can I delete System Security from XP system

CA will still be found to be active, but in safe mode, it's less intrusive, so it's fine to run it in safe mode.

ComboFix 09-06-15.04 - USER1 06/19/2009 12:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.476 [GMT -4:00]
Running from: C:\Combo-Fix.exe
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\UACksvjelemovbsswu.dat
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\drivers\SKYNETpwmdtgbw.sys
c:\windows\system32\drivers\UACcmcrjipmbmoobvc.sys
c:\windows\system32\SKYNETaieabbpf.dll
c:\windows\system32\SKYNETjupaordb.dll
c:\windows\system32\SKYNETnjgrneos.dll
c:\windows\system32\SKYNETorenemui.dll
c:\windows\system32\SKYNETpofyabdw.dat
c:\windows\system32\SKYNETtyubmhil.dat
c:\windows\system32\tmp.reg
c:\windows\system32\UAClfamdturatnsesx.dll
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_SKYNETjbgsilxt


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 20:34 . 2009-06-15 22:49 3027283 ----a-r- C:\Combo-Fix.exe
2009-06-17 12:26 . 2009-06-17 12:26 -------- d-----w- c:\documents and settings\USER1\Application Data\Malwarebytes
2009-06-15 19:09 . 2009-06-15 19:17 -------- d-----w- C:\SmitfraudFix
2009-06-15 19:09 . 2009-06-15 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-12 17:09 . 2009-06-12 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\10501094
2009-06-11 16:41 . 2009-06-11 16:41 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 14:43 . 2009-06-11 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 17:59 . 2009-05-29 17:59 845800 ----a-w- c:\documents and settings\USER1\Application Data\MSNInstaller\msnauins.exe
2009-05-29 17:59 . 2009-05-29 17:59 -------- d-----w- c:\documents and settings\USER1\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:18 . 2007-09-29 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-08-03 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\USER1\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2004-8-4 60416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-5-22 262144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 1:07 PM 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-installnet.exe - c:\acer\LANScope Agent\Installnet.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kbctools.com/can/main.cfm
uInternet Connection Wizard,ShellNext = hxxp://en.ca.acer.yahoo.com/
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 12:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3364)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\acer\LANScope Agent\awServ.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\LANScope Agent\lockkm.exe
c:\windows\system32\wscntfy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-06-19 12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 16:45

Pre-Run: 28,853,694,464 bytes free
Post-Run: 29,002,002,432 bytes free

150

Hello.
This looks so much better now.

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\documents and settings\All Users\Application Data\10501094

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

ComboFix 09-06-15.04 - USER1 06/19/2009 13:18.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.486 [GMT -4:00]
Running from: c:\documents and settings\USER1\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\USER1\Desktop\CFScript.txt
AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\10501094
c:\documents and settings\All Users\Application Data\10501094\10501094.glu
c:\documents and settings\All Users\Application Data\10501094\pc10501094cnf
c:\documents and settings\All Users\Application Data\10501094\pc10501094ins
c:\documents and settings\All Users\Application Data\10501094\pc10501094reg

.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-18 20:34 . 2009-06-15 22:49 3027283 ----a-r- C:\Combo-Fix.exe
2009-06-17 12:26 . 2009-06-17 12:26 -------- d-----w- c:\documents and settings\USER1\Application Data\Malwarebytes
2009-06-15 19:09 . 2009-06-15 19:17 -------- d-----w- C:\SmitfraudFix
2009-06-15 19:09 . 2009-06-15 19:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 16:24 . 2009-06-15 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 16:24 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 20:11 . 2009-06-12 20:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-11 16:41 . 2009-06-11 16:41 676224 ----a-w- c:\windows\system32\ogacheckcontrol.dll
2009-06-11 14:43 . 2009-06-11 14:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-29 17:59 . 2009-05-29 17:59 845800 ----a-w- c:\documents and settings\USER1\Application Data\MSNInstaller\msnauins.exe
2009-05-29 17:59 . 2009-05-29 17:59 -------- d-----w- c:\documents and settings\USER1\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-12 14:18 . 2007-09-29 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdminWorks Tray"="c:\acer\LANScope Agent\awtray.exe" [2007-05-22 1459992]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-14 52832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2007-08-03 53248]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\USER1\Start Menu\Programs\Startup\
Outlook Express.lnk - c:\program files\Outlook Express\msimn.exe [2004-8-4 60416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-5-22 262144]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=c:\windows\pss\Acer Empowering Technology.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\OLRSubmission\\OLRSubmission.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:LANScope UDP Port
"2804:TCP"= 2804:TCP:LANScope TCP Port
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 1:07 PM 28933976]
R2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [10/3/2006 2:03 PM 18072]
R2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [5/30/2007 6:30 PM 14616]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kbctools.com/can/main.cfm
uInternet Connection Wizard,ShellNext = hxxp://en.ca.acer.yahoo.com/
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {BCED07BB-62BB-4239-B92A-9380A4066C90} = 204.50.251.17,201.107.254.9
TCP: {CFA6B775-0E90-4FFF-BC04-A6B99288DB53} = 204.50.251.17,201.107.254.9
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 13:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 13:20
ComboFix-quarantined-files.txt 2009-06-19 17:20
ComboFix2.txt 2009-06-19 16:45

Pre-Run: 29,011,312,640 bytes free
Post-Run: 28,963,586,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

122

Okay, this should be fine now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

I tried as your instruction. But ComboFix /u is not work. Anyway, i already set up a new restore point by myself. I feel my computer is ok now. I will try more days & let you know if I have any problem. Please accept my sicerely thanks for your wonderful help. Your guys are great

Please delete ComboFix manually by right click-->Delete.