Polaris,
I had also seen the strings you are reporting... in fact I tried checking whether those domains have web sites (they don't). On my machine, as soon as those files were downloaded and I identified them, I renamed them all and tried deleting them. child.dll was locked, so looking among the running processes I found 3 suspicious instances of rundll32. As soon as I killed them I was able to delete the DLL.
What I don't understand is why this DLL creates files on the "infected" machine's desktop... it gives away its presence too easily.
Anyhow, all my compliments to Microsoft... even having set medium or high security levels on all zones (Internet, local intranet, trusted sites and restricted sites) in my browser, and having applications that should further protect me from downloading unwanted binaries (a popup blocker and SpywareBlaster), my great Microsoft browser downloaded what could well have been viruses.
This is not the first time I have found DLLs somehow downloaded onto my machine by the browser, and I think I have identified the exploit that is being used: if you brutally kill a browser instance by terminating its process while an ActiveX download request dialog box is open, the said ActiveX GETS downloaded. This exploit is used on those sites where suddenly tens of browser windows get opened in a few seconds. That is why I got myself a popup blocker... which is clearly not enough.
One other thing that surprised me is that I found no registry entries under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ or HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ keys... these kinds of applications usually register themselves to be restarted at the next machine boot.
yaa
Last edited by yaa; 12-08-2003 at 22:36.
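As an added example (not part of the original post, and not anything the poster ran), the procedure yaa describes above written out in PowerShell: list every rundll32 instance with its command line, find which one actually has the DLL mapped, optionally stop those processes so the file can be deleted, and then dump the Run and RunOnce values from HKLM and HKCU. The DLL name child.dll is taken from the thread; the -Kill switch and the function names are my own, and the script assumes it is run elevated so that the module lists of other users' processes can be read.

```powershell
# Added example, not code from the original thread. Assumes PowerShell on Windows,
# run elevated so that Get-Process can read the module lists of other processes.
param(
    [string]$DllName = 'child.dll',   # name from the thread; substitute as needed
    [switch]$Kill                     # hypothetical switch: stop the holders
)

# Step 1: every rundll32 instance with its command line. rundll32.exe itself is
# a legitimate Windows binary; what it was told to load (the "DLL,entrypoint"
# argument) is the interesting part, and only Win32_Process exposes that.
function Get-Rundll32Instances {
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

# Step 2: which of those instances has $Name mapped into its address space.
# A file that cannot be deleted because it is "locked" is usually held this way.
function Get-DllHolders {
    param([string]$Name)
    foreach ($p in Get-Rundll32Instances) {
        try {
            $proc = Get-Process -Id $p.ProcessId -ErrorAction Stop
            $hit  = $proc.Modules | Where-Object { $_.ModuleName -ieq $Name }
            if ($hit) {
                [pscustomobject]@{
                    ProcessId   = $proc.Id
                    CommandLine = $p.CommandLine
                    ModulePath  = $hit.FileName
                }
            }
        } catch {
            # The process may have exited, or its module list may be unreadable
            # (not elevated, or a 32/64-bit mismatch); skip it rather than abort.
        }
    }
}

# Step 3: the autostart values the post went looking for. Empty output here
# only means the Run/RunOnce keys are clean, not that nothing else persists.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item $k
        foreach ($valueName in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $k
                Name    = $valueName
                Command = $item.GetValue($valueName)
            }
        }
    }
}

Write-Host "== rundll32 instances =="
Get-Rundll32Instances | Format-Table -AutoSize

Write-Host "== instances holding $DllName =="
$holders = @(Get-DllHolders -Name $DllName)
$holders | Format-Table -AutoSize

if ($Kill -and $holders.Count -gt 0) {
    # Stop the holders; afterwards the file can be deleted or quarantined by hand.
    $holders | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    Write-Host "Stopped $($holders.Count) process(es); $DllName should now be deletable."
}

Write-Host "== Run / RunOnce autostart values =="
Get-RunKeyEntries | Format-Table -AutoSize
```

Run it once without -Kill to see which rundll32 instance is holding the file and what command line started it, then again with -Kill to release the lock. PowerShell postdates this 2003 thread; on a Windows XP machine of that era the same first step is `tasklist /M child.dll`, which lists the processes with that module loaded, and the registry check is a manual look at the two Run keys in regedit.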