WHY Is "MONITOR.EXE" Trying To Connect?

Discussion in 'other security issues & news' started by Hump, Apr 11, 2005.

Thread Status:
Not open for further replies.
  1. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    :eek: According to MS, "Monitor.exe" regulates internal functioning, and does not access the Internet, but this tries multiple times to CONNECT while on-line. The attempts are blocked by eTrust firewall; and outside port scans are blocked by PortBlocker. But once when I allowed access, it connected me with some VICIOUS malware (about seven trojans/spybots before I could turn off the computer--the stuff just went crazy even after the phone was unplugged). Is there some sinister device that exploits "Monitor.exe" and puts a bulls-eye on your IP#? Any and all experiences, ideas, or possible explanations/speculations are appreciated.
    I have gone so far as to reinstall the system from OEM CDs (Sony). Then with a firewall in place before even setting up the ISP connection, and never letting Monitor.exe out of its cage, by blocking it. It stayed quiet for a time, then started up again. Does this function this way for all systems and I just noticed it? Thanks for any replies or shared experiences.
    --Hump
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Malware (spyware, trojans, worms) routinely chooses innocent- or legitimate-sounding names in order to pretend to be what it's not...

    We know of a monitor.exe file which is a part of a browser hijacker, redirecting to NCM Search, and there could well be others.

    I suggest you run an updated Ad-Aware and/or MS Antispyware, then go to a support forum still offering spyware/adware removal services, and post a Hijack This log.

    Here are a few good places:

    Bleeping Computer: http://www.bleepingcomputer.com/forums/index.php?
    CastleCops: http://castlecops.com/modules.php?name=Forums&file=favforums
    Gladiator Security Forum: http://forum.gladiator-antivirus.com/index.php?act=idx
    Spyware Warrior Forums: http://www.spywarewarrior.com/index.php
    SpywareInfo: http://www.spywareinfoforum.com/
    Subratam.org: http://forums.subratam.org/index.php?
     
  3. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    Hi Tony! Thanks for the good advice. Before the most recent re-install, I ran 3 on-line scans: Bit-Defender, TrendMicro Housecall, Panda; installed (alternately) McAfee AV, TrendMicro PCCillin (a disaster because no outbound firewall control), AVG AV, Panda AV, A-2 (a-squared); and about 10 other anti-spyware devices and scanners. No viruses ever came up, but spyware/trojan devices did and were stopped and removed from the machine. I should mention I've had SpybotS&D, SpywareGuard, (had) CWShredder, AVG AV, Sygate Firewall (which was attacked and shut off, and settings changed), AdAware, SpywareBlaster, BlockList, BHODemon, WinPatrol, HJT, all updated. I use Firefox browser, have all MS updates and IE security settings are set high; net bios file has been renamed to help protect it. ActiveX and Javascript disabled.
    Is it possible, in your opinion, for something to either evade all my defenses and plant itself yet again? Or could something remain deep within the HDD waiting to emerge? The Monitor.exe must do something important, so it doesn't seem like a good idea to delete it. I've posted HJT logs, and no one could find a problem in the scan.
    --Hump
     
  4. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Impossible to say without a closer look. This particular monitor.exe file could be legitimate, or it could be malware.

    If you're stating "once when I allowed it access, it connected me with some VICIOUS malware", that really doesn't sound like something a legitimate file would be doing... Of course you could also be misinterpreting what exactly it was that happened.

    Whatever the case, in order to offer more than just an educated guess, one would need a closer look at your configuration.

    So I'd really advise you to post at one of the boards mentioned, explain your problem in as much detail as possible, and post a fresh HT log.
     
  5. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    Yes, my interpretation of cause of the "vicious" attack could easily be wrong. I'll take your advice and post the log wherever they'll let me (thanks for the links. They're very convenient). I still don't know how to send links, or parse copy for answering parts of a letter . . . someday. If we were all under as much assault in our automobiles as on our computers, we'd all have to drive Bradleys to the food store. And if we had to understand cars to drive, most of us would be walking--and healthier.
    I'll keep you posted. By the way, does your 'Monitor.exe' connect to the net? Just wondering if the disaster I described earlier could have been coincidence. Thanks.
    --Hump
     
  6. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You're very welcome. :)

    I don't have one (XP Pro or Win 98 SE).

    There is however a monitor.exe file that's part of the MS Server Suite: there it's a service related to monitoring hardware components for performance bottlenecks.

    You running that? If not, (and even if you are) chances are you're indeed dealing with spyware or worse.
     
    Last edited: Apr 12, 2005
  7. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    :eek: Hi! Tony!!
    When you say "spyware or WORSE" o_O -- what would that be? I've been posting HJT logs, and should get some evaluations, and will let you know right away. Your insight is greatly appreciated.
    The system didn't attempt to connect using "Monitor.exe" for about an hour after the clean system recovery, and the firewall was in before connecting to the Net. It makes me think of "Flux" trojans, which supposedly can get through routers and firewalls. The firewall indicates "sdn-ap-006dcwashP0031.dialsprint.net" as the location trying to be connected with from within my computer, and when I checked with two IP address information sites, they both verified that, from 63.188.48.31 and several others, pointing to the same source. It has some connection with "American Registry for Internet Numbers" "ARIN" and "ARINS-ARIN". What do you make of this?
    I've downloaded a version of Clam AV, which detects about a dozen variants of "Flux". I will shut down the eTrust firewall OFFLINE, then unzip and run it. Is this some form of surveillance? This thing is creepy. Will post back soon as I can.
    --Hump
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Well, I meant spyware, adware, or possibly a remote access trojan.

    But do have a look at the properties of your monitor.exe file (right-click the file > Properties > Version tab, etcetera).
    Does that give any information about its nature?

    Still, as I said, let's wait and see what the people perusing your log will have to say.
     
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi guys

    i've been dealing with Hump at castle cops..

    the log looks very clean :D

    Tony if you wanna take a look :
    http://castlecops.com/postlite115082-.html

    the "monitor" is this

    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    a legit entry as far as i'm concerned

    i was going to post there but we might continue it here too ;)
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Hi Illukka. Thanks for that! :)

    Very well, it may not be spyware (or worse), but it really doesn't need to run: http://castlecops.com/startuplist-1108.html

    Go to Start > Run > Msconfig and uncheck the box for "Encmonitor" on the Startup tab.

    Click OK, close Msconfig, restart your computer, and Monitor.exe won't bother you any more.
     
  11. Hump

    Hump Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    13
    HI! :) TONY!
    The scans are now ONLY coming from outside, where they belong, at about 1 per minute; also randomly, to many ports. Nearly all are from a common address, as I mentioned in an earlier post--Sprint. What's with Sprint? Are they making money from compromising people's information? Many scans (all of which are blocked) are directed at NetBIOS. What does that give them?
    You and illukka are a great team, and I'm counting my lucky stars for having found you.
    I'm still trying to install and run ClamAV, and the missing "MFC30D.DLL". It didn't install itself, so I'm still looking for solutions for that one. If help is needed with that, is it another topic for another post? Your research skills are very impressive, as the links you so kindly provided left nothing to conjecture.
    --Hump
     