Figured out why I couldn't delete the RC install (special rights inherited from the parent folder). Cleared the rights and was finally able to delete the files.
Reran CF and let it install RC again. It installed the files but it's still not updating BOOT.INI. I mentioned that there are several "Access is denied" lines before it starts scanning -- I noticed that after it unpacked the RC files, there was a line "SED: can't read C:\Boot.bak: No such file or directory"
Here's the log:
============================
ComboFix 09-08-10.06 - Owner 08/14/2009 0:42.14.1 - NTFSx86
Running from: c:\documents and settings\Owner.YOUR-25A3BD3417\Desktop\COMBOF1X.exe.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.
2009-08-11 07:04 . 2009-08-11 07:04 -------- d-----w- c:\program files\ESET
2009-08-11 06:43 . 2009-08-11 06:43 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-11 06:42 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-11 06:42 . 2009-08-11 06:42 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-11 06:42 . 2009-08-11 06:42 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-11 06:41 . 2009-08-11 18:04 -------- d-----w- c:\program files\NOS
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 16:49 . 2009-08-10 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 16:49 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-10 16:48 . 2009-08-10 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-08 16:17 . 2009-08-08 16:17 -------- d-----w- c:\documents and settings\Administrator\log
2009-08-08 08:21 . 2009-08-14 07:37 -------- d-----w- C:\CFIx
2009-08-06 21:37 . 2009-08-06 21:44 -------- d-s---w- C:\test
2009-08-06 19:42 . 2009-08-06 19:42 0 ----a-w- C:\settings.dat
2009-08-06 19:42 . 2009-08-06 19:42 1055676 ----a-w- C:\RootkitBuster2.52.0.1013.zip
2009-08-06 19:33 . 2009-08-06 21:36 -------- d-----w- C:\Autoruns
2009-08-06 19:33 . 2009-08-06 19:33 576280 ----a-w- C:\Autoruns.zip
2009-08-06 19:15 . 2009-08-06 19:15 -------- d-----w- c:\windows\system32\Service
2009-08-06 19:04 . 2009-08-06 19:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SupportSoft
2009-08-06 18:10 . 2009-08-06 18:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\SupportSoft
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\tmRemoteProdPID
2009-08-06 18:07 . 2009-08-06 18:07 -------- d-----w- c:\program files\Common Files\supportsoft
2009-08-05 18:54 . 2009-08-05 18:54 -------- d-----w- C:\rsit
2009-08-05 18:52 . 2009-08-08 09:19 -------- d-----w- C:\Pesticide
2009-08-04 00:49 . 2009-08-08 08:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-04 00:49 . 2009-08-04 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-02 09:15 . 2009-08-02 09:15 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\.housecall6.6
2009-08-02 07:50 . 2009-08-02 07:50 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
2009-08-02 07:49 . 2009-08-02 07:49 -------- d-----w- c:\windows\ERUNT
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmactmon.sys
2009-08-01 22:28 . 2009-04-02 23:08 50192 ----a-w- c:\windows\system32\tmevtmgr.sys
2009-08-01 22:28 . 2009-04-02 23:08 153104 ----a-w- c:\windows\system32\tmcomm.sys
2009-08-01 22:10 . 2009-08-01 22:10 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\log
2009-08-01 19:13 . 2009-08-01 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Trend Micro
2009-08-01 19:02 . 2009-08-01 19:02 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Local Settings\Application Data\Trend Micro
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\windows\LocalSSL
2009-08-01 18:59 . 2009-08-01 18:59 -------- d-----w- c:\documents and settings\postgres\Local Settings\Application Data\Trend Micro
2009-07-25 19:10 . 2009-07-25 19:17 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\GetRightToGo
2009-07-25 06:51 . 2009-08-11 18:30 -------- d-----w- c:\program files\Hero Editor
2009-07-25 06:51 . 2009-08-11 18:29 249856 ------w- c:\windows\Setup1.exe
2009-07-25 06:51 . 2009-08-11 18:29 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-07-25 04:55 . 2009-07-25 05:50 -------- d-----w- c:\program files\Shared
2009-07-20 17:41 . 2009-07-20 17:42 -------- d-----w- c:\program files\DoylesRoom
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 02:40 . 2009-07-13 18:43 -------- d-----w- c:\program files\Diablo II
2009-08-13 23:15 . 2008-03-23 02:51 -------- d-----w- c:\program files\PokerStars
2009-08-13 16:41 . 2009-07-01 21:37 -------- d-----w- c:\program files\Tiger Gaming
2009-08-11 06:54 . 2009-02-27 02:03 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 06:33 . 2006-11-24 14:59 -------- d-----w- c:\program files\Java
2009-08-05 22:52 . 2008-11-19 04:52 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\Skype
2009-08-05 15:14 . 2008-11-19 04:58 -------- d-----w- c:\documents and settings\Owner.YOUR-25A3BD3417\Application Data\skypePM
2009-08-01 19:22 . 2008-11-06 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2009-08-01 18:59 . 2006-11-24 15:56 -------- d-----w- c:\program files\Trend Micro
2009-07-13 20:41 . 2009-07-13 18:55 35715 ----a-w- c:\windows\DIIUnin.dat
2009-07-13 20:39 . 2009-07-13 19:16 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-07-13 20:39 . 2009-07-13 19:16 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-07-13 20:39 . 2009-07-13 19:16 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-07-13 18:55 . 2009-07-13 18:55 94208 ----a-w- c:\windows\DIIUnin.exe
2009-07-13 18:55 . 2009-07-13 18:55 2829 ----a-w- c:\windows\DIIUnin.pif
2009-07-13 17:26 . 2009-07-13 17:26 -------- d-----w- c:\program files\Poker Pal Pro Edition
2009-07-13 07:06 . 2009-07-06 00:29 -------- d-----w- c:\program files\Diablo II Shareware
2009-07-10 16:05 . 2009-07-10 16:04 12692 ----a-w- c:\windows\W3DemoUnin.dat
2009-07-10 16:04 . 2009-07-10 16:04 2829 ----a-w- c:\windows\W3DemoUnin.pif
2009-07-10 16:04 . 2009-07-10 16:04 126976 ----a-w- c:\windows\W3DemoUnin.exe
2009-07-10 16:04 . 2009-07-10 16:04 -------- d-----w- c:\program files\Warcraft III Demo
2009-07-08 18:28 . 2009-07-08 18:28 -------- d-----w- c:\program files\Gateway
2009-07-06 00:29 . 2009-07-06 00:29 19143 ----a-w- c:\windows\DIIDUnin.dat
2009-07-06 00:29 . 2009-07-06 00:29 102400 ----a-w- c:\windows\DIIDUnin.exe
2009-07-06 00:29 . 2009-07-06 00:29 2829 ----a-w- c:\windows\DIIDUnin.pif
2009-07-04 09:16 . 2008-04-12 06:03 -------- d-----w- c:\program files\Poker Drill Master
2009-07-04 08:28 . 2006-11-24 14:56 -------- d-----w- c:\program files\Google
2009-06-29 16:12 . 2006-11-24 14:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-11-24 14:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-11-24 14:27 17408 ------w- c:\windows\system32\corpol.dll
2009-06-26 23:27 . 2009-06-26 23:27 -------- d-----w- c:\program files\PopCap Games
2009-06-26 03:02 . 2008-07-02 00:19 -------- d-----w- c:\program files\UltimateBet
2009-06-26 02:10 . 2009-06-26 02:10 -------- d-----w- c:\program files\_uninstallation_info
2009-06-25 19:47 . 2009-05-26 16:33 -------- d-----w- c:\program files\FullTiltShortcuts
2009-06-25 19:47 . 2008-11-07 04:32 -------- d-----w- c:\program files\Cake Poker
2009-06-25 19:46 . 2008-06-28 03:43 -------- d-----w- c:\program files\Full Tilt Poker
2009-06-25 19:46 . 2006-11-24 14:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-24 11:31 . 2009-06-12 04:33 -------- d-----w- c:\program files\Poker Pro Labs
2009-06-18 09:04 . 2009-05-16 23:54 -------- d-----w- c:\program files\ClubWPT
2009-06-16 14:36 . 2006-11-24 14:33 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-11-24 14:29 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 05:54 . 2009-06-14 05:54 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 19:09 . 2006-11-24 14:32 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 08:02 . 2008-08-14 17:23 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 08:00 . 2008-08-14 17:23 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 07:45 . 2008-08-14 17:23 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-08-14_06.10.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-14 07:29 . 2009-08-14 07:29 16384 c:\windows\temp\Perflib_Perfdata_440.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-11 149280]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-14 497008]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote V5.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Harmony Remote V5.lnk
backup=c:\windows\pss\Logitech Harmony Remote V5.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"gusvc"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Harmony Remote\\HarmonyClient.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Apple\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-04-01 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2009-05-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-01 677128]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 65536]
S2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2008-08-14 181584]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-03-03 335376]
.
Contents of the 'Scheduled Tasks' folder
2006-11-24 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2006-11-24 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-11-24 00:12]
2009-08-13 c:\windows\Tasks\User_Feed_Synchronization-{CE9ECDE8-B0C0-4E0C-B2F3-A241CA8C9DE1}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 02:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Owner.YOUR-25A3BD3417\Start Menu\Programs\UltimateBet\UltimateBet.lnk
Trusted Zone: weather.gov\radar
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 00:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3924)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-14 0:48
ComboFix-quarantined-files.txt 2009-08-14 07:47
ComboFix2.txt 2009-08-13 06:16
Pre-Run: 60,752,646,144 bytes free
Post-Run: 60,703,936,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
233 --- E O F --- 2009-08-02 22:01
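The tail of the log above prints the contents of boot.ini, and the first printed line sits ahead of the [boot loader] header. Below is an added example (not part of the original post or of ComboFix) that parses a boot.ini, reports anything outside a section, checks that the default= target has a matching [operating systems] entry, and checks for a Recovery Console entry. The sample inputs are constructed: one is the boot.ini as printed in the log, the other is a well-formed file with the standard XP `C:\CMDCONS\BOOTSECT.DAT=... /cmdcons` line, which is the entry format the check assumes the Recovery Console install should add.

```python
"""Sanity-check a Windows XP boot.ini before expecting a tool to edit it.

Added example for this thread; the sample contents below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the boot.ini exactly as the ComboFix log above printed
# it, including the stray first line that precedes [boot loader].
BOOT_INI_FROM_LOG = """WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
"""

# Constructed sample of a well-formed boot.ini that already carries the
# Recovery Console entry (assumed standard XP cmdcons line, not from the log).
BOOT_INI_WITH_RC = """[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
# Assumed format of the Recovery Console entry a cmdcons install adds.
RC_ENTRY_RE = re.compile(r"(?i)bootsect\.dat=.*?/cmdcons")


def parse_boot_ini(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split boot.ini into sections; return (sections, lines outside any section)."""
    sections: Dict[str, List[str]] = {}
    stray: List[str] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            stray.append(line)       # content before the first [section]
        else:
            sections[current].append(line)
    return sections, stray


def audit_boot_ini(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file looks sane."""
    sections, stray = parse_boot_ini(text)
    findings: List[str] = []

    for line in stray:
        findings.append(f"text before first section header: {line!r}")
    if "boot loader" not in sections:
        findings.append("missing [boot loader] section")
    if "operating systems" not in sections:
        findings.append("missing [operating systems] section")

    # default= must name an ARC path that actually has an [operating systems] entry
    default = None
    for line in sections.get("boot loader", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "default":
            default = value.strip()
    if default is None:
        findings.append("[boot loader] has no default= entry")

    os_lines = sections.get("operating systems", [])
    targets = [entry.partition("=")[0].strip() for entry in os_lines]
    if default is not None and default not in targets:
        findings.append(f"default target {default!r} has no [operating systems] entry")

    if not any(RC_ENTRY_RE.search(entry) for entry in os_lines):
        findings.append("no Recovery Console (/cmdcons) entry present")
    return findings


if __name__ == "__main__":
    for name, content in (("log", BOOT_INI_FROM_LOG), ("with_rc", BOOT_INI_WITH_RC)):
        print(name, audit_boot_ini(content) or ["ok"])
```

Run against the boot.ini from the log it reports the stray line and the missing Recovery Console entry; against the well-formed sample it reports nothing. If sed on the real machine still fails after the file parses cleanly, the remaining suspects are the file's read-only/system attributes and its ACL, which this parser does not inspect.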