Please advise! Rogue IE toolbar problems 2

[spavined]

My machine was overrun yesterday with a proliferation of spy files, most of which I have been able to clean off using Adaware, Stinger, CWshredder, Spybot,and Hijackthis.

I'm stuck on what's causing my last few problems(related):

--I have a second "Search" toolbar in my Explorer bar that is present everytime IE is opened.
--I have a good deal of pop-ups, both while using and closing IE

Any advice is appreciated, thanks in advance!

Hyjackthis log file shows:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0CAC6918-C01F-4DC4-813B-4E3C53029846} - C:\WINNT\system32\isnign32.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\system32\stlbdist.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O4 - HKLM\..\Run: [3EP2XRW3E8TJLB] C:\WINNT\system32\Slnt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [Ad-aware] C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe +c
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFREE.EXE"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -

http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -

http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) -

http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37728.0180324074

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) -

http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

 

[bcastner]

Did you first disable System Restore before running all those cleaners?

Did you first update all those cleaners to the newest versions available?

 

[spavined]

I did not disable system restore, but did check for all updates with each cleaner before using.

 

[bcastner]

faq608-4620

 

[spavined]

I apologize, but I'm not sure what I'm supposed to get from this FAQ. It reads "Try using RGB color palette and possibly use a Select Case function in place of an IF or SUMIF" as a 'Best of Excel' tip.

 

[herrslime]

Check out the information here:

http://www.doxdesk.com/parasite/Transponder.html

One of the items you have listed is bi.dll and that could be your problem. Did you go into your startup and see if there was anything in there that you don't want?

In WIn98 go to start|rin and type in msconfig. Go to the startup tab and uncheck anything on the list you don't want. I don't know hoew to do this in other Windows versions but there should be a way to do this.

Hope this helps

 

[bcastner]

typo, my apologies. faq608-4650

 

[spavined]

bcastner,

I've gone through all the steps in the faq you forwarded (thanks!), and the problem is still there, any ideas from the Hijack this log?

herrslime,

I run W2K, but procured the XP msconfig to run it - there are a few items I don't recognize, but I'm not fully certain whether they are something to delete. I'll look into that .dll you noted, thanks.

 

[spavined]

With a start from herrslime and some continued searching I was able to find the root of the problem - it was a startium toolbar hijack that I've now resolved.

Thanks for all of your help.

 

[bcastner]

Your toolbar is coming from one or more of these files:

stlbdist.dll
stlbupdt.dll
stlbad.dll

Close all IE sessions.

Use Hijack to remove:

O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINNT\bi.dll

O2 - BHO: (no name) - {0CAC6918-C01F-4DC4-813B-4E3C53029846} - C:\WINNT\system32\isnign32.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\system32\stlbdist.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O4 - HKLM\..\Run: [3EP2XRW3E8TJLB] C:\WINNT\system32\Slnt.exe

O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

Finally, do a search for all three files I mentioned at the beginning and delete them.

Reboot.

 

[bcastner]

Note:

This entry:
O4 - HKLM\..\Run: [3EP2XRW3E8TJLB] C:\WINNT\system32\Slnt.exe

Is not installed except deliberatly. It is a keyboard logger. You might want to keep it if you intended it to be there.

 

[spavined]

Thanks - I had found that, and it did the trick. I appreciate the insight on the other files, however.

I have a follow-up problem, however. I've deleted the stlbdist.dll file from my machine, but I now get the following RUNDLL error:

"Error loading C:\...stlbdist.dll The specific module cannot be found"

This happens whenever I reboot. Any clue how I can keep the machine from looking for this at boot up?

 

[bcastner]

Check that this entry was removed by Hijack:
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\system32\stlbdist.DLL,DllRunMain

Then:

Start, Run, CMD
c:
cd \winnt
regsvr32 /u stlbdist.dll
exit