Windows Update Fails (Vista, Error 80080005) / Windows Modules Installer Service Cannot Start

I am attempting to fix a family member's HP laptop.  Windows Vista Home Premium SP2 cannot currently check for Windows Updates or install any such updates that are manually downloaded.  The computer has Kaspersky Internet Security installed.  It does not report any current threats (for what that's worth).  The AV was disabled at the time of the HJT scan.

The last truly successful Windows Update appears to have been from April 2010, judging from the update history.  Since that time, KB979683 has been reinstalled several more times (as recently as a few days ago).

When I attempt to check for new updates, I receive an error code of 80080005 "Windows Update encountered an Unknown Error."  I have tried both Windows and Microsoft Update.  Updates downloaded manually also fail.  From my own troubleshooting (along with some help from Google), I noticed that the Windows Modules Installer Service could not be started.  Attempting to manually start the service results in "Error 126: The specified module could not be found."

I noted that the Windows Installer Service was effectively TrustedInstaller.exe.  I attempted to start the program manually with Process Monitor enabled.  I used the default filters and also filtered for process equal to TrustedInstaller.exe.  I would attach the results but they are too large for this forum and Dell does not like the file type.  If anyone would like to see them, please PM me an email address or tell me a better place to host (they are around 1mb, or 120k zipped).  Of note, towards the end, there was a path not found error for C:\Windows\servicing\\cbscore.dll .  I found one other poor soul with this problem on MS forums, but the replies did not seem helpful.

HP did not provide me with physical media.  All I can do is restore from a hidden HD partition (which would wipe all data).  I have OEM Dell Vista media if that would be helpful.

At the end of the day, this problem may not be malware, but I would like to rule it out.  Along the way, if anyone has a solution to the problem, that would be great as well.

HJT Log Follows:

Hi NemesisDB,

Going by your post count I don't think I really need to welcome you to the Dell Community Forums, but welcome all the same.

Welcome to Dell Community Malware Removal Forums,

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

Failure to reply in three (3) days will result in this topic being marked as inactive. If you need more time than that, it is fine, but please let me know.

I have made a personal decision to not offer help to those with P2P programs or cracked software installed. If you have it installed, please remove it now. If you have it installed and do not know how to remove it, let me know and we will remove it for you.


There are various infections that can cause Windows Update to fail. Let's do some digging.

Please Disable all real time protection before running the next tool

  • Please download Rootkit Unhooker and save it to your desktop.
  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • This log may be very large so please use as many posts as necessary.


Note** you may get the following warning. It is ok, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please post the RKU log back to me.


K27, thank you so much for helping me, I really appreciate it. 

[Edit: I received the parasite message and hit cancel -- if that matters -- there was no "ignore"]

RKU log is as follows:

RkU Version: 3.8.388.590, Type LE (SR2)
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2

Hi NemesisDB,

No problem, you are more than welcome.

The RKU log is not giving away a lot, let's try this.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I need to see some additional information about what is happening in your machine.
Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please COPY/PASTE the MBAM log and BOTH DDS logs.


Thanks for the very prompt reply.  The logs are attached below.

--------------------------------MBAM Log:

Malwarebytes' Anti-Malware 1.46

Database version: 4431

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

8/14/2010 7:54:44 PM
mbam-log-2010-08-14 (19-54-44).txt

Scan type: Quick scan
Objects scanned: 135551
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




============== Pseudo HJT Report ===============

uStart Page = hxxp://
mStart Page = hxxp://
mDefault_Page_URL = hxxp://
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [RMClock] "c:\program files\rmclock\RMClockLauncher.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\ebryan\appdata\roaming\micros~1\windows\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{ccbaa1f7-e5e1-48b2-9ed9-a79c6a37ce78}\Icon3E5562ED7.ico
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~2\mzvkbd3.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 21520]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
S2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
S2 gupdate1c9a45adccb2256;Google Update Service (gupdate1c9a45adccb2256);c:\program files\google\update\GoogleUpdate.exe [2009-3-13 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-18 21504]
S3 KEONWFGIX;KEONWFGIX;c:\users\ebryan\appdata\local\temp\KEONWFGIX.exe [2010-8-13 420736]

============= FINISH: 20:22:38.33 ===============





DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/29/2007 11:07:21 AM
System Uptime: 8/14/2010 7:23:30 PM (1 hours ago)

Motherboard: Hewlett-Packard  |  | 30C6
Processor: Genuine Intel(R) CPU           T2080  @ 1.73GHz | U1 | 1067/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 66 GiB total, 27.895 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 1.805 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

==== System Restore Points ===================

RP854: 8/5/2010 9:39:53 PM - Scheduled Checkpoint
RP855: 8/6/2010 10:41:25 AM - Scheduled Checkpoint
RP856: 8/7/2010 6:07:53 AM - Windows Update
RP857: 8/8/2010 11:41:58 AM - Windows Update
RP858: 8/9/2010 9:24:51 PM - Scheduled Checkpoint
RP859: 8/10/2010 7:58:36 PM - Scheduled Checkpoint
RP860: 8/11/2010 9:05:34 PM - Scheduled Checkpoint
RP861: 8/12/2010 9:10:31 PM - Scheduled Checkpoint
RP862: 8/13/2010 11:10:24 AM - Removed Java(TM) 6 Update 18
RP863: 8/13/2010 11:26:03 AM - Installed Java(TM) 6 Update 21
RP864: 8/13/2010 11:31:31 AM - Installed HiJackThis
RP865: 8/13/2010 11:39:40 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP866: 8/13/2010 11:40:14 AM - Device Driver Package Install: Apple Network adapters
RP867: 8/13/2010 6:32:46 PM - Installed Microsoft Fix it 50202
RP868: 8/14/2010 8:14:30 PM - Scheduled Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Cisco Systems VPN Client
Conexant HD Audio
ESU for Microsoft Vista
Google Earth
Google Update Helper
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Doc Viewer
HP DVD Play 3.2
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Product Detection
HP Quick Launch Buttons 6.20 D3
HP Update
HP User Guides 0079
HP Wireless Assistant
HPAsset component for HP Active Support Library
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 21
Kaspersky Internet Security 2010
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My HP Games
OGA Notifier 2.0.0048.0
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Stickies 7.0b
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb981433)

==== Event Viewer Messages From Past Week ========

8/9/2010 7:48:55 PM, Error: EventLog [6008]  - The previous system shutdown at 7:45:27 PM on 8/9/2010 was unexpected.
8/8/2010 7:03:44 PM, Error: EventLog [6008]  - The previous system shutdown at 6:57:11 PM on 8/8/2010 was unexpected.
8/8/2010 5:33:15 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
8/14/2010 7:25:36 PM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  vflt
8/14/2010 7:25:36 PM, Error: Service Control Manager [7023]  - The Windows Modules Installer service terminated with the following error:  The specified module could not be found.
8/13/2010 6:05:16 PM, Error: Service Control Manager [7030]  - The FNFUPP service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/13/2010 6:05:13 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the KEONWFGIX service to connect.
8/13/2010 6:05:13 PM, Error: Service Control Manager [7000]  - The KEONWFGIX service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/13/2010 6:04:44 PM, Error: Service Control Manager [7030]  - The KEONWFGIX service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/13/2010 11:41:54 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/13/2010 11:39:21 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
8/13/2010 10:13:38 PM, Error: Server [2505]  - The server could not bind to the transport \Device\NetBT_Tcpip_{708D3928-7CA5-43F2-8D32-9C184DB35740} because another computer on the network has the same name.  The server could not start.
8/11/2010 9:49:09 PM, Error: Service Control Manager [7043]  - The Windows Update service did not shut down properly after receiving a preshutdown control.

==== End Of File ===========================

Hi NemesisDB,

Good work, It looks as if we have found the culprit.



Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)


Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

Combo-fix MUST be saved to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so as this is a VERY IMPORTANT backup of Combo-fix XP only

You will need to be connected to the net to install the recovery console. If you cannot install it, DO NOT run Combo-Fix.
Post back and we will install it manually.

DO NOT mouse click when Combo-Fix is running as this will cause Combo-Fix to Stall and it will not work as it should

Please include the C:\ComboFix.txt in your next reply for further review.


If Combofix gives a warning about Rootkit activity and asks to reboot the system, please allow it to do so.

Upon reboot the screen may stay black for a minute or two, this is normal.

If you receive any type of warning message when trying to open programs AFTER running Combofix, please manually reboot the system.


Please post the Combofix log back to me.


August 15th, 2010 09:00

Thanks again.  Care to share what you found?  For what it's worth, windows update still is not working. 

Combofix log is as follows:

ComboFix 10-08-14.06 - EBryan 08/15/2010  10:00:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.332 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2010-07-15 to 2010-08-15  )))))))))))))))))))))))))))))))

There are some oddly named files running as drivers from strange locations. One has no research data at all (KEONWFGIX.exe), which is always suspect, that and the fact that it is running from a temp location and is still there after running CF. The other (A0C7.tmp), there are reports that it is rootkit related.

I want to be double sure before we start killing things, we don't want any accidents. This next Combofix script is going to upload the files for me to have a closer look at. I will then let you know the outcome and if they are indeed malicious, then we will take them out.




Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)


Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:



Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of Combofix available, please allow Combofix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually
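
The check described in the reply above (a service whose binary runs from a temp location is suspect) can be applied mechanically to a DDS log. This is an added example, not part of the original thread and not code from DDS or ComboFix; the function names and the `EXAMPLEDRV` line are made up for illustration, and the other sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re
from typing import NamedTuple

# "SERVICES / DRIVERS" lines from the DDS log in this thread, plus one
# constructed line (EXAMPLEDRV) that exists only to exercise the .tmp rule.
DDS_SERVICES = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-3-18 21504]
S3 KEONWFGIX;KEONWFGIX;c:\users\ebryan\appdata\local\temp\KEONWFGIX.exe [2010-8-13 420736]
S3 EXAMPLEDRV;EXAMPLEDRV;c:\windows\system32\drivers\EXAMPLE.tmp [2010-8-13 1024]
"""

# Event Viewer lines from the same DDS Attach.txt output in this thread.
EVENT_LINES = r"""
8/13/2010 6:05:13 PM, Error: Service Control Manager [7009]  - A timeout was reached (30000 milliseconds) while waiting for the KEONWFGIX service to connect.
8/13/2010 6:05:13 PM, Error: Service Control Manager [7000]  - The KEONWFGIX service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
8/13/2010 6:04:44 PM, Error: Service Control Manager [7030]  - The KEONWFGIX service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
8/13/2010 11:41:54 AM, Error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

# <state><start type> <name>;<display name>;<command line> [<date> <size>]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<cmd>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$"
)
EVENT_RE = re.compile(r"Service Control Manager \[(?P<id>\d+)\]\s+-\s+(?P<msg>.*)$")
SERVICE_IN_MSG_RE = re.compile(r"\b[Tt]he (?P<svc>.+?) service\b")
# Executable part of a command line: up to the first ".ext" followed by a
# quote, whitespace or end of string (directory names may contain spaces).
IMAGE_RE = re.compile(r'^"?(?P<path>.+?\.[A-Za-z0-9]{2,4})(?="|\s|$)')

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\local settings\\temp\\")
EXPECTED_EXT = {".exe", ".sys", ".dll"}


class Finding(NamedTuple):
    name: str
    image: str
    reasons: list
    event_ids: list


def scm_events_by_service(event_text):
    """Map lower-cased service name -> set of Service Control Manager event IDs."""
    events = {}
    for line in event_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        svc = SERVICE_IN_MSG_RE.search(m["msg"])
        if svc:
            events.setdefault(svc["svc"].lower(), set()).add(int(m["id"]))
    return events


def triage(dds_text, event_text):
    """Return a Finding for each service whose image location or type is unusual."""
    events = scm_events_by_service(event_text)
    findings = []
    for line in dds_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        img = IMAGE_RE.match(m["cmd"])
        image = img["path"] if img else m["cmd"]
        reasons = []
        if any(d in image.lower() for d in TEMP_DIRS):
            reasons.append("image path is in a temp directory")
        ext = ntpath.splitext(image)[1].lower()
        if ext not in EXPECTED_EXT:
            reasons.append(f"unexpected image extension {ext}")
        if not reasons:
            continue
        # Event messages may use the service name or its display name.
        ids = events.get(m["name"].lower(), set()) | events.get(m["display"].lower(), set())
        findings.append(Finding(m["name"], image, reasons, sorted(ids)))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_SERVICES, EVENT_LINES):
        print(f"{f.name}: {f.image}")
        print(f"  reasons: {', '.join(f.reasons)}")
        print(f"  SCM events: {f.event_ids or 'none'}")
```

A hit here is a reason to examine the file more closely, as the helper does in the thread, not a verdict that it is malicious.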



August 15th, 2010 15:00

Thank you again for the continued help.  The log is as follows:


ComboFix 10-08-15.01 - EBryan 08/15/2010  16:27:04.2.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.332 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

(((((((((((((((((((((((((   Files Created from 2010-07-15 to 2010-08-15  )))))))))))))))))))))))))))))))

Hi NemesisDB,

The files failed to load to Bleeping Computer. We are going to have to do it manually.


I need you to upload me a file for an analyst, please go to THIS web page, once there please copy/paste the link to this thread in the dialogue box where it says Link to topic where this file was requested:.

Then please click the Browse button and then using the Windows Explorer box that opens, please navigate to this file:


Once you have located the file please click it once so it appears in the text box at the bottom of the Windows Explorer box and then click OK. Then please click the Send File button on the web page.

Then please do the same thing for this file:



You may need to unhide system files, to be able to find the above files.

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:


  • Search System folders
  • Search Hidden Files and folders
  • Search SubFolders


Remember to hide hidden files/folders by reversing the action when you have finished


Please post back and let me know when the files have been uploaded.


August 16th, 2010 11:00


Thanks for sticking with me on this.  Unfortunately, I cannot locate the files in order to upload them.  Hidden files and OS files are both set to display.  The files do not appear in the paths indicated.  I likewise could not find them with a search.  I think I set the search options correctly, though Vista sadly isn't as easy as clicking start / search (though I did search the C drive including non-indexed files and system files).

What's the next step?  If the files are hiding, is there a boot CD you would recommend I use in order to grab them?  Or is that not necessary?

August 16th, 2010 13:00

Hi nemesisDB.

I think Combofix failing to upload them was my fault. I left an on the end of file that should not have been there. Let's try it one more time.

I will post the full instructions for ease of access.



Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)


Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:





Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of Combofix available, please allow Combofix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually



August 16th, 2010 15:00

Here's the new log ...  please let me know if the upload worked:


ComboFix 10-08-16.01 - EBryan 08/16/2010  15:51:51.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.315 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

(((((((((((((((((((((((((   Files Created from 2010-07-16 to 2010-08-16  )))))))))))))))))))))))))))))))

Hi nemesisDB,

Those files are still failing to upload, which makes me believe all the more that they are malicious. Let's take them out and upload them at the same time.



Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine (instructions via links below)


Next we are going to run ComboFix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:






Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe (NOTE: You may receive a message that there is a newer version of Combofix available, please allow Combofix to update if you get this message)

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

NOTE: If ComboFix does not reboot the system, please do so manually



August 17th, 2010 10:00

K27,  Thanks again.  I ran combofix with kaspersky disabled, but I forgot to turn auto-start off, so kaspersky was on after combofix rebooted the machine.  If this is a problem, let me know and I will re-run it.  Windows update is still reporting the error (not that I was expecting it to be fixed at this point).

Log is as follows:

ComboFix 10-08-16.04 - EBryan 08/17/2010  10:54:45.4.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.362 [GMT -5:00]
Running from: c:\users\EBryan\Desktop\ComboFix.exe
Command switches used :: c:\users\EBryan\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


(((((((((((((((((((((((((   Files Created from 2010-07-17 to 2010-08-17  )))))))))))))))))))))))))))))))

Hi NemesisDB,

That took the drivers out but it does not show whether or not the files were removed. They certainly were not uploaded. And they are not in the logs.

Please hold the Windows key and the "R" key together and in the run box that opens, please copy/paste C:\Qoobox\ComboFix-quarantined-files.txt into it and hit enter. A notepad file will open, please post me the contents of that file.

Then please Disable All active protection and run this online scan.


I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png


Also, you say that Windows Updates have not been installed since April. Can you tell me when Kaspersky was installed on the system?


