August 13th, 2010 11:00

Windows Update Fails (Vista, Error 80080005) / Windows Modules Installer Service Cannot Start

I am attempting to fix a family member's HP laptop.  Windows Vista Home Premium SP2 cannot currently check for Windows Updates or install any such updates that are manually downloaded.  The computer has Kaspersky Internet Security 9.0.0.736 installed.  It does not report any current threats (for what that's worth).  The AV was disabled at the time of the HJT scan.

The last truly successful Windows Update appears to have been from April 2010, judging from the update history.  Since that time, KB979683 has been reinstalled several more times (as recently as a few days ago).

When I attempt to check for new updates, I receive an error code of 80080005 "Windows Update encountered an Unknown Error."  I have tried both Windows and Microsoft Update.  Updates downloaded manually also fail.  From my own troubleshooting (along with some help from Google), I noticed that the Windows Modules Installer Service could not be started.  Attempting to manually start the service results in "Error 126: The specified module could not be found."

I noted that the Windows Installer Service was effectively TrustedInstaller.exe.  I attempted to start the program manually with Process Monitor enabled.  I used the default filters and also filtered for process equal to TrustedInstaller.exe.  I would attach the results but they are too large for this forum and Dell does not like the file type.  If anyone would like to see them, please PM me an email address or tell me a better place to host (they are around 1 MB, or 120 KB zipped).  Of note, towards the end, there was a path not found error for C:\Windows\servicing\0.0.0.1\cbscore.dll .  I found one other poor soul with this problem on MS forums, but the replies did not seem helpful.

HP did not provide me with physical media.  All I can do is restore from a hidden HD partition (which would wipe all data).  I have OEM Dell Vista media if that would be helpful.

At the end of the day, this problem may not be malware, but I would like to rule it out.  Along the way, if anyone has a solution to the problem, that would be great as well.

HJT Log Follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:40 AM, on 8/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RMClock] "C:\Program Files\RMClock\RMClockLauncher.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Update Service (gupdate1c9a45adccb2256) (gupdate1c9a45adccb2256) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8786 bytes
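As an added example that is not part of this thread, of HijackThis, or of the Dell forum's own tooling: a small Python triage parser for log lines in the format posted above. It extracts the file or URL each R/O entry points at and applies a few constructed first-pass rules (AppInit_DLLs set, autoruns or services running from user-writable locations, unresolved startup shortcuts, services with no recorded vendor). The sample lines are constructed in the shape of the log; the Temp-based autorun, the "Unknown owner" service and the EXAMPLEUSER account are made up to exercise the rules.

```python
"""
Added example, not part of the forum thread: a triage parser for HijackThis
2.0.4 log lines (R0/R1/O2/O4/O16/O20/O23 ...). The rules in flags_for() are
constructed analyst heuristics, not HijackThis's own logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the thread's log. The Temp-based autorun and
# the "Unknown owner" service are made up to exercise the rules; EXAMPLEUSER is a
# placeholder account name.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [Updater] C:\Users\EXAMPLEUSER\AppData\Local\Temp\updater.exe /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Global Startup: VPN Client.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2\mzvkbd3.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Users\EXAMPLEUSER\AppData\Roaming\ExampleSvc\svc.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# An unquoted command ends at the first whitespace after the module name.
PATH_END_RE = re.compile(r"(.*?\.(?:exe|dll|lnk|cpl))(?:\s|$)", re.IGNORECASE)
# Locations an ordinary user can write to; legitimate software rarely autostarts from them.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class HjtEntry:
    code: str                     # "O4", "O23", ...
    body: str                     # everything after "Oxx - "
    path: Optional[str]           # file or URL the entry points at, if any
    vendor: Optional[str] = None  # O23 service owner as HijackThis prints it


def extract_path(code: str, body: str) -> Optional[str]:
    """Pull the file or URL an entry references; None for entries that carry none (R0/R1)."""
    if code == "O4":
        m = re.search(r"\] (.*)$", body)             # registry Run entries: [Name] command
        if m:
            cmd = m.group(1).strip()
        elif " = " in body:                           # Startup-folder shortcuts: X.lnk = target
            cmd = body.split(" = ", 1)[1].strip()
        else:
            return None
        if cmd.startswith('"'):                       # quoted path; arguments follow the closing quote
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else None
        m = PATH_END_RE.match(cmd)                    # unquoted path; stop at the first switch
        return m.group(1) if m else cmd
    if code == "O20":
        return body.split(":", 1)[1].strip() or None  # "AppInit_DLLs: <dll list>"
    if code in ("O2", "O9", "O16", "O22", "O23"):
        return body.rsplit(" - ", 1)[1].strip() if " - " in body else None
    return None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Turn the Rx/Oxx lines of a HijackThis log into records; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        vendor = None
        if code == "O23":                             # "Service: name - vendor - path"
            parts = body.split(" - ")
            if len(parts) >= 3:
                vendor = parts[-2].strip()
        entries.append(HjtEntry(code, body, extract_path(code, body), vendor))
    return entries


def summarize(text: str) -> Dict[str, int]:
    """Count entries per HijackThis section code."""
    return dict(Counter(e.code for e in parse_hjt(text)))


def flags_for(entry: HjtEntry) -> List[str]:
    """Constructed first-pass rules; a hit means 'look closer', not 'malicious'."""
    flags = []
    if entry.code == "O20" and entry.path:
        flags.append("AppInit_DLLs is set: the DLL is loaded into every process that loads user32.dll")
    if entry.code == "O4" and entry.path == "?":
        flags.append("startup shortcut whose target could not be resolved")
    if entry.code == "O23" and entry.vendor == "Unknown owner":
        flags.append("service binary carries no vendor information")
    if entry.path and USER_WRITABLE_RE.search(entry.path):
        flags.append("runs from a user-writable location")
    return flags


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, List[str]]]:
    """Return only the entries that trip at least one rule, paired with the reasons."""
    hits = []
    for entry in entries:
        reasons = flags_for(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == "__main__":
    print("section counts:", summarize(SAMPLE_LOG))
    for entry, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.code} {entry.path}\n    " + "\n    ".join(reasons))
```

Run as-is it prints the per-section counts and the four constructed entries that trip a rule. The rules deliberately err toward review rather than verdict: the O20 entry in the thread's own log resolves to a DLL under the Kaspersky program directory, so a hit there is a prompt to confirm the vendor, not a finding.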

 

1.5K Posts

August 14th, 2010 12:00

Hi NemensisDB,

Going by your post count I don't think I really need to welcome you to the Dell Community Forums, but welcome all the same.

Welcome to Dell Community Malware Removal Forums,

I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

Failure to reply in three (3) days will result in this topic being marked as inactive; if you need more time, that is fine, but please let me know.

I have made a personal decision to not offer help to those with P2P programs or cracked software installed; if you have it installed please remove it now. If you have it installed and do not know how to remove it, let me know and we will remove it for you.

 


There are various infections that can cause Windows Update to fail. Let's do some digging.

Please Disable all real time protection before running the next tool

  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • This log may be very large so please use as many posts as necessary.

 

Note** you may get the following warning. It is ok, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Please post the RKU log back to me.

Thanks.

7.9K Posts

August 14th, 2010 16:00

K27, thank you so much for helping me, I really appreciate it. 

[Edit: I received the parasite message and hit cancel -- if that matters -- there was no "ignore"]

RKU log is as follows:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8C80B000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7065600 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x8E601000 C:\Windows\system32\DRIVERS\kl1.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x84415000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x84415000 PnpManager 3903488 bytes
0x84415000 RAW 3903488 bytes
0x84415000 WMIxWDM 3903488 bytes
0x8D401000 C:\Windows\system32\DRIVERS\bcmwl5.sys 2699264 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0x94CB0000 Win32k 2105344 bytes
0x94CB0000 C:\Windows\System32\win32k.sys 2105344 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x88C03000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x88807000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8E20B000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x88A06000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x806D7000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xAC602000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x88B0B000 C:\Windows\System32\Drivers\dump_iaStor.sys 892928 bytes
0x88608000 C:\Windows\system32\DRIVERS\iaStor.sys 892928 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x8E30E000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x8162A000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8CEC8000 C:\Windows\System32\drivers\dxgkrnl.sys 659456 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x83B14000 C:\Windows\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0x8D000000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8875C000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x84A0E000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8060D000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x81731000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x84BA5000 C:\Windows\system32\DRIVERS\klif.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wlh_x86])
0x83AC6000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x84B36000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8EB35000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x84A8D000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80696000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8D08D000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x88988000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 253952 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8D69F000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x807B7000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8893D000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x83A4E000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x88D13000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8D71D000 C:\Windows\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics Incorporated, Synaptics Touchpad Driver)
0x8D18E000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x847CE000 ACPI_HAL 208896 bytes
0x8CF75000 C:\Windows\system32\drivers\CHDRT32.sys 208896 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
0x847CE000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x88711000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x8EB7D000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8D7A6000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x8CFA8000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x88912000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8D144000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x816EA000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x88D70000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x84AE4000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x83A9F000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8D1D4000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8D0D9000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x88DA8000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x83A0E000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8CFD5000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x83A2F000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x886EA000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x8D788000 C:\Windows\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0x8179E000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x88AF0000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x81607000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x817BB000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x8D76A000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x83A87000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x887CD000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8D7E0000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xAC6FE000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x8EBAF000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x889D4000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x817D4000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8D11F000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8D10B000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8EB21000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8D6FF000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x8171E000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8EBDC000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x88D97000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x8D1C3000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8067D000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x88743000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x88978000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x816DA000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x84B95000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8D134000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x88BE5000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x887E4000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x88D54000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x84B0B000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8D0FC000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8D6EC000 C:\Windows\system32\DRIVERS\Rtnicxp.sys 61440 bytes (Realtek Semiconductor Corporation                           , Realtek 10/100 NDIS 5.1 Driver                         )
0x8D6DD000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x84B27000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x94EF0000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8EBCC000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x889C6000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x84B87000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x84A7F000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x88DD2000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x88D63000 C:\Windows\system32\drivers\klbg.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0x8E3C3000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8D178000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0xAC6EA000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8E3E7000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8CF69000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x8D712000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8D75F000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8C800000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8D0CE000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8D7D5000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x88DDF000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8D694000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x84B1D000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x889EA000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8D16E000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x81714000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x8EBEF000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xAC6E0000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x88DC9000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8E3D0000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x8D185000 C:\Windows\system32\DRIVERS\kbdhid.sys 36864 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x8D756000 C:\Windows\system32\DRIVERS\klmouflt.sys 36864 bytes (Kaspersky Lab, KLMOUFLT Mouse Device Filter [fre_wlh_x86])
0x88708000 C:\Windows\system32\drivers\msahci.sys 36864 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0xAC714000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x88753000 C:\Windows\System32\Drivers\PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x8CFF6000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x94ED0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x88DEA000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x88BF4000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x84AD3000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x886E2000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8068E000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x84ADC000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8E3F3000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8E200000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x88D4C000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0xAC6F6000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x8E3E0000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x88DF6000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x84B80000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80606000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8EBC5000 C:\Windows\system32\DRIVERS\klim6.sys 28672 bytes (Kaspersky Lab, Kaspersky Lab Intermediate Network Driver)
0x8E3D9000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8D782000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8D6FB000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x83BA4000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x84B1A000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x88DF3000 C:\Windows\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
0x8EBDA000 C:\Windows\system32\DRIVERS\eabfiltr.sys 8192 bytes (Hewlett-Packard Development Company, L.P., QLB PS/2 Keyboard filter driver)
0x8D7F7000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8D754000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x00B10000 Hidden Image-->HP.ActiveSupportLibrary.dll [ EPROCESS 0x862D3020 ] PID: 2072, 110592 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================

1.5K Posts

August 14th, 2010 18:00

Hi NemesisDB,

No problem, you are more than welcome.

The RKU log is not giving away a lot, let's try this.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please COPY/PASTE the MBAM log and BOTH DDS logs.

Thanks,
K27.
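The reply above asks for the complete MBAM log, including the header that carries the database version and operating system. As an added example (not code from this thread or from Malwarebytes), this Python script parses that MBAM 1.x log layout, checks that the header and all seven summary counts are present, totals the detections, and flags any category whose count disagrees with the items listed under it; the sample logs are constructed, and the "path (Name) -> action" line layout assumed for the detections is MBAM 1.x's.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The seven summary categories an MBAM 1.x log prints, in MBAM's own order.
CATEGORIES = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
_VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
_DATABASE_RE = re.compile(r"^Database version: (\d+)$")
_WINDOWS_RE = re.compile(r"^Windows (.+)$")
_COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")   # summary line: "Files Infected: 0"
_SECTION_RE = re.compile(r"^(.+ Infected):$")        # detail header: "Files Infected:"
_NO_ITEMS = "(No malicious items detected)"


@dataclass
class MbamReport:
    program_version: str | None = None
    database_version: int | None = None
    windows_version: str | None = None
    counts: dict[str, int] = field(default_factory=dict)       # summary counts
    items: dict[str, list[str]] = field(default_factory=dict)  # listed detections

    def is_complete(self) -> bool:
        """Header the helper asks for (program, database, OS) plus all seven counts."""
        return (self.program_version is not None and self.database_version is not None
                and self.windows_version is not None
                and all(c in self.counts for c in CATEGORIES))

    def total_detections(self) -> int:
        return sum(self.counts.values())

    def inconsistencies(self) -> list[str]:
        """Categories whose count disagrees with the items listed under it,
        which is what a trimmed or hand-edited log looks like."""
        return [c for c in CATEGORIES
                if self.counts.get(c, 0) != len(self.items.get(c, []))]


def parse_mbam_log(text: str) -> MbamReport:
    """Parse an MBAM 1.x log; unknown lines are ignored, so junk around it is harmless."""
    report = MbamReport()
    section: str | None = None   # detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _SECTION_RE.match(line):
            section = m.group(1)
            report.items.setdefault(section, [])
        elif section is not None:
            if line != _NO_ITEMS:            # one detection per line
                report.items[section].append(line)
        elif m := _COUNT_RE.match(line):
            report.counts[m.group(1)] = int(m.group(2))
        elif m := _VERSION_RE.match(line):
            report.program_version = m.group(1)
        elif m := _DATABASE_RE.match(line):
            report.database_version = int(m.group(1))
        elif m := _WINDOWS_RE.match(line):
            report.windows_version = m.group(1)
    return report


# Constructed sample in the layout of the clean log posted in this thread.
CLEAN_LOG = (
    "Malwarebytes' Anti-Malware 1.46\nwww.malwarebytes.org\n\n"
    "Database version: 4431\n\n"
    "Windows 6.0.6002 Service Pack 2\nInternet Explorer 8.0.6001.18904\n\n"
    "Scan type: Quick scan\nObjects scanned: 135551\n\n"
    + "\n".join(f"{c}: 0" for c in CATEGORIES) + "\n\n"
    + "\n\n".join(f"{c}:\n{_NO_ITEMS}" for c in CATEGORIES) + "\n"
)

# Constructed variant with one registry key and one file detected (the sample
# paths and the "Trojan.Agent" label are placeholders, not real findings).
DIRTY_LOG = (CLEAN_LOG
    .replace("Registry Keys Infected: 0", "Registry Keys Infected: 1")
    .replace("Files Infected: 0", "Files Infected: 1")
    .replace(f"Registry Keys Infected:\n{_NO_ITEMS}", "Registry Keys Infected:\n"
             r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\example"
             " (Trojan.Agent) -> Quarantined and deleted successfully.")
    .replace(f"Files Infected:\n{_NO_ITEMS}", "Files Infected:\n"
             r"C:\Users\user\AppData\Local\Temp\example.exe"
             " (Trojan.Agent) -> Quarantined and deleted successfully."))

# A log cut off before the summary, as sometimes gets pasted into a thread.
TRUNCATED_LOG = CLEAN_LOG.split("Memory Processes Infected: 0")[0]
```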

7.9K Posts

August 14th, 2010 19:00

Thanks for the very prompt reply.  The logs are attached below.

--------------------------------MBAM Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4431

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

8/14/2010 7:54:44 PM
mbam-log-2010-08-14 (19-54-44).txt

Scan type: Quick scan
Objects scanned: 135551
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------DDS.TXT


DDS (Ver_10-03-17.01) - NTFSx86 
Run by EBryan at 20:19:37.80 on Sat 08/14/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.175 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\stickies\stickies.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\EBryan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RMClock] "c:\program files\rmclock\RMClockLauncher.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\ebryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 21520]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
S2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-18 21504]
S3 KEONWFGIX;KEONWFGIX;c:\users\ebryan\appdata\local\temp\KEONWFGIX.exe [2010-8-13 420736]

=============== Created Last 30 ================

2010-08-15 00:44:46 0 d-----w- c:\users\ebryan\appdata\roaming\Malwarebytes
2010-08-15 00:44:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 00:44:34 0 d-----w- c:\programdata\Malwarebytes
2010-08-15 00:44:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 00:44:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 03:13:37 0 d-----w- c:\windows\system32\catroot2
2010-08-13 22:14:39 0 d-----w- c:\program files\Sophos
2010-08-13 16:47:48 0 d-----w- c:\program files\iPod
2010-08-13 16:47:36 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-13 16:47:36 0 d-----w- c:\program files\iTunes
2010-08-13 16:39:06 0 d-----w- c:\program files\Bonjour
2010-08-13 16:32:16 0 d-----w- c:\program files\Trend Micro
2010-08-13 16:27:33 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-02 02:11:43 0 d-----w- C:\9db2c28bb1f191e8ea2de122eed9
2010-08-02 01:44:09 49152 ----a-w- c:\windows\ocsetup_install_MicrosoftWindowsPowerShell.etl
2010-08-02 01:44:09 16384 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell2.perf
2010-08-02 01:44:09 16384 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell2.dpx
2010-08-02 01:44:09 16384 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.perf
2010-08-02 01:44:09 16384 ----a-w- c:\windows\ocsetup_cbs_install_MicrosoftWindowsPowerShell.dpx
2010-08-02 01:44:08 49152 ----a-w- c:\windows\ocsetup_install_MicrosoftWindowsPowerShell2.etl

==================== Find3M  ====================

2010-08-13 16:41:14 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-13 16:41:14 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-08-13 16:41:14 143360 ----a-w- c:\windows\inf\infstor.dat
2010-07-30 01:23:49 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 01:23:49 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-11-18 04:14:29 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-03-18 23:55:32 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-02-08 20:55:58 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-12-28 23:34:34 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-12-28 23:34:34 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-12-28 23:34:34 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-11-09 00:34:50 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-15 01:55:29 16384 --sha-w- c:\windows\system32\%appdata%\microsoft\windows\ietldcache\index.dat

============= FINISH: 20:22:38.33 ===============

 

 

--------------------------------ATTACH.TXT


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/29/2007 11:07:21 AM
System Uptime: 8/14/2010 7:23:30 PM (1 hours ago)

Motherboard: Hewlett-Packard  |  | 30C6
Processor: Genuine Intel(R) CPU           T2080  @ 1.73GHz | U1 | 1067/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 66 GiB total, 27.895 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 1.805 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP854: 8/5/2010 9:39:53 PM - Scheduled Checkpoint
RP855: 8/6/2010 10:41:25 AM - Scheduled Checkpoint
RP856: 8/7/2010 6:07:53 AM - Windows Update
RP857: 8/8/2010 11:41:58 AM - Windows Update
RP858: 8/9/2010 9:24:51 PM - Scheduled Checkpoint
RP859: 8/10/2010 7:58:36 PM - Scheduled Checkpoint
RP860: 8/11/2010 9:05:34 PM - Scheduled Checkpoint
RP861: 8/12/2010 9:10:31 PM - Scheduled Checkpoint
RP862: 8/13/2010 11:10:24 AM - Removed Java(TM) 6 Update 18
RP863: 8/13/2010 11:26:03 AM - Installed Java(TM) 6 Update 21
RP864: 8/13/2010 11:31:31 AM - Installed HiJackThis
RP865: 8/13/2010 11:39:40 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP866: 8/13/2010 11:40:14 AM - Device Driver Package Install: Apple Network adapters
RP867: 8/13/2010 6:32:46 PM - Installed Microsoft Fix it 50202
RP868: 8/14/2010 8:14:30 PM - Scheduled Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Cisco Systems VPN Client 5.0.00.0340
Conexant HD Audio
ESU for Microsoft Vista
Google Earth
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Doc Viewer
HP DVD Play 3.2
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Product Detection
HP Quick Launch Buttons 6.20 D3
HP Update
HP User Guides 0079
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 21
Kaspersky Internet Security 2010
LightScribe  1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
OGA Notifier 2.0.0048.0
PDFCreator
PSSWCORE
QuickTime
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
SlingPlayer
Stickies 7.0b
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)

==== Event Viewer Messages From Past Week ========

8/9/2010 7:48:55 PM, Error: EventLog [6008]  - The previous system shutdown at 7:45:27 PM on 8/9/2010 was unexpected.
8/8/2010 7:03:44 PM, Error: EventLog [6008]  - The previous system shutdown at 6:57:11 PM on 8/8/2010 was unexpected.
8/8/2010 5:33:15 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
8/14/2010 7:25:36 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  vflt
8/14/2010 7:25:36 PM, Error: Service Control Manager [7023]  - The Windows Modules Installer service terminated with the following error:  The specified module could not be found.
8/13/2010 6:05:16 PM, Error: Service Control Manager [7030]  - The FNFUPP service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/13/2010 6:05:13 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the KEONWFGIX service to connect.
8/13/2010 6:05:13 PM, Error: Service Control Manager [7000]  - The KEONWFGIX service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/13/2010 6:04:44 PM, Error: Service Control Manager [7030]  - The KEONWFGIX service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/13/2010 11:41:54 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/13/2010 11:39:21 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/13/2010 10:13:38 PM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{708D3928-7CA5-43F2-8D32-9C184DB35740} because another computer on the network has the same name.  The server could not start.
8/11/2010 9:49:09 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.

==== End Of File ===========================

1.5K Posts

August 15th, 2010 03:00

Hi NemesisDB,

Good work. It looks as if we have found the culprit.

 

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below).

 

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be saved to your desktop before running the tool.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console, please make sure to do so, as this is a VERY IMPORTANT backup of Combo-fix (XP only).

You will need to be connected to the net to install the recovery console. If you cannot install it, DO NOT run Combo-Fix;
post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running, as this will cause Combo-Fix to stall and it will not work as it should.

Please include the C:\ComboFix.txt in your next reply for further review.

 

If Combofix gives a warning about rootkit activity and asks to reboot the system, please allow it to do so.

Upon reboot the screen may stay black for a minute or two, this is normal.

If you receive any type of warning message when trying to open programs AFTER running Combofix, please manually reboot the system.

 

Please post the Combofix log back to me.

Thanks,
K27.

7.9K Posts

August 15th, 2010 09:00

Thanks again.  Care to share what you found?  For what it's worth, Windows Update still is not working.

Combofix log is as follows:

ComboFix 10-08-14.06 - EBryan 08/15/2010  10:00:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.332 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PROCEXP141


(((((((((((((((((((((((((   Files Created from 2010-07-15 to 2010-08-15  )))))))))))))))))))))))))))))))
.

2010-08-15 15:15 . 2010-08-15 15:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\users\EBryan\AppData\Roaming\Malwarebytes
2010-08-15 00:44 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\programdata\Malwarebytes
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 00:44 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 03:13 . 2010-08-14 03:18 -------- d-----w- c:\windows\system32\catroot2
2010-08-13 22:14 . 2010-08-14 19:54 -------- d-----w- c:\program files\Sophos
2010-08-13 16:47 . 2010-08-13 16:47 -------- d-----w- c:\program files\iPod
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\program files\iTunes
2010-08-13 16:44 . 2010-08-13 16:44 -------- d-----w- c:\program files\QuickTime
2010-08-13 16:39 . 2010-08-13 16:39 -------- d-----w- c:\program files\Bonjour
2010-08-13 16:32 . 2010-08-13 16:32 -------- d-----w- c:\program files\Trend Micro
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\program files\Common Files\Java
2010-08-13 16:27 . 2010-08-13 16:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-02 02:11 . 2010-08-02 02:14 -------- d-----w- C:\9db2c28bb1f191e8ea2de122eed9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 15:20 . 2007-07-23 05:14 -------- d-----w- c:\users\EBryan\AppData\Roaming\stickies
2010-08-15 14:49 . 2008-11-27 02:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-13 16:47 . 2008-10-31 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-08-13 16:35 . 2010-08-13 16:35 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-13 16:32 . 2010-08-13 16:32 388096 ----a-r- c:\users\EBryan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-30 01:23 . 2009-11-27 04:39 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 01:23 . 2009-11-27 04:39 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-16 01:30 . 2010-06-16 01:30 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 01:30 . 2010-06-16 01:30 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\EBryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2008-8-28 1101824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-11-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,1a,5d,15,e1,13,ca,01

R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys
R2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
R3 KEONWFGIX;KEONWFGIX;c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A0C7.tmp
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-09-25 93960]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
HKCU-Run-RMClock - c:\program files\RMClock\RMClockLauncher.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

 

**************************************************************************
scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A0C7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-15  10:28:31 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-15 15:28

Pre-Run: 28,932,743,168 bytes free
Post-Run: 28,723,798,016 bytes free

- - End Of File - - 723DE0E3AACCC708305E1E117088E96D

1.5K Posts

August 15th, 2010 10:00

Hi,

There are some oddly named files running as drivers from strange locations. One (KEONWFGIX.exe) has no research data at all, which is always suspect, as is the fact that it is running from a temp location and is still there after running CF. For the other (A0C7.tmp), there are reports that it is rootkit related.

I want to be double sure before we start killing things; we don't want any accidents. This next Combofix script is going to upload the files for me to have a closer look at. I will then let you know the outcome, and if they are indeed malicious, then we will take them out.

 

 

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBOFIX, SO THAT COMBOFIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below).

 

Next we are going to run ComboFix in a slightly different way.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

Quote:

Suspect::[108]
c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe
c:\windows\system32\A0C7.tmp


 

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of ComboFix available; please allow ComboFix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually

Thanks
K27.

7.9K Posts

August 15th, 2010 15:00

Thank you again for the continued help. The log is as follows:

ComboFix 10-08-15.01 - EBryan 08/15/2010  16:27:04.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.332 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-07-15 to 2010-08-15  )))))))))))))))))))))))))))))))
.

2010-08-15 21:41 . 2010-08-15 21:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-15 21:41 . 2010-08-15 21:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\users\EBryan\AppData\Roaming\Malwarebytes
2010-08-15 00:44 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\programdata\Malwarebytes
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 00:44 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 03:13 . 2010-08-14 03:18 -------- d-----w- c:\windows\system32\catroot2
2010-08-13 22:14 . 2010-08-14 19:54 -------- d-----w- c:\program files\Sophos
2010-08-13 16:47 . 2010-08-13 16:47 -------- d-----w- c:\program files\iPod
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\program files\iTunes
2010-08-13 16:44 . 2010-08-13 16:44 -------- d-----w- c:\program files\QuickTime
2010-08-13 16:39 . 2010-08-13 16:39 -------- d-----w- c:\program files\Bonjour
2010-08-13 16:35 . 2010-08-13 16:35 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-13 16:32 . 2010-08-13 16:32 388096 ----a-r- c:\users\EBryan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-13 16:32 . 2010-08-13 16:32 -------- d-----w- c:\program files\Trend Micro
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\program files\Common Files\Java
2010-08-13 16:27 . 2010-08-13 16:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-02 02:11 . 2010-08-02 02:14 -------- d-----w- C:\9db2c28bb1f191e8ea2de122eed9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 21:17 . 2008-11-27 02:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-15 21:16 . 2007-07-23 05:14 -------- d-----w- c:\users\EBryan\AppData\Roaming\stickies
2010-08-13 16:47 . 2008-10-31 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-07-30 01:23 . 2009-11-27 04:39 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 01:23 . 2009-11-27 04:39 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-16 01:30 . 2010-06-16 01:30 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 01:30 . 2010-06-16 01:30 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\EBryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2008-8-28 1101824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-11-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,1a,5d,15,e1,13,ca,01

R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys
R2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
R3 KEONWFGIX;KEONWFGIX;c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A0C7.tmp
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-09-25 93960]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]

2010-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-15 16:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A0C7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-15  16:46:51
ComboFix-quarantined-files.txt  2010-08-15 21:46
ComboFix2.txt  2010-08-15 15:28

Pre-Run: 28,643,520,512 bytes free
Post-Run: 28,612,907,008 bytes free

- - End Of File - - 47905494C1496713D00C2F42AF70BA02

1.5K Posts

August 16th, 2010 00:00

Hi NemesisDB,

The files failed to load to Bleeping Computer. We are going to have to do it manually.

I need you to upload me a file for an analyst, please go to THIS web page, once there please copy/paste the link to this thread in the dialogue box where it says Link to topic where this file was requested:.

Then please click the Browse button and then using the Windows Explorer box that opens, please navigate to this file:

c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe

Once you have located the file please click it once so it appears in the text box at the bottom of the Windows Explorer box and then click OK. Then please click the Send File button on the web page.

Then please do the same thing for this file:

c:\windows\system32\A0C7.tmp

You may need to unhide system files, to be able to find the above files.

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:

  • Search System folders
  • Search Hidden Files and folders
  • Search SubFolders

Remember to hide hidden files/folders by reversing the action when you have finished.

Please post back and let me know when the files have been uploaded.

Thanks.
K27.

7.9K Posts

August 16th, 2010 11:00

K27,

Thanks for sticking with me on this. Unfortunately, I cannot locate the files in order to upload them. Hidden files and OS files are both set to display. The files do not appear in the paths indicated. I likewise could not find them with a search. I think I set the search options correctly, though Vista sadly isn't as easy as clicking Start / Search (though I did search the C drive including non-indexed files and system files).

What's the next step?  If the files are hiding, is there a boot CD you would recommend I use in order to grab them?  Or is that not necessary?
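When a service's file does not show up in Explorer or Search, as in the exchange above, a responder usually checks from the registry side instead: the service key tells you exactly which file the driver loads, and a file query that ignores the hidden/system attributes tells you whether it is really on disk. The PowerShell script below is an added example by the editor, not something posted in this thread and not part of ComboFix. For each of the two service names in the log (KEONWFGIX and MEMSWEEP2) it reads ImagePath from HKLM\SYSTEM\CurrentControlSet\Services, normalises the forms that value takes (the \??\ prefix shown in the log, \SystemRoot\, or a path relative to the Windows directory), checks for the file with -Force so hidden and system attributes do not mask it, and records size, timestamp, SHA-256 and Authenticode signature status for the analyst. It assumes an elevated PowerShell prompt; the function names are the editor's own.

```powershell
# Added example (editor's own, not from the thread or from ComboFix).
# Resolves each listed service's ImagePath from the registry and checks the
# file on disk, including hidden/system files. Run from an elevated prompt.

# Service names taken from the ComboFix log above.
$ServiceNames = @('KEONWFGIX', 'MEMSWEEP2')

function Resolve-ServiceImagePath {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { return $null }
    $path = $props.ImagePath.Trim('"')
    # Driver ImagePath values come in several forms: "\??\C:\...",
    # "\SystemRoot\system32\..." or a path relative to the Windows directory
    # such as "system32\DRIVERS\x.sys". Normalise all of them to a full path.
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    return $path
}

function Get-FileSha256Hex {
    param([string]$Path)
    # Uses .NET directly so it also works on the PowerShell 2.0 that Vista
    # ships with (Get-FileHash only arrived in PowerShell 4).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)) -replace '-', ''
}

foreach ($svc in $ServiceNames) {
    $image = Resolve-ServiceImagePath -Name $svc
    if (-not $image) {
        Write-Output "$svc : no service key or ImagePath (already removed?)"
        continue
    }
    Write-Output "$svc : ImagePath resolves to $image"
    # -Force returns hidden and system files that Explorer and a default
    # search skip.
    $item = Get-Item -LiteralPath $image -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Output "    file not present on disk: dangling service entry"
        continue
    }
    Write-Output ("    attributes : {0}" -f $item.Attributes)
    Write-Output ("    size, mtime: {0} bytes, {1}" -f $item.Length, $item.LastWriteTime)
    Write-Output ("    sha256     : {0}" -f (Get-FileSha256Hex -Path $item.FullName))
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    Write-Output ("    signature  : {0} {1}" -f $sig.Status, $signer)
}
```

If the file is absent, the service entry is dangling: consistent either with a driver that was loaded and then deleted, or with a scanning tool that registers a temporary driver under a random name and removes it afterwards (the log shows a Sophos install on 2010-08-13, and some anti-rootkit scanners work that way). A valid signature from a known vendor points toward the second reading; an unsigned file in a user's Temp folder points toward the first. In either case a hash and timestamp taken before removal are what let the analyst match the sample later, which is what the Collect:: step later in this thread preserves.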

1.5K Posts

August 16th, 2010 13:00

Hi nemesisDB.

I think ComboFix failing to upload them was my fault. I left an on the end of file that should not have been there. Let's try it one more time.

I will post the full instructions for ease of access.

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBOFIX, SO THAT COMBOFIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

Quote:

http://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19735622/Reply.aspx


Suspect::[108]
c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe
c:\windows\system32\A0C7.tmp

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of ComboFix available; please allow ComboFix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually

Thanks
K27.

7.9K Posts

August 16th, 2010 15:00

Here's the new log ... please let me know if the upload worked:

ComboFix 10-08-16.01 - EBryan 08/16/2010  15:51:51.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.315 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((   Files Created from 2010-07-16 to 2010-08-16  )))))))))))))))))))))))))))))))
.

2010-08-16 21:06 . 2010-08-16 21:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-16 21:06 . 2010-08-16 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\users\EBryan\AppData\Roaming\Malwarebytes
2010-08-15 00:44 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\programdata\Malwarebytes
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 00:44 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 03:13 . 2010-08-14 03:18 -------- d-----w- c:\windows\system32\catroot2
2010-08-13 22:14 . 2010-08-14 19:54 -------- d-----w- c:\program files\Sophos
2010-08-13 16:47 . 2010-08-13 16:47 -------- d-----w- c:\program files\iPod
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\program files\iTunes
2010-08-13 16:44 . 2010-08-13 16:44 -------- d-----w- c:\program files\QuickTime
2010-08-13 16:39 . 2010-08-13 16:39 -------- d-----w- c:\program files\Bonjour
2010-08-13 16:32 . 2010-08-13 16:32 -------- d-----w- c:\program files\Trend Micro
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\program files\Common Files\Java
2010-08-13 16:27 . 2010-08-13 16:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-02 02:11 . 2010-08-02 02:14 -------- d-----w- C:\9db2c28bb1f191e8ea2de122eed9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 20:30 . 2008-11-27 02:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-16 20:30 . 2007-07-23 05:14 -------- d-----w- c:\users\EBryan\AppData\Roaming\stickies
2010-08-13 16:47 . 2008-10-31 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-08-13 16:35 . 2010-08-13 16:35 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-13 16:32 . 2010-08-13 16:32 388096 ----a-r- c:\users\EBryan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-30 01:23 . 2009-11-27 04:39 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 01:23 . 2009-11-27 04:39 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-16 01:30 . 2010-06-16 01:30 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 01:30 . 2010-06-16 01:30 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\EBryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2008-8-28 1101824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-11-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,1a,5d,15,e1,13,ca,01

R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys
R2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
R3 KEONWFGIX;KEONWFGIX;c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\A0C7.tmp
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-09-25 93960]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 16:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\A0C7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-16  16:14:07
ComboFix-quarantined-files.txt  2010-08-16 21:14
ComboFix2.txt  2010-08-15 21:46
ComboFix3.txt  2010-08-15 15:28

Pre-Run: 29,070,798,848 bytes free
Post-Run: 29,039,738,880 bytes free

- - End Of File - - C8DA5D5147D1116234598E3356D11D5F

1.5K Posts

August 17th, 2010 00:00

Hi nemesisDB,

Those files are still failing to upload, which makes me believe all the more that they are malicious. Let's take them out and upload them at the same time.

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBOFIX, SO THAT COMBOFIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

Quote:


http://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19342408/19735315.aspx#19735315


Driver::
KEONWFGIX
MEMSWEEP2

Collect::
c:\windows\system32\A0C7.tmp
c:\users\EBryan\AppData\Local\Temp\KEONWFGIX.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of ComboFix available; please allow ComboFix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually

Thanks
K27.

7.9K Posts

August 17th, 2010 10:00

K27, Thanks again. I ran ComboFix with Kaspersky disabled, but I forgot to turn auto-start off, so Kaspersky was on after ComboFix rebooted the machine. If this is a problem, let me know and I will re-run it. Windows Update is still reporting the error (not that I was expecting it to be fixed at this point).

Log is as follows:

ComboFix 10-08-16.04 - EBryan 08/17/2010  10:54:45.4.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.362 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_KEONWFGIX
-------\Service_MEMSWEEP2


(((((((((((((((((((((((((   Files Created from 2010-07-17 to 2010-08-17  )))))))))))))))))))))))))))))))
.

2010-08-17 16:09 . 2010-08-17 16:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\users\EBryan\AppData\Roaming\Malwarebytes
2010-08-15 00:44 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\programdata\Malwarebytes
2010-08-15 00:44 . 2010-08-15 00:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 00:44 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 03:13 . 2010-08-14 03:18 -------- d-----w- c:\windows\system32\catroot2
2010-08-13 22:14 . 2010-08-14 19:54 -------- d-----w- c:\program files\Sophos
2010-08-13 16:47 . 2010-08-13 16:47 -------- d-----w- c:\program files\iPod
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-13 16:47 . 2010-08-13 16:48 -------- d-----w- c:\program files\iTunes
2010-08-13 16:44 . 2010-08-13 16:44 -------- d-----w- c:\program files\QuickTime
2010-08-13 16:39 . 2010-08-13 16:39 -------- d-----w- c:\program files\Bonjour
2010-08-13 16:32 . 2010-08-13 16:32 -------- d-----w- c:\program files\Trend Micro
2010-08-13 16:28 . 2010-08-13 16:28 -------- d-----w- c:\program files\Common Files\Java
2010-08-13 16:27 . 2010-08-13 16:26 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-02 02:11 . 2010-08-02 02:14 -------- d-----w- C:\9db2c28bb1f191e8ea2de122eed9

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 16:15 . 2007-07-23 05:14 -------- d-----w- c:\users\EBryan\AppData\Roaming\stickies
2010-08-17 15:47 . 2008-11-27 02:47 -------- d-----w- c:\programdata\Kaspersky Lab
2010-08-13 16:47 . 2008-10-31 18:14 -------- d-----w- c:\program files\Common Files\Apple
2010-08-13 16:35 . 2010-08-13 16:35 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-13 16:32 . 2010-08-13 16:32 388096 ----a-r- c:\users\EBryan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-30 01:23 . 2009-11-27 04:39 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-30 01:23 . 2009-11-27 04:39 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-06-16 01:30 . 2010-06-16 01:30 133648 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-16 01:30 . 2010-06-16 01:30 133720 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-28 1557800]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-03-06 180224]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\users\EBryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\stickies\stickies.exe [2008-8-28 1101824]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2009-11-29 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~2\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e5,1a,5d,15,e1,13,ca,01

R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys
R2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-15 36880]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-09-14 21520]
S2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [2009-09-25 93960]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-03 19472]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 11:13
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2010-08-17  11:26:26 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-17 16:26
ComboFix2.txt  2010-08-16 21:14
ComboFix3.txt  2010-08-15 21:46
ComboFix4.txt  2010-08-15 15:28

Pre-Run: 29,195,444,224 bytes free
Post-Run: 29,065,523,200 bytes free

- - End Of File - - 9CCD61F14A70F221DE63D613522C50E8


August 17th, 2010 11:00

Hi NemesisDB,

That took the drivers out, but it does not show whether or not the files were removed. They certainly were not uploaded, and they are not in the logs.

Please hold the Windows key and the "R" key together, and in the Run box that opens, copy/paste C:\Qoobox\ComboFix-quarantined-files.txt into it and hit Enter. A Notepad file will open; please post me the contents of that file.

Then please disable all active protection and run this online scan.


I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png

Also, you say that Windows Updates have not been installed since April. Can you tell me when Kaspersky was installed on the system?

Thanks.
K27.