Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Do I have a problem?

  1. #1
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default Do I have a problem?

    I was cleaning out old e-mails last night, decided to unsubscribe from some commercial sites, and then started having problems. First, some dynamic links quit working ... just no response. Due to some experience with a recent infection, I decided to scan for malware with MBAM and Spybot. When I clicked on the Spybot icon, it would not open, and when I clicked on the MBAM icon, I got a message that I had insufficient memory (?). I then tried to reboot, but got a blue Stop Error screen with the 0x0000007e message. I was able to boot into safe mode, and ran both Spybot and MBAM scans (I last updated each a week ago), neither of which detected malware. I then rebooted, and again got the blue screen. I successfully rebooted into Last Known Good Configuration, updated Spybot and MBAM, and no malware showed up. The computer seems to be working OK right now, but I'm not sure what caused all the problems, or if they will recur with my next boot.

    Here is an HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:58:21 PM, on 1/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\MBK\MBackMonitor.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Secunia\PSI\psi.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: IAOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL Toolbar\aoltb.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142944241\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
    O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://o.aolcdn.com/pictures/ap/Reso...s.10.6.0.4.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediazone.com/player/1...7/MZPlayer.CAB
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...82/mcfscan.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 11439 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

    Did you google that error message?
    http://support.microsoft.com/kb/330182

    If it does not happen again, I would forget it. (Have had that happen myself at least once) I do not see malware in the log, and it is likely something other than malware that caused the issue. If it does occur again, I suggest a good Windows XP forum, here are two:
    http://www.techsupportforum.com/micr...ws-xp-support/
    http://www.geekstogo.com/forum/Windo...003-NT-f5.html

    Post only at one, they are very busy also.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    After I posted my HJT log, I ran a Kaspersky Online Scan, and it identified not-a-virus.Adware.Win32.Surfside.bj on my system.

    *KASPERSKY ONLINE SCANNER 7 REPORT*
    Sunday, January 18, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3
    (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Sunday, January 18, 2009 20:17:08
    Records in database: 1643542

    *Scan settings*
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    *Scan area* My Computer
    C:\
    D:\
    E:\
    *Scan statistics*
    Files scanned 166446
    Threat name 1
    Infected objects 1
    Suspicious objects 0
    Duration of the scan 02:10:28


    *File name* *Threat name* *Threats count*
    C:\Program Files\eSoftware\studio.dll Infected:
    not-a-virus:AdWare.Win32.SurfSide.bj 1
    * The selected area was scanned.*

  4. #4
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    Maybe I'm paranoid after my last experience. Is it OK to just delete that single file that Kaspersky identified? Will "Delete" nuke it, or do I need to do more than that to make sure it is dead and gone.

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    C:\Program Files\eSoftware\studio.dll Infected:
    not-a-virus:AdWare.Win32.SurfSide.bj

    Sure you can delete the file in red, but keep in mind Kaspersky is calling it adware and it may or may not be an issue, Malware identification is not an exact science. You could also get other opinions here:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/

    Keep in mind that once you delete that file, the program eSoftware may stop working or not work right?

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    I was able to boot my computer into Normal Mode this morning without the blue Stop Error screen, and it seems to be running fine, but I have assiduously avoided any Web surfing until I'm sure this issue is resolved. I ran another HJT scan last night after changing the name to Wildcats.exe, and it still isn't picking up that eSoftware\studio.dll file.

    I see the folder "eSoftware" in my Program Files, and it contains a DAT file named "studio" as well as the studio.dll file. I have never heard of eSoftware, and it is not something I ever downloaded or installed on my computer. I have googled eSoftware\studio.dll, and it appears that it is a backdoor trojan. There are several threads about it on other malware sites, and it's supposed to show up on HJT, but it doesn't on mine.

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    HJT is a small tool that shows certain areas, it does not show everything. If you don't know what that program is, uninstall it if it shows in Add Remove Programs, if not delete it. Then run KOS again to be sure it is gone.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    I uploaded the eSoftware\studio.dll file to VirusTotal, and 27/39 antivirus sites recognized it as a Trojan. The majority of those sites linked it to Zlob.5835. I don't know how readable this is, or if it is helpful, but here is the report from VirusTotal.

    File studio.dll received on 01.24.2009 18:13:46 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


    Result: 27/39 (69.24%)
    Loading server information...

