CWS and trj/Startpage.DI and DE

Discussion in 'adware, spyware & hijack cleaning' started by zacktech, May 17, 2004.

  1. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    CWS and trj/Startpage.DI and ED

    This is the trickiest spyware/CWS/virus/trojan I've ever had to deal with. I need serious expert help here!

    What happens is that every day (24hr cycle?) my Panda Titanium pops up saying it neutralized trj/Startpage.DI. And it won't happen again until the next day. You can read up on trj/Startpage.DI all you want, but there is something else that is still here, that keeps reinfecting me.
    Here are the straight facts of what I've noticed:

    1. It infects upon opening of a browser or pressing the home page button. Panda will catch it about 2 seconds after opening a browser.

    2. It creates 1 random DLL in Windows\System32.

    3. It also creates a BHO object which is the DLL and which Panda deletes. But also it creates various entries linking IE to the DLL.

    4. Also, after Panda deletes it, and I remove about 6 or 7 items from HJT, CWShredder will find and remove "CWS.Searchx".

    5. Now, just as I started this message, Panda caught 2 trj/Startpage.DE one after the other (about 1min apart).

    6. It comes only once each day, but if I set my clock ahead one day and reopen the browser, I can get it to reinfect.

    7. After using HJT, BHO captor, CWShredder, Diamond TDS-3, various anti-spyware "restricted sites" lists, a program called "pv" to reset Hosts files and a couple other things, resetting winsock with an LSP fix tool, doing multiple and different online virus scans from Panda, Bitdefender, and TrendMicro, looking through my running processes and system startups, I CAN'T FIND THE FREAKING THING! I'm sure I've done even more than that too.

    Note that I do run a web server and SQL server, but I keep my startups and so forth clean. I am behind a firewall to the Internet but often will have "questionable" or even dirty machines on the same internal network. However this has been happening for a while and those internal machines are always changing. The infection is on my machine somewhere.

    This thing shows itself as a virus and as CWS. But where does it come from? It can't be in the winsock because I've reset it with WinsockXPFix. I suppose it could be hijacked right into IE itself, but then why wouldn't it reinfect more often than once a day? I open and close browsers many many times a day, but it only catches it once a day.

    I will post some logs in new threads.
     
    Last edited: May 17, 2004
  2. zacktech
    Here is the HJT log which contains the, already cleaned, virus entries.

    Logfile of HijackThis v1.97.3
    Scan saved at 9:37:45 AM, on 5/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\Program Files\NotesImp\NotesImp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\KeyFocus\KFWS\bin\kfwserv.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Documents and Settings\Zacktech\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {D9FB82E1-B083-4752-B6A9-862C9C4B5C5D} - C:\WINDOWS\System32\jhacdaa.dll (file missing)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KFWebServer] C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [NotesImp] C:\Program Files\NotesImp\NotesImp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Zend Studio Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: Zend Studio (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09bb5d3076969cc80419/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.thepcworks.com/msrdp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab


    I always remove those DLLs after Panda cleans the virus out. Then I run CWShredder to remove CWS.Searchx. See anything?
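    A small triage script for logs like the one above, added here as an example; it is not code from this thread, from HijackThis or from any of the tools mentioned. It assumes the HijackThis 1.97.3 line layout shown in the posted log and flags the three patterns the log exhibits: R0/R1 search-page values redirected to a res:// page inside a DLL under System32, the HomeOldSP value, and an O2 BHO whose DLL is already missing. The sample lines are copied from the posted log, with a few of its benign entries kept for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis 1.97.3 log posted
# above (hijacked R0/R1/O2 lines) plus a few of its benign O2/O3/O4 lines
# so the triage has something to leave alone.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D9FB82E1-B083-4752-B6A9-862C9C4B5C5D} - C:\WINDOWS\System32\jhacdaa.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag: R0, R1, O2, ...
    reason: str
    dll: str       # basename of the DLL involved, or "" if none
    line: str


# A res:// URL names a resource inside a binary; the hijack points IE at a DLL.
RES_DLL_RE = re.compile(r"res://(\S+?\.dll)", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
# O2 line layout as HijackThis 1.97.3 prints it (assumed from the posted log).
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?: \((?P<note>file missing)\))?$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage_hjt(log_text):
    """Return the entries of a HijackThis log that match the hijack patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag in ("R0", "R1"):
            m = RES_DLL_RE.search(line)
            if m and SYSTEM32_RE.search(m.group(1)):
                findings.append(Finding(
                    tag, "IE search/start page redirected to a res:// page inside a System32 DLL",
                    basename(m.group(1)), line))
            elif "HomeOldSP" in line:
                findings.append(Finding(
                    tag, "HomeOldSP value present (listed in the fix set given in this thread)",
                    "", line))
        elif tag == "O2":
            m = BHO_RE.match(line)
            if not m:
                continue
            if m["note"] == "file missing":
                findings.append(Finding(
                    tag, "BHO still registered but its DLL is gone (consistent with AV having removed it)",
                    basename(m["path"]), line))
            elif m["name"] == "(no name)" and SYSTEM32_RE.search(m["path"]):
                findings.append(Finding(
                    tag, "unnamed BHO loading from System32", basename(m["path"]), line))
    return findings


def referenced_dlls(findings):
    """DLL basenames named by the findings, for cross-checking against the AV log."""
    return {f.dll for f in findings if f.dll}


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("DLLs to look for in the AV log:", sorted(referenced_dlls(triage_hjt(SAMPLE_HJT_LOG))))
```

The point of `referenced_dlls` is the cross-check the thread keeps coming back to: the DLL name in the R0/R1/O2 entries (here `jhacdaa.dll`) should match the file the antivirus reports as disinfected, which tells you the HijackThis entries are leftovers of a file that is already gone rather than a live loader.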
     
  3. zacktech
    Here is the log from Portscan, just in case there is something here, I don't know.

    DiamondCS OpenPorts v1.0 (-? for help)
    Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
    Free for personal and educational use only. See openports.txt for more details.
    _______________________________________________________________________________

    SYSTEM [4]
    TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 192.168.0.106:139 0.0.0.0:0 LISTENING
    UDP 192.168.0.106:137 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
    UDP 192.168.0.106:138 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\System32\tlntsvr.exe [412]
    TCP 0.0.0.0:23 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\Program Files\KeyFocus\KFWS\bin\kfwserv.exe [420]
    TCP 127.0.0.1:9727 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\system32\lsass.exe [524]
    UDP 0.0.0.0:500 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\system32\svchost.exe [752]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\System32\svchost.exe [816]
    TCP 192.168.0.106:1035 192.168.0.1:5678 CLOSE_WAIT
    TCP 0.0.0.0:1035 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    UDP 192.168.0.106:123 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1034 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:123 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\System32\svchost.exe [908]
    UDP 0.0.0.0:1225 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1222 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1036 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1226 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1223 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1224 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1228 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\WINDOWS\System32\svchost.exe [920]
    TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
    TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
    UDP 192.168.0.106:1900 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1900 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\mysql\bin\mysqld-nt.exe [1488]
    TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\Program Files\Avant Browser\iexplore.exe [1808]
    UDP 127.0.0.1:1061 0.0.0.0:0 LISTENING
    _______________________________________________________________________________

    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe [2372]
    TCP 127.0.0.1:31595 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:18001 0.0.0.0:0 LISTENING
    _______________________________________________________________________________
     
  4. zacktech
    This is a rather LARGE log file of registry activity WHILE I was being infected. What I did was clean up the previous infection, close all browsers, set my clock ahead 1 day; then I started this registry monitoring util and opened IE, I got infected, and Panda cleaned it. Then I stopped the reg logging prog. So this log is about 5 or 10 seconds of registry activity before, during, and after getting infected. I looked through it but couldn't seem to find at what point I was infected.

    Maybe if you have the patience to help me out, you could look through it and maybe get a clue as to what started the infection.


    [edit: woops! Too large to upload!]
    If my web server is running ( I have it up most of the time) you can read the log at http://www.zacksdomain.com/regmon.txt
     
    Last edited: May 17, 2004
  5. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hello,

    You are running HijackThis from your desktop; this is not a good idea, because when we do a fix HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.

    Fix the following entries in HijackThis,

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\jhacdaa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {D9FB82E1-B083-4752-B6A9-862C9C4B5C5D} - C:\WINDOWS\System32\jhacdaa.dll (file missing)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09bb5d3...ip/RdxIE601.cab

    Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

    C:\WINDOWS\System32\jhacdaa.dll

    Now open CWShredder and run FIX and let it fix what it finds.

    Reboot in normal mode and post a fresh log

    Regards
     
  6. zacktech
    Thanks for your reply subratam. That is what I do (minus in Safe Mode). The file is never there because Panda deletes it. In the HJT log for the BHO, it's marked ("missing"). So it's always gone, and it's always recreated with a new name. Sometimes the virus is detected in the temporary Internet files folder as a CAB file.

    Here is the log (after) I clean it. I posted the old one so you could see what the entries look like:

    Logfile of HijackThis v1.97.3
    Scan saved at 10:55:34 AM, on 5/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Avant Browser\iexplore.exe
    C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    C:\Program Files\KeyFocus\KFWS\bin\kfwserv.exe
    C:\Documents and Settings\Zacktech\Desktop\hijack\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\Program Files\Zend\bin\ZendIEToolbar.dll
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KFWebServer] C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [NotesImp] C:\Program Files\NotesImp\NotesImp.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Zend Studio Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: Zend Studio (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.thepcworks.com/msrdp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24B34FD-20C1-4024-BD43-824DF9DE3454}: NameServer = 192.168.0.1


    I do wonder about the very last line. What is that for?
     
  7. zacktech
    Here is the log for Panda antivirus:

    Panda Titanium Antivirus 2004 incident report


    EVENT DATE RESULTS ADDITIONAL INFORMATION
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Virus detected: Trj/Startpage.DI 05/18/04 10:44:29 Disinfected Location: c:\windows\system32\pfgf.dll
    Virus detected: Trj/Startpage.DI 05/18/04 10:44:29 Disinfected Location: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\jnmn7cg3\m[1].bin
    Virus detected: Trj/StartPage.ED 05/18/04 10:07:50 Disinfected Location: c:\windows\system32\msxslab.dll
    Virus detected: Trj/StartPage.ED 05/18/04 10:06:41 Disinfected Location: c:\windows\system32\msproto3.dll
    Scan completed 05/18/04 09:33:48 Scan: Pop-up menu
    Scan started 05/18/04 09:33:46 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/18/04 09:33:39 Disinfected Location: c:\windows\system32\jhacdaa.dll
    Virus detected: Trj/Startpage.DI 05/17/04 08:38:58 Disinfected Location: c:\windows\system32\dbp.dll
    Virus detected: Trj/Startpage.DI 05/16/04 09:57:19 Disinfected Location: c:\documents and settings\zacktech\local settings\temporary internet files\content.ie5\od2bsx6z\m[1].bin
    Virus detected: Trj/Startpage.DI 05/16/04 09:57:19 Disinfected Location: c:\windows\system32\bkcpkc.dll
    Scan completed 05/16/04 05:04:52 Scan: Pop-up menu
    Scan started 05/16/04 05:04:46 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/15/04 16:52:58 Disinfected Location: c:\windows\system32\jge.dll
    Virus detected: Trj/Startpage.DI 05/15/04 09:29:14 Disinfected Location: c:\windows\system32\beo.dll
    Virus detected: Trj/Startpage.DI 05/15/04 09:29:13 Disinfected Location: c:\documents and settings\zacktech\local settings\temporary internet files\content.ie5\45mz4hen\m[1].bin
    Scan completed 05/15/04 05:34:59 Scan: Pop-up menu
    Scan started 05/15/04 05:34:52 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/14/04 13:43:10 Disinfected Location: c:\windows\system32\lkncpg.dll
    Virus detected: Trj/Startpage.DI 05/14/04 13:43:10 Disinfected Location: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\qdlyhz2y\m[1].bin
    Virus detected: Trj/Startpage.DI 05/14/04 09:24:37 Disinfected Location: c:\windows\system32\nllo.dll
    Virus detected: Trj/Startpage.DI 05/14/04 09:24:35 Disinfected Location: c:\documents and settings\zacktech\local settings\temporary internet files\content.ie5\0b8t0f4h\m[1].bin
    Scan completed 05/14/04 04:02:06 Scan: Pop-up menu
    Scan started 05/14/04 04:01:58 Scan: Pop-up menu
    Scan completed 05/13/04 13:27:44 Scan: Pop-up menu
    Scan started 05/13/04 13:27:37 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/13/04 08:51:40 Disinfected Location: c:\windows\system32\hhopnk.dll
    Scan completed 05/13/04 03:41:06 Scan: Pop-up menu
    Scan started 05/13/04 03:40:58 Scan: Pop-up menu
    Scan completed 05/12/04 10:07:28 Scan: Pop-up menu
    Scan started 05/12/04 10:07:01 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/12/04 08:52:45 Disinfected Location: c:\windows\system32\hdj.dll
    Scan completed 05/12/04 08:22:34 Scan: Pop-up menu
    Scan started 05/12/04 08:22:26 Scan: Pop-up menu
    Scan completed 05/11/04 15:18:43 Scan: Pop-up menu
    Scan started 05/11/04 15:18:32 Scan: Pop-up menu
    Scan completed 05/11/04 09:52:13 Scan: Pop-up menu
    Scan started 05/11/04 09:52:05 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/11/04 08:53:21 Disinfected Location: c:\windows\system32\kkalefa.dll
    Scan completed 05/11/04 02:11:10 Scan: Pop-up menu
    Scan started 05/11/04 02:11:05 Scan: Pop-up menu
    Scan completed 05/10/04 15:43:35 Scan: All My Computer
    Suspicious file 05/10/04 15:43:29 Renamed File: C:\WINDOWS\system32\xwebpic10.ocx
    Scan started 05/10/04 14:53:28 Scan: All My Computer
    Scan completed 05/10/04 14:42:16 Scan: Pop-up menu
    Scan started 05/10/04 14:42:16 Scan: Pop-up menu
    Scan completed 05/10/04 14:21:25 Scan: Pop-up menu
    Virus detected: Trj/Startpage.DI 05/10/04 14:21:24 Disinfected Location: C:\WINDOWS\System32\kkeo.dll
    Scan started 05/10/04 14:21:21 Scan: Pop-up menu
    ---------------------------------------
     
  8. subratam
    Hello again,

    The log looks OK, but as you said it comes back, so I would say wait and see if it returns now and then report back. We have to follow another route then.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24B34FD-20C1-4024-BD43-824DF9DE3454}: NameServer = 192.168.0.1 --- that is nothing but your DNS server for your ISP or company network.

    Regards
     
  9. zacktech
    Yes, it did come back again. But only just today it started appearing more than once, and the trj/Startpage.ED version started showing up as well. Those are both new.

    It's not in the Winsock, and it's not anything 4 virus scanners, a trojan scanner, and 3 spyware scanners can find. And all Windows updates done, and CWShredder ran, and even more various scan tools ran, and I'm behind a firewall. Then where can it be hiding?
    It's not in my startups, I've looked through 3 startup listing programs and checked the reg myself. It's not the Internet, because I don't go to any bad places, just places I've always been going to. My Windows System Restore is turned off as well.

    BTW, I have XP Pro, a 2800+ Athlon, 512mb, 120gb, Radeon 9200 128mb.

    When I first got this virus, I looked it up on Trend Micro and it was only found about 13 days earlier. Though I seem to remember always deleting "startpage" viruses. So I guess this is a pretty new one.

    Does anybody know any more about this trojan? How can it be reinfecting me like this?
     
  10. zacktech
    I think, after all this, that the infection must be right in IE itself. Somehow the code has been hijacked so that every so often, when IE is opened, it reinfects the system.

    To test this theory, I'm going to remove IE altogether if I can figure out how. I would use IEradicator but it doesn't support XP. And I can't just delete the files because WFP will just restore them all.

    So first I'll just try reloading IE, then I'll try to remove it all if that doesn't work.

    Any other suggestions? I'm getting real sick of walking in here every day and up pops "trj/Startpage.DI has been neutralized". I can't get rid of it!
     
  11. zacktech
    STILL DIDN'T WORK!!!

    I did all this cool stuff, again, and on the last step of my journey, up pops the virus again.
    Here is what I did this time around:

    1. Panda deleted the virus DLL
    2. Removed its entries with HJT
    3. Removed the CWS with shredder
    4. Ran Ad-aware and spybot and removed what they found
    5. Cleared Hosts files
    6. Cleared wininit files
    7. Deleted all temps, caches, histories in windows/temp and ~user/temp areas
    8. Changed a reg key as per MS instruction so I could reinstall IE/OE
    9. Completely reinstalled IE
    10. Ran full system virus scan with Panda...

    On step 10, during the virus scan, and NOT having opened any browsers during all this, the virus popped up again. And when the virus scan was done, it didn't find anything.
    It even popped up when Spybot's new little web monitor thingy was running.

    What am I missing here? Why can't I track it down?
     
  12. zacktech
    I'm keeping a close eye on this subject. Has anybody noticed the alarming trend of messages on this board about home page hijackers? "about:blank" redirecting to search sites? While I know mine is trj/Startpage.DI, maybe there is actually something else? Or maybe this forum is filled with 20 variants of the same virus/CWS/Trojan?

    I am still fighting this virus. I have the new Spybot 1.3 on here and have the teatimer background thing running as well as the SD helper. They do see the changes the virus tries to make, and I tell it to deny it. But the virus still infects me every day, and now sometimes more than once a day. It's like the more and more "fighting" programs I put on here to stop it, the easier it is to get in. This doesn't make any sense.

    Unfortunately, I haven't been able to run Spywareblaster because of the error that my hard drive might be bad.

    Almost every day I update these tools and run them again hoping the fix has been found. But it hasn't.

    DOES ANYBODY KNOW ANYTHING ABOUT THIS PROBLEM YET?
     
  13. zacktech
    I have a new breakthrough! I'm now running filemon from sysinternals. I had that monitoring my hard drive access before, during, and after being infected again.
    All registry activity was monitored during a previous infection, read the log at http://www.zacksdomain.com/virusLOGS/regmon.txt

    Also read my new hard drive activity log at http://www.zacksdomain.com/virusLOGS/filemonvirus.txt

    And here is the part of my Panda Antivirus log that caught the virus during the HDD monitor (note the date is one day ahead, that's because I set my clock ahead to get reinfected in order to monitor it)

    ______________________________________________________________

    Panda Titanium Antivirus 2004 incident report


    EVENT DATE RESULTS ADDITIONAL INFORMATION
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Virus detected: Trj/Startpage.DI 05/22/04 10:49:17 Disinfected Location: c:\windows\system32\fbi.dll
    Virus detected: Trj/Startpage.DI 05/22/04 10:49:17 Disinfected Location: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\8t6bspaf\m[1].bin
    Virus detected: Trj/Startpage.DI 05/22/04 10:48:37 Disinfected Location: c:\documents and settings\zacktech\local settings\temporary internet files\content.ie5\gncp6hcb\m[1].bin
    Virus detected: Trj/Startpage.DI 05/22/04 10:48:37 Disinfected Location: c:\windows\system32\fmlgf.dll
    Virus detected: Trj/Startpage.DI 05/21/04 10:46:21 Disinfected Location: c:\windows\system32\mjpedmp.dll
    Virus detected: Trj/Startpage.DI 05/21/04 10:46:21 Disinfected Location: c:\documents and settings\localservice\local settings\temporary internet files\content.ie5\jnmn7cg3\m[1].bin

    ____________________________________________________________

    If you look in the filemon log just a little past half way through, you'll see the first instance of "m[1].bin" show up. I'm not so much worried about that, because Panda removes all that. But what I want to find out from the log is what DLL or process was accessed first and created it?

    Because it was "downloaded" to the temp internet folder, I wonder if it wasn't created at all, but was simply downloaded and reinfected me somehow. Like I don't have the virus to begin with, but something in IE or some hack is allowing the virus to be downloaded over and over again.

    Note that the registry log is not from the same infection; the filenames won't be the same in there, since that was a previous infection. But maybe someone might notice a bad entry in there.
    I think the filemon log will give the experts here a better idea of where to look.

    I'm in hot pursuit!
     
  14. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    The part of the filemon log that interests me is this:
    -------------------------------------
    2382 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2383 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2384 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2385 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2386 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\WINDOWS\notepad.exe SUCCESS Attributes: A
    2387 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Program Files\Microsoft Office\Office\WINWORD.EXE SUCCESS Attributes: RA
    2388 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Program Files\Zend\bin\ZDE.exe SUCCESS Attributes: A
    2389 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Program Files\Zend\bin\ZDE.exe SUCCESS Attributes: A
    2390 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\WINDOWS\System32\mshtmled.dll SUCCESS Attributes: A
    2391 10:48:36 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\mshtmled.dll SUCCESS Options: Open Access: Execute
    2392 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\WINDOWS\System32\mshtmled.dll SUCCESS Length: 434688
    2393 10:48:36 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\mshtmled.dll SUCCESS
    2394 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\WINDOWS\System32\mshtmled.dll SUCCESS Attributes: A
    2395 10:48:36 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\mshtmled.dll SUCCESS Options: Open Access: Execute
    2396 10:48:36 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\mshtmled.dll SUCCESS
    2397 10:48:36 AM explorer.exe:456 QUERY INFORMATION C:\WINDOWS\System32\SHDOCVW.dll SUCCESS Attributes: A
    2398 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2399 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2400 10:48:36 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif FILE NOT FOUND Attributes: Error
    2401 10:48:36 AM IEXPLORE.EXE:2096 CREATE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif SUCCESS Options: Create Access: All
    2402 10:48:36 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif SUCCESS Offset: 0 Length: 1261
    2403 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif SUCCESS Offset: 1261 Length: 3987
    2404 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif SUCCESS Attributes: A
    2405 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\OD2BSX6Z\space[1].gif SUCCESS
    2406 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2407 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2408 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2409 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2410 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2411 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2412 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\filter.log FILE NOT FOUND Options: Open Access: All
    2413 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\ SUCCESS Options: Open Directory Access: All
    2414 10:48:37 AM IEXPLORE.EXE:2096 DIRECTORY C:\WINDOWS\System32\ NO SUCH FILE FileBothDirectoryInformation: njeoae.dll
    2415 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\ SUCCESS
    2416 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\ SUCCESS Options: Open Directory Access: All
    2417 10:48:37 AM IEXPLORE.EXE:2096 DIRECTORY C:\WINDOWS\System32\ NO SUCH FILE FileBothDirectoryInformation: fmlgf.dll
    2418 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\ SUCCESS
    2419 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2420 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2421 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2422 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2423 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2424 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2425 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2426 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2427 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2428 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 2850816
    2429 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin FILE NOT FOUND Attributes: Error
    2430 10:48:37 AM IEXPLORE.EXE:2096 CREATE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Options: Create Access: All
    2431 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 0 Length: 8192
    2432 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 8192 Length: 8192
    2433 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 16384 Length: 8192
    2434 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 24576 Length: 6656
    2435 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Attributes: A
    2436 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS
    2437 10:48:37 AM AVENGINE.EXE:720 OPEN C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS Options: Open Access: All
    2438 10:48:37 AM AVENGINE.EXE:720 READ C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS Offset: 402791 Length: 4
    2439 10:48:37 AM AVENGINE.EXE:720 CLOSE C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS
    2440 10:48:37 AM AVENGINE.EXE:720 OPEN C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS Options: Open Access: All
    2441 10:48:37 AM AVENGINE.EXE:720 READ C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS Offset: 1930391 Length: 255
    2442 10:48:37 AM AVENGINE.EXE:720 CLOSE C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS
    ------------------------------------------------

    This is where the actual infected file, "m[1]", is first created.

    First IE for some reason already thinks the file is there but can't find it:
    "2429 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin FILE NOT FOUND Attributes: Error"

    Then it automatically creates the file instead with the next line:

    "2430 10:48:37 AM IEXPLORE.EXE:2096 CREATE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Options: Create Access: All"


    How can it be looking for a file that has never existed? This is the first appearance of m[1] ever, the virus has a random name each time. But it was already looking for the file before it was ever created. How can that be?

    I have but one question then: I'm always scanning and deleting things, but I never delete the XP files index.dat or thumbs.db and so forth. Because in this log IE was always checking the index.dat file, I wonder if I should be deleting index.dat also?
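As an added illustration (this is not from the post above, and not output of Filemon or Panda): a small Python parser for Filemon lines in the format shown, which answers the question the post asks, namely which process and PID first CREATEd the dropped file and what that process did just before. It reports the directory probes for names in System32 (the probe for fmlgf.dll at line 2417 matches the DLL Panda caught seconds later, per the incident report above), the failed opens, and the bytes written. The FILE NOT FOUND attribute query at 2429 immediately before the CREATE at 2430 is what an ordinary check-then-create of a new cache file looks like in Filemon, so the example treats the CREATE as the file's first appearance. The sample log is constructed from the excerpt above; `trace_dropped_file` and the other function names are this example's own.

```python
import re

# Constructed sample: lines copied from the Filemon excerpt posted above (sequence
# numbers 2412-2437) so the example runs offline. Filemon's field order is:
# seq, time, process:pid, operation, path, result, extra details.
SAMPLE_LOG = r"""
2412 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\filter.log FILE NOT FOUND Options: Open Access: All
2413 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\ SUCCESS Options: Open Directory Access: All
2414 10:48:37 AM IEXPLORE.EXE:2096 DIRECTORY C:\WINDOWS\System32\ NO SUCH FILE FileBothDirectoryInformation: njeoae.dll
2415 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\ SUCCESS
2416 10:48:37 AM IEXPLORE.EXE:2096 OPEN C:\WINDOWS\System32\ SUCCESS Options: Open Directory Access: All
2417 10:48:37 AM IEXPLORE.EXE:2096 DIRECTORY C:\WINDOWS\System32\ NO SUCH FILE FileBothDirectoryInformation: fmlgf.dll
2418 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\WINDOWS\System32\ SUCCESS
2429 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin FILE NOT FOUND Attributes: Error
2430 10:48:37 AM IEXPLORE.EXE:2096 CREATE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Options: Create Access: All
2431 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 0 Length: 8192
2432 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 8192 Length: 8192
2433 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 16384 Length: 8192
2434 10:48:37 AM IEXPLORE.EXE:2096 WRITE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Offset: 24576 Length: 6656
2435 10:48:37 AM IEXPLORE.EXE:2096 QUERY INFORMATION C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS Attributes: A
2436 10:48:37 AM IEXPLORE.EXE:2096 CLOSE C:\Documents and Settings\Zacktech\Local Settings\Temporary Internet Files\Content.IE5\GNCP6HCB\m[1].bin SUCCESS
2437 10:48:37 AM AVENGINE.EXE:720 OPEN C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pav.sig SUCCESS Options: Open Access: All
"""

# One Filemon line. The path may contain spaces, so it is matched lazily up to the
# result token; everything after the result is the free-form "extra" column.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<process>[^:\s]+):(?P<pid>\d+)\s+"
    r"(?P<op>QUERY INFORMATION|SET INFORMATION|DIRECTORY|CREATE|OPEN|CLOSE|READ|WRITE|DELETE)\s+"
    r"(?P<path>.*?)\s+"
    r"(?P<result>SUCCESS|FILE NOT FOUND|NO SUCH FILE|ACCESS DENIED|NO MORE FILES)"
    r"(?:\s+(?P<extra>.*))?$"
)


def parse_filemon(text):
    """Parse Filemon text into event dicts, in log order; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["seq"] = int(e["seq"])
        e["pid"] = int(e["pid"])
        e["extra"] = e["extra"] or ""
        events.append(e)
    return events


def first_create(events, filename):
    """The first CREATE whose path ends in the given file name (case-insensitive)."""
    suffix = "\\" + filename.lower()
    for e in events:
        if e["op"] == "CREATE" and e["path"].lower().endswith(suffix):
            return e
    return None


def probed_names(events, pid, before_seq):
    """Directory lookups by this pid before the create: (folder, name) pairs it asked for."""
    probes = []
    for e in events:
        if e["pid"] == pid and e["seq"] < before_seq and e["op"] == "DIRECTORY":
            m = re.search(r"FileBothDirectoryInformation:\s*(\S+)", e["extra"])
            if m:
                probes.append((e["path"], m.group(1)))
    return probes


def failed_opens(events, pid, before_seq):
    """Files this pid tried to open before the create but which did not exist."""
    return [e["path"] for e in events
            if e["pid"] == pid and e["seq"] < before_seq
            and e["op"] == "OPEN" and e["result"] == "FILE NOT FOUND"]


def bytes_written(events, path, after_seq):
    """Sum WRITE lengths to the path after the create, up to its CLOSE."""
    total = 0
    for e in events:
        if e["seq"] <= after_seq or e["path"] != path:
            continue
        if e["op"] == "WRITE":
            m = re.search(r"Length:\s*(\d+)", e["extra"])
            if m:
                total += int(m.group(1))
        elif e["op"] == "CLOSE":
            break
    return total


def trace_dropped_file(text, filename):
    """Who created the file, and what that process did immediately beforehand."""
    events = parse_filemon(text)
    create = first_create(events, filename)
    if create is None:
        return None
    return {
        "seq": create["seq"],
        "process": create["process"],
        "pid": create["pid"],
        "path": create["path"],
        "probes": probed_names(events, create["pid"], create["seq"]),
        "failed_opens": failed_opens(events, create["pid"], create["seq"]),
        "bytes_written": bytes_written(events, create["path"], create["seq"]),
    }


if __name__ == "__main__":
    report = trace_dropped_file(SAMPLE_LOG, "m[1].bin")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a full Filemon capture the same call also tells you whether the CREATE came from IEXPLORE.EXE itself or from a different process, which is the distinction the post is trying to draw between "downloaded by the browser" and "written by something already resident".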
     
  15. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Here are the Explorer DLLs, listed using the PV DOS program:
    ------

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    SHLWAPI.dll 70bd0000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71160000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 Shell Browser UI Library
    SHDOCVW.dll 71000000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1106 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    iphlpapi.dll 76d60000 90112 C:\WINDOWS\System32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
    WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    netapi32.dll 71c20000 319488 C:\WINDOWS\System32\netapi32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    urlmon.dll 702b0000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1106 OLE32 Extensions for Win32
    mlang.dll 70440000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    WININET.DLL 70200000 610304 C:\WINDOWS\system32\WININET.DLL 6.00.2800.1106 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    shdoclc.dll 718c0000 540672 C:\WINDOWS\System32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
    webcheck.dll 70340000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1254 (xpsp2.030801-1834) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
    IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    msi.dll 2b30000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    shfolder.dll 3210000 32768 C:\WINDOWS\System32\shfolder.dll 6.00.2800.1106 Shell Folder Service
    BCShellEx.dll 3220000 110592 C:\Program Files\Beyond Compare 2\BCShellEx.dll 2.1.0.0 Context Menu Shell Extension
    mydocs.dll 72410000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) My Documents Folder UI
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    browselc.dll 9c0000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
    MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    ODBC32.dll 2af0000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    sti.dll 73ba0000 73728 C:\WINDOWS\System32\sti.dll 5.1.2600.1106 (xpsp1.020828-1920) Still Image Devices client DLL
    jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    WZCSAPI.DLL 73030000 45056 C:\WINDOWS\System32\WZCSAPI.DLL 5.1.2600.1276 (xpsp2.030825-2117) Wireless Zero Configuration service API
    MPRAPI.dll 76d40000 90112 C:\WINDOWS\System32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    Cabinet.dll 75150000 77824 C:\WINDOWS\System32\Cabinet.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Cabinet File API
    SDHelper.dll 17c0000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
    olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    rarext.dll 1a40000 176128 C:\Program Files\WinRAR\rarext.dll
    PSICON.DLL 28b0000 147456 C:\Program Files\Common Files\Adobe\Shell\PSICON.DLL 7.0 Icons for Adobe Photoshop
    zipfldr.dll 73380000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Compressed (zipped) Folders
    srecopy.dll 11000000 32768 C:\WINDOWS\System32\srecopy.dll 1.00.0018
    MSVBVM60.DLL 6a9d0000 1392640 C:\WINDOWS\System32\MSVBVM60.DLL 6.00.9690 Visual Basic Virtual Machine
    actxprxy.dll 703d0000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2800.1106 ActiveX Interface Marshaling Library
    NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows NT MARTA provider
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    ------

    See anything suspicious? I'll post the IE DLLs next.
     
  16. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Here are IE's DLLs.
    -----

    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 2269184 C:\Program Files\Avant Browser\iexplore.exe 9.0.2.26 Avant Browser
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    advapi32.dll 77dd0000 577536 C:\WINDOWS\system32\advapi32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    SHLWAPI.dll 70bd0000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1106 Shell Light-weight Utility Library
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    imm32.dll 76390000 114688 C:\WINDOWS\System32\imm32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    oleaut32.dll 77120000 569344 C:\WINDOWS\system32\oleaut32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    URLMON.DLL 702b0000 499712 C:\WINDOWS\system32\URLMON.DLL 6.00.2800.1106 OLE32 Extensions for Win32
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    wininet.dll 70200000 610304 C:\WINDOWS\system32\wininet.dll 6.00.2800.1106 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    winmm.dll 76b40000 180224 C:\WINDOWS\System32\winmm.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    winspool.drv 73000000 143360 C:\WINDOWS\System32\winspool.drv 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    msimg32.dll 76380000 20480 C:\WINDOWS\System32\msimg32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    olepro32.dll 5edd0000 106496 C:\WINDOWS\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    browseui.dll 71160000 1036288 C:\WINDOWS\System32\browseui.dll 6.00.2800.1106 Shell Browser UI Library
    shdocvw.dll 71000000 1347584 C:\WINDOWS\System32\shdocvw.dll 6.00.2800.1106 Shell Doc Object and Control Library
    shdoclc.dll 718c0000 540672 C:\WINDOWS\System32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    mlang.dll 70440000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    WS2_32.dll 71ab0000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    RoboForm.dll 10000000 2502656 C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll 5-6-2 RoboForm Main Module
    oledlg.dll 74d30000 131072 C:\WINDOWS\System32\oledlg.dll 1.0 (XPClient.010817-1148) Microsoft Windows(TM) OLE 2.0 User Interface Support
    mshtml.dll 70c50000 2805760 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1106 Microsoft (R) HTML Viewer
    msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    imgutil.dll 70510000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 IE plugin image decoder support DLL
    pngfilt.dll 70530000 45056 C:\WINDOWS\System32\pngfilt.dll 6.00.2800.1106 IE PNG plugin image decoder
    PSAPI.dll 76bf0000 45056 C:\WINDOWS\System32\PSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Process Status Helper
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    mshtmled.dll 70f30000 450560 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 Microsoft (R) HTML Editing Component
    mscoree.dll 79170000 155648 C:\WINDOWS\System32\mscoree.dll 1.1.4322.573 Microsoft .NET Runtime Execution Engine
    mscorie.dll 79410000 86016 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll 1.1.4322.573 Microsoft .NET IE MIME Filter
    MSVCR71.dll 7c340000 352256 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
    mscorld.dll 79480000 98304 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll 1.1.4322.573 Microsoft Remote object loader
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    plugin.ocx 3450000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2800.1106 ActiveX Plugin OCX
    SDIE55~1.DLL 3470000 172032 C:\PROGRA~1\STARDO~1\SDIE55~1.DLL
    SDIEInt.dll 34a0000 155648 C:\PROGRA~1\STARDO~1\SDIEInt.dll
    -------------

    I hope I can find this soon! Any of you experts have any ideas? If I can track this down, I should get an honorary title as an expert spyware fighter!
     
  17. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    After running Spybot's Teatimer program, here is the log for the past week:
    --------------
    5/19/2004 11:39:04 AM Allowed value "Add to AD Black List" (new data: "") added in Browser menu extension!
    5/19/2004 11:39:08 AM Allowed value "Block All Images from the Same Server" (new data: "") added in Browser menu extension!
    5/19/2004 11:39:10 AM Allowed value "Highlight" (new data: "") added in Browser menu extension!
    5/19/2004 11:39:11 AM Allowed value "Open All Links in This Page..." (new data: "") added in Browser menu extension!
    5/19/2004 12:31:08 PM Allowed value "WinPatrol" (new data: ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"") added in System Startup global entry!
    5/19/2004 12:54:12 PM Allowed value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    5/19/2004 12:54:12 PM Allowed value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    5/19/2004 2:16:06 PM Denied value "{18A2DBA7-5B83-4B86-AE52-1D8BAAC78FD0}" (new data: "") added in Browser Helper Object!
    5/19/2004 2:16:09 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:16:11 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:16:12 PM Denied value "HomeOldSP" (new data: "about:blank") added in Browser page!
    5/19/2004 2:16:14 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:16:15 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:16:16 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
    5/19/2004 2:16:18 PM Denied value "HomeOldSP" (new data: "about:blank") added in Browser page!
    5/19/2004 2:16:19 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/19/2004 5:02:17 PM Allowed value "{74D05D43-3236-11D4-BDCD-00C04F9A3B61}" (new data: "") added in ActiveX Distribution Unit!
    5/19/2004 8:54:17 AM Allowed value "Start Page" (new data: "http://www.google.com/") changed in Browser page!
    5/19/2004 2:37:30 PM Denied value "{E093425D-0DEC-48E4-9ADB-2A8ED327E24C}" (new data: "") added in Browser Helper Object!
    5/19/2004 2:37:32 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6e%6a%65%6f%61%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:37:32 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6e%6a%65%6f%61%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:37:33 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
    5/19/2004 2:37:33 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6e%6a%65%6f%61%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:37:34 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6e%6a%65%6f%61%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/19/2004 2:37:35 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6e%6a%65%6f%61%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/20/2004 10:16:20 AM Denied value "QuickTime Task" (new data: ""C:\Program Files\QuickTime\qttask.exe" -atboottime") added in System Startup global entry!
    5/21/2004 5:26:18 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
    5/21/2004 5:26:19 PM Allowed value "Local Page" (new data: "") deleted in Browser page!
    5/21/2004 5:26:20 PM Allowed value "Start Page" (new data: "http://www.msn.com/") changed in Browser page!
    5/24/2004 9:47:52 AM Denied value "{C8E7913B-4BB8-46C8-9211-F40DF9A2D4D0}" (new data: "") added in Browser Helper Object!
    5/24/2004 9:47:54 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:47:55 AM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:47:55 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:47:56 AM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:47:56 AM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/24/2004 9:49:45 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:52:54 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:56:20 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 9:57:40 AM Allowed value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 9:57:41 AM Allowed value "{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}" (new data: "") deleted in ActiveX Distribution Unit!
    5/24/2004 9:57:41 AM Allowed value "{166B1BCA-3F9C-11CF-8075-444553540000}" (new data: "") deleted in ActiveX Distribution Unit!
    5/24/2004 9:57:44 AM Allowed value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    5/24/2004 9:57:44 AM Allowed value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    5/24/2004 9:57:47 AM Allowed value "{74D05D43-3236-11D4-BDCD-00C04F9A3B61}" (new data: "") deleted in ActiveX Distribution Unit!
    5/24/2004 9:57:48 AM Allowed value "{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}" (new data: "") deleted in ActiveX Distribution Unit!
    5/24/2004 9:57:49 AM Allowed value "{D27CDB6E-AE6D-11CF-96B8-444553540000}" (new data: "") deleted in ActiveX Distribution Unit!
    5/24/2004 9:58:49 AM Allowed value "&ieSpell Options" (new data: "") deleted in Browser menu extension!
    5/24/2004 9:58:50 AM Allowed value "Check &Spelling" (new data: "") deleted in Browser menu extension!
    5/24/2004 9:59:26 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 10:40:30 AM Allowed value "{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}" (new data: "") added in ActiveX Distribution Unit!
    5/24/2004 12:39:13 PM Denied value "{EAACB724-2CCC-40EA-8443-2EECE872931F}" (new data: "") added in Browser Helper Object!
    5/24/2004 12:39:15 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%6e%68%6f%64%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 12:39:17 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%6e%68%6f%64%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 12:39:19 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
    5/24/2004 12:39:21 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%6e%68%6f%64%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 12:39:22 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%6e%68%6f%64%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 12:39:24 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%6e%68%6f%64%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/24/2004 1:07:22 PM Allowed value "{F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}" (new data: "") added in ActiveX Distribution Unit!
    5/24/2004 2:27:38 PM Denied value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 2:27:42 PM Denied value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 2:27:44 PM Denied value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 2:27:46 PM Denied value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 2:27:49 PM Denied value "{95188727-288F-4581-A48D-EAB3BD027314}" (new data: "") deleted in Global browser toolbar!
    5/24/2004 4:35:09 PM Denied value "{055AD936-26FE-48DD-83C8-08B8DAA33790}" (new data: "") added in Browser Helper Object!
    5/24/2004 4:35:14 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%67%6c%65%66%68%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 4:35:17 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%67%6c%65%66%68%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 4:35:19 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%67%6c%65%66%68%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 4:35:21 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%67%6c%65%66%68%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/24/2004 4:35:26 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%68%67%6c%65%66%68%61%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/25/2004 12:25:54 PM Allowed value "Mozilla Quick Launch" (new data: ""C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo") added in System Startup user entry!
    5/25/2004 4:36:35 PM Denied value "{7E0A5003-F06F-416B-AA52-2054F6FF16E8}" (new data: "") added in Browser Helper Object!
    5/25/2004 4:36:37 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6e%70%61%67%6b%66%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/25/2004 4:36:38 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6e%70%61%67%6b%66%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/25/2004 4:36:39 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6e%70%61%67%6b%66%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/25/2004 4:36:41 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6e%70%61%67%6b%66%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/25/2004 4:36:42 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6e%70%61%67%6b%66%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    5/26/2004 4:47:12 PM Denied value "{6D7269DD-44A6-45BE-9B7D-574AFD873899}" (new data: "") added in Browser Helper Object!
    5/26/2004 4:47:14 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/26/2004 4:47:15 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/26/2004 4:47:17 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/26/2004 4:47:18 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
    5/26/2004 4:47:20 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
    ----------------

    I'm hoping somebody might recognize the BHO's CLSID. It seems to change! I wonder if one of these BHOs is the virus itself. When TeaTimer blocks anything, it usually will block about 5 or 6 items, including the BHO, start page change, search assistant change and others; I tell it to remember the decision.

    Does anybody have any ideas about this now?
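    The res:// values in that TeaTimer log are percent-encoded file paths, which is why the DLL each denied BHO points at is not obvious at a glance. As an added example (not code from this thread or from Spybot), here is a small Python triage script that parses TeaTimer lines like those above, decodes each res:// URL and groups the Denied entries into one event per DLL; the sample lines are a constructed subset of the log above.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# One TeaTimer line: timestamp, Allowed/Denied, value name, new data, action, target.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<decision>Allowed|Denied) value "(?P<name>[^"]*)" '
    r'\(new data: "(?P<data>.*)"\) (?P<action>added|changed|deleted) in (?P<where>.+)!$'
)
# res://<percent-encoded file path>/<resource name inside that file>
RES_RE = re.compile(r'^res://(?P<path>[^/]+)/(?P<page>.+)$')

# Constructed sample: a subset of the TeaTimer lines posted in the thread.
SAMPLE_LOG = r'''5/19/2004 12:31:08 PM Allowed value "WinPatrol" (new data: ""C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"") added in System Startup global entry!
5/19/2004 2:16:06 PM Denied value "{18A2DBA7-5B83-4B86-AE52-1D8BAAC78FD0}" (new data: "") added in Browser Helper Object!
5/19/2004 2:16:09 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
5/19/2004 2:16:11 PM Denied value "Search Bar" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
5/19/2004 2:16:12 PM Denied value "HomeOldSP" (new data: "about:blank") added in Browser page!
5/19/2004 2:16:16 PM Denied value "Start Page" (new data: "about:blank") changed in Browser page!
5/19/2004 2:16:19 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%6f%6f%67%64%6b%70%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
5/24/2004 9:47:52 AM Denied value "{C8E7913B-4BB8-46C8-9211-F40DF9A2D4D0}" (new data: "") added in Browser Helper Object!
5/24/2004 9:47:54 AM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%63%65%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
5/26/2004 4:47:12 PM Denied value "{6D7269DD-44A6-45BE-9B7D-574AFD873899}" (new data: "") added in Browser Helper Object!
5/26/2004 4:47:14 PM Denied value "Search Page" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") added in Browser page!
5/26/2004 4:47:20 PM Denied value "SearchAssistant" (new data: "res://%43%3a%5c%57%49%4e%44%4f%57%53%5c%53%79%73%74%65%6d%33%32%5c%66%6f%64%6b%6f%6e%6b%2e%64%6c%6c/%73%70%2e%68%74%6d%6c") changed in Browser page!
'''


def parse_line(line):
    """Split one TeaTimer line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_res_url(data):
    """Decode a percent-encoded res:// URL into (file path, resource name), or None."""
    m = RES_RE.match(data)
    if m is None:
        return None
    return unquote(m.group('path')), unquote(m.group('page'))


def dll_name(path):
    """Last component of a Windows path, i.e. the random DLL name in System32."""
    return path.rsplit('\\', 1)[-1]


def triage(lines):
    """Group Denied entries into one event per decoded DLL path.

    Each event records the first timestamp, the BHO CLSIDs denied just before
    the search-page changes, the resource inside the DLL, and how many hijack
    attempts pointed at that DLL. Allowed entries and non-res:// data are skipped.
    """
    events = OrderedDict()
    pending_clsids = []  # BHO registrations seen since the last res:// entry
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['decision'] != 'Denied':
            continue
        if rec['where'] == 'Browser Helper Object':
            pending_clsids.append(rec['name'])
            continue
        decoded = decode_res_url(rec['data'])
        if decoded is None:
            continue  # e.g. about:blank resets or toolbar deletions
        path, page = decoded
        ev = events.setdefault(path, {'first': rec['ts'], 'page': page, 'clsids': [], 'count': 0})
        ev['count'] += 1
        for clsid in pending_clsids:
            if clsid not in ev['clsids']:
                ev['clsids'].append(clsid)
        pending_clsids = []
    return events


if __name__ == '__main__':
    for path, ev in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ev['first']}  {dll_name(path):<12} {path}/{ev['page']}  "
              f"attempts={ev['count']}  BHO={', '.join(ev['clsids']) or '-'}")
```

    Run against the full log, the decoded names line up with what the later HijackThis log shows in plain text (fodkonk.dll), so the same script can be pointed at a fresh TeaTimer log to see whether a new DLL name has appeared.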
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi zacktech,

    I don't know how you managed to escape our attention.

    Can we please start from the beginning?
    Update Windows and IE, scan with AdAware and post a new HijackThis log (please don't fix anything yet).

    Regards,

    Pieter
     
  19. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Well hello! I wasn't sure why nobody was responding. Well, I guess there's no harm in starting over; maybe the fix has been found?

    I did Windows updates, there were 3 new critical updates, did those and restarted.

    I closed some of my unneeded background progs and updated and ran Ad-Aware; I fixed all the items in the picture.

    Then here is the hijackthis log, unchanged:
    ----
    Logfile of HijackThis v1.97.3
    Scan saved at 2:06:00 PM, on 5/27/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
    C:\Program Files\NotesImp\NotesImp.exe
    C:\Program Files\KeyFocus\KFWS\bin\kfwserv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
    C:\Documents and Settings\Zacktech\Desktop\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fodkonk.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Zack has locked you down sucka!
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KFWebServer] C:\Program Files\KeyFocus\KFWS\bin\kfwsmon.exe
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [NotesImp] C:\Program Files\NotesImp\NotesImp.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
    O8 - Extra context menu item: Enqueue in Star Downloader - C:\Program Files\Star Downloader\sdieenq.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Leech with Star Downloader - C:\Program Files\Star Downloader\leechie.htm
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
    O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://tsweb.thepcworks.com/msrdp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24B34FD-20C1-4024-BD43-824DF9DE3454}: NameServer = 192.168.0.1
    ---------------

    So what do you make of it? You'll get a real good history if you spend a couple days and read this post. hehe

    Thanks for responding. This is driving me mad.
     


  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    If everything goes according to plan, AdAware removed the protocol hooks and the updates will prevent them from returning.

    Now, please download and unzip http://www.rokop-security.de/main/download.php?op=getit&lid=59

    Close as many programs as possible and click *Desinfektion starten*.
    Your computer should reboot almost immediately. If nothing happens, initiate the reboot yourself and let me know.

    If the program works after the reboot it will start first and be displayed. End the program with the same button (different name).

    Then run HijackThis again and Fix:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\fodkonk.dll/sp.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    Regards,

    Pieter
     
  21. zacktech

    zacktech Registered Member

    Joined:
    May 11, 2004
    Posts:
    24
    Location:
    arizona
    Okay. I closed the background progs, ran the program and it restarted. It ran again on startup and finished.

    I then opened HJT but the entries were already gone. Here is the log from the program:
    -----
    5/28/2004 10:28:59 AM SPhjFix started v1.07
    5/28/2004 10:28:59 AM Stealth-String found
    5/28/2004 10:29:00 AM Restart
    5/28/2004 10:30:14 AM 2nd Step
    5/28/2004 10:30:15 AM Error while deleting Hijack-DLL
    5/28/2004 10:30:15 AM BHO-DLL: (not found)
    5/28/2004 10:30:15 AM Bad IE-pages found:
    5/28/2004 10:30:21 AM Cleaned
    --------

    I think it errored because Panda probably deleted the DLL. But what "Stealth-String" is it talking about? And what "Bad IE-pages" is it talking about? Not the same bad IE pages the CWS looks for?

    Tell me then, what just happened here? I'll let you know if I get reinfected.
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    A lengthy description of the manual removal of this variant can be found here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    The Stealth-String found probably refers to the key in the registry where this malware starts from:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    It hides itself there by starting the pointer with a "The End" string.

    Since there are no Bad pages listed I think none were found.

    Regards,

    Pieter
     