TROJ_JUNKSURF.A

Ok, this badboy has caused some issues around our place lately.

I'm not totally sure but from all the clues I can gather it seemed to have switched off the IMON function in Nod32 v2.0
I asked Junior if he shut it off or what, and he said that he never touched any of the settings in our complimentry AV.
He has been at some game sites and seems to have picked this one up along the way.
What got my attention yesterday was the HT log which I will post.

Logfile of HijackThis v1.97.2
Scan saved at 10:33:08 AM, on 25/10/03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\kazaabegone\KazaaBegone.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forumthon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\games\Qtime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.3018518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Then when I was reading some of the forums I lost the internet connection. So shut all machines off and re-booted the modem.
Everything worked again.
This happened the second time without good reason so I called my provider and found nothing to crazy on there end. So I did the on-line scan and it picked up the TROJ_JUNKSURF.A right at the start.
This is what the HT log looked like after the scan witch revealed no viruses by the way.

Logfile of HijackThis v1.97.2
Scan saved at 11:24:13 AM, on 25/10/03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Free Surfer\fs20.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\All Users\Desktop\My Briefcase\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.forumthon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\games\Qtime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.3018518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Now the item 10 is missing and I never asked HT to fix anything.

Also I'll provide a sceen-shot of the KazaaBegone log just for the heck of it, because it also mentions IMON for some reason I'm not aware of.

Not to sure if this information is of any use to the higher-ups but it doesnt really hurt matters IMO.
If you feel this post is totally unnecessary, feel free to remove.

Take care

EDIT: typos

 

Hi RJ100,

Could you please shut down IMON, then start it again and run HijackThis again to see if the O10 item returns.
I think you need it for IMON to work properly.

Regards,

Pieter

 

OK, that was really strange.
I did what you said by switching it off then on again.(without re-boot)
Checked the HT log and sure enough # 10 reappeared in the log.
However I tried to post back with this info but my connection was lost again. Had to re-boot the modem again.....
Opened up KazaaBegone and the lone entry for imon was in there.
Deleted the entry and it called for a re-boot one again and now I have connectivity and IMON in disabled as of now.
Should we turn it back on to see what happens?
Will stand by for further instruction.

Take care

EDIT: Ok as of now entry #10 is not in the HT log

 

I notice in the Kazaabegone screenshot a reference to Newdotnet and a broken lsp. I'll leave it to the pros here but it was very common that removal of newdotnet (comes with Kazaa) resulting in a broken lsp. (loss of internet connectivity)
I believe there's also 2 tools available to fix this.
There's some info on this at doxdesk
http://www.doxdesk.com/parasite/NewDotNet.html

I'm just wondering if it might not be preferable to remove newdotnet prior to using Kazaabegone?

 

Hi RJ100,

Could you download and run: LSPFix and post a screenshot of both the Keep and Remove lists.
Or if you own, and for some reason I think you do, AdAware Plus or Pro, click PlugIns, select the LSP Explorer, click Run Plugin, click OK, select Layered Service Providers, rightclick it and choose Export text document and post the content of that report.

Regards,

Pieter

 

Ok, as requested.............

 

Hi RJ100,

Absolutely no sign of NewDotNet. No surprise since it normally would have showed up in the HijackThis log as well.
I think this is a bug in KaZaaBegone.

Regards,

Pieter

 

OK Pieter,
Thanks for sharing your time on this issue!

Should I enable IMON now to see what happens next?

 

I think I know what will happen, but please do.

Regards,

Pieter

 

Ok , Imon is now switched on.

+ The 010 item is back in the HT log
+ The missing imon dll. file is back in KBG
+ Also to put a spin on things I ran XCleaner and.....

This program also confirms what both TH and KBG are saying.
Thinking now to uninstall/reinstall Nod32 or somehow insert the missing dll.
Here's the first S-Shot.

 

Here's the second S-Shot.

 

Hi RJ100,

Nothing to worry about.
NOD32 does not specify the path to imon.dll so these programs can´t find it and alert you about it.
http://www.wilderssecurity.com/showthread.php?t=9811
Windows can find imon.dll however, so therr is no real problem.

Regards,

Pieter

 

RjJ100:
Thanks for posting the screenshot. I find it helpful. I was curious.


Pieter: : I think I know what will happen, but please do."
Yes
I am only speculating but I guess imon was disabled by Kazaabegone.

 

Alright Pieter, I'll read through that link you provided...Thanks
This was going to be my next move but I think I'll wait until I'm just a little smarter
See S-Shot.........

 

Hey Welcome Aboard groundling, You stand to gain much knowledge browsing this forum

Take care, Ray