Author Topic: I have Hidden Kernel Modules that don't look right  (Read 5945 times)

Offline guestolo
I have Hidden Kernel Modules that don't look right
« Reply #40 on: November 15, 2009, 06:21:19 PM »
Quote
Here's the OTL Log. And by the way, I didn't download a new Combofix when I ran the last one in case that's an issue.
No, that's ok

We're just about done here, just a couple more steps
Stay with me, I want to try installing SP3 later, don't try yet
Updating Java:
  • Download the latest version of  Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "JRE 6 Update 17".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, beside PLATFORM:>>Check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Then from your desktop double click on jre-6u17-windows-i586.exe that you downloaded, to install the newest version.
NOTE: Java may install a Quick Starter service to run on startup which is really not needed
After installation, simply open the Java icon in Control Panel
Under Advanced tab, expand Miscellaneous, untick "Java Quick Starter" if selected
Apply and Ok it, then exit the Java control panel
A reboot will be required to properly disable the Quick Starter service
We'll reboot later

After you have installed the latest version of Java
I want to see one more log from ComboFix
Navigate to the following folder
C:\Qoobox>>this is created by ComboFix
Inside that folder look for this file
ComboFix-quarantined-files.txt
Can you post the contents

I just want to check to see that ComboFix didn't remove a file related to Outpost
« Last Edit: November 15, 2009, 06:21:57 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Flim
« Reply #41 on: November 15, 2009, 06:41:25 PM »
All Done. Took a little longer. The Java install had error 25099. Sun's not sure of the reason for it (could not unzip package) but they have a fix that works (delete the \jre6 contents). Obviously not an MS program.

Here's the log you requested.


2009-11-15 01:24:57 . 2009-11-15 01:24:57                0 ----a-w-  C:\Qoobox\Quarantine\catchme.txt
2009-11-01 20:38:08 . 2009-11-01 20:38:08            1,548 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\AddRemove-Audio Record Wizard_is1.reg.dat
2009-11-01 20:37:44 . 2009-11-01 20:37:44            4,212 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Notify-AutorunsDisabled.reg.dat
2009-11-01 20:09:03 . 2009-11-15 22:26:34              510 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2009-01-26 23:37:48 . 2009-01-26 23:37:48            1,592 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2009-01-26 23:28:42 . 2009-11-15 22:35:53           19,831 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-25 14:16:29 . 2008-11-25 14:23:39               75 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\system32\mp3codec32win.dll.vir
2008-01-04 22:36:27 . 2008-01-04 22:36:51           87,608 ----a-w-  C:\Qoobox\Quarantine\C\Documents and Settings\B4BD\Application Data\inst.exe.vir
2007-02-18 14:56:25 . 2007-02-18 14:56:25          286,720 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\PATCH.EXE.vir
2006-05-19 13:34:19 . 2006-03-21 03:23:12           23,040 ----a-w-  C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
« Last Edit: November 15, 2009, 06:45:36 PM by Flim »

Offline Flim
« Reply #42 on: November 15, 2009, 06:52:41 PM »
I need to go out for about an hour. Will be right back.

Offline guestolo
« Reply #43 on: November 15, 2009, 07:05:27 PM »
Good work, I take it you got Java installed then

Go ahead and delete ComboFix on your desktop and cfscript.txt
Delete SystemLook.exe and its text file systemlook.txt on desktop
Delete MBR.exe on desktop
Delete ComboFix related folder
C:\Qoobox
and its text files created in the C:\ folder
ComboFix091101.txt
ComboFix2.txt
ComboFix3.txt
ComboFix4.txt
ComboFix5.txt

You can also delete OTL.exe on desktop and its folder
C:\_OTL

Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Ensure Outpost does not interfere with this process

Prepare your computer for SP3
You have CCleaner installed, can you open it and use "Run Cleaner" to clean temp files, etc
Run Disk Defragmenter on your C: drive
START>>All Programs>>Accessories>>System tools>>Disk Defragmenter
Select C: drive and then Defragment
Let this finish, when done, you can defragment any other Volume you wish, but I'm more concerned about C: at the moment
When finished
Reboot the computer

I suggest that you try the complete Network install of SP3
If you have High speed internet, it shouldn't take too long to download
Go to the following link:
http://www.microsoft.com/downloads/details...;displaylang=en

Select the Download button and save the installer to your desktop, don't install yet

Instead: Temporarily disable Outpost and AVG protections so they won't interfere with this install
With AVG, do the following
  • Click on Open AVG Interface.
  • Double click on Resident Shield.
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.

Now try installing Service pack 3 from the installer on desktop
Follow the prompts, reboot when required
When done, enable protections with Outpost and AVG
Come back here and let me know how things are running



Offline Flim
« Reply #44 on: November 15, 2009, 08:07:15 PM »
Quote
Good work, I take it you got Java installed then

I did.

I'm going to also make another disk image before I install SP3, I've found it the simplest way to get back to work if it fails.

Offline Flim
« Reply #45 on: November 16, 2009, 11:08:54 AM »
Well, we've found a different way for SP3 to fail at least. It's never had this problem before for me.

Before I get into that I wanted to mention that for the last couple of days (since before I installed a few apps) I've noticed an InstallShield process running after bootup all the time - IDriverT.exe. Can't find where it loads from yet.


SP3 - I downloaded the fullfile version (I already had a copy but thought we'd go fresh) and followed all the other steps and ran the installer. It ran for a while and ran into problems while copying the new files into the system directories with an "Access Denied" screen - no more info than that. Then a window saying the install didn't complete and it was going to undo the changes. After that it says the install didn't complete and XP has been partially updated and may not work properly. Exit that and the system reboots.

The install extracted the install files to a temp directory on one of my removable drives I noticed (I've noticed that happening with some installers for a while). I thought that might be an issue so just to be sure I shut down and disconnected all that kind of stuff, started up again and had another try at installing SP3. Got the same result.

I'm now running back on my image from before the SP installs. I made an image of the disk after those attempts for reference. I can mount them and get at files easy enough.

Here is a segment of the updspapi.log. Didn't put it all in here as it's the same stuff happening over and over with all the files. This just shows what is going on before, during and after the errors occur.



#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wuauserv.dl_" to "C:\WINDOWS\system32\wuauserv.dll" via temporary file "C:\WINDOWS\system32\SET128E.tmp".
#W190 File "C:\WINDOWS\system32\SET128E.tmp" marked to be moved to "C:\WINDOWS\system32\wuauserv.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wscsvc.dl_" to "C:\WINDOWS\system32\wscsvc.dll" via temporary file "C:\WINDOWS\system32\SET1291.tmp".
#W190 File "C:\WINDOWS\system32\SET1291.tmp" marked to be moved to "C:\WINDOWS\system32\wscsvc.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wscntfy.ex_" to "C:\WINDOWS\system32\wscntfy.exe" via temporary file "C:\WINDOWS\system32\SET1292.tmp".
#W190 File "C:\WINDOWS\system32\SET1292.tmp" marked to be moved to "C:\WINDOWS\system32\wscntfy.exe" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\winhttp.dl_" to "C:\WINDOWS\system32\winhttp.dll" via temporary file "C:\WINDOWS\system32\SET1296.tmp".
#W190 File "C:\WINDOWS\system32\SET1296.tmp" marked to be moved to "C:\WINDOWS\system32\winhttp.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\sbeio.dl_" to "C:\WINDOWS\system32\sbeio.dll" via temporary file "C:\WINDOWS\system32\SET12AA.tmp".
#W190 File "C:\WINDOWS\system32\SET12AA.tmp" marked to be moved to "C:\WINDOWS\system32\sbeio.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\msctfime.im_" to "C:\WINDOWS\system32\msctfime.ime" via temporary file "C:\WINDOWS\system32\SET12C6.tmp".
#W190 File "C:\WINDOWS\system32\SET12C6.tmp" marked to be moved to "C:\WINDOWS\system32\msctfime.ime" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\encapi.dl_" to "C:\WINDOWS\system32\encapi.dll" via temporary file "C:\WINDOWS\system32\SET12F2.tmp".
#W190 File "C:\WINDOWS\system32\SET12F2.tmp" marked to be moved to "C:\WINDOWS\system32\encapi.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\ip\tabletoc.dl_" to "C:\WINDOWS\system32\Setup\tabletoc.dll" via temporary file "C:\WINDOWS\system32\Setup\SET1353.tmp".
#W190 File "C:\WINDOWS\system32\Setup\SET1353.tmp" marked to be moved to "C:\WINDOWS\system32\Setup\tabletoc.dll" on next reboot.
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
#E065 Parsing AddReg section [Product.Add.Reg] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E064 Parsing install section [ProductInstall.GlobalRegistryChanges.Install] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
#E065 Parsing AddReg section [Product.Add.Reg] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E064 Parsing install section [ProductInstall.GlobalRegistryChanges.Install] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
[2009/11/16 04:31:25 2056.1]
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msader15.dll" to "c:\program files\common files\system\ado\msader15.dll" via temporary file "c:\program files\common files\system\ado\SET1413.tmp".
#W190 File "c:\program files\common files\system\ado\SET1413.tmp" marked to be moved to "c:\program files\common files\system\ado\msader15.dll" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado15.dll" to "c:\program files\common files\system\ado\msado15.dll" via temporary file "c:\program files\common files\system\ado\SET1414.tmp".
#W190 File "c:\program files\common files\system\ado\SET1414.tmp" marked to be moved to "c:\program files\common files\system\ado\msado15.dll" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado20.tlb" to "c:\program files\common files\system\ado\msado20.tlb" via temporary file "c:\program files\common files\system\ado\SET1415.tmp".
#W190 File "c:\program files\common files\system\ado\SET1415.tmp" marked to be moved to "c:\program files\common files\system\ado\msado20.tlb" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado21.tlb" to "c:\program files\common files\system\ado\msado21.tlb" via temporary file "c:\program files\common files\system\ado\SET1416.tmp".
#W190 File "c:\program files\common files\system\ado\SET1416.tmp" marked to be moved to "c:\program files\common files\system\ado\msado21.tlb" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado25.tlb" to "c:\program files\common files\system\ado\msado25.tlb" via temporary file "c:\program files\common files\system\ado\SET1417.tmp".

Offline guestolo
« Reply #46 on: November 16, 2009, 02:32:15 PM »
Quote
It ran for a while and ran into problems while copying the new files into the system directories with an "Access Denied" screen - no more info than that
Thanks for the info

Quote
The install extracted the install files to a temp directory on one of my removable drives I noticed (I've noticed that happening with some installers for a while). I thought that might be an issue so just to be sure I shut down and disconnected all that kind of stuff, started up again and had another try at installing SP3. Got the same result.
My bad, I should have asked you to remove any removable devices from the computer before you started the installation
Can you try the following
Run CCleaner again removing temp files, etc...

Afterwards
I'm concerned about the following entry
Code:
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.

Since you have a backup from Acronis>>by the way, I have it installed on my laptop
Can you go to START>>RUN>>Type in regedit
Then hit OK
Navigate to the following key
HKEY_CLASSES_ROOT\.xbm\PersistentHandler
In the registry editor

Right click on PersistentHandler and select Permissions
Under Group or user names
ensure that Administrators is highlighted

Under Permissions for Administrators, make sure that the Allow check box for the following entries are selected

  • Full Control
  • Read


Click Apply, and then click OK.

Do the same for its parent key HKEY_CLASSES_ROOT\.xbm
If it's not set this way
Exit the registry editor

Disconnect all external removable devices from your computer
Temporarily disable protections from Outpost and AVG
Then try the SP3 install again, if no luck, we can try some other steps

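As an added example (not from the thread), a PowerShell helper that scans updspapi.log lines for the "#E033 Error 5: Access is denied." entries guestolo points at and reports which registry value or file copy each one followed. The sample lines are constructed from the log segment Flim posted; the function name is my own, and the log path in the usage comment is an assumption.

```powershell
# Added example, not from the thread: triage an updspapi.log for access-denied
# errors. Sample lines below are constructed from the segment Flim posted.
$sampleLog = @'
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\encapi.dl_" to "C:\WINDOWS\system32\encapi.dll" via temporary file "C:\WINDOWS\system32\SET12F2.tmp".
#W190 File "C:\WINDOWS\system32\SET12F2.tmp" marked to be moved to "C:\WINDOWS\system32\encapi.dll" on next reboot.
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
#E065 Parsing AddReg section [Product.Add.Reg] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
'@ -split "`r?`n"

function Find-AccessDeniedTargets {
    # Walks the log once, remembering the last operation (#-336 file copy or
    # #E008 registry write) so each #E033 error can be tied to what it hit.
    param([string[]]$Lines)
    $lastTarget = $null
    $lastKind = $null
    foreach ($line in $Lines) {
        if ($line -match '^#E008 Setting registry value (?<key>\S+)') {
            $lastKind = 'RegistryValue'; $lastTarget = $Matches['key']
        }
        elseif ($line -match '^#-336 Copying file "[^"]+" to "(?<dest>[^"]+)"') {
            $lastKind = 'FileCopy'; $lastTarget = $Matches['dest']
        }
        elseif ($line -match '^#E033 Error (?<code>\d+): (?<msg>.+)$') {
            # Emit one record per error, carrying the operation it followed.
            [pscustomobject]@{
                ErrorCode = [int]$Matches['code']
                Message   = $Matches['msg']
                Kind      = $lastKind
                Target    = $lastTarget
            }
        }
    }
}

# Usage on the real file (assumed location, typically %windir%\updspapi.log):
#   $lines = Get-Content -LiteralPath 'C:\WINDOWS\updspapi.log'
$hits = @(Find-AccessDeniedTargets -Lines $sampleLog)
$hits | Format-Table -AutoSize
# The sample yields one hit: Error 5 on registry value
# HKCR\.xbm\PersistentHandler, the entry guestolo asks to check.

# Tally which targets fail most often; a single key repeated many times
# points at one ACL to inspect rather than a disk-wide permissions problem.
$hits | Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name
```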


Offline Flim
« Reply #47 on: November 16, 2009, 11:28:58 PM »
Quote
Navigate to the following key
HKEY_CLASSES_ROOT\.xbm\PersistentHandler

Do the same for its parent key HKEY_CLASSES_ROOT\.xbm



HKEY_CLASSES_ROOT\.xbm\PersistentHandler  - SubKey Does not exist

Only key under \.xbm is - \OpenWithProgIds that contains only the value name "Opera.Image"

Offline guestolo
« Reply #48 on: November 16, 2009, 11:41:21 PM »
Is HKEY_CLASSES_ROOT\.xbm
Set to Allow for Administrators in the registry
For both Full Control and Read?



Offline Flim
« Reply #49 on: November 16, 2009, 11:48:43 PM »
Quote
Is HKEY_CLASSES_ROOT\.xbm
Set to Allow for Administrators in the registry
For both Full Control and Read?


Ya sorry. I wasn't but it is now. The System user is not checked for allow or deny

Should I go ahead with the install?

Offline guestolo
« Reply #50 on: November 16, 2009, 11:56:03 PM »
.xbm
Administrators should be ticked to ALLOW for "Full Control" and "Read"

System should be ticked ALLOW for "Full Control" and "Read"

If not, set them both that way then reboot the computer
Then try the install again
« Last Edit: November 16, 2009, 11:56:53 PM by guestolo »

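The permission check guestolo describes in Reply #46 and Reply #50, as an added PowerShell example (not from the thread): it reads the ACL of HKEY_CLASSES_ROOT\.xbm and its PersistentHandler subkey and reports whether Administrators and SYSTEM hold Allow entries for Full Control and Read, without changing anything. The function name and output layout are my own.

```powershell
# Added example, not from the thread: read-only audit of the registry key
# permissions guestolo asks Flim to confirm. It reports; it does not change
# the ACL (that is done in regedit's Permissions dialog as described above).
function Test-RegistryKeyAdminRights {
    param([Parameter(Mandatory=$true)][string]$KeyPath)  # e.g. 'HKEY_CLASSES_ROOT\.xbm'
    $psPath = 'Registry::' + $KeyPath
    if (-not (Test-Path -LiteralPath $psPath)) {
        # Matches what Flim found for the PersistentHandler subkey.
        return [pscustomobject]@{ Key = $KeyPath; Exists = $false; Owner = $null
                                  Findings = @('Subkey does not exist') }
    }
    $acl  = Get-Acl -LiteralPath $psPath
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $read = [System.Security.AccessControl.RegistryRights]::ReadKey   # regedit's "Read"
    $findings = @()
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal })
        # An Allow entry whose rights include every Full Control bit.
        $allowFull = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $full) -eq $full) }
        $allowRead = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $read) -eq $read) }
        $deny = $rules | Where-Object { $_.AccessControlType -eq 'Deny' }
        if (-not $allowFull) { $findings += "$principal lacks Allow Full Control" }
        if (-not $allowRead) { $findings += "$principal lacks Allow Read" }
        # A Deny entry wins over Allow, so flag it even when Allow is present.
        if ($deny)           { $findings += "$principal has a Deny entry" }
    }
    [pscustomobject]@{ Key = $KeyPath; Exists = $true; Owner = $acl.Owner
                       Findings = $findings }
}

# Check the parent key and the subkey named in the log, as the thread does.
foreach ($k in 'HKEY_CLASSES_ROOT\.xbm', 'HKEY_CLASSES_ROOT\.xbm\PersistentHandler') {
    Test-RegistryKeyAdminRights -KeyPath $k | Format-List
}
```

An empty Findings list for an existing key means both principals are set the way Reply #50 asks; anything listed is what to correct in regedit before retrying the SP3 install.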


Offline Flim
« Reply #51 on: November 17, 2009, 07:49:52 AM »
We did it! Smooth as could be. I've succeeded at installing it before but never without complaints. It's running very smoothly. I've reconnected everything with no problems too. Thanks for sticking with it this far.

Windows update has 18 new updates now. I guess new versions apply now of a bunch of these that look familiar. I'll go ahead and put them in.

Offline Flim
« Reply #52 on: November 17, 2009, 10:09:39 PM »
Thanks for all the help with this guestolo. The IDriverT.exe process is more a question of why it gets left running I guess. I just disabled it and stopped the service. I suppose I could use sc and remove the service too but I'm not sure what the implications are sometimes.

Anyway. I guess we've got it beat. Thanks again, I learned a lot too.

Offline guestolo
« Reply #53 on: November 17, 2009, 10:59:02 PM »
IDriverT.exe
A short explanation,
Quote
Related to Macrovision Corporation. Note: Located in \%Program Files%\Common Files\InstallShield\Driver\1150\Intel 32\

A legit service, could be used by HP/Compaq products, etc. for proper installation of their programs I assume
By no means am I an expert on it
I wouldn't use SC to delete the service, just keep it disabled for now; if you find you have problems with any kind of HP products, or other software updating, you'll know why
May also  be used by some third party Video/Audio software

Besides that, everything else running well, we'll lock this up and consider it resolved
Keep me informed please
I know/hope you will :D

P.s. Eset nailed a legit file by Panda as malware, it's a false positive
But you can remove Panda Online scanner from Add/Remove programs
You can also remove Eset, or run Eset occasionally, just to double check your own AV installed
« Last Edit: November 17, 2009, 11:04:18 PM by guestolo »
