July 19th 16, 08:48 PM posted to alt.comp.os.windows-8
Paul
Know of a good source of info on updates?

Neil wrote:

There are several instances of win32k.sys in various folders, and even
more "win32k.sys.mui.c_xxxx" in other folders (about 2 dozen in total).
What would I be looking for in those files that could shed light on
their control of on-line access?


The kernel runs in Ring0.

Drivers run in Ring0.

Your network service comes via a driver (at the lowest level).
A protocol stack rests on top.

The kernel fields calls from Ring3 userland,
and eventually, a driver might be used to
satisfy the call.

It's unlikely to be Win32k.sys, and more likely
to be a hardware driver, a change to an AV
product, a change to the Windows Firewall or a
third party firewall.

The possibilities are endless. Including the
presence of malware.

There was one update Microsoft sent, quite a while
ago now, where it appeared they changed a file on
purpose, to "uncover" malware. TDSS root kit changes
atapi.sys. So Microsoft decided it would be cool
to update atapi.sys. Anyone with TDSS on the computer
had a crash (because TDSS patches atapi.sys as
part of its attack). It took the TDSS developer
almost two days to patch the mess and, using
the command and control center, push out an update
to his victims, so that any other people suffering
from his malware would not crash when the MS Update
installs. In some cases, the end-user is a tennis ball
in an unwitting game of tennis.

You'll have to review more than just some KBs,
to find an answer.

Paul
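As an added example (not part of Paul's post or Neil's), here is the kind of inventory check a defender could run over the win32k.sys copies Neil mentions: for each copy it reports file version, Authenticode signature status, signer and SHA-256, so an unsigned copy or one with an unexpected signer stands out. The `$root` value is an assumption (the system root); everything else uses standard cmdlets.

```powershell
# Added example, not from the original post. Inventories every win32k.sys
# under the Windows directory and reports version, signer and SHA-256.
# $root is an assumption; change it if Windows is installed elsewhere.
$root = $env:SystemRoot

$copies = Get-ChildItem -Path $root -Filter 'win32k.sys' -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [PSCustomObject]@{
        Path    = $f.FullName
        Version = $f.VersionInfo.FileVersion
        Signed  = $sig.Status                      # expect 'Valid' for Microsoft-shipped copies
        Signer  = $sig.SignerCertificate.Subject
        SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# Full listing, oldest version first
$report | Sort-Object Version | Format-Table -AutoSize

# Anything not validly signed, or not signed by Microsoft, deserves a closer look
$report | Where-Object { $_.Signed -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
```

Copies under WinSxS and the component store are expected from servicing and should all carry a valid Microsoft signature; a copy that fails that check is the one to follow up on, and `sfc /scannow` is the built-in way to have Windows verify and repair its own protected files.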