Posted September 13, 2009 In an effort to keep my system safe from hidden modules (i.e. modules that have been manually unlinked from PEB->LDR_MODULE), I coded up a little tool that scans the memory of my process and attempts to identify any DLLs that do not resolve using the normal Toolhelp API. See below (apologies for the large image). This immediately aroused my suspicions, so I checked out the code section of this phantom module. See attachment. Here's my plea. I'm confident this is some kind of trojan periodically sending off critical information pertaining to my browsing. Suffice to say, this is of gross concern. How can I permanently delete this omnipresent module? Regards, Ksb NB: If anyone takes the time to analyze the attached code, I would be very eager to hear how it functions. potential_virus.txt
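For readers who want to see the detection idea the post describes in code, here is an added example (mine, not Ksb's tool and not the attached file). It keeps the Win32-specific plumbing out so it compiles anywhere: on Windows you would fill the region list from a VirtualQuery loop over committed, readable pages, use ReadProcessMemory (or a plain memcpy inside your own process) as the read callback, and fill the known-module list from CreateToolhelp32Snapshot / Module32First / Module32Next. The address space, module names and region bases below are constructed for the demo; PROBE_LEN, demo_read and put_pe are hypothetical helpers. The core check is the same as a real scanner's: probe the start of each region for a valid PE header (MZ, a sane e_lfanew, the PE signature, a PE32/PE32+ magic), then report any image whose base is absent from the Toolhelp list, which is exactly what an unlinked PEB->Ldr entry looks like. A region that merely contains the bytes "MZ" in data is rejected by the later header checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

#define PROBE_LEN 0x100        /* bytes read from the start of each region (hypothetical; a page in practice) */
#define MZ_SIG    0x5A4D       /* IMAGE_DOS_SIGNATURE "MZ" */
#define PE_SIG    0x00004550   /* IMAGE_NT_SIGNATURE "PE\0\0" */

typedef struct { uintptr_t base; size_t size; } region_t;       /* subset of MEMORY_BASIC_INFORMATION */
typedef struct { uintptr_t base; const char *name; } module_t;  /* subset of MODULEENTRY32 */
typedef int (*read_fn)(void *ctx, uintptr_t addr, uint8_t *buf, size_t len); /* ReadProcessMemory stand-in */

/* Validate a PE header at buf: MZ, in-bounds e_lfanew, PE signature, PE32/PE32+ magic. */
int looks_like_pe(const uint8_t *buf, size_t len, uint32_t *size_of_image)
{
    uint16_t e_magic, opt_magic;
    uint32_t e_lfanew, sig;
    if (len < 0x40) return 0;
    memcpy(&e_magic, buf, 2);
    if (e_magic != MZ_SIG) return 0;
    memcpy(&e_lfanew, buf + 0x3C, 4);
    if (e_lfanew > len || len - e_lfanew < 0x54) return 0;   /* need Signature + FileHeader + SizeOfImage */
    memcpy(&sig, buf + e_lfanew, 4);
    if (sig != PE_SIG) return 0;                              /* a stray "MZ" in data dies here */
    memcpy(&opt_magic, buf + e_lfanew + 24, 2);               /* IMAGE_OPTIONAL_HEADER.Magic */
    if (opt_magic != 0x10B && opt_magic != 0x20B) return 0;
    memcpy(size_of_image, buf + e_lfanew + 24 + 56, 4);       /* SizeOfImage, same offset in PE32 and PE32+ */
    return 1;
}

/* Probe each region for a PE header; report bases that the Toolhelp-style list does not contain. */
size_t find_hidden_modules(const region_t *regions, size_t nregions, read_fn read, void *ctx,
                           const module_t *known, size_t nknown, uintptr_t *out, size_t max_out)
{
    uint8_t probe[PROBE_LEN];
    size_t found = 0;
    for (size_t i = 0; i < nregions; i++) {
        size_t want = regions[i].size < PROBE_LEN ? regions[i].size : PROBE_LEN;
        uint32_t image_size;
        int listed = 0;
        if (!read(ctx, regions[i].base, probe, want)) continue;  /* unreadable, e.g. PAGE_NOACCESS */
        if (!looks_like_pe(probe, want, &image_size)) continue;
        for (size_t k = 0; k < nknown && !listed; k++)
            listed = (known[k].base == regions[i].base);
        if (!listed && found < max_out)
            out[found++] = regions[i].base;
    }
    return found;
}

/* ---- constructed demo address space: three regions, not real process memory ---- */
enum { N_REGIONS = 3 };
static uint8_t g_space[N_REGIONS][PROBE_LEN];
static const uintptr_t g_bases[N_REGIONS] = { 0x10000, 0x20000, 0x30000 };

static int demo_read(void *ctx, uintptr_t addr, uint8_t *buf, size_t len)
{
    (void)ctx;
    for (int i = 0; i < N_REGIONS; i++)
        if (addr == g_bases[i] && len <= PROBE_LEN) { memcpy(buf, g_space[i], len); return 1; }
    return 0;
}

/* Write a minimal valid PE header (e_lfanew = 0x80, PE32 magic) into a demo region. */
static void put_pe(uint8_t *buf, uint32_t size_of_image)
{
    uint16_t mz = MZ_SIG, magic = 0x10B;
    uint32_t lfanew = 0x80, sig = PE_SIG;
    memset(buf, 0, PROBE_LEN);
    memcpy(buf, &mz, 2);
    memcpy(buf + 0x3C, &lfanew, 4);
    memcpy(buf + 0x80, &sig, 4);
    memcpy(buf + 0x80 + 24, &magic, 2);
    memcpy(buf + 0x80 + 24 + 56, &size_of_image, 4);
}

/* Build the demo: one listed image, one unlinked image, one data buffer that starts with "MZ". */
size_t demo_scan(uintptr_t *out, size_t max_out)
{
    region_t regions[N_REGIONS];
    module_t known[1] = { { 0x10000, "demo.exe" } };  /* what Module32First/Next would return */
    put_pe(g_space[0], 0x5000);                        /* the listed main image */
    put_pe(g_space[1], 0x3000);                        /* an image unlinked from PEB->Ldr */
    memset(g_space[2], 0, PROBE_LEN);
    memcpy(g_space[2], "MZ", 2);                       /* stray "MZ" in a data region: not a module */
    for (int i = 0; i < N_REGIONS; i++) { regions[i].base = g_bases[i]; regions[i].size = PROBE_LEN; }
    return find_hidden_modules(regions, N_REGIONS, demo_read, NULL, known, 1, out, max_out);
}

int main(void)
{
    uintptr_t hidden[N_REGIONS];
    size_t n = demo_scan(hidden, N_REGIONS);
    for (size_t i = 0; i < n; i++)
        printf("phantom module at 0x%" PRIxPTR "\n", hidden[i]);  /* demo reports 0x20000 */
    return 0;
}
```

Two caveats for a real run: a scanner that relies on headers will miss an image whose MZ/PE header was wiped after mapping, so a stronger check is to also flag executable private memory that contains no listed module at all; and the base comparison should be done against the module's own base from Toolhelp, not against an address found inside its SizeOfImage range, otherwise an image mapped at a different address but copied from a known DLL still shows up, which is usually what you want.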
September 21, 2009 Mind PM-ing me the file? Or just a dump of it? It seems to me it's identifying certain strings inside the link you are navigating (e.g. "google." with strstr), then I see some encrypted strings that do get decrypted in those CALLs... and I lost interest, since I can't run through it :-P PM PLOX!