Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain the symptoms and the environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing to you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.
1) Hardware
MODEL: Dell XPS 430
CHIP: Intel Core2 Quad (2.50 MHz)
RAM: 6 GB DDR3
OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.
2) Symptoms
This is not an all-inclusive list, but here are some of the more obvious ones:
-User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
-Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
-CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
-Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
-Computer settings indicate my location as being on a LAN or WAN, but I'm not
-Remote login/user/access/registry programs constantly starting up on their own
-Memory processes persist even after reboot that I did not start and cannot kill
3) Drivers currently installed (according to the System Information for Windows app). Keep in mind that I am running UBCD4Win with no on-board or external hard drives connected. I apologize for the messy formatting.
4) DLLs currently loaded
5) Running processes
6) NT processes running (again, bear in mind that the hard drive containing all the Vista boot data was disconnected before I rebooted into UBCD4Win)
Themes Themes Win32_Share_Process Stopped Auto Start X:\I386\System32\svchost.exe -k netsvcs
vds Virtual Disk Service Win32_Own_Process Stopped Demand Start X:\I386\System32\vds.exe
PolicyAgent IPSEC Services 5.1.2600.2180 Win32_Share_Process Stopped Auto Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
Dhcp DHCP Client Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
Nla Network Location Awareness (NLA) Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
LmHosts TCP/IP NetBIOS Helper Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k LocalService
alerter alerter Win32_Share_Process Stopped Demand Start X:\I386\system32\svchost.exe -k LocalService
Browser Computer Browser Win32_Share_Process Stopped Demand Start X:\I386\system32\svchost.exe -k netsvcs
LanmanWorkstation Workstation Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
Netlogon Net Logon 5.1.2600.2180 Win32_Share_Process Stopped Demand Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
Messenger Messenger Win32_Share_Process Stopped Auto Start X:\I386\system32\svchost.exe -k LocalService
NtLmSsp NT LM Security Support Provider 5.1.2600.2180 Win32_Share_Process Stopped Demand Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
RpcLocator Remote Procedure Call (RPC) Locator 5.1.2600.2180 Win32_Own_Process Stopped Demand Start X:\I386\SYSTEM32\LOCATOR.EXE Rpc Locator / Microsoft® Windows® Operating System
7) HijackThis scan results
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:48:35 AM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
X:\I386\system32\csrss.exe
X:\I386\system32\services.exe
X:\I386\system32\lsass.exe
X:\I386\system32\svchost.exe
X:\I386\system32\svchost.exe
X:\Programs\Nu2Menu\nu2menu.exe
X:\programs\geoshell\GEOSHELL.EXE
X:\I386\System32\svchost.exe
X:\programs\rocketdock\RocketDock.exe
X:\I386\system32\svchost.exe
X:\I386\system32\hh.exe
X:\I386\EXPLORER.EXE
X:\I386\iexplore.exe
X:\I386\System32\taskmgr.exe
X:\I386\system32\notepad.exe
X:\Programs\AgentRansack\AgentRansack.exe
X:\Programs\SysInfo\siw.exe
X:\PROGRAMS\HijackThis\HijackThis.exe
X:\I386\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ubcd4win.com/forum
F2 - REG:system.ini: Shell=preshell.exe
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - X:\I386\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - X:\I386\System32\browseui.dll
O23 - Service: AntiVir Personal Scheduler (AntiVirScheduler) - Unknown owner - B:\AntiVir\sched.exe (file missing)
O23 - Service: DCOM Services (DcomLaunch) - Unknown owner - svchost.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - X:\I386\System32\msdtc.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - X:\I386\System32\vds.exe (file missing)
--
End of file - 3083 bytes
That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.
Any thoughts on what could be happening, or what I can do to diagnose/fix it?
Thanks again for any help or advice you can give me.
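As an added example (not from the thread and not a HijackThis tool), a small Python parser for log lines in the format posted above. It flags the O23 services whose binary is reported missing and the O15 zone entries, checks the system.ini Shell= value, and, from the drive letter the running processes live on, records whether the log describes the installed OS or a boot-CD environment. The sample log is constructed to mirror the posted one; its byte count is a placeholder.

```python
"""Flag review points in a HijackThis-style log (added example, not the project's code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")  # e.g. "O23 - Service: ..."
SHELL_RE = re.compile(r"Shell=(?P<shell>\S+)", re.IGNORECASE)     # F2 system.ini Shell= value
DRIVE_RE = re.compile(r"^([A-Za-z]):\\")                           # leading drive letter of a path

# Constructed sample in the same layout as the posted log (not the thread's real file).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:48:35 AM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
X:\I386\system32\csrss.exe
X:\I386\system32\services.exe
X:\I386\system32\svchost.exe
X:\PROGRAMS\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=preshell.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - X:\I386\System32\vds.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe
--
End of file - PLACEHOLDER bytes
"""


@dataclass
class Finding:
    section: str   # HijackThis section id (O23, O15, F2, ...) or "ENV" for environment notes
    reason: str
    detail: str


@dataclass
class Report:
    boot_volume: str = ""                         # drive most running processes were loaded from
    processes: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_hjt(text: str) -> Report:
    """Walk the log once: collect process paths, then classify each R/F/O entry."""
    report = Report()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Inside the process block every line is a full path; anything else is header/footer.
            if in_processes and DRIVE_RE.match(line):
                report.processes.append(line)
            continue
        in_processes = False
        section, body = m.group("section"), m.group("body")
        if section == "O23" and "(file missing)" in body:
            report.findings.append(Finding(section, "service binary not found at its registered path", body))
        elif section == "O15":
            report.findings.append(Finding(section, "protocol mapped to a non-default security zone", body))
        elif section == "F2":
            sm = SHELL_RE.search(body)
            if sm and sm.group("shell").lower() != "explorer.exe":
                report.findings.append(Finding(section, "non-standard shell in system.ini", body))
    drives = Counter(DRIVE_RE.match(p).group(1).upper() for p in report.processes)
    if drives:
        report.boot_volume = drives.most_common(1)[0][0] + ":"
        if report.boot_volume != "C:":
            # Processes loaded from a RAM/CD volume describe the rescue environment, not the installed OS.
            report.findings.append(Finding("ENV", "processes run from a volume other than C:, so this log "
                                           "describes the boot environment, not the installed OS", report.boot_volume))
    return report


def summarize(report: Report) -> list:
    """One human-readable line per finding, for pasting into a reply."""
    return [f"[{f.section}] {f.reason}: {f.detail}" for f in report.findings]


if __name__ == "__main__":
    for line in summarize(parse_hjt(SAMPLE_LOG)):
        print(line)
```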
Plagued by a process Please help me exterminate this clever virus
#3
Posted 08 July 2009 - 11:06 AM
Why on earth did you post all that information about what's running while you're booted from UBCD4Win???
For everyone else that takes the time to read this post, this is the only part that's relevant:
Quote
Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain symptoms and environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.
1) Hardware
MODEL: Dell XPS 430
CHIP: Intel Core2 Quad (2.50Mhz)
RAM: 6Gb DDR3
OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.
2) Symptoms
This is not an all-inclusive list, but here are some of the more obvious ones:
-User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
-Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
-CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
-Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
-Computer settings indicate my location as being on a LAN or WAN, but I'm not
-Remote login/user/access/registry programs constantly starting up on their own
-Memory processes persist even after reboot that I did not start and cannot kill
That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.
Any thoughts on what could be happening, or what I can do to diagnose/fix it?
Thanks again for any help or advice you can give me.
If you're afraid of taking any chances then the chances are great that you will never learn anything
Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
#5
Posted 08 July 2009 - 04:02 PM
Hi RootkitMary
Assuming this is a genuine problem and not a wind-up:
User preferences and settings do not survive a reboot: this is standard if running a UBCD4Win or BartPE CD (or any other Win PE CD).
INCLUDING CMOS SETTINGS: this is the real problem,
ranging from a flat CMOS battery (usually a lithium coin battery on modern PCs), or
it could be caused by the CMOS clear jumper being set to clear CMOS (I saw this once) (in some cases this can damage the motherboard).
regards
Mike Barnes
#6
Posted 08 July 2009 - 05:20 PM
pcuser, on 08 July 2009 - 11:06 AM, said:
Why on earth did you post all that information about what's running while you're booted from UBCD4Win???
For everyone else that takes the time to read this post, this is the only part that's relevant:
Quote
Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain symptoms and environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.
1) Hardware
MODEL: Dell XPS 430
CHIP: Intel Core2 Quad (2.50Mhz)
RAM: 6Gb DDR3
OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.
2) Symptoms
This is not an all-inclusive list, but here are some of the more obvious ones:
-User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
-Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
-CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
-Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
-Computer settings indicate my location as being on a LAN or WAN, but I'm not
-Remote login/user/access/registry programs constantly starting up on their own
-Memory processes persist even after reboot that I did not start and cannot kill
That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.
Any thoughts on what could be happening, or what I can do to diagnose/fix it?
Thanks again for any help or advice you can give me.
Haha -- Sorry I went overboard. I figured too much information is better than not enough information. Also, I am convinced there are processes running that should not be, and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.
Do you have any idea what I might be dealing with, or a scan I can do that might catch something my antivirus software can't detect?
#7
Posted 08 July 2009 - 05:28 PM
mbarnes, on 08 July 2009 - 04:02 PM, said:
Hi RootkitMary
Assuming this is a genuine problem and not a wind-up:
User preferences and settings do not survive a reboot: this is standard if running a UBCD4Win or BartPE CD (or any other Win PE CD).
INCLUDING CMOS SETTINGS: this is the real problem,
ranging from a flat CMOS battery (usually a lithium coin battery on modern PCs), or
it could be caused by the CMOS clear jumper being set to clear CMOS (I saw this once) (in some cases this can damage the motherboard).
regards
Mike Barnes
Hi Mike --
I should have specified that user settings did not survive a reboot when I was using Windows Vista. I thought about the battery issue and replaced the CMOS battery with a new one, so I don't think that's the issue. Also, I have not messed with the jumpers at all.
Another symptom I forgot to mention is that whenever I launched a process in Vista that triggered the user account control for elevated privileges, the prompt would come up twice. I've heard that some viruses wait until a legitimate program is launched, and then copy the name of that program in an effort to spoof the user into granting it privileges, as well. I thought that might be what's happening, but I don't know for sure.
#8
Posted 08 July 2009 - 05:30 PM
Quote
and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.
We have no idea what processes are running on your system while booted into windows since you showed us a list of processes that were running while you were booted from UBCD4Win. To start with, you can try running all the anti-malware programs that are included on the cd.
If you're afraid of taking any chances then the chances are great that you will never learn anything
Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
#9
Posted 08 July 2009 - 06:09 PM
pcuser, on 08 July 2009 - 05:30 PM, said:
Quote
and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.
We have no idea what processes are running on your system while booted into windows since you showed us a list of processes that were running while you were booted from UBCD4Win. To start with, you can try running all the anti-malware programs that are included on the cd.
What I'm trying to say is that I think there is a rogue process running on my system NOW, even when I'm booted into UBCD4Win. My Internet explorer STILL has the redirect problem even in UBCD4Win, even with my hard drive offline. Both the SATA and power cables were disconnected before I booted into UBCD4Win.
Is that even possible? I know my copy of UBCD is clean, and I booted straight from CD-ROM. Is it possible that a malicious or corrupted driver that launches pre-boot, perhaps stored in EEPROM, is launching the malicious code even with my hard drive unplugged? That's what I was trying to find out.
But maybe I'm getting ahead of myself. I will attempt to reconnect the hard drive and run some type of scan so I can post the results here. Most of the anti-virus programs included in UBCD4Win have been disabled -- I can't get them to run on my system because of this whatever-it-is that's messing things up.
#10
Posted 08 July 2009 - 06:14 PM
Create the UBCD4Win ( not UBCD ) disk on another known clean system... There is no way that something else ( ie BIOS etc ) is going to affect the disk you created, only if you had built it on an infected system could explain it.
Note.... to avoid confusion on what you are referring to..
UBCD - is a DOS based boot CD with utils to repair / recover computers
UBCD4Win - is a Windows based boot CD to also repair / recover computers and also can include UBCD with it...
So when talking about UBCD4Win please don't call it UBCD since that is another project
Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....
#11
Posted 09 July 2009 - 07:09 AM
rdsok, on 08 July 2009 - 06:14 PM, said:
Create the UBCD4Win ( not UBCD ) disk on another known clean system... There is no way that something else ( ie BIOS etc ) is going to affect the disk you created, only if you had built it on an infected system could explain it.
Note.... to avoid confusion on what you are referring to..
UBCD - is a DOS based boot CD with utils to repair / recover computers
UBCD4Win - is a Windows based boot CD to also repair / recover computers and also can include UBCD with it...
So when talking about UBCD4Win please don't call it UBCD since that is another project
Understood -- I did not realize there was a different boot disk for DOS by that name. To clarify, all of my previous references to UBCD* have been specifically with regard to UBCD4Win.
As far as having a clean copy, I've got that covered. The disk was burned on another computer that I am 99.9 percent sure was clean. So if my copy isn't running as it should, the only reason would be because of a firmware or hardware issue. But I'm going to set that issue aside for now and simply attempt to run it with my hard drive connected in order to scan for obvious issues. I'll burn the logs to CD-ROM, then disconnect the drive, boot back into UBCD4Win and post them online. I cannot connect from Vista because of the issues I'm experiencing.
Also, thank you for taking the time to assist me in solving the problem.
#12
Posted 09 July 2009 - 10:37 AM
RootkitMary, on 09 July 2009 - 07:09 AM, said:
the only reason would be because of a firmware or hardware issue.
BIOS infections, while possible, are extremely unlikely. Each BIOS must be customized specifically for the motherboard it's going to be used on. In other words, the code must match the manufacturer, model and revision to a tee. This is so critical that normally if you take a BIOS code for model "x" revision one and try to use it on revision two... it will fail to boot in many if not all cases ( actually the term is POST but anyway ). There are a few exceptions but they really are not exceptions, these are where a model board is released under different company/model names but this doesn't happen often. In other words brand A and B are really the same brand.
This means that for a malware to be able to infect a BIOS and then the motherboard still work and boot... the malware would have to be customized for just one specific make/model/rev of board. Now imagine ( if you were that malware author trying to do this ) making your malware work for each system board that exists. The author would need copies of each bios they were going to infect, they would need to study each one to see where they could inject their code so it was effective AND so the motherboard could still operate. Then repeat the process over and over for every single motherboard they wanted to infect. The size of that job alone makes it impractical if not impossible to achieve.
Another thing to consider about this. A programmer that has the skills needed to even pull off a small portion of the above work, would be in such high demand in the market and wouldn't have a need to perform that type of grudge work for such little gain. So it is possible if a programmer has the knowledge to do the work but it is so impractical as it would border on the ridiculous.
Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....