OK, let me try that...
GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-12 10:07:31
Windows 6.0.6001 Service Pack 1
Running: uhpkevjv.exe; Driver: C:\Users\Kelly\AppData\Local\Temp\kxldypog.sys
---- System - GMER 1.0.15 ----
SSDT 8AF616B4 ZwCreateThread
SSDT 8AF616A0 ZwOpenProcess
SSDT 8AF616A5 ZwOpenThread
SSDT 8AF616AF ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!KeInsertQueue + 411 81C7CA08 4 Bytes [B4, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81C7CBD8 4 Bytes [A0, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 5FD 81C7CBF4 4 Bytes [A5, 16, F6, 8A]
.text ntoskrnl.exe!KeInsertQueue + 811 81C7CE08 4 Bytes [AF, 16, F6, 8A]
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.exe 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.inf 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\spuninst.txt 0 bytes
File C:\WINDOWS.0\$NtUninstallKB896423$\spuninst\updspapi.dll 0 bytes
---- EOF - GMER 1.0.15 ----
And here is the ComboFix:
ComboFix 09-10-11.03 - Kelly 12/10/2009 10:35.1.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.2.1033.18.479.160 [GMT -4:00]
Running from: c:\users\Kelly\Desktop\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\recycler\S-1-5-21-2025429265-583907252-725345543-1004
c:\recycler\S-1-5-21-776561741-299502267-839522115-1004
.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.
2009-10-12 14:52 . 2009-10-12 14:52 -------- d-----w- c:\users\Kelly\AppData\Local\temp
2009-10-12 14:52 . 2009-10-12 14:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-09 19:18 . 2009-10-09 19:18 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-10-09 13:08 . 2009-10-09 15:45 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-09 13:08 . 2009-10-09 13:09 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 22:08 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-08 22:08 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-08 22:08 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-08 22:08 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-08 22:08 . 2009-10-08 22:08 -------- d-----w- c:\programdata\Avira
2009-10-08 22:08 . 2009-10-08 22:08 -------- d-----w- c:\program files\Avira
2009-10-06 15:11 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-06 15:11 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-06 15:11 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-06 15:11 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-06 15:10 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-06 15:10 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-06 15:10 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-06 15:09 . 2009-08-06 23:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-06 15:09 . 2009-08-06 22:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-05 15:23 . 2009-10-05 15:23 -------- d-----w- c:\windows\system32\EventProviders
2009-10-05 15:21 . 2009-10-05 15:22 -------- d-----w- C:\9a99a7b9345a09cbcfc379
2009-10-04 02:59 . 2009-10-04 02:59 45 ----a-w- c:\users\Kelly\jagex_runescape_preferences2.dat
2009-10-04 02:57 . 2009-10-04 02:59 38 ----a-w- c:\users\Kelly\jagex_runescape_preferences.dat
2009-10-04 02:56 . 2009-10-04 02:56 -------- d-----w- C:\.jagex_cache_32
2009-10-03 03:18 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-17 12:42 . 2009-05-18 18:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-17 12:42 . 2008-04-17 17:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-09-17 12:40 . 2009-09-17 12:40 -------- d-----w- c:\program files\iPod
2009-09-17 12:40 . 2009-09-17 12:42 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-17 12:40 . 2009-09-17 12:42 -------- d-----w- c:\program files\iTunes
2009-09-17 12:36 . 2009-09-17 12:36 -------- d-----w- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 14:22 . 2009-08-24 23:47 -------- d-----w- c:\program files\Steam
2009-10-12 14:20 . 2009-05-19 22:40 680 ----a-w- c:\users\Kelly\AppData\Local\d3d9caps.dat
2009-10-08 21:29 . 2009-08-24 23:47 -------- d-----w- c:\program files\Common Files\Steam
2009-10-05 16:48 . 2009-05-20 21:50 -------- d-----w- c:\program files\Java
2009-09-22 00:09 . 2009-05-20 21:53 -------- d-----w- c:\users\Kelly\AppData\Roaming\LimeWire
2009-09-18 20:34 . 2009-06-01 22:37 -------- d-----w- c:\users\Kelly\AppData\Roaming\Apple Computer
2009-09-17 12:40 . 2009-06-01 21:27 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 11:29 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 23:42 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 12:39 . 2009-09-02 21:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 21:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-24 00:25 . 2009-08-24 00:18 -------- d-----w- c:\program files\Graffiti Studio 2.0
2009-08-24 00:23 . 2009-08-24 00:23 8854 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2009-08-24 00:23 . 2009-08-24 00:23 40960 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2009-08-24 00:23 . 2009-08-24 00:23 40960 ----a-r- c:\users\Kelly\AppData\Roaming\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2009-08-24 00:22 . 2009-08-24 00:22 -------- d-----w- c:\program files\Project64 1.6
2009-08-14 17:07 . 2009-09-10 00:48 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 00:48 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 00:48 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 00:48 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 00:48 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 00:48 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 00:48 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 00:48 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 00:48 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 00:48 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 09:23 . 2009-05-20 21:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-30 21:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-30 21:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-30 21:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-30 21:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 19:36 71680 ----a-w- c:\windows\system32\atl.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Steam"="c:\program files\Steam\Steam.exe" [2009-10-08 1217784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"snpstd"="c:\windows\vsnpstd.exe" [2005-10-12 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2008-09-10 604704]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2B0C8371-B422-428F-B4A8-3D0B78D34455}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{75359EE5-D1C8-48E5-9C6F-7C9E7E940FA1}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{161F933C-2DBC-43BA-A832-FC5A2D666BE1}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BDFA201F-2256-4DBC-BB35-CED48DE5AD0B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{5BE3C98B-79FB-4A9D-9FC5-715372E471BF}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java Platform SE binary
"UDP Query User{112046F2-6B10-4F89-8969-E8DA407B8455}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java Platform SE binary
"{8B415786-72C8-4206-B29A-F98F6CB4EFA0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9421C22B-D4FD-4060-BAF3-9495E6139B65}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [08/10/2009 6:08 PM 108289]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [09/10/2009 9:08 AM 1153368]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{D29941CF-C13E-4F37-85F7-3EE6226E8BF4}.job
- c:\windows\system32\msfeedssync.exe [2009-07-30 20:13]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\lmz8qc7e.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsdc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-12 10:58
ComboFix-quarantined-files.txt 2009-10-12 14:58
Pre-Run: 31,404,761,088 bytes free
Post-Run: 35,222,917,120 bytes free
178 --- E O F --- 2009-10-09 12:42
I hope this is what you need...
Kelly