Announcement

**Sumpson** · 02-22-2007, 06:47 AM

I've had something like that before, what helped was re-installing windows, you can try to save as many files as possible in those 5mins. Perhaps there's other ways to fix it I don't know about tho..

**Maverick** · 02-22-2007, 10:37 AM

Sounds like a virus to me, run an online virus scan.

Reinstalling windows isn't always the right solution, stop suggesting it ffs <_<

**Richard Creager** · 02-22-2007, 12:28 PM

1) Pray you have a system restore point, you can try it first if you wish or
2) Get your ass loaded up into safe mode, unplug your ethernet, get the fuck rid of as much shady shit as you can find, then find more, then fuck up more shit, reboot and if it still is there then do step 1. If neither of this works
3) Pray your OS is on a different partition than all of your files, reinstall microshit, recompile your kernel, or get a unix installed just to be able to manage your data in peace.

PH · 02-22-2007, 05:03 PM

Well, the rebooting seems to have stopped, so I'll update on my progress.

I found a file named "E81.tmp" that was eating CPU and bandwidth, and a Google search says it was a trojan downloader, so I killed and deleted it. Unfortunately I can't figure out why it keeps spawning. I'm updating a virus scanner as we speak (Mav, I can't really use HouseCall because as I said this thing randomly closes programs, and it interrupted three scans before I gave up and got a scanner to run offline. HouseCall is really good though, I have used it before), so hopefully I will be rid of whatever this thing is soon.

PH · 02-22-2007, 05:53 PM

This thing is a mutt consisting of several types of trojan horses.

Trojan horse Proxy.KPU (C:\rawpy.exe)
Trojan horse Downloader.Generic3.TKJ (C:\eiplx.exe)
Trojan horse Downloader.Agent.IMX (C:\ybaxd.exe)
Trojan horse Collected.Z (C:\jiyywtxq.exe)
Trojan horse Collected.Z (C:\eibkqlk.exe)
Trojan horse Downloader.Agent.ICW (C:\WINDOWS\system32\crypts.dll)
Trojan horse Proxy.KEB (C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLPEOAL7\s3.0[1].exe)

Plus about 15 randomly named .htm and .txt files in LocalService\Local Settings\TIF\Content.IE5\[random folder]. Very annoying.

The .exe files in the root folder keep spawning, but the main one that keeps closing everything (tcpipmon.exe) has not run yet. I'm still going to run another full scan and see if I can wipe it out entirely.

**SEAL** · 02-22-2007, 05:58 PM

install http://www.mlin.net/StartupCPL.shtml
simple, handy and nothing you wouldn't / shouldn't know. Yet, very handy for an overview.

avg and ad-watch perhaps for the future?

PH · 02-22-2007, 07:53 PM

I keep my startup list very small, so that program didn't show me anything that I didn't already know about. Even running HijackThis and fixing the things I missed has failed to keep the files from coming back. I have removed all references to tcpipmon.exe, rebooted into safe mode with command prompt and deleted it, and it just continues to come back. In fact, it's running TWICE in my processes as we speak.

On the bright side, the annoying system tray icon that it produces has not appeared since I rebooted. Obviously I would like to get rid of it, but I'm at a loss. AVG knows what all this junk is, but even it has failed me. My next option will involve a sledgehammer unless I get some help.

**Xog** · 02-22-2007, 09:12 PM

TCPIPmon.exe isn't a virus, there is most likely something else that is making your computer restart.

TCPIPmon.exe is the TCP-IP Monitor program running in your background and it's most likely from your firewall or router.

Got a linksys router?

PH · 02-22-2007, 09:31 PM

I don't have a router hooked up, and I've never seen this file before in my life. It has never appeared in my startup, and I have never seen it any of the times I've looked through my Windows folder. There's no reason for it to recreate itself and run TWICE on startup. If it was a legitimate file I think I would be able to find something on Google about it, but there are only a few results and they are all in other languages.

Another note: during the most recent reboot its icon changed from a shield with an X through it to a warning sign (yellow triangle with black exclamation mark). There's no way this thing is legit. I've deleted every suspicious file that I've seen since it was created, including a .sys file, and it WILL NOT DIE. The process itself cannot even be killed.

aoshgdaoshgaodaghsogdsoagdhos

**HeavenSent** · 02-22-2007, 09:34 PM

I don't know if this would help...
What I do in cases like this is (in safe mode with command prompt) go to my DOS prompt. Then I go to the directories where the files seem to be appearing (C:\, System32, Windows, Application Data, Local Settings/Temp,Program Files). "dir /O -D" To list newest files first. Then from time when all the shit started, I deleted all the files created.
Also, i'd go to MSCONFIG & startup tab and note the processes that i don't want and look for those lines in my REGEDIT and delete them & the folders they're in before rebooting.

PH · 02-23-2007, 01:51 AM

I've basically dissected every possible thing this machine runs at startup, and I can't figure out where the hell the files are coming from. I'm going to throw in the towel and use Richard's third option, a clean XP install. Thanks for the attempted help anyway, guys.

**Money** · 02-23-2007, 02:03 AM

less porn, less porn.

**Maurauth** · 02-23-2007, 10:10 AM

Originally posted by Xog View Post

TCPIPmon.exe isn't a virus, there is most likely something else that is making your computer restart.

TCPIPmon.exe is the TCP-IP Monitor program running in your background and it's most likely from your firewall or router.

Got a linksys router?

yeah but it appears that what he has is a trojan using that process name so that it doesn't appear to be anything other than a router program.

**Mr. 420** · 02-23-2007, 11:17 AM

If you have the Restore Points thingy enabled, you need to disable it, then remove all the bad files, reboot, then turn it back on.

If you don't have it running, I don't know what's wrong, I would just format.

Announcement

tcpipmon.exe

tcpipmon.exe

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Channels