For the record, the "PHAROS" thing that the ComboFix is suspicious of is actually a perfectly legitimate application for printing on campus printers. It allows me to print to the school print servers from my laptop without having to use a computer lab computer.
Here's the ComboFix log (the other requested files are attached):
ComboFix 08-12-14.05 - jaddison 2008-12-15 21:47:57.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1282 [GMT -5:00]
Running from: c:\documents and settings\jaddison\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jaddison\Desktop\CFScript.txt
* Created a new restore point
.
The following files were disabled during the run:
c:\progra~1\PHAROS~1\Core\PRNTRACK.DLL
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-06-21 23:38 30,280 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 23:38 79,432 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 23:38 71,240 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 23:38 140,872 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 23:39 38,472 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 23:39 46,664 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 23:39 34,376 ----a-w c:\program files\mozilla firefox\plugins\logging.dll
2007-06-21 23:39 685,640 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 23:40 30,280 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-06_12.14.03.36 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tunebite.exe"="c:\program files\Tunebite\tunebite.exe" [2007-08-15 1014272]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-05 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2008-07-29 331776]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2008-07-29 208896]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2008-03-24 68464]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2008-06-05 242976]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2008-07-05 425984]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2008-07-04 143360]
"LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2008-06-09 165208]
"LPMailChecker"="c:\progra~1\THINKV~2\PrdCtr\LPMLCHK.exe" [2008-06-09 124248]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"TP4EX"="tp4ex.exe" [2005-10-17 c:\windows\system32\TP4EX.exe]
"TpShocks"="TpShocks.exe" [2008-06-06 c:\windows\system32\TpShocks.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 c:\windows\system32\ico.exe]
c:\documents and settings\jaddison\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-08-18 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-09-08 50688]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"AllowMultipleTSSessions"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-08-14 14:54 89600 c:\windows\system32\psqlpwd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 15:37 34344 c:\program files\Lenovo\HOTKEY\notifyf2.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2008-03-17 15:02 34080 c:\program files\Lenovo\HOTKEY\tphklock.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli ACGina psqlpwd
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\SteamApps\\matrix@moscowmail.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Spadester\\spades.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Ruckus Player\\Ruckus.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\PharosSystems\\Core\\CTskMstr.exe"=
"c:\\Program Files\\MoRUN.net\\Sticker Lite\\sticker.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:UDP"= 2967:UDP:Symantec AntiVirus Managed Client (2967:UDP)
"7001:UDP"= 7001:UDP:AFS CacheManager Callback (7001:UDP)
"2967:TCP"= 2967:TCP:Symantec AntiVirus Managed Client (2967:TCP)
"7001:TCP"= 7001:TCP:AFS CacheManager Callback (7001:TCP)
.
Contents of the 'Scheduled Tasks' folder
2008-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2008-12-16 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\jaddison\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-05 20:52]
2008-12-16 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-07-29 00:43]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-IUWORK - c:\iuwork\LAUNCH.LNK
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-15 21:54:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\c:\windows\TEMP\mc21.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1132)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\ps2css.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\program files\ThinkVantage Fingerprint Software\pscssint.dll
c:\program files\ThinkVantage Fingerprint Software\crypto.dll
- - - - - - - > 'lsass.exe'(1188)
c:\program files\ThinkPad\ConnectUtilities\ACGina.dll
c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll
c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll
c:\program files\ThinkPad\ConnectUtilities\ACON.dll
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgr.dll
c:\program files\ThinkPad\ConnectUtilities\AcCryptHlpr.dll
c:\program files\ThinkPad\ConnectUtilities\ACTurinSupport.dll
c:\program files\ThinkPad\ConnectUtilities\AcSmBiosHelper.dll
c:\program files\ThinkPad\ConnectUtilities\AcAdaptersInfo.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\windows\system32\acs.exe
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\PHAROS~1\Core\CTskMstr.exe
c:\program files\Symantec AntiVirus\SavRoam.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\system32\TPHDEXLG.exe
c:\windows\system32\TpKmpSvc.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\program files\ThinkPad\Utilities\PWMDBSVC.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\FSRremoS.EXE
c:\program files\Lenovo\HOTKEY\TPONSCR.exe
c:\program files\Lenovo\ZOOM\TpScrex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-12-15 22:02:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-16 03:02:31
ComboFix2.txt 2008-12-15 19:47:27
ComboFix3.txt 2008-12-07 16:03:13
ComboFix4.txt 2008-12-06 18:48:51
ComboFix5.txt 2008-12-16 02:46:49
Pre-Run: 32,570,634,240 bytes free
Post-Run: 32,548,646,400 bytes free
205 --- E O F --- 2008-12-12 21:57:59