    Email:


    Antivirus Version Last Update Result
    a-squared 4.0.0.73 2009.01.24 Trojan-Downloader.Agen.282636!IK
    AhnLab-V3 5.0.0.2 2009.01.24 Win-Trojan/Agen.282636
    AntiVir 7.9.0.60 2009.01.23 TR/Dldr.Agen.282636
    Authentium 5.1.0.4 2009.01.24 W32/AdAgent.B.gen!Eldorado
    Avast 4.8.1281.0 2009.01.23 Win32:Trojan-gen {Other}
    AVG 8.0.0.229 2009.01.23 Generic3.CZN
    BitDefender 7.2 2009.01.24 Trojan.Zlob.5835
    CAT-QuickHeal 10.00 2009.01.24 AdWare.SurfSide.bj (Not a Virus)
    ClamAV 0.94.1 2009.01.24 Trojan.Downloader-27284
    Comodo 944 2009.01.24 -
    DrWeb 4.44.0.09170 2009.01.24 -
    eSafe 7.0.17.0 2009.01.22 -
    eTrust-Vet 31.6.6325 2009.01.24 Win32/Pripecs.ADN
    F-Prot 4.4.4.56 2009.01.23 W32/AdAgent.B.gen!Eldorado
    F-Secure 8.0.14470.0 2009.01.24 AdWare.Win32.SurfSide.bj
    Fortinet 3.117.0.0 2009.01.24 Adware/SurfSide
    GData 19 2009.01.24 Trojan.Zlob.5835
    Ikarus T3.1.1.45.0 2009.01.24 Trojan-Downloader.Agen.282636
    K7AntiVirus 7.10.604 2009.01.24 not-a-virus:AdWare.Win32.SurfSide.bj
    Kaspersky 7.0.0.125 2009.01.24 not-a-virus:AdWare.Win32.SurfSide.bj
    McAfee 5504 2009.01.23 -
    McAfee+Artemis 5504 2009.01.23 -
    Microsoft 1.4205 2009.01.24 -
    NOD32 3796 2009.01.24 -
    Norman 5.93.01 2009.01.23 W32/SurfSide.HT
    nProtect 2009.1.8.0 2009.01.23 Trojan.Zlob.5835
    Panda 9.5.1.2 2009.01.24 -
    PCTools 4.4.2.0 2009.01.24 -
    Prevx1 V2 2009.01.24 Adware
    Rising 21.13.42.00 2009.01.23 AdWare.Win32.Undef.dfh
    SecureWeb-Gateway 6.7.6 2009.01.24 Trojan.Dldr.Agen.282636
    Sophos 4.37.0 2009.01.24 Generic SurfSide Application
    Sunbelt 3.2.1835.2 2009.01.16 -
    Symantec 10 2009.01.24 Trojan.Zlob
    TheHacker 6.3.1.5.227 2009.01.24 Adware/SurfSide.bj
    TrendMicro 8.700.0.1004 2009.01.24 -
    VBA32 3.12.8.11 2009.01.23 AdWare.Win32.SurfSide.bj
    ViRobot 2009.1.23.1576 2009.01.23 -
    VirusBuster 4.5.11.0 2009.01.24 Adware.SurfSide.DP
    Additional information
    File size: 282636 bytes
    MD5...: 10b2230a791527354f0d11ad52a864fc
    SHA1..: f31ca20e099135c9f8c2cab8650720dc61094e07
    SHA256: f2b1decdc523989c7be8ac3b832e30c142879a120f6f5355ff751ec7ee78ce07
    SHA512: f52eed7c63be87fb29d13f7d841d676f1071102ec46b12a835dc080fff843240
    4ce6f9722abe3564a7619f449e3b96134fc451620c208c29011b14648c58c30f

    ssdeep: 6144:MzB6Q/FT6LkH8PYi4wqm8NDpXIVEcVLktL:rwwvt6pXIBgL

    PEiD..: -
    TrID..: File type identification
    Win64 Executable Generic (59.6%)
    Win32 Executable MS Visual C++ (generic) (26.2%)
    Win32 Executable Generic (5.9%)
    Win32 Dynamic Link Library (generic) (5.2%)
    Generic Win/DOS Executable (1.3%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1001ee9c
    timedatestamp.....: 0x47d319bd (Sat Mar 08 22:57:01 2008)
    machinetype.......: 0x14c (I386)

    ( 5 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x2e4be 0x2f000 6.61 23c39db0b12a9d272619bb8007db0420
    .rdata 0x30000 0x9ee4 0xa000 5.67 b942260e608238c172a4899c19bfd41b
    .data 0x3a000 0x651c 0x5000 5.15 280c8e0fbe62783f8beb0902f7f1f256
    .rsrc 0x41000 0xe60 0x1000 4.85 d1c6ae46d524f364c6e452ea914f58a2
    .reloc 0x42000 0x4be4 0x5000 5.80 ffaf76df97d2b5f6c38d458121d88c3e

