monsvr.exe



andrewgu
2007-04-20, 05:31
A mystery program, monsvr.exe, is trying to send mystery emails from my computer and is interfering with my email program (Thunderbird) and browser (Firefox).

The file Monsvr.exe is in my directory c:\windows\prefix
File monsvr.exe-07368D3B.pf
A .pf file of 61 KB

I scanned with Spybot and found nothing.

I have scanned my computer using AdAware. AdAware found 1 critical object: a tracking cookie, IE cache entry, Data Miner.
Cookie: [my name]@microsoftwga.112.207.net
This cookie disappeared when I allowed monsvr access to the internet.

I use ZoneAlarm firewall and Windows XP.

When I turn on my computer, ZoneAlarm asks me to accept or deny requests from monSvr.exe:
- monSvr.exe trying to access the internet: accept or deny
- monSvr.exe wants to accept connections from the internet
- monSvr.exe wants to accept connections from the trusted zone
- monSvr.exe wants to send emails

Only after I accept monsvr having access to the internet can Thunderbird access my mail box.

I think that monsvr is also interfering with Firefox accessing the internet. I often get messages like “Server not found” even when I am trying to access Google. This has led me to start using Internet Explorer as it can access the web while Firefox cannot.

I searched the Mozilla knowledge base and found nothing on the subject.

I searched the Microsoft knowledge base and found nothing on the subject – despite the above-mentioned cookie having Microsoft in its name.

I searched using Google and only found mention of monsvr on the site selling Prevx protection software. This site suggested that monsvr had the potential to send mass emails. I downloaded their software for a trial, but it did not identify any problems on my computer.

The Prevx site identified a path name associated with monsvr.exe:
Path name: %temp%icbb-11-14 r69-27 iinet b01 monitor temporary items
Vendor: not known
The path name includes the characters iinet, and my service provider is iiNet.
I rang iiNet; they say this is a coincidence and has nothing to do with them.

I have scanned my computer using Symantec AntiVirus and found nothing.

I am considering copying monsvr.exe onto a floppy disc and then deleting monsvr from my hard disk. I hope this does not cause problems.

Do you have any advice for me?

steamwiz
2007-04-20, 22:46
Hi

Sounds like a rootkit we are seeing a lot of recently...

Please download Sophos Anti-Rootkit, and save it on your desktop.

http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

1. Double-click sarsfx.exe to extract the files and leave the default settings.
2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
3. Make sure the following are checked:

- Running processes
- Windows Registry
- Local Hard Drives

4. Click the "Start Scan" button.
5. Click the "OK" button after you get the notification that the scan has finished and close the program.
6. Click on Start>Run and type, or copy and paste:-

%temp%\sarscan.log

then press Enter.

7. This should open the log from the rootkit scan.

Post the log into your next reply.

Note:
If the scan is performed while the computer is in use, false positives may appear in the scan results.
This is caused by files or registry entries being deleted, including temporary files being deleted automatically.
It has also been reported that Trojan Hunter is detecting Sophos Anti-Rootkit as Trojan.Dropper.Interlac.100,
so if you have Trojan Hunter installed you will need to disable it prior to running a scan.

---
I would also like to see a hijackthis log...

Download a self-extracting copy of HijackThis from :-
http://downloads.malwareremoval.com/hijackthis_sfx.exe
1. Save it to your Desktop.
2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
C:\Program Files\HijackThis
3. Go to this folder and run the hijackthis.exe file.
4. Click "Do a system scan and save a logfile".
5. Copy & paste the logfile into your next post here...

steam

andrewgu
2007-04-21, 12:38
Hello steamwiz

Thanks for your response and easy-to-follow instructions.
Here are the logs you suggested I get and post.
I am a novice at this stuff.
I await further suggestions - what does it tell us?

The Sophos Anti-Rootkit log
**

Sophos Anti-Rootkit Version 1.3RC (data 1.06) (c) 2006 Sophos Plc
Started logging on 21/04/2007 at 20:18:27 PM
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004022720040228
Stopped logging on 21/04/2007 at 20:21:52 PM

**

HijackThis log
**
Logfile of HijackThis v1.99.1
Scan saved at 8:27:36 PM, on 21/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iiNet\iConnect\launcher.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Service Centre.lnk = C:\Program Files\iiNet\iConnect\launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177072787343
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

**

steamwiz
2007-04-21, 15:36
Hi

Here it is, running from one of your temp folders ...

C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe

Very few legitimate programs run from temp folders, and anything running from a temp folder is asking to be deleted.


Right click the Taskbar and click "Task Manager" or Ctrl-Alt-Del to bring up task manager ...

On the processes tab, look for monSvr.exe

Highlight it and click end process

Then...

Browse to and delete the entire contents of the C:\documents and settings\ANDREW~1\local settings\temp folder (do NOT delete the folder itself).

You can also delete the monsvr.exe-07368D3B.pf file in the Prefetch folder.

Reboot & post a new HijackThis log.

steam
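One way to apply the rule in the reply above (nothing legitimate should be running from a temp folder) to a HijackThis log, as an added example that is not code from this thread or from HijackThis: it walks the "Running processes" section and the O-item lines, pulls out each executable path and flags those under a Temp folder, in either long or 8.3 form. The sample log is constructed from a few lines of the log posted earlier, plus one made-up O4 "Updater" entry so the autorun check has something to catch.

```python
"""Flag HijackThis log entries whose executable lives in a temp folder."""
import re

# Constructed sample in the shape of the HijackThis v1.99.1 log posted in the
# thread. The monSvr.exe process line is the one from the thread; the
# "Updater" O4 entry is made up to exercise the autorun check.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\iiNet\\iConnect\\launcher.exe
C:\\DOCUME~1\\ANDREW~1\\LOCALS~1\\Temp\\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\\monSvr.exe
C:\\Program Files\\HijackThis\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.iinet.net.au/
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O4 - HKCU\\..\\Run: [Updater] "C:\\Documents and Settings\\Andrew\\Local Settings\\Temp\\upd.exe" /silent
O4 - Global Startup: Service Centre.lnk = C:\\Program Files\\iiNet\\iConnect\\launcher.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# A directory component named Temp/tmp (long or 8.3 form both end in "\Temp\"),
# or an unexpanded %temp% / %tmp% variable as Prevx reported it.
TEMP_DIR_RE = re.compile(r"(?i)(?:^|\\)(?:temp|tmp)\\|%temp%|%tmp%")

# First drive-letter or %var%-rooted path ending in an executable extension.
PATH_RE = re.compile(
    r'(?i)(?:[a-z]:\\|%[a-z]+%\\)[^"\r\n]*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs)')


def is_temp_path(path):
    """True if any directory component of the path is a temp folder."""
    return TEMP_DIR_RE.search(path) is not None


def extract_path(line):
    """Return the first executable path in a HijackThis item line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def find_temp_entries(log_text):
    """Return (kind, path) pairs for executables that sit under a temp folder.

    kind is 'process' for lines in the Running processes section, otherwise the
    HijackThis item code (O4, O23, ...). Lines without a recognisable path
    (e.g. R0 start-page URLs) are skipped.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            kind, path = "process", line
        else:
            m = re.match(r"(O\d+|R\d+|F\d+)\s+-\s", line)
            if not m:
                continue
            kind, path = m.group(1), extract_path(line)
        if path and is_temp_path(path):
            findings.append((kind, path))
    return findings


if __name__ == "__main__":
    for kind, path in find_temp_entries(SAMPLE_LOG):
        print(f"[{kind}] runs from a temp folder: {path}")
```

A hit in the process list with no matching O4, O20 or O23 entry (as in the log above) means the launcher is something else that runs at startup, which is why the reply asks for a fresh log after reboot.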

andrewgu
2007-04-22, 06:14
Hello steamwiz

I followed your latest instructions. Thanks for them.

When I rebooted, monsvr reappeared.
Monsvr.exe was in the recycle bin.

I wondered whether you wanted to keep it in the recycle bin as backup.
Being rash, I emptied the recycle bin and went through your steps again:
- ending the monsvr process in Task Manager
- deleting the contents of my \local settings\temp folder
- deleting the file monsvr.exe
- rebooting

Shock horror: ZoneAlarm still shows monsvr is trying to access the internet.
I denied this and now, thankfully, I think it is not affecting my email and browsing.
Monsvr is still an active process as I type.

Here are the logs again:

Sophos Anti-Rootkit Version 1.3RC (data 1.06) (c) 2006 Sophos Plc
Started logging on 22/04/2007 at 14:03:24 PM
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004022720040228
Stopped logging on 22/04/2007 at 14:06:47 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:08:39 PM, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\System32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iiNet\iConnect\launcher.exe
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.iinet.net.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iinet.net.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Service Centre.lnk = C:\Program Files\iiNet\iConnect\launcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177072787343
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\System32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

steamwiz
2007-04-22, 12:40
Hi

Please upload the file for me.

Please go here :-

http://www.thespykiller.co.uk/index.php?board=1.0

Start a new topic, titled: files for steamwiz

put this in your post :-

for steamwiz ...

link :- http://forums.spybot.info/showthread.php?t=13083

C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe


then please find the C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe file ...

... zip it & attach it to the post...

---
Then...

1. Please download silentrunners from here :-

http://www.silentrunners.org/Silent%20Runners.zip

2. Unzip it to your desktop.

3. Double-click on the VBS file (if your antivirus alerts, allow the script to run).

4. Once finished, the script will save a Notepad document to your Desktop.

5. Copy and paste the contents of that text file in this thread.


steam

andrewgu
2007-04-23, 01:51
Hello steamwiz

When I searched for monsvr.exe in file explorer, I noticed that it has an icon that is the same as the iiNet iConnect Service Centre icon.
iiNet is my service provider.
Could it be part of the iiNet system?
iiNet does appear in the path name.
The iiNet staff I talked to said it had nothing to do with iiNet.
I have been having problems with my service connection, often getting the message
"internet service disconnected"
Yesterday the "service centre" "could not connect to my router".

I uploaded monsvr.exe to the spykiller forum.

I ran Silent Runners and posted the results here.

Thank you for your continuing assistance.


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PRONoMgr.exe" = "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" ["Intel(R) Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"IntelliType" = ""C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{58670320-13EC-11D0-BF8E-F7B4D9CD8E4A}" = "Folder Size Shell Extension v3.1a"
-> {HKLM...CLSID} = "Folder Size Shell Extension v3.1a"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\dfolder.dll" ["Orium Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{1CAA843A-6DBD-40EF-AB71-8F7B209997C0}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "ITPropertyPage Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Hardware\Keyboard\itcpl.dll" [MS]
"{3DE5DB7C-0EA5-4337-8A5C-D0AC6D154C1B}" = "SFS_CONTEXT"
-> {HKLM...CLSID} = "Simple File Shredder Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\scar5\SIMPLE~1\sfsshell.dll" ["scar5 Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
SFS_CONTEXT\(Default) = "{3DE5DB7C-0EA5-4337-8A5C-D0AC6D154C1B}"
-> {HKLM...CLSID} = "Simple File Shredder Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\scar5\SIMPLE~1\sfsshell.dll" ["scar5 Software"]
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
-> {HKLM...CLSID} = "UltraEdit-32"
\InProcServer32\(Default) = "C:\PROGRA~1\ULTRAE~1\ue32ctmn.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SFS_CONTEXT\(Default) = "{3DE5DB7C-0EA5-4337-8A5C-D0AC6D154C1B}"
-> {HKLM...CLSID} = "Simple File Shredder Shell Context Menu"
\InProcServer32\(Default) = "C:\PROGRA~1\scar5\SIMPLE~1\sfsshell.dll" ["scar5 Software"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Startup items in "Andrew Gunner" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"Service Centre" -> shortcut to: "C:\Program Files\iiNet\iConnect\launcher.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"MyAlarmUseCalculator" -> launches: "C:\WINDOWS\system32\calc.exe" [MS]
"MyPeriodicInterrupt" -> launches: "F:\My Documents\Andrew\Health\ExercisesInterrupt.txt" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [empty string]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Diskeeper, Diskeeper, "C:\Program Files\Executive Software\Diskeeper\DkService.exe" ["Executive Software International, Inc."]
Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
VMware Authorization Service, VMAuthdService, "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\System32\vmnetdhcp.exe" ["VMware, Inc."]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\System32\vmnat.exe" ["VMware, Inc."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i865\Driver = "CNMLM5m.DLL" ["CANON INC."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 59 seconds, including 19 seconds for message boxes)
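The report above lists each launch point as a quoted image path followed by a publisher tag in square brackets ("[MS]", a company name, or "[null data]" when nothing could be read). Below is an added triage script, not part of the thread or of the reporting tool, that parses lines in that format and flags the two properties that made monsvr.exe stand out in this thread: no readable publisher, and an image that runs from a Temp folder. The sample lines are constructed to match the report format; the monSvr.exe path is the one quoted later in the thread.

```python
"""Triage launch-point report lines for unverified publishers and Temp-folder images.

Added example; it is not code from the thread or from the reporting tool.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the report format in the thread. The last line is a
# constructed entry using the monSvr.exe path quoted later in the same thread.
SAMPLE_REPORT = r"""
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Service Centre" -> shortcut to: "C:\Program Files\iiNet\iConnect\launcher.exe" [null data]
DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
"Monitor" -> launches: "C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe" [null data]
"""

# A quoted drive-letter path (the report sometimes doubles the quotes) followed by the
# publisher tag in square brackets at the end of the line.
ENTRY_RE = re.compile(r'"+([A-Za-z]:\\[^"]+)"+\s*\[([^\]]*)\]\s*$')

# A "\Temp\" or "\Tmp\" directory segment anywhere in the path (8.3 names included).
TEMP_SEGMENT_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Publisher tags the report emits when no company information could be read.
UNVERIFIED_TAGS = {"null data", "empty string"}


def parse_entries(report: str) -> List[Tuple[str, str]]:
    """Return (image_path, publisher_tag) for every report line that carries one."""
    entries = []
    for line in report.splitlines():
        match = ENTRY_RE.search(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def reasons_for(path: str, tag: str) -> List[str]:
    """Explain why an entry deserves a second look; empty list means nothing flagged."""
    reasons = []
    if tag.strip().lower() in UNVERIFIED_TAGS:
        reasons.append("unverified publisher")
    if TEMP_SEGMENT_RE.search(path):
        reasons.append("runs from a Temp folder")
    return reasons


def triage(report: str) -> List[Dict[str, object]]:
    """Return only the entries that have at least one reason, in report order."""
    findings = []
    for path, tag in parse_entries(report):
        reasons = reasons_for(path, tag)
        if reasons:
            findings.append({"path": path, "tag": tag, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f'{finding["path"]}\n    [{finding["tag"]}] -> {", ".join(finding["reasons"])}')
```

Neither flag proves anything on its own: the iConnect launcher is flagged only because its publisher field was unreadable, and the thread's eventual answer is that monSvr.exe is a legitimate component that was simply dropped into a Temp folder. The value of the script is that it reduces a long report to the handful of entries worth asking about.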

steamwiz
2007-04-23, 18:37
HI

On the face of it, it looks as though it might be from your ISP, but take a look at this writeup from prevx...

http://spywarefiles.prevx.com/RRHJID26700111/MONSVR.EXE.html

MONSVR.EXE is a file recently detected by the Prevx database. This file is yet to be determined globally as Good or Bad,

ACTIVITY ANALYSIS OF: MONSVR.EXE
The following behaviors have been observed for this object:
Invokes dll components.
Runs temporary programs.
Runs other programs.
Communicates with web sites using httpout protocols.
Has mass mail capabilities.
Sends mail using your email program.

Why would your ISP want to install & run a program on your computer, which sends mail using your email program?

I've had a look at the file & my disassembling program got nowhere with it ...

I'm 99% certain we are dealing with malware here, but I'm going to get some other opinions before we go any further.

steam

andrewgu
2007-04-25, 04:21
hello steamwiz

these observations may help you track this down

I have told zone alarm to not allow monsvr.exe acess to anything.

Now I notice that the "iconnect service centre" icon at the bottom right of my screen is red. (connection to my broadband)
When i move my mouse over the icon i am told "service centre disconnected"

when i double click this "service centre icon" zone alarm says that iconnect wants to access the trusted zone. I allow this.

This shows my connection status (and gets it wrong)
it shows trouble with my computer - a red cross
it shows nothing next to network, internet and email

as soon as I allow monsvr.exe access to internet, all these aspects of my system get a green tick: my computer, my network, my internet and my email. it would seem that monsvr blocks iconnect.

there are several files containing "iconnect" one is
c:\program files\iiNet\iConnect\iConnectBrowser.exe

when I delete monsvr.exe something puts it back onto my computer

steamwiz
2007-04-25, 21:24
as soon as I allow monsvr.exe access to internet, all these aspects of my system get a green tick: my computer, my network, my internet and my email. it would seem that monsvr blocks iconnect.


or monsvr is part of iconnect ?

I haven't forgotten you, we're still trying to find out exactly what monsvr is...

Would you do this for me please :-

Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

In the Processes group click ALL
In the Win32 Services group click ALL
In the Driver Services group click ALL
In the Registry group click ALL
In the Files Created Within group click 30 days Make sure Non-Microsoft only is UNCHECKED
In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
In the File String Search group select ALL

in the Additional scans sections please press select all
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Copy/Paste the information back here.

steamwiz
2007-04-25, 21:28
Hi

if the log is too big to copy & paste .... you can attach it ;)

steam

andrewgu
2007-05-02, 02:57
Dear steamwiz

how are the investigations going?

Is there any way of finding out the proposed destination of the emails that zone alarm tells me monsvr wants to send. Is it to the mafia or is it a part of a spam factory?

Is there any way of finding out what would be in these emails.

Is the time between (a) starting the computer with the modem on and (b) the start up of the firewall a point of vulnerability for people? monsvr seems to start up as soon as I turn the computer on. Should I turn my modem off until my firewall gets going?

I have started using internet explorer, rather than firefox, as firefox seems to get blocked more frequently by whatever is happening on my computer.


thanks again
andrew

andrewgu
2007-05-04, 03:06
dear steamwiz

i now realise my first attempt to post this, on 26apr, did not succeed as it was too long.
the whole text file is about 300,000 characters

in "additional scans" i did press "select all".
I also unchecked "non-microsoft only" - has this made it too long

I tried pasting it - did not work. they want < 20,000 char.
I tried breaking the file in half, before looking at the figures, of course this did not work.

I will try to attach it. This did not work.
Message "file of 252.7 KB exceeds forums limit of 19.5 KB for this file type".

Is there another option?

thanks andrew

andrewgu
2007-05-04, 22:39
hello

today i tried something different.
I opened windows task manager, clicked monsvr.exe and clicked end process.

The "iconnect broadband service centre icon" at bottom right of my screen disappeared!!! Even when I restarted the computer the icon did not reappear, neither did monsvr in "windows task manager" > "processes".

This icon should be green and pop up "Service centre" when you pass mouse over it.
It is normally red when I prevent monsvr from accessing the web using zone alarm. When it is red and I pass the mouse over it, it pops up "internet service disconnected"

iiNet wrote to me yesterday saying
"As you are using the belkin modem this is an ethernet modem and does not need any additional software installed on the computer to work, it only requires a working ethernet card and to be plugged in. The iconnect software is used as a more streamlined way to troubleshoot when the connection is not working and to configure the modem however it is not needed. The modem works without the software installed and you can configure your modem through the web browser interface if you need to make changes.
I would suggest to try uninstalling the iconnect software, restart your computer and see if this removes the problem processes."

does this suggest that monsvr.exe operates this icon. (I am out of my depth here)

I know steamwiz suggested it was strange functionality to give a "broadband connection debugging program".

regards andrew

steamwiz
2007-05-14, 21:32
Hi Andrew

Sorry I never got back to you, I've had a lot of work on recently, away from the net...

WE never got anywhere with the file you sent ... on the face of it, it does look legit...

Did you uninstall the program as your ISP suggested & is the problem now resolved ?

steam

andrewgu
2007-05-15, 15:15
Steamwiz

Hello and thanks for getting back to me. I’m quite relieved to have you to speak to about this again. I do not know what else can be done. I write to let you know where things got to.

I wanted to know where monsvr.exe comes from as zone alarm tells me that it attempts to send emails from my computer. I have discovered several things that suggest to me that monsvr.exe is part of the iinet iconnect program.

(1) The iinet installation cd that I got from iinet in April 2007 was labelled: “iinet iconnect 1 port voip modem” and contained a file called monSvr.dat

(2) This file is now also on my c drive: c:\programfiles\iinet\iconnect\monsvr.dat

(3) Before I deleted it, monsvr.exe had the characters "iinet" in its path
C:\DOCUME~1\ANDREW~1\LOCALS~1\Temp\iCBB_11_13 R09-27 IINET B01 Monitor Temporary Items\monSvr.exe

(3) When I double click the iconnect icon at the bottom right of my screen, Task manager shows that monitor.exe starts running. This suggests that monitor.exe is the iconnect program. File monitor.dat is also on the iinet installation cd. It seems that the installation process produces a monitor.exe file and this could be directly related to the file monitor.dat.

(4) It is possible that the installation process, in a similar way, takes the file monsvr.dat and creates a program monsvr.exe.

(5) Task manager still shows that monsvr.exe is an active process after I start my computer. When I select monsvr.exe and press “end process” in task manager, the iconnect icon disappears from the bottom right of my screen. This suggests that monsvr.exe controls the iconnect icon.

(6) The iconnect icon can be green and pop up "Service centre" when you pass the mouse over it. The iconnect icon turns red when I use zone alarm to stop monsvr.exe from accessing the web. When it is red and I pass the mouse over it, it pops up "internet service disconnected". That the iconnect icon is influenced like this by monsvr.exe’s access to the internet suggests that monsvr.exe is part of the iconnect software.

I have emailed iinet support. They responded with statements like “As to whether the iconnect software is responsible for the process name you are querying we do not know as this is outside the scope of support we provide”.

I attempted to put similar questions to the whirlpool / iinet forum. My first thread was moved from the iinet lounge to the windows lounge ( it did look like malware).
http://forums.whirlpool.net.au/forum-replies.cfm?t=733923
My second thread to the iinet lounge was deemed a double posting and closed.
http://forums.whirlpool.net.au/forum-replies.cfm?t=741015#bottom
This avenue now seems closed to me.

My experience on internet forums is that people are often amazingly generous (like steamwiz). I am mystified by this difficulty in finding out the origin of monsvr.exe.

I have now blocked monsvr.exe from the web and am now using internet explorer as firefox was erratic when monsvr.exe could not access the web.

regards

steamwiz
2007-05-15, 22:22
HI

Can you upload the monsvr.dat to the same thread which you uploaded monsvr.exe to please :-

http://www.thespykiller.co.uk/index.php?topic=4039.0

So did you try to uninstall the software ?

I've read the posts in the whirlpool.net.au/forums

Assuming there is malware involved (which I am still not convinced of) we can run several general malware removal programs, & see if any of them find anything ...

Lets start with this :-

Download and install the 30 day trial of AVG Anti-Spyware from HERE :-

http://www.ewido.net/en/download/

1. Download it to your desktop
2. Doubleclick the AVG Anti-Spyware icon to start the ewido setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close AVG Anti-Spyware > Do not run the scan yet.

Boot your computer into Safemode

1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process

1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close AVG Anti-Spyware
10. Copy & paste the AVG Anti-Spyware report in your next post

steam

andrewgu
2007-05-18, 02:45
hello steam wiz

I uploaded monsvr.dat onto the spy killer

I did not try to uninstall the software. I have only deleted as you suggested

Thanks for reading the whirlpool posts

I downloaded avg set up avgas-setup-7.5.50.exe to desktop
When I ran I got a message “64 bit edition of windows is not supported”
Whatever that means

I ran //housecall65.trendmicro.com a week ago.
It did not pick up anything

I was looking in c:\program files\iinet\iconnect for an uninstall program.
I could not find an uninstall.

I found an html help file which included:
. Welcome to iConnect
. iConnect will setup your connection to the broadband service using your router. If applicable, iConnect will also setup your connection to the VoIP service.
. This product was designed and manufactured for iiNet Pty Limited by OPEN Networks Pty Ltd.
. The Service Centre icon can be found on your Windows taskbar. The icon is green while the Internet Connection is operational. When the icon is red there is a problem.

Regards andrew

andrewgu
2007-05-18, 04:58
hello steam

I sent an email to open network support who created iconnect
They replied immediately saying:

. The purpose of Service Centre is to monitor the status of your internet service and advise you of any issues.
. Service Centre does this by constantly monitoring connectivity to your ADSL modem, web and email servers.
. To do this it requires Monsvr.exe to run.
. Set a rule in Zone Alarm to always allow Monsvr to run and issue will disappear.
End quote

It is a pity that iinet did not let me know this long ago.

Steam, Thank you very much for your support

Regards
Andrew

steamwiz
2007-05-18, 20:04
Hi

I'm glad OPEN Networks were able to finally confirm that Monsvr.exe is legit... still not a good idea for them to have it run from a temp folder, it not only makes it look dodgy, but it could easily be deleted by any cleaning program...



I downloaded avg set up avgas-setup-7.5.50.exe to desktop
When I ran I got a message “64 bit edition of windows is not supported”
Whatever that means


It means you must be running the 64 bit edition of windows XP ... instead of the "common" 32 bit version...

happy surfing

steam