UBCD4Win Forums: Plagued by a process

Plagued by a process: Please help me exterminate this clever virus

#1 RootkitMary

    Posted 08 July 2009 - 07:54 AM

    Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain the symptoms and the environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.

    1) Hardware
    MODEL: Dell XPS 430
    CHIP: Intel Core2 Quad (2.50Mhz)
    RAM: 6Gb DDR3
    OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
    NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.

    2) Symptoms
    This is not an all-inclusive list, but here are some of the more obvious ones:
    -User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
    -Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
    -CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
    -Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
    -Computer settings indicate my location as being on a LAN or WAN, but I'm not
    -Remote login/user/access/registry programs constantly starting up on their own
    -Memory processes persist even after reboot that I did not start and cannot kill

    3) Drivers currently installed (according to the System Information for Windows app). Keep in mind that I am running UBCD4 with no on-board or external hard drives connected. I apologize for the messy formatting.

    Name Description Version Type Status Start Path File Description
    Afd AFD Networking Support Environment 5.1.2600.2180 Kernel Driver Running Demand Start X:\I386\SYSTEM32\DRIVERS\AFD.SYS Ancillary Function Driver for WinSock / Microsoft® Windows® Operating System
    AsyncMac RAS Asynchronous Media Driver 5.1.2600.2180 Kernel Driver Stopped Demand Start System32\DRIVERS\asyncmac.sys MS Remote Access serial network driver / Microsoft® Windows® Operating System
    avgio avgio Kernel Driver Stopped System Start \??\B:\AntiVir\avgio.sys
    avgntflt avgntflt File System Driver Stopped Demand Start \??\B:\AntiVir\avgntflt.sys
    avipbb avipbb 1.0.2.22 Kernel Driver Running System Start system32\DRIVERS\avipbb.sys Avira Driver for RootKit Detection
    Beep Beep Kernel Driver Running System Start
    dmboot dmboot Kernel Driver Running Demand Start dmboot.sys
    dmio dmio Kernel Driver Running Demand Start dmio.sys
    dmload dmload Kernel Driver Running Demand Start dmload.sys
    giveio giveio Kernel Driver Stopped Boot Start X:\I386\SYSTEM32\GIVEIO.SYS
    hidusb hidusb 5.1.2600.0 Kernel Driver Running Demand Start system32\DRIVERS\hidusb.sys USB Miniport Driver for Input Devices / Microsoft® Windows® Operating System
    IpNat IpNat 5.1.2600.2180 Kernel Driver Stopped Demand Start system32\drivers\ipnat.sys IP Network Address Translator / Microsoft® Windows® Operating System
    kbdhid Keyboard HID Driver 5.1.2600.2180 Kernel Driver Running Demand Start System32\DRIVERS\kbdhid.sys HID Mouse Filter Driver / Microsoft® Windows® Operating System
    meiudf meiudf 4.0.8.0 File System Driver Running System Start System32\Drivers\meiudf.sys DVD-RAM UDF File System Driver
    Modem Modem Kernel Driver Stopped Demand Start
    MODEMCSA Unimodem Stream Filter Device 5.1.2600.0 Kernel Driver Stopped Demand Start system32\drivers\MODEMCSA.sys Unimodem CSA Filter / Microsoft® Windows® Operating System
    mouhid Mouse HID Driver 5.1.2600.0 Kernel Driver Running Demand Start system32\DRIVERS\mouhid.sys HID Mouse Filter Driver / Microsoft® Windows® Operating System
    Msfs Msfs File System Driver Running System Start
    Mup Mup File System Driver Running Demand Start mup.sys
    Ndis NDIS System Driver Kernel Driver Running Demand Start ndis.sys
    NdisTapi Remote Access NDIS TAPI Driver 5.1.2600.0 Kernel Driver Stopped Demand Start System32\DRIVERS\ndistapi.sys NDIS 3.0 connection wrapper driver / Microsoft® Windows® Operating System
    Ndisuio NDIS Usermode I/O Protocol 5.1.2600.2180 Kernel Driver Stopped Demand Start System32\DRIVERS\ndisuio.sys NDIS User mode I/O Driver / Microsoft® Windows® Operating System
    NdisWan NDIS WAN 5.1.2600.2180 Kernel Driver Stopped Demand Start System32\DRIVERS\ndiswan.sys MS PPP Framing Driver (Strong Encryption) / Microsoft® Windows® Operating System
    NDProxy NDIS Proxy Kernel Driver Stopped Demand Start
    Npfs Npfs File System Driver Running System Start
    Null Null Kernel Driver Running System Start
    RAMDriv Ramdisk [ UBCD4WIN ] 5.3.1.6 Kernel Driver Running Demand Start system32\drivers\RAMDriv.sys UBCD4Win RAMDrive Enterprise / UBCD4Win RAM Disk
    RasAcd Remote Access Auto Connection Driver 5.1.2600.0 Kernel Driver Running System Start System32\DRIVERS\rasacd.sys RAS Automatic Connection Driver / Microsoft® Windows® Operating System
    ROOTMODEM Microsoft Legacy Modem Driver 5.1.2600.0 Kernel Driver Stopped Demand Start System32\Drivers\RootMdm.sys Legacy Non-Pnp Modem Device Driver / Microsoft® Windows® Operating System
    serenum serenum Kernel Driver Stopped Demand Start serenum.sys
    serial Serial port driver Kernel Driver Stopped Demand Start serial.sys
    sermouse Serial Mouse Driver 5.1.2600.0 Kernel Driver Stopped Demand Start System32\drivers\sermouse.sys Serial Mouse Filter Driver / Microsoft® Windows® Operating System
    speedfan speedfan 1.0.0.0 Kernel Driver Stopped Boot Start X:\I386\SYSTEM32\SPEEDFAN.SYS SpeedFan Device Driver / Windows ® Server 2003 DDK driver
    ssmdrv ssmdrv 7.0.1.1 Kernel Driver Running System Start system32\DRIVERS\ssmdrv.sys AVIRA SnapShot Driver
    swenum Software Device Enumerator Driver 5.3.2600.2180 Kernel Driver Running Demand Start System32\DRIVERS\swenum.sys Plug and Play Software Device Enumerator / Microsoft® Windows® Operating System
    Udfs Udfs File System Driver Running System Start
    usbccgp USB Composite Device 5.1.2600.2180 Kernel Driver Running Demand Start system32\DRIVERS\usbccgp.sys USB Common Class Generic Parent Driver / Microsoft® Windows® Operating System
    VgaSave VgaSave 5.1.2600.2180 Kernel Driver Running System Start X:\I386\SYSTEM32\DRIVERS\VGA.SYS VGA/Super VGA Video Driver / Microsoft® Windows® Operating System
    e1express Intel® PRO/1000 PCI Express Network Connection Driver 9.10.8.0 Kernel Driver Running Demand Start system32\DRIVERS\e1e5132.sys Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver / Intel® PRO/1000 Adapter
    Tcpip TCP/IP Protocol Driver 5.1.2600.2180 Kernel Driver Running System Start system32\DRIVERS\tcpip.sys TCP/IP Protocol Driver / Microsoft® Windows® Operating System
    IPSec IPSEC driver 5.1.2600.2180 Kernel Driver Running System Start system32\DRIVERS\ipsec.sys IPSec Driver / Microsoft® Windows® Operating System
    Atmarpc ATM ARP Client Protocol 5.1.2600.2180 Kernel Driver Stopped Demand Start system32\DRIVERS\atmarpc.sys IP/ATM Arp Client / Microsoft® Windows® Operating System
    NetBT NetBios over Tcpip 5.1.2600.2180 Kernel Driver Running System Start system32\DRIVERS\netbt.sys MBT Transport driver / Microsoft® Windows® Operating System
    Rdbss Rdbss 5.1.2600.2180 File System Driver Running System Start system32\DRIVERS\rdbss.sys Redirected Drive Buffering SubSystem Driver / Microsoft® Windows® Operating System
    MrxSmb MrxSmb 5.1.2600.2180 File System Driver Running System Start system32\DRIVERS\mrxsmb.sys Windows NT SMB Minirdr / Microsoft® Windows® Operating System
    NetBIOS NetBIOS Interface 5.1.2600.2180 File System Driver Running System Start system32\DRIVERS\netbios.sys NetBIOS interface driver / Microsoft® Windows® Operating System
    SIWIO SIW low-level I/O driver Kernel Driver Running Demand Start \??\B:\SiwIo.sys

    4) DLLs currently loaded

    Module Name Path Version Description Handle Size
    ntdll.dll X:\I386\SYSTEM32\ 5.1.2600.2180 NT Layer DLL / Microsoft® Windows® Operating System 7C900000 720896
    kernel32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT BASE API Client DLL / Microsoft® Windows® Operating System 7C800000 999424
    user32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows XP USER API Client DLL / Microsoft® Windows® Operating System 77D40000 589824
    GDI32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 GDI Client DLL / Microsoft® Windows® Operating System 77F10000 286720
    LPK.DLL X:\I386\SYSTEM32\ 5.1.2600.2180 Language Pack / Microsoft® Windows® Operating System 629C0000 36864
    USP10.dll X:\I386\SYSTEM32\ 1.420.2600.2180 Uniscribe Unicode script processor / Microsoft® Uniscribe Unicode script processor 74D90000 438272
    msvcrt.dll X:\I386\SYSTEM32\ 7.0.2600.2180 Windows NT CRT DLL / Microsoft® Windows® Operating System 77C10000 360448
    ADVAPI32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Advanced Windows 32 Base API / Microsoft® Windows® Operating System 77DD0000 634880
    RPCRT4.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Remote Procedure Call Runtime / Microsoft® Windows® Operating System 77E70000 593920
    VERSION.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Version Checking and File Installation Libraries / Microsoft® Windows® Operating System 77C00000 32768
    WINMM.dll X:\I386\SYSTEM32\ 5.1.2600.2180 MCI API DLL / Microsoft® Windows® Operating System 76B40000 184320
    COMDLG32.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Common Dialogs DLL / Microsoft® Windows® Operating System 763B0000 299008
    SHLWAPI.dll X:\I386\SYSTEM32\ 6.0.2900.2833 Shell Light-weight Utility Library / Microsoft® Windows® Operating System 77F60000 483328
    COMCTL32.dll X:\I386\WINSXS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\ 6.0.2600.0 User Experience Controls Library / Microsoft® Windows® Operating System 71950000 933888
    SHELL32.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Windows Shell Common Dll / Microsoft® Windows® Operating System 7C9C0000 8470528
    WINSPOOL.DRV X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Spooler Driver / Microsoft® Windows® Operating System 73000000 155648
    WS2_32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Socket 2.0 32-Bit DLL / Microsoft® Windows® Operating System 71AB0000 94208
    WS2HELP.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Socket 2.0 Helper for Windows NT / Microsoft® Windows® Operating System 71AA0000 32768
    ole32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft OLE for Windows / Microsoft® Windows® Operating System 774E0000 1294336
    psapi.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Process Status Helper / Microsoft® Windows® Operating System 76BF0000 45056
    UxTheme.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Microsoft UxTheme Library / Microsoft® Windows® Operating System 5AD70000 229376
    OLEAUT32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 77120000 573440
    MouseHook.dll X:\PROGRAMS\rocketdock\ 10000000 20480
    CRTDLL.dll X:\I386\SYSTEM32\ 4.0.1183.1 Microsoft C Runtime Library / Microsoft® Windows NT" Operating System 73D90000 159744
    appHelp.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Application Compatibility Client Library / Microsoft® Windows® Operating System 77B40000 139264
    netapi32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Net Win32 API DLL / Microsoft® Windows® Operating System 5B860000 344064
    MPR.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Multiple Provider Router DLL / Microsoft® Windows® Operating System 71B20000 73728
    ntlanman.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft® Lan Manager / Microsoft® Windows® Operating System 71C10000 57344
    NETUI0.dll X:\I386\SYSTEM32\ 5.1.2600.2180 NT LM UI Common Code - GUI Classes / Microsoft® Windows® Operating System 71CD0000 94208
    NETUI1.dll X:\I386\SYSTEM32\ 5.1.2600.2180 NT LM UI Common Code - Networking classes / Microsoft® Windows® Operating System 71C90000 262144
    NETRAP.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Net Remote Admin Protocol DLL / Microsoft® Windows® Operating System 71C80000 28672
    SAMLIB.dll X:\I386\SYSTEM32\ 5.1.2600.2180 SAM Library DLL / Microsoft® Windows® Operating System 71BF0000 77824
    SETUPAPI.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Setup API / Microsoft® Windows® Operating System 77920000 995328
    ShellHook.dll X:\PROGRAMS\geoshell\ 4.11.0.0 The GeoShell Shell Hook module. / GeoShell 017D0000 32768
    inetmib1.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft MIB-II subagent / Microsoft® Windows® Operating System 666F0000 45056
    iphlpapi.dll X:\I386\SYSTEM32\ 5.1.2600.2180 IP Helper API / Microsoft® Windows® Operating System 76D60000 102400
    snmpapi.dll X:\I386\SYSTEM32\ 5.1.2600.2180 SNMP Utility Library / Microsoft® Windows® Operating System 71F60000 32768
    WSOCK32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Socket 32-Bit DLL / Microsoft® Windows® Operating System 71AD0000 36864
    Dnsapi.dll X:\I386\SYSTEM32\ 5.1.2600.2180 DNS Client API DLL / Microsoft® Windows® Operating System 76F20000 159744
    Wininet.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Internet Extensions for Win32 / Microsoft® Windows® Operating System 771B0000 679936
    CRYPT32.dll X:\I386\SYSTEM32\ 5.131.2600.2180 Crypto API32 / Microsoft® Windows® Operating System 77A80000 606208
    MSASN1.dll X:\I386\SYSTEM32\ 5.1.2600.2180 ASN.1 Runtime APIs / Microsoft® Windows® Operating System 77B20000 73728
    MSI.dll X:\I386\SYSTEM32\ 3.0.3790.2180 Windows Installer / Windows Installer - Unicode 7D1E0000 2826240
    USERENV.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Userenv / Microsoft® Windows® Operating System 769C0000 733184
    cfgmgr32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Configuration Manager Forwarder DLL / Microsoft® Windows® Operating System 74AE0000 28672
    xpsp2res.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Service Pack 2 Messages / Microsoft® Windows® Operating System 20000000 2904064
    perfos.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows System Performance Objects DLL / Microsoft® Windows® Operating System 5E760000 40960
    rsvpperf.dll X:\I386\SYSTEM32\ 5.1.2600.0 Microsoft® Windows" RSVP Performance Monitor / Microsoft® Windows® Operating System 5D400000 24576
    tapiperf.dll X:\I386\SYSTEM32\ 5.1.2600.0 Microsoft® Windows" Telephony Performance Monitor / Microsoft® Windows® Operating System 5B7E0000 20480
    Perfctrs.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Performance Counters / Microsoft® Windows® Operating System 5E7A0000 53248
    MPRAPI.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT MP Router Administration DLL / Microsoft® Windows® Operating System 76D40000 98304
    ACTIVEDS.dll X:\I386\SYSTEM32\ 5.1.2600.2180 ADs Router Layer DLL / Microsoft® Windows® Operating System 77CC0000 204800
    adsldpc.dll X:\I386\SYSTEM32\ 5.1.2600.2180 ADs LDAP Provider C DLL / Microsoft® Windows® Operating System 76E10000 151552
    WLDAP32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Win32 LDAP API DLL / Microsoft® Windows® Operating System 76F60000 180224
    ATL.DLL X:\I386\SYSTEM32\ 3.5.2284.0 ATL Module for Windows XP (Unicode) / Microsoft ® Visual C++ 76B20000 69632
    rtutils.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Routing Utilities / Microsoft® Windows® Operating System 76E80000 57344
    SiwTaskDlg.dll B:\ 1.0.6.1 XTaskDlg 01B30000 176128
    sfc_os.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows File Protection / Microsoft® Windows® Operating System 76C60000 172032
    WINTRUST.dll X:\I386\SYSTEM32\ 5.131.2600.2180 Microsoft Trust Verification APIs / Microsoft® Windows® Operating System 76C30000 188416
    IMAGEHLP.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT Image Helper / Microsoft® Windows® Operating System 76C90000 163840
    ODBC32.dll X:\I386\SYSTEM32\ 3.525.1117.0 Microsoft Data Access - ODBC Driver Manager / Microsoft Data Access Components 74320000 249856
    odbcint.dll X:\I386\SYSTEM32\ 3.525.1117.0 Microsoft Data Access - ODBC Resources / Microsoft Data Access Components 01DB0000 94208
    CSRSRV.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Client Server Runtime Process / Microsoft® Windows® Operating System 75B40000 45056
    basesrv.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT BASE API Server DLL / Microsoft® Windows® Operating System 75B50000 65536
    winsrv.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Server DLL / Microsoft® Windows® Operating System 75B60000 303104
    sxs.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Fusion 2.5 / Microsoft® Windows® Operating System 75E90000 720896
    SCESRV.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Security Configuration Editor Engine / Microsoft® Windows® Operating System 758E0000 327680
    AUTHZ.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Authorization Framework / Microsoft® Windows® Operating System 776C0000 69632
    umpnpmgr.dll X:\I386\SYSTEM32\ 5.1.2600.2180 User-mode Plug-and-Play Service / Microsoft® Windows® Operating System 758C0000 126976
    WINSTA.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Winstation Library / Microsoft® Windows® Operating System 76360000 65536
    NCObjAPI.DLL X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft® Windows® Operating System 5F770000 49152
    MSVCP60.dll X:\I386\SYSTEM32\ 6.2.3104.0 Microsoft ® C++ Runtime Library / Microsoft ® Visual C++ 76080000 413696
    secur32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Security Support Provider Interface / Microsoft® Windows® Operating System 77FE0000 69632
    eventlog.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Event Logging Service / Microsoft® Windows® Operating System 77B70000 69632
    LSASRV.dll X:\I386\SYSTEM32\ 5.1.2600.2180 LSA Server DLL / Microsoft® Windows® Operating System 75730000 737280
    SAMSRV.dll X:\I386\SYSTEM32\ 5.1.2600.2180 SAM Server DLL / Microsoft® Windows® Operating System 74440000 434176
    cryptdll.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Cryptography Manager / Microsoft® Windows® Operating System 76790000 49152
    NTDSAPI.dll X:\I386\SYSTEM32\ 5.1.2600.2180 NT5DS / Microsoft® Windows® Operating System 767A0000 77824
    msprivs.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft Privilege Translations / Microsoft® Windows® Operating System 20000000 57344
    kerberos.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Kerberos Security Package / Microsoft® Windows® Operating System 71CF0000 307200
    msv1_0.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft Authentication Package v1.0 / Microsoft® Windows® Operating System 77C70000 143360
    netlogon.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Net Logon Services DLL / Microsoft® Windows® Operating System 744B0000 413696
    w32time.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Time Service / Microsoft® Windows® Operating System 767C0000 180224
    schannel.dll X:\I386\SYSTEM32\ 5.1.2600.2180 TLS / SSL Security Provider / Microsoft® Windows® Operating System 767F0000 159744
    rsaenh.dll X:\I386\SYSTEM32\ 5.1.2600.2161 Microsoft Enhanced Cryptographic Provider / Microsoft® Windows® Operating System 0FFD0000 163840
    pstorsvc.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Protected storage server / Microsoft® Windows® Operating System 743A0000 45056
    rpcss.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Distributed COM Services / Microsoft® Windows® Operating System 76A80000 405504
    mswsock.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft Windows Sockets 2.0 Service Provider / Microsoft® Windows® Operating System 71A50000 258048
    hnetcfg.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Home Networking Configuration Manager / Microsoft® Windows® Operating System 662B0000 360448
    wshtcpip.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Sockets Helper DLL / Microsoft® Windows® Operating System 71A90000 32768
    winrnr.dll X:\I386\SYSTEM32\ 5.1.2600.2180 LDAP RnR Provider DLL / Microsoft® Windows® Operating System 76FB0000 32768
    rasadhlp.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Remote Access AutoDial Helper / Microsoft® Windows® Operating System 76FC0000 24576
    COMCTL32.dll X:\I386\SYSTEM32\ 5.82.2900.2180 Common Controls Library / Microsoft® Windows® Operating System 5D090000 618496
    GeoLib.dll X:\PROGRAMS\geoshell\ 4.11.0.3 The GeoShell Library module. / GeoShell 10000000 40960
    SHDOCVW.DLL X:\I386\SYSTEM32\ 6.0.2900.2853 Shell Doc Object and Control Library / Microsoft® Windows® Operating System 77760000 1499136
    CRYPTUI.dll X:\I386\SYSTEM32\ 5.131.2600.2180 Microsoft Trust UI Provider / Microsoft® Windows® Operating System 754D0000 524288
    stobject.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Systray shell service object / Microsoft® Windows® Operating System 76280000 135168
    BatMeter.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Battery Meter Helper DLL / Microsoft® Windows® Operating System 74AF0000 40960
    POWRPROF.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Power Profile Helper DLL / Microsoft® Windows® Operating System 74AD0000 32768
    WTSAPI32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows Terminal Server SDK APIs / Microsoft® Windows® Operating System 76F50000 32768
    netshell.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Network Connections Shell / Microsoft® Windows® Operating System 76400000 1728512
    credui.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Credential Manager User Interface / Microsoft® Windows® Operating System 76C00000 188416
    cscui.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Client Side Caching UI / Microsoft® Windows® Operating System 77A20000 344064
    CSCDLL.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Offline Network Agent / Microsoft® Windows® Operating System 76600000 118784
    ShellUI.dll X:\PROGRAMS\geoshell\ 4.11.0.0 The GeoShell User Interface module. / GeoShell 00C50000 53248
    geOTile.dll X:\PROGRAMS\geoshell\PLUGINS\ 2.0.0.4 geOShell plugin / geOTile - geOShell plugin 00C60000 32768
    geOLaunch.dll X:\PROGRAMS\geoshell\PLUGINS\ 01390000 24576
    GeoTasks.dll X:\PROGRAMS\geoshell\PLUGINS\ 013A0000 28672
    geOSpacer.dll X:\PROGRAMS\geoshell\PLUGINS\ 2.0.0.0 GeoSpacer puts empty space on a bar / GeoSpacer 013B0000 24576
    MSVCR71.dll X:\I386\SYSTEM32\ 7.10.3052.4 Microsoft® C Runtime Library / Microsoft® Visual Studio .NET 7C340000 352256
    geOTray.dll X:\PROGRAMS\geoshell\PLUGINS\ 013D0000 20480
    geODateTime.dll X:\PROGRAMS\geoshell\PLUGINS\ 013E0000 36864
    urlmon.dll X:\I386\SYSTEM32\ 6.0.2900.2823 OLE32 Extensions for Win32 / Microsoft® Windows® Operating System 77260000 655360
    NTMARTA.DLL X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT MARTA provider / Microsoft® Windows® Operating System 77690000 135168
    netman.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Network Connections Manager / Microsoft® Windows® Operating System 77D00000 208896
    RASAPI32.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Remote Access API / Microsoft® Windows® Operating System 76EE0000 245760
    rasman.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Remote Access Connection Manager / Microsoft® Windows® Operating System 76E90000 73728
    TAPI32.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Microsoft® Windows" Telephony API Client DLL / Microsoft® Windows® Operating System 76EB0000 192512
    WZCSvc.DLL x:\I386\SYSTEM32\ 5.1.2600.2180 Wireless Zero Configuration Service / Microsoft® Windows® Operating System 77620000 450560
    WMI.dll x:\I386\SYSTEM32\ 5.1.2600.2180 WMI DC and DP functionality / Microsoft® Windows® Operating System 76D30000 16384
    DHCPCSVC.DLL x:\I386\SYSTEM32\ 5.1.2600.2180 DHCP Client Service / Microsoft® Windows® Operating System 76D80000 122880
    ESENT.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Server Database Storage Engine / Microsoft® Windows® Operating System 606B0000 1101824
    WZCSAPI.DLL x:\I386\SYSTEM32\ 5.1.2600.2180 Wireless Zero Configuration service API / Microsoft® Windows® Operating System 73030000 65536
    RASDLG.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Remote Access Common Dialog API / Microsoft® Windows® Operating System 768D0000 671744
    wkssvc.dll x:\I386\SYSTEM32\ 5.1.2600.2180 Workstation Service DLL / Microsoft® Windows® Operating System 76E40000 143360
    netcfgx.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Network Configuration Objects / Microsoft® Windows® Operating System 755F0000 630784
    CLUSAPI.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Cluster API Library / Microsoft® Windows® Operating System 76D10000 69632
    gdiplus.dll X:\I386\WINSXS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\ 5.1.3102.2180 Microsoft GDI+ / Microsoft® Windows® Operating System 4EC50000 1716224
    lmhsvc.dll x:\I386\SYSTEM32\ 5.1.2600.2180 TCPIP NetBios Transport Services DLL / Microsoft® Windows® Operating System 74C40000 24576
    hhctrl.ocx X:\I386\SYSTEM32\ 5.2.3790.1194 Microsoft® HTML Help Control / HTML Help 5D300000 544768
    ITSS.DLL X:\I386\SYSTEM32\ 5.2.3790.1221 Microsoft® InfoTech Storage System Library / Microsoft® Windows® Operating System 65E20000 147456
    shdoclc.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Shell Doc Object and Control Library / Microsoft® Windows® Operating System 20000000 557056
    mshtml.dll X:\I386\SYSTEM32\ 6.0.2900.2853 Microsoft ® HTML Viewer / Microsoft® Windows® Operating System 7DC30000 3072000
    msls31.dll X:\I386\SYSTEM32\ 3.10.349.0 Microsoft Line Services library file / Microsoft® Line Services 746C0000 159744
    mlang.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Multi Language Support DLL / Microsoft® Windows® Operating System 75CF0000 593920
    IMM32.DLL X:\I386\SYSTEM32\ 5.1.2600.2180 Windows XP IMM32 API Client DLL / Microsoft® Windows® Operating System 76390000 118784
    mshtmled.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Microsoft ® HTML Editing Component / Microsoft® Windows® Operating System 76200000 462848
    jscript.dll X:\I386\SYSTEM32\ 5.6.0.8820 Microsoft ® JScript 75C50000 450560
    BROWSEUI.dll X:\I386\SYSTEM32\ 6.0.2900.2853 Shell Browser UI Library / Microsoft® Windows® Operating System 75F80000 1036288
    browselc.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Shell Browser UI Library / Microsoft® Windows® Operating System 00A10000 73728
    DUSER.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows DirectUser Engine / Microsoft® Windows® Operating System 6C1B0000 315392
    MSGINA.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Windows NT Logon GINA DLL / Microsoft® Windows® Operating System 75970000 1011712
    ntshrui.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Shell extensions for sharing / Microsoft® Windows® Operating System 76990000 151552
    IZArcCM.dll X:\PROGRAMS\IZArc\ 016A0000 634880
    olepro32.dll X:\I386\SYSTEM32\ 5.1.2600.2180 5EDD0000 94208
    7-zip.dll X:\PROGRAMS\7-zip\ 4.57.0.0 7-Zip Shell Extension / 7-Zip 01280000 77824
    shgina.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Windows Shell User Logon / Microsoft® Windows® Operating System 73D70000 77824
    mydocs.dll X:\I386\SYSTEM32\ 6.0.2900.2180 My Documents Folder UI / Microsoft® Windows® Operating System 72410000 106496
    cdfview.dll X:\I386\SYSTEM32\ 6.0.2900.2180 Channel Definition File Viewer / Microsoft® Windows® Operating System 6FAA0000 159744
    xpsp1res.dll X:\I386\SYSTEM32\ 5.1.2600.2180 Service Pack 1 Messages / Microsoft® Windows® Operating System 012A0000 192512
    ImgUtil.dll X:\I386\SYSTEM32\ 6.0.2900.2180 IE plugin image decoder support DLL / Microsoft® Windows® Operating System 66880000 49152
    pngfilt.dll X:\I386\SYSTEM32\ 6.0.2900.2180 IE PNG plugin image decoder / Microsoft® Windows® Operating System 5E310000 49152
    inetcpl.cpl X:\I386\SYSTEM32\ 6.0.2900.2180 Internet Control Panel / Microsoft® Windows® Operating System 5A620000 380928
    inetcplc.dll X:\I386\SYSTEM32\ 6.0.2600.0 Internet Control Panel / Microsoft® Windows® Operating System 667D0000 118784
    OCCache.DLL X:\I386\SYSTEM32\ 6.0.2900.2180 Object Control Viewer / Microsoft® Windows® Operating System 5F050000 106496
    msxml.dll X:\I386\SYSTEM32\ 8.0.7002.0 XML OM for Win32 / Microsoft XML Core Services 73F70000 532480
    vbscript.dll X:\I386\SYSTEM32\ 5.6.0.8820 Microsoft ® VBScript 73300000 421888
    MFC42.DLL X:\I386\SYSTEM32\ 6.2.4131.0 MFCDLL Shared Library - Retail Version / Microsoft ® Visual C++ 73DD0000 1040384
    iepeers.dll X:\I386\SYSTEM32\ 6.0.2900.2833 Internet Explorer Peer Objects / Microsoft® Windows® Operating System 66E50000 262144
    actxprxy.dll X:\I386\SYSTEM32\ 6.0.2900.2180 ActiveX Interface Marshaling Library / Microsoft® Windows® Operating System 71D40000 114688
    VDMDBG.dll X:\I386\SYSTEM32\ 5.1.2600.2180 VDMDBG.DLL / Microsoft® Windows® Operating System 5AD60000 40960
    oledlg.dll X:\I386\SYSTEM32\ 5.1.2600.0 Microsoft Windows" OLE 2.0 User Interface Support 74D30000 131072

    5) Running processes

    PID Image Name Version Name Parent PID Threads Priority Window Title Creation Time Running Time Kernel Time User Time Size File Name and Path
    0 [System Process] <file not found> 0 1 0 0
    4 System <file not found> 0 51 8 212,992
    260 csrss.exe <file not found> 220 9 13 02/20/2009 @ 00:13:53 0d 02h 29m 30s 0h 00m 13s 0h 00m 00s 4,550,656 \??\X:\I386\system32\csrss.exe
    320 SERVICES.EXE 5.1.2600.2180 Services and Controller app / Microsoft® Windows® Operating System 280 14 9 02/20/2009 @ 00:14:18 0d 02h 29m 05s 0h 00m 00s 0h 00m 00s 2,666,496 X:\I386\SYSTEM32\SERVICES.EXE
    332 LSASS.EXE 5.1.2600.2180 LSA Shell (Export Version) / Microsoft® Windows® Operating System 280 13 9 02/20/2009 @ 00:14:19 0d 02h 29m 04s 0h 00m 00s 0h 00m 00s 700,416 X:\I386\SYSTEM32\LSASS.EXE
    452 SVCHOST.EXE 5.1.2600.2180 Generic Host Process for Win32 Services / Microsoft® Windows® Operating System 320 5 8 02/20/2009 @ 00:14:30 0d 02h 28m 53s 0h 00m 00s 0h 00m 00s 1,802,240 X:\I386\SYSTEM32\SVCHOST.EXE
    536 SVCHOST.EXE 5.1.2600.2180 Generic Host Process for Win32 Services / Microsoft® Windows® Operating System 320 8 8 02/20/2009 @ 00:14:35 0d 02h 28m 48s 0h 00m 00s 0h 00m 00s 2,797,568 X:\I386\SYSTEM32\SVCHOST.EXE
    600 nu2menu.exe 0.3.4.9 Nu2Menu Dynamic shell / menu 584 1 8 02/20/2009 @ 00:15:51 0d 02h 27m 32s 0h 00m 00s 0h 00m 00s 3,207,168 X:\PROGRAMS\nu2menu\nu2menu.exe
    652 GEOSHELL.EXE 4.11.0.3 The GeoShell Core module. / GeoShell 644 6 10 GeoShell :: Calm Your Desktop 02/20/2009 @ 00:16:00 0d 02h 27m 23s 0h 00m 01s 0h 00m 00s 7,757,824 X:\PROGRAMS\geoshell\GEOSHELL.EXE
    724 SVCHOST.EXE 5.1.2600.2180 Generic Host Process for Win32 Services / Microsoft® Windows® Operating System 320 10 8 02/20/2009 @ 00:16:08 0d 02h 27m 15s 0h 00m 00s 0h 00m 00s 6,258,688 X:\I386\SYSTEM32\SVCHOST.EXE
    912 RocketDock.exe 904 4 8 GDI+ Window 02/20/2009 @ 00:16:35 0d 02h 26m 48s 0h 00m 02s 0h 00m 01s 9,097,216 X:\PROGRAMS\rocketdock\RocketDock.exe
    1196 SVCHOST.EXE 5.1.2600.2180 Generic Host Process for Win32 Services / Microsoft® Windows® Operating System 320 3 8 02/20/2009 @ 00:19:14 0d 02h 24m 09s 0h 00m 00s 0h 00m 00s 1,748,992 X:\I386\SYSTEM32\SVCHOST.EXE
    1340 HH.EXE 5.2.3790.1159 Microsoft® HTML Help Executable / HTML Help 600 2 8 UBCD4WIN List of Tools 02/20/2009 @ 00:20:54 0d 02h 22m 29s 0h 00m 31s 0h 00m 00s 13,197,312 X:\I386\SYSTEM32\HH.EXE
    1632 EXPLORER.EXE 6.0.2900.2180 Windows Explorer / Microsoft® Windows® Operating System 600 6 13 Proxy Desktop 02/20/2009 @ 00:27:39 0d 02h 15m 44s 0h 00m 26s 0h 00m 03s 9,076,736 X:\I386\EXPLORER.EXE
    648 IEXPLORE.EXE 6.0.2900.2180 Internet Explorer / Microsoft® Windows® Operating System 452 6 8 Posting New Topic - UBCD4Win Forums - Microsoft Internet Explorer 02/20/2009 @ 00:52:33 0d 01h 50m 50s 0h 01m 39s 0h 00m 45s 59,154,432 X:\I386\IEXPLORE.EXE
    1552 TASKMGR.EXE 5.1.2600.2180 Windows TaskManager / Microsoft® Windows® Operating System 652 3 13 Windows Task Manager 02/20/2009 @ 01:17:37 0d 01h 25m 46s 0h 00m 03s 0h 00m 00s 5,263,360 X:\I386\SYSTEM32\TASKMGR.EXE
    1712 NOTEPAD.EXE 5.1.2600.2180 Notepad / Microsoft® Windows® Operating System 1632 1 8 Untitled - Notepad 02/20/2009 @ 01:18:39 0d 01h 24m 44s 0h 00m 06s 0h 00m 00s 3,506,176 X:\I386\SYSTEM32\NOTEPAD.EXE
    1436 AgentRansack.exe 1.0.0.1 AgentRansack (MFC Application) / Agent Ransack -- Professional file searching utility 600 1 8 Agent Ransack - [Search1] 02/20/2009 @ 01:24:13 0d 01h 19m 10s 0h 00m 05s 0h 00m 03s 9,158,656 X:\PROGRAMS\AgentRansack\AgentRansack.exe
    1896 siw.exe 2008.4.2.0 System Information / System Information for Windows 600 2 8 SIW_Splash 02/20/2009 @ 02:01:48 0d 00h 41m 35s 0h 00m 41s 0h 00m 04s 15,134,720 X:\PROGRAMS\SysInfo\siw.exe

    6) NT Processes running (Again, bear in mind that the hard drive containing all Vista boot data was disconnected before I rebooted to UBCD4.)

    Name Description Version Type Status Start Path File Description
    AntiVirScheduler AntiVir Personal Scheduler Win32_Own_Process (Interactive) Stopped Auto Start B:\AntiVir\sched.exe
    AntiVirService Avira AntiVir Personal – Free Antivirus Guard Win32_Own_Process (Interactive) Stopped Disabled B:\AntiVir\avguard.exe
    DcomLaunch DCOM Services Win32_Share_Process Running Auto Start svchost -k DcomLaunch
    dmadmin Logical Disk Manager Administrative Service Win32_Share_Process Stopped Demand Start X:\I386\System32\dmadmin.exe /com
    dmserver Logical Disk Manager Win32_Share_Process Stopped Auto Start X:\I386\System32\svchost.exe -k netsvcs
    EventLog EventLog 5.1.2600.2180 Win32_Share_Process Running Demand Start X:\I386\SYSTEM32\SERVICES.EXE Services and Controller app / Microsoft® Windows® Operating System
    EventSystem COM+ Events Win32_Share_Process Stopped Demand Start X:\I386\System32\svchost.exe -k netsvcs
    MSDTC Distributed Transaction Coordinator Win32_Own_Process Stopped Demand Start X:\I386\System32\msdtc.exe
    NetDDE Network DDE Win32_Share_Process Stopped Disabled X:\I386\system32\netdde.exe
    NetDDEdsdm Network DDE DSDM Win32_Share_Process Stopped Disabled X:\I386\system32\netdde.exe
    Netman Network Connections Win32_Share_Process (Interactive) Running Demand Start X:\I386\System32\svchost.exe -k netsvcs
    PlugPlay Plug and Play 5.1.2600.2180 Win32_Share_Process Running Auto Start X:\I386\SYSTEM32\SERVICES.EXE Services and Controller app / Microsoft® Windows® Operating System
    ProtectedStorage Protected Storage 5.1.2600.2180 Win32_Share_Process (Interactive) Stopped Auto Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
    RasAuto Remote Access Auto Connection Manager Win32_Share_Process Stopped Demand Start X:\I386\System32\svchost.exe -k netsvcs
    RasMan Remote Access Connection Manager Win32_Share_Process Stopped Demand Start X:\I386\System32\svchost.exe -k netsvcs
    RpcSs Remote Procedure Call (RPC) Win32_Share_Process Running Auto Start X:\I386\system32\svchost -k rpcss
    RSVP QoS RSVP 5.1.2600.0 Win32_Own_Process Stopped Demand Start X:\I386\SYSTEM32\RSVP.EXE Microsoft RSVP / Microsoft® Windows® Operating System
    SamSs Security Accounts Manager 5.1.2600.2180 Win32_Share_Process Running Auto Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
    Spooler Print Spooler 5.1.2600.2180 Win32_Own_Process (Interactive) Stopped Demand Start X:\I386\SYSTEM32\SPOOLSV.EXE Spooler SubSystem App / Microsoft® Windows® Operating System
    TapiSrv Telephony Win32_Share_Process Stopped Auto Start X:\I386\System32\svchost.exe -k netsvcs
    Themes Themes Win32_Share_Process Stopped Auto Start X:\I386\System32\svchost.exe -k netsvcs
    vds Virtual Disk Service Win32_Own_Process Stopped Demand Start X:\I386\System32\vds.exe
    PolicyAgent IPSEC Services 5.1.2600.2180 Win32_Share_Process Stopped Auto Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
    Dhcp DHCP Client Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
    Nla Network Location Awareness (NLA) Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
    LmHosts TCP/IP NetBIOS Helper Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k LocalService
    alerter alerter Win32_Share_Process Stopped Demand Start X:\I386\system32\svchost.exe -k LocalService
    Browser Computer Browser Win32_Share_Process Stopped Demand Start X:\I386\system32\svchost.exe -k netsvcs
    LanmanWorkstation Workstation Win32_Share_Process Running Auto Start X:\I386\system32\svchost.exe -k netsvcs
    Netlogon Net Logon 5.1.2600.2180 Win32_Share_Process Stopped Demand Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
    Messenger Messenger Win32_Share_Process Stopped Auto Start X:\I386\system32\svchost.exe -k LocalService
    NtLmSsp NT LM Security Support Provider 5.1.2600.2180 Win32_Share_Process Stopped Demand Start X:\I386\SYSTEM32\LSASS.EXE LSA Shell (Export Version) / Microsoft® Windows® Operating System
    RpcLocator Remote Procedure Call (RPC) Locator 5.1.2600.2180 Win32_Own_Process Stopped Demand Start X:\I386\SYSTEM32\LOCATOR.EXE Rpc Locator / Microsoft® Windows® Operating System



    7) HijackThis scan results

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 2:48:35 AM, on 2/20/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    X:\I386\system32\csrss.exe
    X:\I386\system32\services.exe
    X:\I386\system32\lsass.exe
    X:\I386\system32\svchost.exe
    X:\I386\system32\svchost.exe
    X:\Programs\Nu2Menu\nu2menu.exe
    X:\programs\geoshell\GEOSHELL.EXE
    X:\I386\System32\svchost.exe
    X:\programs\rocketdock\RocketDock.exe
    X:\I386\system32\svchost.exe
    X:\I386\system32\hh.exe
    X:\I386\EXPLORER.EXE
    X:\I386\iexplore.exe
    X:\I386\System32\taskmgr.exe
    X:\I386\system32\notepad.exe
    X:\Programs\AgentRansack\AgentRansack.exe
    X:\Programs\SysInfo\siw.exe
    X:\PROGRAMS\HijackThis\HijackThis.exe
    X:\I386\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ubcd4win.com/forum
    F2 - REG:system.ini: Shell=preshell.exe
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O13 - Home Prefix:
    O13 - Mosaic Prefix:
    O13 - FTP Prefix:
    O13 - Gopher Prefix:
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - X:\I386\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - X:\I386\System32\browseui.dll
    O23 - Service: AntiVir Personal Scheduler (AntiVirScheduler) - Unknown owner - B:\AntiVir\sched.exe (file missing)
    O23 - Service: DCOM Services (DcomLaunch) - Unknown owner - svchost.exe (file missing)
    O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - X:\I386\System32\msdtc.exe (file missing)
    O23 - Service: Virtual Disk Service (vds) - Unknown owner - X:\I386\System32\vds.exe (file missing)

    --
    End of file - 3083 bytes

    -------------------------------------------------

    That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.

    Any thoughts on what could be happening, or what I can do to diagnose/fix it?

    Thanks again for any help or advice you can give me.

    #2 bengt

    • Skeptic
      • Group: Donator/Beta Tester
      • Posts: 1,261
      • Joined: 16-December 05
      • Gender:Male
      • Location:Bork, bork, bork

      Posted 08 July 2009 - 10:20 AM

      Funny... X:\

      #3 pcuser

      • Project Programmer
        • Group: Moderator & Development
        • Posts: 3,889
        • Joined: 20-November 04
        • Gender:Male
        • Location:Kneebrasskee

        Posted 08 July 2009 - 11:06 AM

        Why on earth did you post all that information about what's running while you're booted from UBCD4Win???

        For everyone else that takes the time to read this post, this is the only part that's relevant:

        Quote

        Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain symptoms and environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.

        1) Hardware
        MODEL: Dell XPS 430
        CHIP: Intel Core2 Quad (2.50Mhz)
        RAM: 6Gb DDR3
        OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
        NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.

        2) Symptoms
        This is not an all-inclusive list, but here are some of the more obvious ones:
        -User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
        -Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
        -CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
        -Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
        -Computer settings indicate my location as being on a LAN or WAN, but I'm not
        -Remote login/user/access/registry programs constantly starting up on their own
        -Memory processes persist even after reboot that I did not start and cannot kill

        That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.

        Any thoughts on what could be happening, or what I can do to diagnose/fix it?

        Thanks again for any help or advice you can give me.

        If you're afraid of taking any chances then the chances are great that you will never learn anything

        Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal
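pcuser's point is that a log captured while booted from the CD describes the CD's own environment. As an added illustration (not code from this thread or from the HijackThis or UBCD4Win projects), the script below parses a HijackThis v2 log and reports which volume every running process and O23 service resolves to, so a log where everything sits on the PE RAM drive (X: in UBCD4Win, an assumption taken from the paths posted above) is recognised as such before anyone reads it as the state of the installed Vista system. The sample log is a constructed excerpt modelled on the one posted.

```python
"""Classify a HijackThis v2 log by the volume each path lives on (added example)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt in HijackThis v2.0 format, modelled on the log in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:48:35 AM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
X:\I386\system32\csrss.exe
X:\I386\system32\services.exe
X:\Programs\Nu2Menu\nu2menu.exe
X:\PROGRAMS\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=preshell.exe
O23 - Service: AntiVir Personal Scheduler (AntiVirScheduler) - Unknown owner - B:\AntiVir\sched.exe (file missing)
O23 - Service: DCOM Services (DcomLaunch) - Unknown owner - svchost.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - X:\I386\System32\vds.exe (file missing)
"""

DRIVE_RE = re.compile(r"^([A-Za-z]):\\")
# O23 line: "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def drive_of(path: str) -> Optional[str]:
    """Return the upper-case drive letter of an absolute path, or None if relative."""
    m = DRIVE_RE.match(path.strip())
    return m.group(1).upper() if m else None


def parse_log(log: str) -> dict:
    """Split a HijackThis log into the platform line, running processes and O23 services."""
    platform = ""
    processes: List[str] = []
    services: List[dict] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m:
                services.append({
                    "short": m.group("short"),
                    "path": m.group("path"),
                    "drive": drive_of(m.group("path")),
                    "missing": m.group("missing") is not None,
                })
    return {"platform": platform, "processes": processes, "services": services}


def boot_volume_report(log: str, boot_drive: str = "X") -> dict:
    """Summarise which volume the logged processes resolve to.

    boot_drive is the RAM drive a PE CD mounts itself on (X: for UBCD4Win,
    assumed from the paths in this thread).
    """
    parsed = parse_log(log)
    procs = parsed["processes"]
    by_drive: Dict[str, int] = {}
    for p in procs:
        d = drive_of(p) or "?"
        by_drive[d] = by_drive.get(d, 0) + 1
    all_on_boot = bool(procs) and set(by_drive) == {boot_drive.upper()}
    return {
        "platform": parsed["platform"],
        "process_count": len(procs),
        "processes_by_drive": by_drive,
        "all_on_boot_drive": all_on_boot,
        "services": parsed["services"],
        "verdict": ("log describes the boot CD's RAM drive, not the installed OS"
                    if all_on_boot else "log includes paths outside the boot drive"),
    }


if __name__ == "__main__":
    r = boot_volume_report(SAMPLE_LOG)
    print(r["platform"], r["processes_by_drive"], r["verdict"])
    for s in r["services"]:
        print(s["short"], s["drive"], "missing" if s["missing"] else "present", s["path"])
```

The platform line is a second tell: the poster runs Vista, but the log reports Windows XP SP2, which is the PE environment the CD is built from.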

        #4 bengt

        • Skeptic
          • Group: Donator/Beta Tester
          • Posts: 1,261
          • Joined: 16-December 05
          • Gender:Male
          • Location:Bork, bork, bork

          Posted 08 July 2009 - 11:16 AM

          pcuser, on 08 July 2009 - 06:06 PM, said:

          Why on earth did you post all that information about what's running while you're booted from UBCD4Win???


          It made my day and I laughed out loud :D, sorry, but it did

          #5 mbarnes

          • Ultimate Member
            • Group: Members
            • Posts: 506
            • Joined: 13-November 05

            Posted 08 July 2009 - 04:02 PM

            Hi RootkitMary

            assuming this is a genuine problem and not a wind up

            User preferences and settings do not survive a reboot. This is standard if running a UBCD4Win or BartPE CD (or any other Win PE CD).


            INCLUDING CMOS SETTINGS. This is the real problem,

            ranging from a flat CMOS battery (usually a lithium coin battery on modern PCs) to
            a CMOS clearance jumper set to clear CMOS (I saw this once) (in some cases this can damage the motherboard).

            regards
            Mike Barnes

            #6 RootkitMary

            • Newbie
              • Group: Members
              • Posts: 5
              • Joined: 08-July 09

              Posted 08 July 2009 - 05:20 PM

              pcuser, on 08 July 2009 - 11:06 AM, said:

              Why on earth did you post all that information about what's running while you're booted from UBCD4Win???

              For everyone else that takes the time to read this post, this is the only part that's relevant:

              Quote

              Hello, and thank you in advance to anyone who takes the time and effort to help me. I believe my computer is infected with a virus, even though I've been told by Microsoft technical support that my computer is clean. I will do my best to provide adequate details to explain symptoms and environment I'm dealing with. Please note that my ability to navigate the internet, download files and run files is extremely limited because of the problem I'm writing you about, and I am not in a situation where I can borrow a friend's computer to download files, either. But I will do my best to provide any information you request, or I'll at least attempt it and then tell you why I could not.

              1) Hardware
              MODEL: Dell XPS 430
              CHIP: Intel Core2 Quad (2.50Mhz)
              RAM: 6Gb DDR3
              OS: It WAS Vista SP2, but at the moment I'm booted in UBCD4Win with the hard drive disconnected
              NETWORK: I am not networked to any other computers or external devices, except a cable modem. I'm not using a router or any wireless networking devices.

              2) Symptoms
              This is not an all-inclusive list, but here are some of the more obvious ones:
              -User preferences and settings do not survive a reboot, INCLUDING CMOS SETTINGS
              -Any attempts to access anti-virus Web sites or download driver updates or anti-virus apps are redirected to 404 error
              -CPU kicks into high gear when I try to uninstall, update, roll back or disable/remove any device driver
              -Group policy settings lock me out of system settings, management tools and folders, even if I change them to grant myself access
              -Computer settings indicate my location as being on a LAN or WAN, but I'm not
              -Remote login/user/access/registry programs constantly starting up on their own
              -Memory processes persist even after reboot that I did not start and cannot kill

              That's probably an excessive amount of information already, but please let me know if there is any specific information you would like to see. I was running Kaspersky Internet Security 2009 fully updated when this problem began, and Kaspersky did not detect any viruses. I also have tried a licensed copy of Trend Micro Internet Security, fully updated, and it did not find a virus, either. I already have performed three COMPLETE FACTORY REINSTALLS of Vista using the OEM copy DVD provided by Dell, but the problem has not gone away. Lest you assume it's a hardware issue, I can assure you that up until the point this started happening, I had absolutely no hardware problems -- my computer was running fantastically.

              Any thoughts on what could be happening, or what I can do to diagnose/fix it?

              Thanks again for any help or advice you can give me.


              Haha -- Sorry I went overboard. I figured too much information is better than not enough information. Also, I am convinced there are processes running that should not be, and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.

              Do you have any idea what I might be dealing with, or a scan I can do that might catch something my antivirus software can't detect?

              #7 RootkitMary

              • Newbie
                • Group: Members
                • Posts: 5
                • Joined: 08-July 09

                Posted 08 July 2009 - 05:28 PM

                mbarnes, on 08 July 2009 - 04:02 PM, said:

                Hi RootkitMary

                assuming this is a genuine problem and not a wind up

                User preferences and settings do not survive a reboot. This is standard if running a UBCD4Win or BartPE CD (or any other Win PE CD).


                INCLUDING CMOS SETTINGS. This is the real problem,

                ranging from a flat CMOS battery (usually a lithium coin battery on modern PCs) to
                a CMOS clearance jumper set to clear CMOS (I saw this once) (in some cases this can damage the motherboard).

                regards
                Mike Barnes


                Hi Mike --

                I should have specified that user settings did not survive a reboot when I was using Windows Vista. I thought about the battery issue and replaced the CMOS battery with a new one, so I don't think that's the issue. Also, I have not messed with the jumpers at all.

                Another symptom I forgot to mention is that whenever I launched a process in Vista that triggered the user account control for elevated privileges, the prompt would come up twice. I've heard that some viruses wait until a legitimate program is launched, and then copy the name of that program in an effort to spoof the user into granting it privileges, as well. I thought that might be what's happening, but I don't know for sure.

                #8 pcuser

                • Project Programmer
                  • Group: Moderator & Development
                  • Posts: 3,889
                  • Joined: 20-November 04
                  • Gender:Male
                  • Location:Kneebrasskee

                  Posted 08 July 2009 - 05:30 PM

                  Quote

                  and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.

                  We have no idea what processes are running on your system while booted into windows since you showed us a list of processes that were running while you were booted from UBCD4Win. To start with, you can try running all the anti-malware programs that are included on the cd.

                  If you're afraid of taking any chances then the chances are great that you will never learn anything

                  Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal

                  #9 RootkitMary

                  • Newbie
                    • Group: Members
                    • Posts: 5
                    • Joined: 08-July 09

                    Posted 08 July 2009 - 06:09 PM

                    pcuser, on 08 July 2009 - 05:30 PM, said:

                    Quote

                    and I figured someone familiar with UBCD4Win would be able to recognize a process that isn't normal.

                    We have no idea what processes are running on your system while booted into windows since you showed us a list of processes that were running while you were booted from UBCD4Win. To start with, you can try running all the anti-malware programs that are included on the cd.


                    What I'm trying to say is that I think there is a rogue process running on my system NOW, even when I'm booted into UBCD4Win. My Internet explorer STILL has the redirect problem even in UBCD4Win, even with my hard drive offline. Both the SATA and power cables were disconnected before I booted into UBCD4Win.

                    Is that even possible? I know my copy of UBCD is clean, and I booted straight from CD-ROM. Is it possible that a malicious or corrupted driver that launches pre-boot, perhaps stored in EEPROM, is launching the malicious code even with my hard drive unplugged? That's what I was trying to find out.

                    But maybe I'm getting ahead of myself. I will attempt to reconnect the hard drive and run some type of scan so I can post the results here. Most of the anti-virus programs included in UBCD4Win have been disabled -- I can't get them to run on my system because of this whatever-it-is that's messing things up.

                    #10 rdsok

                    • rdsok
                      • Group: Admin
                      • Posts: 6,037
                      • Joined: 02-October 05
                      • Gender:Male
                      • Location:Norman, Ok. USA

                      Posted 08 July 2009 - 06:14 PM

                      Create the UBCD4Win ( not UBCD ) disk on another known clean system... There is no way that something else ( ie BIOS etc ) is going to affect the disk you created; only if you had built it on an infected system could that explain it.



                      Note.... to avoid confusion on what you are referring to..

                      UBCD - is a DOS based boot CD with utils to repair / recover computers

                      UBCD4Win - is a Windows based boot CD to also repair / recover computers and also can include UBCD with it...


                      So when talking about UBCD4Win please don't call it UBCD since that is another project
                      Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

                      #11 RootkitMary

                      • Newbie
                        • Group: Members
                        • Posts: 5
                        • Joined: 08-July 09

                        Posted 09 July 2009 - 07:09 AM

                        rdsok, on 08 July 2009 - 06:14 PM, said:

                        Create the UBCD4Win ( not UBCD ) disk on another known clean system... There is no way that something else ( ie BIOS etc ) is going to affect the disk you created; only if you had built it on an infected system could that explain it.



                        Note.... to avoid confusion on what you are referring to..

                        UBCD - is a DOS based boot CD with utils to repair / recover computers

                        UBCD4Win - is a Windows based boot CD to also repair / recover computers and also can include UBCD with it...


                        So when talking about UBCD4Win please don't call it UBCD since that is another project


                        Understood -- I did not realize there was a different boot disk for DOS by that name. To clarify, all of my previous references to UBCD* have been specifically with regard to UBCD4Win.

                        As far as having a clean copy, I've got that covered. The disk was burned on another computer that I am 99.9 percent sure was clean. So if my copy isn't running as it should, the only reason would be because of a firmware or hardware issue. But I'm going to set that issue aside for now and simply attempt to run it with my hard drive connected in order to scan for obvious issues. I'll burn the logs to CD-ROM, then disconnect the drive, boot back into UBCD4Win and post them online. I cannot connect from Vista because of the issues I'm experiencing.

                        Also, thank you for taking the time to assist me in solving the problem.

                        #12 rdsok

                        • rdsok
                          • Group: Admin
                          • Posts: 6,037
                          • Joined: 02-October 05
                          • Gender:Male
                          • Location:Norman, Ok. USA

                          Posted 09 July 2009 - 10:37 AM

                          RootkitMary, on 09 July 2009 - 07:09 AM, said:

                          the only reason would be because of a firmware or hardware issue.


                          BIOS infections, while possible, are extremely unlikely. Each BIOS must be customized specifically for the motherboard it's going to be used on. In other words, the code must match the manufacturer, model and revision to a tee. This is so critical that normally if you take a BIOS code for model "x" revision one and try to use it on revision two... it will fail to boot in many if not all cases ( actually the term is post but anyway ). There are a few exceptions but they really are not exceptions; these are where a model board is released under different company/model names, but this doesn't happen often. In other words brand A and B are really the same brand.

                          This means that for a malware to be able to infect a BIOS and then the motherboard still work and boot... the malware would have to be customized for just one specific make/model/rev of board. Now imagine ( if you were that malware author trying to do this ) making your malware work for each system board that exists. The author would need copies of each bios they were going to infect, they would need to study each one to see where they could inject their code so it was effective AND so the motherboard could still operate. Then repeat the process over and over for every single motherboard they wanted to infect. The size of that job alone makes it impractical if not impossible to achieve.


                          Another thing to consider about this. A programmer that has the skills needed to even pull off a small portion of the above work would be in such high demand in the market that they wouldn't have a need to perform that type of grudge work for such little gain. So it is possible if a programmer has the knowledge to do the work, but it is so impractical that it would border on the ridiculous.
                          Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....