and I've been fine with the default algorithm, which eliminates a lot of error messages during operation.
Thank you for the advice about "encompassmonitor.exe". You were exactly correct, and another method (thanks to Tony Klein at Wilders') is: START to "Run", type "msconfig", click the 'Startup' tab, uncheck "Encmonitor", then restart the computer to Make It So. It stopped the problem immediately, but what's with MS, when they claim the thing doesn't connect?
--Catmandoo
