May 21 2004, 03:41 AM
Post #1
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

Scan saved at 4:29:35 AM, on 5/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
D:\McAfee\McAfee Firewall\CPD.EXE
C:\WINNT\Explorer.EXE
D:\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HiJACK THiS\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Winamp\winamp.exe
C:\WINNT\msagent\AgentSvr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {971F740B-4E6B-4A60-88CB-923C0E32390B} - C:\WINNT\system32\oephome.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk95.exe
O4 - HKLM\..\Run: [HydarVisionViewport] viewport.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O8 - Extra context menu item: Download with GetRight - D:\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C433FE03-1F97-4FB8-A7AB-5CCB078B268E}: NameServer = 216.138.0.4 216.138.0.11

May 21 2004, 03:44 PM
Post #2
Security Expert Group: Malware Expert Posts: 6,695 Joined: 1-November 03 From: UK Member No.: 668 Operating System: Windows XP

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find the "Appinit_Dlls" value on the right side panel, double-click it, then copy and post here the information in the 'Value' field.

May 22 2004, 12:43 AM
Post #3
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

C:\WINNT\system32\wdmg.dll

I already checked to see if the file was in system32 and it's not there.

May 22 2004, 03:24 AM
Post #4
Security Expert Group: Malware Expert Posts: 6,695 Joined: 1-November 03 From: UK Member No.: 668 Operating System: Windows XP

Use the Registrar Lite program again. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Windows key in the left pane to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

Double-click the "Appinit_Dlls" value on the right pane and erase the data in the lower box (in the value field): "C:\WINNT\System32\wdmg.dll", hit 'apply' and 'ok' to set.

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer.

If all goes well the hidden process will not run at startup and you should now be able to find and *see* the wdmg.dll in C:\WINNT\System32.

Using Explorer go to your root drive: C:\ and create a new folder, name it: 'Junk'.

Unzip and run Winfile from here. Open it up, click File>Move...

Copy and paste this into the 'From' box: C:\WINNT\System32\wdmg.dll
Copy and paste this into the 'To' box: C:\Junk\wdmg.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there.

If it's there, click here to download CWShredder by Merijn Bellekom and run it, hit 'fix' as opposed to 'scan only'. Reboot when done.

Run HJT and post a new log for the next steps.

May 22 2004, 04:49 AM
Post #5
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

Logfile of HijackThis v1.97.7
Scan saved at 5:45:40 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
D:\McAfee\McAfee Firewall\CPD.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\taskmgr.exe
D:\Registrar Lite\rl.exe
C:\Documents and Settings\Administrator\Desktop\HiJACK THiS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {20E81745-9FAD-4BA5-AAAC-3A86F8AA3902} - C:\WINNT\system32\cffanp.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C433FE03-1F97-4FB8-A7AB-5CCB078B268E}: NameServer = 216.138.0.4 216.138.0.11

May 22 2004, 04:51 AM
Post #6
Authentic Member Group: Malware Team Posts: 116 Joined: 19-January 04 Member No.: 2,208

Download this zip.

http://tools.zerosrealm.com/pv.zip

Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipping, go to the desktop. Open the pv folder. Double click on the runme.bat

A DOS window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the log into this post.

May 22 2004, 04:53 AM
Post #7
Security Expert Group: Malware Expert Posts: 6,695 Joined: 1-November 03 From: UK Member No.: 668 Operating System: Windows XP

Did you move that file?

If so, click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General > activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine > activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine > activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?". Reboot when done.

Make sure that you have no browser windows open as this could prevent the fix from working properly.

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {20E81745-9FAD-4BA5-AAAC-3A86F8AA3902} - C:\WINNT\system32\cffanp.dll

Reboot when done, rescan with HJT and post a new log here for a final check over.

Also could you try to delete the C:\Junk folder - this may be difficult, let me know how you get on.

May 22 2004, 04:59 AM
Post #8
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

Module information for 'Explorer.EXE'

May 22 2004, 05:05 AM
Post #9
Authentic Member Group: Malware Team Posts: 116 Joined: 19-January 04 Member No.: 2,208

C:\WINNT\system32\cffanp.dll

Please download TheKillbox from here: http://download.broadbandmedic.com/

Unzip the files to a folder, then double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

C:\WINNT\system32\cffanp.dll

Don't click any of the buttons though, instead please click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, do so.

When you're back in Windows, please run the latest version of cwshredder.

Post a new pv.zip explorer log along with a hijackthis log.

Edit: sorry for stepping on toes Daemon, the user is in chat asking for help.

This post has been edited by Atribune: May 22 2004, 05:05 AM

May 22 2004, 05:38 AM
Post #10
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

Logfile of HijackThis v1.97.7
Scan saved at 6:37:18 AM, on 5/22/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
D:\McAfee\McAfee Firewall\CPD.EXE
D:\McAfee\McAfee Firewall\CPD.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HiJACK THiS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {DE03BB95-2A23-43FD-9014-C3723DB4F0FB} - C:\WINNT\system32\micdkaa.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C433FE03-1F97-4FB8-A7AB-5CCB078B268E}: NameServer = 216.138.0.4 216.138.0.11

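An added example, not part of any post in this thread: a Python script that parses HijackThis log lines, pairs the `res://...dll/sp.html` search settings with the BHO registered from the same DLL, and flags when consecutive scans show the same settings re-hijacked under a new DLL name, as the three logs in posts #1, #5 and #10 do. The sample lines are copied from those logs; the function names are hypothetical.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

# Constructed sample input: selected lines copied from the three HijackThis logs
# posted in this thread (posts #1, #5 and #10), keyed by each log's scan time.
SCANS = [
    ("5/21/2004 4:29:35 AM", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\oephome.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {971F740B-4E6B-4A60-88CB-923C0E32390B} - C:\WINNT\system32\oephome.dll
"""),
    ("5/22/2004 5:45:40 AM", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\cffanp.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {20E81745-9FAD-4BA5-AAAC-3A86F8AA3902} - C:\WINNT\system32\cffanp.dll
"""),
    ("5/22/2004 6:37:18 AM", r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\micdkaa.dll/sp.html (obfuscated)
O2 - BHO: (no name) - {DE03BB95-2A23-43FD-9014-C3723DB4F0FB} - C:\WINNT\system32\micdkaa.dll
"""),
]

# R0-R3 lines: "<code> - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^R[0-3] - (?P<key>HK[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# A res:// URL that serves a page out of a DLL's resources
RES_DLL = re.compile(r"res://(?P<dll>.+?\.dll)/", re.IGNORECASE)
# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_LINE = re.compile(r"^O2 - BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<dll>.+)$")


def parse_log(text):
    """Return (res_refs, bhos): IE settings served from a DLL via res://, and BHO registrations."""
    res_refs, bhos = [], []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            dll = RES_DLL.search(m["data"])
            if dll:
                res_refs.append((m["key"] + "," + m["value"], dll["dll"].lower()))
            continue
        m = BHO_LINE.match(line)
        if m:
            bhos.append((m["clsid"].upper(), m["dll"].strip().lower()))
    return res_refs, bhos


def find_hijacker(text):
    """DLLs that are both the res:// source of IE search settings and a registered BHO."""
    res_refs, bhos = parse_log(text)
    res_dlls = {dll for _, dll in res_refs}
    return [
        {"dll": dll, "clsid": clsid,
         "values": sorted(v for v, d in res_refs if d == dll)}
        for clsid, dll in bhos if dll in res_dlls
    ]


def track_rotation(scans):
    """Flag scans where settings hijacked earlier point at a differently named DLL.

    A rename between scans means something outside the BHO is re-creating it,
    so deleting the DLL alone will not hold (the thread found an AppInit_DLLs entry).
    """
    findings, prev = [], None
    for when, text in scans:
        for hit in find_hijacker(text):
            same_settings = prev and set(prev["values"]) & set(hit["values"])
            if same_settings and prev["dll"] != hit["dll"]:
                findings.append((when, basename(prev["dll"]), basename(hit["dll"])))
            prev = hit
    return findings


if __name__ == "__main__":
    for when, text in SCANS:
        for hit in find_hijacker(text):
            print(when, hit["clsid"], hit["dll"], len(hit["values"]), "settings")
    for when, old, new in track_rotation(SCANS):
        print(f"{when}: {old} replaced by {new}; look for the loader, not just the DLL")
```
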
May 22 2004, 05:42 AM
Post #11
Security Expert Group: Malware Expert Posts: 6,695 Joined: 1-November 03 From: UK Member No.: 668 Operating System: Windows XP

May 22 2004, 05:42 AM
Post #12
New Member Group: Authentic Member Posts: 14 Joined: 21-May 04 Member No.: 7,375

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 400000 253952 C:\WINNT\Explorer.EXE 5.00.3700.6690 Windows Explorer
ntdll.dll 77f80000 512000 C:\WINNT\system32\ntdll.dll 5.00.2195.6899 NT Layer DLL
ADVAPI32.DLL 7c2d0000 401408 C:\WINNT\system32\ADVAPI32.DLL 5.00.2195.6876 Advanced Windows 32 Base API
KERNEL32.DLL 7c570000 753664 C:\WINNT\system32\KERNEL32.DLL 5.00.2195.6897 Windows NT BASE API Client DLL
RPCRT4.DLL 77d30000 450560 C:\WINNT\system32\RPCRT4.DLL 5.00.2195.6802 Remote Procedure Call Runtime
GDI32.DLL 77f40000 253952 C:\WINNT\system32\GDI32.DLL 5.00.2195.6898 GDI Client DLL
USER32.DLL 77e10000 413696 C:\WINNT\system32\USER32.DLL 5.00.2195.6897 Windows 2000 USER API Client DLL
SHLWAPI.DLL 70a70000 413696 C:\WINNT\system32\SHLWAPI.DLL 6.00.2800.1276 Shell Light-weight Utility Library
msvcrt.dll 78000000 282624 C:\WINNT\system32\msvcrt.dll 6.10.9844.0 Microsoft ® C Runtime Library
COMCTL32.DLL 71710000 540672 C:\WINNT\system32\COMCTL32.DLL 5.81 Common Controls Library
IMM32.DLL 75e60000 106496 C:\WINNT\system32\IMM32.DLL 5.00.2195.6655 Windows 2000 IMM32 API Client DLL
shim.dll 732e0000 151552 C:\WINNT\system32\shim.dll 5.00.2195.6717 Shim Engine DLL
AcLayers.DLL 23000000 352256 C:\WINNT\AppPatch\AcLayers.DLL 5.00.2195.6717 Windows 2000 Shim Accessory DLL
WS2_32.DLL 75030000 81920 C:\WINNT\system32\WS2_32.DLL 5.00.2195.6601 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75020000 32768 C:\WINNT\system32\WS2HELP.DLL 5.00.2134.1 Windows Socket 2.0 Helper for Windows NT
OLE32.DLL 77a50000 966656 C:\WINNT\system32\OLE32.DLL 5.00.2195.6810 Microsoft OLE for Windows
SHELL32.dll 782f0000 2392064 C:\WINNT\system32\SHELL32.dll 5.00.3700.6705 Windows Shell Common Dll
CLBCATQ.DLL 775a0000 548864 C:\WINNT\system32\CLBCATQ.DLL 2000.2.3504.0
OLEAUT32.dll 779b0000 634880 C:\WINNT\system32\OLEAUT32.dll 2.40.4522
AcSignIcon.dll 62830000 155648 C:\WINNT\system32\AcSignIcon.dll 16.0.0.86 AcSignIcon Module
WINSPOOL.DRV 77800000 122880 C:\WINNT\system32\WINSPOOL.DRV 5.00.2195.6659 Windows Spooler Driver
MPR.DLL 76620000 65536 C:\WINNT\system32\MPR.DLL 5.00.2195.6824 Multiple Provider Router DLL
OLEACC.dll 69640000 126976 C:\WINNT\system32\OLEACC.dll 4.2.3100.0 Active Accessibility Core Component
cscui.dll 77840000 253952 C:\WINNT\system32\cscui.dll 5.00.2195.6705 Client Side Caching UI
CSCDLL.DLL 770c0000 143360 C:\WINNT\system32\CSCDLL.DLL 5.00.2195.6713 Offline Network Agent
SHDOCVW.DLL e60000 1347584 C:\WINNT\system32\SHDOCVW.DLL 6.00.2800.1276 Shell Doc Object and Control Library
browseui.dll 71160000 1036288 C:\WINNT\System32\browseui.dll 6.00.2800.1106 Shell Browser UI Library
NETSHELL.dll 76f20000 487424 C:\WINNT\system32\NETSHELL.dll 5.00.2195.6604 Network Connections Shell
USERENV.DLL 7c0f0000 397312 C:\WINNT\system32\USERENV.DLL 5.00.2195.6794 Userenv
URLMON.DLL 1a400000 499712 C:\WINNT\system32\URLMON.DLL 6.00.2800.1282 OLE32 Extensions for Win32
VERSION.dll 77820000 28672 C:\WINNT\system32\VERSION.dll 5.00.2195.6623 Version Checking and File Installation Libraries
LZ32.DLL 759b0000 24576 C:\WINNT\system32\LZ32.DLL 5.00.2195.6611 LZ Expand/Compress API DLL
mlang.dll 70440000 585728 C:\WINNT\system32\mlang.dll 6.00.2800.1106 Multi Language Support DLL
mshtml.dll 63580000 2822144 C:\WINNT\system32\mshtml.dll 6.00.2800.1276 Microsoft ® HTML Viewer
WININET.DLL 70200000 610304 C:\WINNT\system32\WININET.DLL 6.00.2800.1106 Internet Extensions for Win32
CRYPT32.dll 7c740000 552960 C:\WINNT\system32\CRYPT32.dll 5.131.2195.6824 Crypto API32
MSASN1.DLL 77430000 65536 C:\WINNT\system32\MSASN1.DLL 5.00.2195.6905 ASN.1 Runtime APIs
RASAPI32.DLL 774e0000 208896 C:\WINNT\system32\RASAPI32.DLL 5.00.2195.6625 Remote Access API
RASMAN.DLL 774c0000 69632 C:\WINNT\system32\RASMAN.DLL 5.00.2195.6738 Remote Access Connection Manager
TAPI32.DLL 77530000 139264 C:\WINNT\system32\TAPI32.DLL 5.00.2195.6664 Microsoft® Windows Telephony API Client DLL
RTUTILS.DLL 77830000 57344 C:\WINNT\system32\RTUTILS.DLL 5.00.2168.1 Routing Utilities
sensapi.dll 75ab0000 20480 C:\WINNT\system32\sensapi.dll 5.00.2195.6627 SENS Connectivity API DLL
PDM.DLL 51660000 180224 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\PDM.DLL 7.00.9466 Process Debug Manager
shdoclc.dll 718c0000 540672 C:\WINNT\system32\shdoclc.dll 6.00.2800.1106 Shell Doc Object and Control Library
MSDBG2.DLL 51580000 176128 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MSDBG2.DLL 7.00.9466 Active Debugging Proxy/Stub
webcheck.dll 70340000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 Web Site Monitor
SETUPAPI.DLL 77880000 581632 C:\WINNT\system32\SETUPAPI.DLL 5.00.2195.6622 Windows Setup API
stobject.dll 766d0000 98304 C:\WINNT\system32\stobject.dll 5.00.2195.6601 Systray shell service object
BATMETER.DLL 76740000 32768 C:\WINNT\system32\BATMETER.DLL 5.00.3502.6601 Battery Meter Helper DLL
POWRPROF.DLL 766f0000 28672 C:\WINNT\system32\POWRPROF.DLL 5.00.3502.6601 Power Profile Helper DLL
WINMM.DLL 77570000 196608 C:\WINNT\system32\WINMM.DLL 5.00.2161.1 MCI API DLL
serwvdrv.dll 681a0000 28672 C:\WINNT\system32\serwvdrv.dll 5.00.2134.1 Unimodem Serial Wave driver
umdmxfrm.dll 66740000 28672 C:\WINNT\system32\umdmxfrm.dll 5.00.2134.1 Unimodem Tranform Module
mydocs.dll 76df0000 69632 C:\WINNT\system32\mydocs.dll 5.00.3502.6601 My Documents Folder UI
MSI.DLL 1e60000 2113536 C:\WINNT\system32\MSI.DLL 2.0.2600.1183 Windows Installer
ntshrui.dll 76fa0000 61440 C:\WINNT\system32\ntshrui.dll 5.00.2134.1 Shell extensions for sharing
ATL.DLL 773e0000 86016 C:\WINNT\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
NETAPI32.DLL 75170000 323584 C:\WINNT\system32\NETAPI32.DLL 5.00.2195.6897 Net Win32 API DLL
SECUR32.DLL 7c340000 61440 C:\WINNT\system32\SECUR32.DLL 5.00.2195.6695 Security Support Provider Interface
NETRAP.DLL 751c0000 24576 C:\WINNT\system32\NETRAP.DLL 5.00.2134.1 Net Remote Admin Protocol DLL
SAMLIB.DLL 75150000 61440 C:\WINNT\system32\SAMLIB.DLL 5.00.2195.6897 SAM Library DLL
WLDAP32.DLL 77950000 172032 C:\WINNT\system32\WLDAP32.DLL 5.00.2195.6666 Win32 LDAP API DLL
DNSAPI.DLL 77980000 147456 C:\WINNT\system32\DNSAPI.DLL 5.00.2195.6824 DNS Client API DLL
WSOCK32.DLL 75050000 32768 C:\WINNT\system32\WSOCK32.DLL 5.00.2195.6603 Windows Socket 32-Bit DLL
wdmaud.drv 77560000 32768 C:\WINNT\system32\wdmaud.drv 5.00.2195.6673 WDM Audio driver mapper
msacm32.drv 77400000 32768 C:\WINNT\system32\msacm32.drv 5.00.2134.1 Microsoft Sound Mapper
MSACM32.dll 77410000 77824 C:\WINNT\system32\MSACM32.dll 5.00.2134.1 Microsoft ACM Audio Filter
AcSignCore16.dll 628e0000 233472 C:\Program Files\Common Files\Autodesk Shared\AcSignCore16.dll 16.0.0.86 AcSignCore Module
msimtf.dll 60280000 176128 C:\WINNT\system32\msimtf.dll 1.00.2409.7 built by: Lab06_N Active IMM Server DLL
MSCTF.dll 60000000 282624 C:\WINNT\system32\MSCTF.dll 1.00.2409.7 built by: Lab06_N MSUIM Server DLL
MSLS31.DLL 75ac0000 163840 C:\WINNT\system32\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
ntlanman.dll 75160000 49152 C:\WINNT\System32\ntlanman.dll 5.00.2195.6601 Microsoft® Lan Manager
NETUI0.DLL 75210000 86016 C:\WINNT\System32\NETUI0.DLL 5.00.2195.6601 NT LM UI Common Code - GUI Classes
NETUI1.DLL 751d0000 229376 C:\WINNT\System32\NETUI1.DLL 5.00.2134.1 NT LM UI Common Code - Networking classes
es.dll 76290000 241664 C:\WINNT\System32\es.dll 2000.2.3504.0
TXFAUX.DLL 6de80000 409600 C:\WINNT\System32\TXFAUX.DLL 2000.2.3504.0 Support routines for TXF
jscript.dll 6b700000 589824 C:\WINNT\System32\jscript.dll 5.6.0.8513 Microsoft ® JScript
mshtmled.dll 70f30000 450560 C:\WINNT\System32\mshtmled.dll 6.00.2800.1106 Microsoft ® HTML Editing Component
CfgMgr32.dll 770b0000 28672 C:\WINNT\system32\CfgMgr32.dll 5.00.2134.1 Configuration Manager Forwarder DLL
vdmdbg.dll 66390000 45056 C:\WINNT\system32\vdmdbg.dll 5.00.2134.1 VDMDBG.DLL
RASDLG.dll 75870000 536576 C:\WINNT\system32\RASDLG.dll 5.00.2195.6625 Remote Access Common Dialog API
MPRAPI.dll 77320000 94208 C:\WINNT\system32\MPRAPI.dll 5.00.2181.1 Windows NT MP Router Administration DLL
ACTIVEDS.DLL 773b0000 192512 C:\WINNT\system32\ACTIVEDS.DLL 5.00.2195.6601 ADs Router Layer DLL
ADSLDPC.DLL 77380000 143360 C:\WINNT\system32\ADSLDPC.DLL 5.00.2195.6701 ADs LDAP Provider C DLL
rsabase.dll 7ca00000 143360 C:\WINNT\system32\rsabase.dll 5.00.2195.6619 Microsoft Base Cryptographic Provider (Export Version)
browselc.dll 71960000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 Shell Browser UI Library
msohev.dll 325c0000 73728 D:\Office 2003\OFFICE11\msohev.dll 11.0.5510 Microsoft Office 2003 component
webvw.dll 658f0000 1130496 C:\WINNT\System32\webvw.dll 5.00.2920.0000 Shell WebView Content & Control Library
docprop2.dll 71f00000 315392 C:\WINNT\System32\docprop2.dll 5.00.2178.1 DocProp2
MSVFW32.DLL 6a8f0000 131072 C:\WINNT\System32\MSVFW32.DLL 5.00.2195.6612 Microsoft Video for Windows DLL
AVIFIL32.DLL 74870000 90112 C:\WINNT\System32\AVIFIL32.DLL 5.00.2195.6612 Microsoft AVI File support library
faxshell.dll 70020000 20480 C:\WINNT\system32\faxshell.dll 5.00.2134.1 Fax Tiff Data Column Provider
imgutil.dll 70510000 40960 C:\WINNT\system32\imgutil.dll 6.00.2800.1106 IE plugin image decoder support DLL
USP10.DLL 66650000 344064 C:\WINNT\system32\USP10.DLL 1.0325.2195.6692 Uniscribe Unicode script processor
LINKINFO.DLL 76710000 36864 C:\WINNT\system32\LINKINFO.DLL 5.00.2134.1 Windows Volume Tracking
May 22 2004, 05:47 AM
Post
#13
Authentic Member Group: Malware Team Posts: 116 Joined: 19-January 04 Member No.: 2,208
Sorry Daemon, it's all yours
May 22 2004, 05:57 AM
Post
#14
Security Expert Group: Malware Expert Posts: 6,695 Joined: 1-November 03 From: UK Member No.: 668 Operating System: Windows XP
No problem. You finish it off if you are discussing in chat. Just wanted to avoid confusion.
May 22 2004, 06:13 AM
Post
#15
Authentic Member Group: Malware Team Posts: 116 Joined: 19-January 04 Member No.: 2,208 |