Do I have a problem?



GoPhillies
2009-01-18, 02:20
I was cleaning out old e-mails last night, decided to unsubscribe from some commercial sites, and then started having problems. First, some dynamic links quit working ... just no response. Due to some experience with a recent infection, I decided to scan for malware with MBAM and Spybot. When I clicked on the Spybot icon, it would not open, and when I clicked on the MBAM icon, I got a message that I had insufficient memory (?). I then tried to reboot, but got a blue Stop Error screen with the 0x0000007e message. I was able to boot into safe mode, and ran both Spybot and MBAM scans (I last updated each a week ago), neither of which detected malware. I then rebooted, and again got the blue screen. I successfully rebooted into Last Known Good Configuration, updated Spybot and MBAM, and no malware showed up. The computer seems to be working OK right now, but I'm not sure what caused all the problems, or if they will recur with my next boot.

Here is an HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:21 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Resources/2.0.6.9/cab/aolpPlugins.10.6.0.4.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1.0.0.67/MZPlayer.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5382/mcfscan.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11439 bytes

pskelley
2009-01-22, 13:55
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

Did you google that error message?
http://support.microsoft.com/kb/330182

If it does not happen again, I would forget it. (Have had that happen myself at least once) I do not see malware in the log, and it is likely something other than malware that caused the issue. If it does occur again, I suggest a good Windows XP forum, here are two:
http://www.techsupportforum.com/microsoft-support/windows-xp-support/
http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

Post only at one, they are very busy also.

Thanks

GoPhillies
2009-01-23, 03:44
After I posted my HJT log, I ran a Kaspersky Online Scan, and it identified not-a-virus.Adware.Win32.Surfside.bj on my system.

*KASPERSKY ONLINE SCANNER 7 REPORT*
Sunday, January 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3
(build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 18, 2009 20:17:08
Records in database: 1643542

*Scan settings*
Scan using the following database extended
Scan archives yes
Scan mail databases yes
*Scan area* My Computer
C:\
D:\
E:\
*Scan statistics*
Files scanned 166446
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:10:28


*File name* *Threat name* *Threats count*
C:\Program Files\eSoftware\studio.dll Infected:
not-a-virus:AdWare.Win32.SurfSide.bj 1
* The selected area was scanned.*

GoPhillies
2009-01-23, 04:37
Maybe I'm paranoid after my last experience. Is it OK to just delete that single file that Kaspersky identified? Will "Delete" nuke it, or do I need to do more than that to make sure it is dead and gone.

pskelley
2009-01-23, 11:58
C:\Program Files\eSoftware\studio.dll Infected:
not-a-virus:AdWare.Win32.SurfSide.bj

Sure you can delete the file in red, but keep in mind Kaspersky is calling it adware and it may or may not be an issue. Malware identification is not an exact science. You could also get other opinions here:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

Keep in mind that once you delete that file, the program eSoftware may stop working or not work right.

Thanks

GoPhillies
2009-01-23, 14:05
I was able to boot my computer into Normal Mode this morning without the blue Stop Error screen, and it seems to be running fine, but I have assiduously avoided any Web surfing until I'm sure this issue is resolved. I ran another HJT scan last night after changing the name to Wildcats.exe, and it still isn't picking up that eSoftware\studio.dll file.

I see the folder "eSoftware" in my Program Files, and it contains a DAT file named "studio" as well as the studio.dll file. I have never heard of eSoftware, and it is not something I ever downloaded or installed on my computer. I have googled eSoftware\studio.dll, and it appears that it is a backdoor trojan. There are several threads about it on other malware sites, and it's supposed to show up on HJT, but it doesn't on mine.

pskelley
2009-01-23, 14:08
HJT is a small tool that shows certain areas, it does not show everything. If you don't know what that program is, uninstall it if it shows in Add Remove Programs, if not delete it. Then run KOS again to be sure it is gone.

GoPhillies
2009-01-24, 18:25
I uploaded the eSoftware\studio.dll file to VirusTotal, and 27/39 antivirus sites recognized it as a Trojan. The majority of those sites linked it to Zlob.5835. I don't know how readable this is, or if it is helpful, but here is the report from VirusTotal.

File studio.dll received on 01.24.2009 18:13:46 (CET)


Result: 27/39 (69.24%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.24 Trojan-Downloader.Agen.282636!IK
AhnLab-V3 5.0.0.2 2009.01.24 Win-Trojan/Agen.282636
AntiVir 7.9.0.60 2009.01.23 TR/Dldr.Agen.282636
Authentium 5.1.0.4 2009.01.24 W32/AdAgent.B.gen!Eldorado
Avast 4.8.1281.0 2009.01.23 Win32:Trojan-gen {Other}
AVG 8.0.0.229 2009.01.23 Generic3.CZN
BitDefender 7.2 2009.01.24 Trojan.Zlob.5835
CAT-QuickHeal 10.00 2009.01.24 AdWare.SurfSide.bj (Not a Virus)
ClamAV 0.94.1 2009.01.24 Trojan.Downloader-27284
Comodo 944 2009.01.24 -
DrWeb 4.44.0.09170 2009.01.24 -
eSafe 7.0.17.0 2009.01.22 -
eTrust-Vet 31.6.6325 2009.01.24 Win32/Pripecs.ADN
F-Prot 4.4.4.56 2009.01.23 W32/AdAgent.B.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.24 AdWare.Win32.SurfSide.bj
Fortinet 3.117.0.0 2009.01.24 Adware/SurfSide
GData 19 2009.01.24 Trojan.Zlob.5835
Ikarus T3.1.1.45.0 2009.01.24 Trojan-Downloader.Agen.282636
K7AntiVirus 7.10.604 2009.01.24 not-a-virus:AdWare.Win32.SurfSide.bj
Kaspersky 7.0.0.125 2009.01.24 not-a-virus:AdWare.Win32.SurfSide.bj
McAfee 5504 2009.01.23 -
McAfee+Artemis 5504 2009.01.23 -
Microsoft 1.4205 2009.01.24 -
NOD32 3796 2009.01.24 -
Norman 5.93.01 2009.01.23 W32/SurfSide.HT
nProtect 2009.1.8.0 2009.01.23 Trojan.Zlob.5835
Panda 9.5.1.2 2009.01.24 -
PCTools 4.4.2.0 2009.01.24 -
Prevx1 V2 2009.01.24 Adware
Rising 21.13.42.00 2009.01.23 AdWare.Win32.Undef.dfh
SecureWeb-Gateway 6.7.6 2009.01.24 Trojan.Dldr.Agen.282636
Sophos 4.37.0 2009.01.24 Generic SurfSide Application
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.24 Trojan.Zlob
TheHacker 6.3.1.5.227 2009.01.24 Adware/SurfSide.bj
TrendMicro 8.700.0.1004 2009.01.24 -
VBA32 3.12.8.11 2009.01.23 AdWare.Win32.SurfSide.bj
ViRobot 2009.1.23.1576 2009.01.23 -
VirusBuster 4.5.11.0 2009.01.24 Adware.SurfSide.DP
Additional information
File size: 282636 bytes
MD5...: 10b2230a791527354f0d11ad52a864fc
SHA1..: f31ca20e099135c9f8c2cab8650720dc61094e07
SHA256: f2b1decdc523989c7be8ac3b832e30c142879a120f6f5355ff751ec7ee78ce07
SHA512: f52eed7c63be87fb29d13f7d841d676f1071102ec46b12a835dc080fff8432404ce6f9722abe3564a7619f449e3b96134fc451620c208c29011b14648c58c30f

ssdeep: 6144:MzB6Q/FT6LkH8PYi4wqm8NDpXIVEcVLktL:rwwvt6pXIBgL

PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1001ee9c
timedatestamp.....: 0x47d319bd (Sat Mar 08 22:57:01 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2e4be 0x2f000 6.61 23c39db0b12a9d272619bb8007db0420
.rdata 0x30000 0x9ee4 0xa000 5.67 b942260e608238c172a4899c19bfd41b
.data 0x3a000 0x651c 0x5000 5.15 280c8e0fbe62783f8beb0902f7f1f256
.rsrc 0x41000 0xe60 0x1000 4.85 d1c6ae46d524f364c6e452ea914f58a2
.reloc 0x42000 0x4be4 0x5000 5.80 ffaf76df97d2b5f6c38d458121d88c3e

( 9 imports )
> urlmon.dll: UrlMkGetSessionOption
> WININET.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCanonicalizeUrlA, InternetCloseHandle
> KERNEL32.dll: lstrlenW, RaiseException, GetLastError, lstrcmpiA, VirtualProtect, LockResource, SizeofResource, LoadResource, FindResourceA, CreateThread, GetModuleFileNameA, DisableThreadLibraryCalls, IsDBCSLeadByte, InterlockedIncrement, InterlockedDecrement, FreeLibrary, LoadLibraryExA, GetModuleHandleA, SetThreadLocale, GetThreadLocale, CreateFileA, GetTempPathA, WriteFile, ReadFile, SetFilePointer, CreateProcessA, Sleep, CreateMutexA, ExitThread, FlushInstructionCache, GetCurrentProcess, lstrcmpA, MulDiv, GlobalUnlock, GlobalLock, GlobalAlloc, GetCurrentThreadId, SetLastError, Process32Next, Process32First, CreateToolhelp32Snapshot, GetProcAddress, LocalFree, InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExA, InterlockedCompareExchange, WideCharToMultiByte, GetProcessHeap, lstrlenA, LoadLibraryA, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, GetConsoleMode, GetConsoleCP, GetCurrentDirectoryA, GetFullPathNameA, GetStartupInfoA, SetHandleCount, GetFileType, SetStdHandle, GetOEMCP, GetCPInfo, HeapSize, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStdHandle, ExitProcess, HeapCreate, HeapDestroy, GetCommandLineA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, FindFirstFileA, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, GetSystemTimeAsFileTime, RtlUnwind, VirtualQuery, GetSystemInfo, HeapReAlloc, MultiByteToWideChar, LCMapStringA, SetEvent, EnterCriticalSection, WaitForSingleObject, ResetEvent, LeaveCriticalSection, DeleteCriticalSection, CloseHandle, CreateEventA, HeapFree, InitializeCriticalSection, LCMapStringW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetEndOfFile, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers, CompareStringA, CompareStringW, HeapAlloc, SetEnvironmentVariableA, GetTimeZoneInformation, GetStringTypeW, GetStringTypeA, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter
> USER32.dll: GetWindowTextLengthA, RegisterWindowMessageA, UnregisterClassA, GetWindowTextA, SetWindowTextA, PeekMessageA, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, GetActiveWindow, GetSystemMetrics, SetForegroundWindow, SetActiveWindow, CreateAcceleratorTableA, LoadCursorA, GetClassInfoExA, IsWindow, GetDesktopWindow, SetFocus, GetFocus, GetWindow, DestroyAcceleratorTable, BeginPaint, EndPaint, CallWindowProcA, FillRect, ReleaseCapture, GetClassNameA, GetDlgItem, GetParent, IsChild, SetCapture, RedrawWindow, InvalidateRgn, InvalidateRect, ReleaseDC, GetDC, ScreenToClient, ClientToScreen, GetClientRect, SetWindowPos, MoveWindow, GetSysColor, DefWindowProcA, SendMessageA, LockWindowUpdate, ShowWindow, DestroyWindow, CreateWindowExA, GetWindowLongA, SetWindowLongA, wsprintfA, CharNextA, SetTimer, KillTimer, RegisterClassExA
> ADVAPI32.dll: RegEnumKeyExA, RegQueryInfoKeyA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, RegQueryValueExA
> ole32.dll: CoUninitialize, CreateStreamOnHGlobal, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoInitialize, CoCreateInstance, StringFromGUID2, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, OleInitialize, OleUninitialize, CoMarshalInterface, CoReleaseMarshalData, CoUnmarshalInterface, OleLockRunning
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: StrStrIA
> GDI32.dll: DeleteObject, DeleteDC, CreateCompatibleBitmap, CreateCompatibleDC, BitBlt, GetDeviceCaps, CreateSolidBrush, GetObjectA, GetStockObject, SelectObject

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FAC8CF840CC82866505804FAE16A1D00B4D540E9

GoPhillies
2009-01-24, 18:36
And the report from Jotti:

Scan taken on 24 Jan 2009 17:32:20 (GMT)
A-Squared Found Trojan-Downloader.Agen.282636!IK
AntiVir Found TR/Dldr.Agen.282636
ArcaVir Found Adware.Surfside.Bj
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found Generic3.CZN
BitDefender Found Trojan.Zlob.5835
ClamAV Found Trojan.Downloader-27284
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/AdAgent.B.gen!Eldorado
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SurfSide.bj (4, 1, 400)
G DATA Found Win32:Trojan-gen
Ikarus Found Trojan-Downloader.Agen.282636
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SurfSide.bj
NOD32 Found nothing
Norman Virus Control Found W32/SurfSide.HT
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found Adware.SurfSide.DP
VBA32 Found AdWare.Win32.SurfSide.bj
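
The two multi-engine reports above attach four different family names to the same file (SurfSide, Zlob, Agen, AdAgent), which is the point pskelley makes about identification not being an exact science. The following Python script is an added example, not part of the thread: it parses an excerpt copied from each report, computes the detection ratio and tallies which family names the engines actually agree on. The GENERIC stop-word list and the token heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt copied from the VirusTotal report posted above (constructed subset):
# "Engine Version LastUpdate Result"; a result of "-" means no detection.
VT_EXCERPT = """\
a-squared 4.0.0.73 2009.01.24 Trojan-Downloader.Agen.282636!IK
AntiVir 7.9.0.60 2009.01.23 TR/Dldr.Agen.282636
Authentium 5.1.0.4 2009.01.24 W32/AdAgent.B.gen!Eldorado
BitDefender 7.2 2009.01.24 Trojan.Zlob.5835
CAT-QuickHeal 10.00 2009.01.24 AdWare.SurfSide.bj (Not a Virus)
Comodo 944 2009.01.24 -
F-Secure 8.0.14470.0 2009.01.24 AdWare.Win32.SurfSide.bj
Kaspersky 7.0.0.125 2009.01.24 not-a-virus:AdWare.Win32.SurfSide.bj
McAfee 5504 2009.01.23 -
Symantec 10 2009.01.24 Trojan.Zlob
Sophos 4.37.0 2009.01.24 Generic SurfSide Application
"""

# Excerpt copied from the Jotti report posted above (constructed subset):
# "Engine Name Found Result"; "Found nothing" means no detection.
JOTTI_EXCERPT = """\
BitDefender Found Trojan.Zlob.5835
Dr.Web Found nothing
F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SurfSide.bj (4, 1, 400)
NOD32 Found nothing
Norman Virus Control Found W32/SurfSide.HT
"""

# Words that name a class, platform or packaging rather than a family (assumed list).
GENERIC = {
    "trojan", "downloader", "dldr", "adware", "win32", "w32", "win", "not",
    "virus", "gen", "generic", "application", "eldorado", "other",
}
TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9]*")


def parse_virustotal(text):
    """Return [(engine, result-or-None)] from VirusTotal-style result lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        engine, _version, _date, result = parts
        rows.append((engine, None if result.strip() == "-" else result.strip()))
    return rows


def parse_jotti(text):
    """Return [(engine, result-or-None)] from Jotti-style 'X Found Y' lines."""
    rows = []
    for line in text.splitlines():
        if " Found " not in line:
            continue
        engine, result = line.split(" Found ", 1)
        result = result.strip()
        rows.append((engine.strip(), None if result == "nothing" else result))
    return rows


def family_tokens(result):
    """Reduce one vendor label to candidate family names (lower-case, trailing digits dropped)."""
    fams = set()
    for tok in TOKEN.findall(result):
        tok = re.sub(r"\d+$", "", tok.lower())
        if len(tok) >= 3 and tok not in GENERIC:
            fams.add(tok)
    return fams


def detection_ratio(rows):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for _, r in rows if r), len(rows)


def family_consensus(rows):
    """Count how many engines mention each family name (each engine counts once)."""
    tally = Counter()
    for _, result in rows:
        if result:
            tally.update(family_tokens(result))
    return tally


if __name__ == "__main__":
    for label, rows in (("VirusTotal", parse_virustotal(VT_EXCERPT)),
                        ("Jotti", parse_jotti(JOTTI_EXCERPT))):
        hits, total = detection_ratio(rows)
        print(f"{label}: {hits}/{total} detections, families: "
              f"{family_consensus(rows).most_common()}")
```

On the excerpt the tally is SurfSide 4, Zlob 2, Agen 2, AdAgent 1, so the raw detection count overstates how much the engines agree on what the file is.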

pskelley
2009-01-24, 18:56
If you don't know what that program is, uninstall it if it shows in Add Remove Programs, if not delete it. Then run KOS again to be sure it is gone.

Why not just delete the junk?

GoPhillies
2009-01-24, 19:04
Again, after my previous experience, I guess I'm paranoid that there may be more to it than just that single eSoftware folder with the studio.dll and DAT files. If HJT missed those files, what are the chances that it is not picking up changes that the Trojan may have made elsewhere?

When I do delete the files, should I do it in Safe Mode? Does it matter?

pskelley
2009-01-24, 19:16
Easier to just delete that folder in normal mode unless it gives you trouble. If it does, boot to safe mode and do it there, then scan with KOS to be sure all is OK.

Thanks

GoPhillies
2009-01-26, 04:48
Junk deleted.
Kaspersky clean.
MBAM clean.
Normal boot without blue screen.
Machine running OK.
SpywareBlaster and SpywareGuard updated.
Thanks again.

pskelley
2009-01-26, 12:41
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html