    ( 9 imports )
    > urlmon.dll: UrlMkGetSessionOption
    > WININET.dll: InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCanonicalizeUrlA, InternetCloseHandle
    > KERNEL32.dll: lstrlenW, RaiseException, GetLastError, lstrcmpiA, VirtualProtect, LockResource, SizeofResource, LoadResource, FindResourceA, CreateThread, GetModuleFileNameA, DisableThreadLibraryCalls, IsDBCSLeadByte, InterlockedIncrement, InterlockedDecrement, FreeLibrary, LoadLibraryExA, GetModuleHandleA, SetThreadLocale, GetThreadLocale, CreateFileA, GetTempPathA, WriteFile, ReadFile, SetFilePointer, CreateProcessA, Sleep, CreateMutexA, ExitThread, FlushInstructionCache, GetCurrentProcess, lstrcmpA, MulDiv, GlobalUnlock, GlobalLock, GlobalAlloc, GetCurrentThreadId, SetLastError, Process32Next, Process32First, CreateToolhelp32Snapshot, GetProcAddress, LocalFree, InterlockedExchange, GetACP, GetLocaleInfoA, GetVersionExA, InterlockedCompareExchange, WideCharToMultiByte, GetProcessHeap, lstrlenA, LoadLibraryA, IsProcessorFeaturePresent, VirtualFree, VirtualAlloc, GetConsoleMode, GetConsoleCP, GetCurrentDirectoryA, GetFullPathNameA, GetStartupInfoA, SetHandleCount, GetFileType, SetStdHandle, GetOEMCP, GetCPInfo, HeapSize, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetStdHandle, ExitProcess, HeapCreate, HeapDestroy, GetCommandLineA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, FindFirstFileA, GetDriveTypeA, FileTimeToLocalFileTime, FileTimeToSystemTime, FindClose, GetSystemTimeAsFileTime, RtlUnwind, VirtualQuery, GetSystemInfo, HeapReAlloc, MultiByteToWideChar, LCMapStringA, SetEvent, EnterCriticalSection, WaitForSingleObject, ResetEvent, LeaveCriticalSection, DeleteCriticalSection, CloseHandle, CreateEventA, HeapFree, InitializeCriticalSection, LCMapStringW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetEndOfFile, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, FlushFileBuffers, CompareStringA, CompareStringW, HeapAlloc, SetEnvironmentVariableA, GetTimeZoneInformation, GetStringTypeW, GetStringTypeA, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter
    > USER32.dll: GetWindowTextLengthA, RegisterWindowMessageA, UnregisterClassA, GetWindowTextA, SetWindowTextA, PeekMessageA, GetForegroundWindow, GetWindowThreadProcessId, AttachThreadInput, GetActiveWindow, GetSystemMetrics, SetForegroundWindow, SetActiveWindow, CreateAcceleratorTableA, LoadCursorA, GetClassInfoExA, IsWindow, GetDesktopWindow, SetFocus, GetFocus, GetWindow, DestroyAcceleratorTable, BeginPaint, EndPaint, CallWindowProcA, FillRect, ReleaseCapture, GetClassNameA, GetDlgItem, GetParent, IsChild, SetCapture, RedrawWindow, InvalidateRgn, InvalidateRect, ReleaseDC, GetDC, ScreenToClient, ClientToScreen, GetClientRect, SetWindowPos, MoveWindow, GetSysColor, DefWindowProcA, SendMessageA, LockWindowUpdate, ShowWindow, DestroyWindow, CreateWindowExA, GetWindowLongA, SetWindowLongA, wsprintfA, CharNextA, SetTimer, KillTimer, RegisterClassExA
    > ADVAPI32.dll: RegEnumKeyExA, RegQueryInfoKeyA, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, RegQueryValueExA
    > ole32.dll: CoUninitialize, CreateStreamOnHGlobal, CLSIDFromString, CLSIDFromProgID, CoGetClassObject, CoInitialize, CoCreateInstance, StringFromGUID2, CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, OleInitialize, OleUninitialize, CoMarshalInterface, CoReleaseMarshalData, CoUnmarshalInterface, OleLockRunning
    > OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
    > SHLWAPI.dll: StrStrIA
    > GDI32.dll: DeleteObject, DeleteDC, CreateCompatibleBitmap, CreateCompatibleDC, BitBlt, GetDeviceCaps, CreateSolidBrush, GetObjectA, GetStockObject, SelectObject

    ( 4 exports )
    DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

    Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=FAC8CF840CC82866505804FAE16A1D00B4D540E9' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=FAC8CF840CC82866505804FAE16A1D00B4D540E9</a>

  9. #9
    Member
    Join Date
    Oct 2008
    Posts
    53

    Default

    And the report from Jotti:

    Scan taken on 24 Jan 2009 17:32:20 (GMT)
    A-Squared Found Trojan-Downloader.Agen.282636!IK
    AntiVir Found TR/Dldr.Agen.282636
    ArcaVir Found Adware.Surfside.Bj
    Avast Found Win32:Trojan-gen {Other}
    AVG Antivirus Found Generic3.CZN
    BitDefender Found Trojan.Zlob.5835
    ClamAV Found Trojan.Downloader-27284
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found W32/AdAgent.B.gen!Eldorado
    F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.SurfSide.bj (4, 1, 400)
    G DATA Found Win32:Trojan-gen
    Ikarus Found Trojan-Downloader.Agen.282636
    Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.SurfSide.bj
    NOD32 Found nothing
    Norman Virus Control Found W32/SurfSide.HT
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found Adware.SurfSide.DP
    VBA32 Found AdWare.Win32.SurfSide.bj

  10. #10
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    If you don't know what that program is, uninstall it if it shows in Add Remove Programs, if not delete it. Then run KOS again to be sure it is gone.
    Why not just delete the junk?
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •