spool32.exe trying to launch Monitor.exe to Net

Discussion in 'malware problems & news' started by Hump, Mar 29, 2005.

Thread Status:
Not open for further replies.
  1. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    HELP!
    This thing is driving me CRAZY! I have Sygate firewall, and have it set to block persistent numerous attempts to access a remote host. It says "C:\windows\system\spool32.exe try to launch another application C:\program files\encompass\monitor.exe" to remote host; "ftp.encmpss4.com" 206.204.30.83 on the traffic log. It also has a whole bunch of IP #'s trying to access my computer, and may be preventing successful scanning with AdAware, which locks up before completion in Normal mode, but ran in Safe mode. It seems to have started after downloading a (free?) comedy video. I don't know what this thing is, and my AVG Antivirus, SpybotS&D, and HT didn't find it. It runs after connecting to the net with a browser, and fills the whole firewall traffic log with connection attempts. PLEASE HELP!
    Thanks.
    --Hump
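
The one hard signal in the post above is the firewall's application-control message: a binary in the system directory launching a program under Program Files to reach a remote FTP host, repeated until the log fills, followed by a burst of inbound hits. The script below is an added example, not code from the original poster or from Sygate: it runs that kind of detection logic over a constructed, simplified log whose line layout is an imitation of the message quoted in the post (the real Sygate export format is not on this page). The spool32.exe -> monitor.exe chain and the ftp.encmpss4.com / 206.204.30.83 destination are the strings from the post; the timestamps, the 192.0.2.x addresses, the example.com line and the thresholds are made up.

```python
"""Flag process-launch chains, call-home beacons and inbound scan bursts in
firewall traffic-log lines (added example; the log format is constructed)."""
import re
from collections import Counter

# Constructed sample log. Only the spool32.exe -> monitor.exe launch and the
# ftp.encmpss4.com / 206.204.30.83 destination come from the forum post.
SAMPLE_LOG = r"""
2005-03-29 20:01:02 OUT C:\windows\system\spool32.exe try to launch another application C:\program files\encompass\monitor.exe to remote host ftp.encmpss4.com 206.204.30.83:21
2005-03-29 20:01:03 OUT C:\program files\encompass\monitor.exe to remote host ftp.encmpss4.com 206.204.30.83:21
2005-03-29 20:01:05 OUT C:\program files\encompass\monitor.exe to remote host ftp.encmpss4.com 206.204.30.83:21
2005-03-29 20:01:09 OUT C:\program files\encompass\monitor.exe to remote host ftp.encmpss4.com 206.204.30.83:21
2005-03-29 20:01:10 OUT C:\program files\internet explorer\iexplore.exe to remote host www.example.com 192.0.2.10:80
2005-03-29 20:01:11 IN remote host 192.0.2.21 to local port 135
2005-03-29 20:01:11 IN remote host 192.0.2.22 to local port 135
2005-03-29 20:01:12 IN remote host 192.0.2.23 to local port 445
2005-03-29 20:01:12 IN remote host 192.0.2.24 to local port 135
"""

IP = r"\d+(?:\.\d+){3}"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<msg>.+)$")
# Launch lines must be tested before plain outbound lines: the launch text
# also contains "to remote host" and would otherwise parse as a single process.
LAUNCH_RE = re.compile(
    r"^(?P<parent>.+?) try to launch another application (?P<child>.+?) "
    r"to remote host (?P<host>\S+) (?P<ip>" + IP + r"):(?P<port>\d+)$")
OUT_RE = re.compile(
    r"^(?P<proc>.+?) to remote host (?P<host>\S+) (?P<ip>" + IP + r"):(?P<port>\d+)$")
IN_RE = re.compile(r"^remote host (?P<ip>" + IP + r") to local port (?P<port>\d+)$")

# Windows 9x / NT system directories (lower-cased, compared as path prefixes).
SYSTEM_DIRS = (r"c:\windows\system", r"c:\windows\system32")


def parse_log(text):
    """Turn log lines into event dicts; unrecognised lines are skipped."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if m["dir"] == "OUT":
            lm = LAUNCH_RE.match(msg)
            if lm:
                events.append({"ts": ts, "kind": "launch", "proc": lm["parent"].lower(),
                               "child": lm["child"].lower(), "host": lm["host"].lower(),
                               "ip": lm["ip"], "port": int(lm["port"])})
                continue
            om = OUT_RE.match(msg)
            if om:
                events.append({"ts": ts, "kind": "out", "proc": om["proc"].lower(),
                               "host": om["host"].lower(), "ip": om["ip"],
                               "port": int(om["port"])})
        else:
            im = IN_RE.match(msg)
            if im:
                events.append({"ts": ts, "kind": "in", "ip": im["ip"], "port": int(im["port"])})
    return events


def launch_chains(events):
    """A system-directory binary launching something outside the system
    directory to reach the network: the chain Sygate reported in the post."""
    return [e for e in events if e["kind"] == "launch"
            and e["proc"].startswith(SYSTEM_DIRS)
            and not e["child"].startswith(SYSTEM_DIRS)]


def beacons(events, threshold=3):
    """(process, host, ip, port) tuples attempted at least `threshold` times:
    the persistent call-home that fills a traffic log."""
    counts = Counter((e["proc"], e["host"], e["ip"], e["port"])
                     for e in events if e["kind"] in ("out", "launch"))
    return {key: n for key, n in counts.items() if n >= threshold}


def inbound_scan(events, min_sources=3):
    """Many distinct sources hitting local ports in a burst; returns None
    below the threshold, otherwise the source count and the ports touched."""
    by_port = {}
    for e in events:
        if e["kind"] == "in":
            by_port.setdefault(e["port"], set()).add(e["ip"])
    sources = {ip for ips in by_port.values() for ip in ips}
    if len(sources) < min_sources:
        return None
    return {"sources": len(sources), "ports": sorted(by_port)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for chain in launch_chains(evs):
        print("launch chain:", chain["proc"], "->", chain["child"], "->", chain["host"])
    for (proc, host, ip, port), n in beacons(evs).items():
        print(f"beacon: {proc} -> {host} ({ip}:{port}) x{n}")
    print("inbound burst:", inbound_scan(evs))
```

The launch-chain check only surfaces the parent/child pair for investigation; it says nothing about whether the parent binary itself has been replaced, and a process name in the system directory is not proof of anything either way. That is also why a per-application outbound filter caught this where the signature scanners listed in the thread did not: the rule keys on behaviour (who launches whom, to where, how often), not on a known file.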
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Try the GENERAL Virus and Trojan removal Instructions. Post back with the results. :)
     
  3. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13

    Don,
    Thanks for your reply. This forum is a real eye-opener for me. The Panda online-scan indicated (1) adware known as ExactSearch (and a bunch of other names) which is undetected by most programs. My system (WIN98 SE, 64mb ram) is insufficient to run their paid product, so will try TrendMicro PCcillin and hope it works to remove it. Perhaps this belongs under adware/spyware forum instead. It was Sygate that tipped me off, and probably prevented a whole host of other installs from other products? Would this stuff eventually cripple the system and kill the goose from which they harvest their ill-gotten gains? Many thanks, and will let you know if this worked. (The way you set up those links is mighty impressive--and convenient.)
    --Hump
     
  4. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Hump, after using Trend Micro Housecall from my link, both the older one and the newer one called 6.0, I would still recommend that you download, install and update some of the programs from the "GENERAL Virus and Trojan removal Instructions", but we have to be careful, because you do not have that much RAM:

    For anti-virus: Nod32, very light footprint, has its support on this forum; configuration: Blackspear's Extra settings for Nod32. I'm assuming that you don't have any AV running ATM; uninstall it if you do, two don't work well together.

    Free adware/spyware-scanners:

    Spybot
    Ad-Aware

    For Anti-trojan:

    A2-free

    Simply update and run them. If you are unable to run these, then perhaps downloading HiJackThis, posting your log at Spywareinfo or CastleCops could be your last resort; Wilders doesn't provide this service anymore.

    Post back with the results. :)
     
    Last edited: Mar 30, 2005
  5. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    Hi Don,
    It's been a real battle with this spyware. It seems like when MRU Blaster and Monitor Application first accessed the web, and I allowed it, outside spoofed IP #'s claiming to come from legitimate businesses started pouring in--15 or more. I scanned with Bit Defender, Panda (nothing except Panda's false ad detection); then PCCillin found "SPYW_INVKEYI2A; KEYLOGWN.A; SPYAGENT.A; SPYANYWER.A; SPYDANYWE.A; PLDIALA; TROJ_CLICKER.DN". The "Spyagent" seems to attack AV and firewall components, and the firewall log indicated it had been turned off a few times. Also, had to reinstall AVG with repairs. Had to remove it to try other stuff. The way I've survived so far is by saving 'install wizards' to recycle and reinstalling stuff, especially SNMPAPI.DLL (damaged by 'Spyagent'), needed for firewall operation. PCCillin can't block outgoing traffic selectively, like Sygate, so the infection contacts its home: ftp.Encompass4.com 206.204.30.83 and I'm attacked with some insidious methods. One indicated by PCCillin firewall: Security Rule Matched: IP 63.188.73.57 port 135. As soon as there's contact, a storm of activity assaults the computer, and doesn't stop until it's shut off. The first target is firewall/antivirus. It attacked at a weak moment after downloading updates for PCCillin, during the 'restart computer' prompt. I'm surviving because of Sygate; PCCillin was damaged from the attack, so deleted. Have not found even one virus during scans, and all aforementioned spyware has been removed. Thank you for the additional suggestions, which I shall try, and report back. Meantime, I have reinstalled AdAware (functions exactly as before) and will reinstall MRUBlaster in the hope the infection may be removed.
    I've been using SpybotS&D, SpywareGuard, CWShredder, AdAware, SpywareBlaster, HJTv1.99, MRUBlaster, BHODemon, SpywareBlocklist, IESpyad, and had AVG antivirus and Sygate firewall. Nothing detected this. Tried SpywareDoctor, and found a couple trojans--don't remember which ones, and deleted.
    I'm going to try TrojanDefenseSuite, and a couple of other devices, and Sygate is keeping the bad guys out. A torrent of port scans follows anything outgoing from the spyware, so must batten the hatches. PCCillin won't work if the firewall is turned off, so can't have the best of both worlds.
    Have you tried ZoneAlarm? I had to reinstall the OS each time I tried it (twice), but perhaps it was not properly set up? That was before I discovered this forum.
    I'll try all your kind suggestions, and report back. If all else fails (wish I had an external HD), there's always reinstalling the OS, but the best thing that could happen is to find out how to beat these guys! At least until next time.
    --Hump
     
  6. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    Hello everyone,
    I deleted required dll's with "CrapCleaner" and the system wouldn't function anymore, so reinstalled the OS fresh after defrag. The reason for trying CC is that after all the stuff I tried out, the computer was pretty slow and I got a little too desperate and reckless. I'm sticking with MRUBlaster and IEPrivacy Keeper. Then downloaded and installed programs, and when I activated Sygate, the same thing had already invaded, and was trying to contact the spoofed spy addresses from Monitor application, and spoofed port scans are coming. Also had MRUBlaster trying to access the net. Is that valid? Has anyone else encountered this stuff? The Sygate Pro firewall is good so far. The trouble is, in order to set up, a net connection is required, and there's no firewall until one is downloaded. Nothing has found this so far, so perhaps it's time for an HT analysis. What if it still finds nothing?
    Is this like someone getting your home phone #? Has this happened to anyone else? PLEASE, any help or advice would be appreciated.
    THANKS!
    --Hump
     
  7. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    That's not good, Hump. I only have a couple of suggestions for you. What I would do is to download Bitguard firewall; it's the only one I know that will fit on a floppy! So download this to a floppy and do a format/reinstall, and install Bitguard before connecting to the internet again and downloading your usual setup/programs, and see if this will help you. :)
     
  8. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    THANK YOU! For all the suggestions. I'm trying to post a HijackThis log, but never "cut and pasted" anything before, so I'll try again at CastleCops (under this same heading). I'll try buying some floppy disks and downloading a firewall for install BEFORE accessing the Net again. It seems like these dogs have got my scent.
    I'll let you know what happens. If anyone has encountered this before, it sure would be interesting to hear about it.
    --Hump
     
  9. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    HELLO! to all my readers.
    And thank you for taking the time to help out. I have posted a HJT log (whew! . . .) which was a learning experience in itself, and am awaiting a reply. Boy, there sure are a lot of people with computer bugs. Just hope it's not lost in the crowd.
    --H
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Hi, I replied to your post at CastleCops :D

    be sure to reply back ;)
     
  11. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    Hi illukka,
    I followed your suggestions, deleted as per the HJT log items. Then tried to post the next HJT log, but things started to get very erratic with the computer, and could not close the running HJT application. Then stupidly tried cleaning house with MRUBlaster, which deleted a bunch of desktop shortcuts. These problems had nothing to do with the deletions. Then couldn't get HJT out of Wordpad, and into Notepad. It was stuck. So instead of restarting, I decided to reinstall the OS from the recovery disc. For good measure, I did it twice (probably didn't matter anyway), in the hope that if this thing is buried deep inside, it will be destroyed. Then the FIRST place I went was to download Sygate firewall from PCWorld. It indicated portscanning galore, and the device was already trying to call home by the time it started up. So it was too late. I'm going to reinstall again, but this time with a firewall (ZoneAlarm). Not my first choice, but Bill Gates provided it with MS updates, so I'll try to follow Wilders' setup instructions and see if it keeps the buggers out. Thanks again, and I'll let you know what happens.
    --Hump
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Hump, welcome to Wilders.

    You may want to take a look HERE. As well there are discussions HERE and even more HERE.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     