If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

Looks like you have a Rootkit going here!

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
Re-enable your Antivirus software.
==================================
Run Eset NOD32 Online AntiVirus scan HERE

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please go ahead with the Eset scan.

From bleepingcomputer.

Try uninstalling Combofix, then reinstalling as follows:

Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

====================================
Please download ComboFix HERE and save to your desktop:

Please disable all security programs, such as antiviruses, antispywares, and firewalls.

• Double click on the setup file on the desktop to run
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
• When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.)
  
• Query- Recovery Console image
  
  
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a log.Please include the C:\ComboFix.txt in your next reply.

Notes:

• 
  1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

I left more images in this download in case you see any of them. See if you can get a scan.

Related to rdprefmp.sys RDP Reflector Driver Miniport from Microsoft Corporation.
But it was infected and Combofix handled it:
Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
=================================
Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Code:

  :Processes	
  
  :Services
  
  :Reg
  
  :Files 
  C:\$Recycle.Bin\S-1-5-21-3180167293-174922687-3939198346-1000\$RZZ21S0\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe	
  C:\Users\Tommy\Documents\Downloads\‰¤‘‹*§E«J‰¤—\_A9E5CFE1.exe
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=========================================
Please empty the Recycle Bin

I'd like you to open your Combofix logs and look in the following section:
---- LOCKED REGISTRY KEYS -----
It looks like you are specifying File Handlers for File Extensions:
OpenWithList
OpenWithProgids
Some I can read such as:
"a"="firefox.exe"
"MRUList"="ba"
"b"="uTorrent.exe"
others I cannot identify.

What is *1*0tmcE04l@w
It is an identity? Another language?

And there is a different entry here:
c:\users\Tommy\AppData\Roaming\—ßìƒTƒfƒBƒXƒeƒBƒbƒN SaveData

Can you identify the following?
c:\program files\millefeuille (7/15/2010) (a cream puff??)
C:\ZERO (7/2/2010)
\ouaoqdbwb (possibly Quick Books?)
c:\program files\Project64 1.6 (7/5/2010)


Do we have a language problem here?

Please remove the directories you no longer use. Then run the script below and paste the new log it creates in the next reply.

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

Code:

File::
Driver::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================

Did you run Combofix in Safe Mode? Why?

Okay, Combofix is indicating that it was run in - REDUCED FUNCTIONALITY MODE -

Please review the information here and tell me which applies to your system:
http://support.microsoft.com/kb/925582

If I had known the OS was pirated, the support would have stopped then.

Then it should have been a genuine copy. I seriously doubt that your university is handing out pirated copies of a Windows operating system.