WiredWX Christian Hobby Weather Tools
Malwarebytes runs for 2 seconds, then shuts down

I know that multiple people have already had this problem before, but I need help with it now. I'm not that experienced in computers, so I might not catch on quick. A laptop that I use has been infected with Antivirus Live (2010). It stopped me from doing anything in normal mode, so I went on safe mode to run Malwarebytes. I used Malwarebytes before to get rid of Internet Security 2010. It worked fine. However, this time, it runs for 2 seconds, then shuts down almost immediately. I know that this is the cause of a malware, but I need help removing it. I need to get the malware off quickly, so I would be extremely grateful to anyone who tries to help me. My laptop uses Windows XP (just thought I should throw that out there). If you reply, I'm wondering if I should use Combofix, but then Doctor Inferno wrote in an announcement not to do that without supervision first by a professional or a GeekPolice staff member. Please help me!

Thanks!

*Edit* Should I keep my laptop turned on or off? Does it matter?

Re: Malwarebytes runs for 2 seconds, then shuts down

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

Re: Malwarebytes runs for 2 seconds, then shuts down

So here are the results.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/29 16:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB86FD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: c:\windows\temp\hlktmp
Status: Allocation size mismatch (API: 17297408, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Code [Driver: ACPI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x877cd7c0 Size: 218

Hidden Services
-------------------
Service Name:
Image Path: C:\WINDOWS\system32\drivers\浍湉ff訐淀訉ȅ瑎䥦ై訇.sys

==EOF==

Re: Malwarebytes runs for 2 seconds, then shuts down

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: Malwarebytes runs for 2 seconds, then shuts down

Here are the results. (Appreciate the help!)

ComboFix 10-01-29.05 - Jay Juon 9/2010 Fri 23:19:57.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.2045.1792 [GMT -6:00]
Running from: c:\documents and settings\Jay Juon\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged
c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
c:\documents and settings\Jay Juon\Local Settings\Temporary Internet Files\NPI 및 업무개선 관련 토의_090828.xls
c:\program files\Shared
c:\windows\system32\bepaleju.dll
c:\windows\system32\drivers\E50f3.sys
c:\windows\system32\fuhazepi.dll
c:\windows\system32\jasesuyo.dll
c:\windows\system32\nahatona.dll
c:\windows\system32\rewetuyo.dll
c:\windows\system32\sanotoyi.dll
c:\windows\system32\sijusafo.dll
c:\windows\system32\wehojavi.dll
c:\windows\system32\wojawiho.dll
c:\windows\system32\wutunoyu.dll
c:\windows\system32\zibuvugo.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.39
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_E50f3
-------\Service_E50f3


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
.

2010-01-29 03:29 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-29 03:29 . 2010-01-29 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-29 02:38 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 23:01 . 2010-01-26 23:01 -------- d-----w- c:\documents and settings\HelpAssistant\EurekaLog
2010-01-25 04:55 . 2010-01-25 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-01-24 02:06 . 2010-01-24 02:06 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\Malwarebytes
2010-01-24 02:06 . 2010-01-24 02:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-24 01:58 . 2010-01-24 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-23 22:23 . 2010-01-23 22:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-22 01:04 . 2010-01-22 01:04 0 ----a-w- c:\windows\system32\drivers\.sys
2010-01-21 02:23 . 2010-01-21 02:23 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-05 19:14 . 2010-01-30 05:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-01 19:31 . 2010-01-08 02:18 0 ---ha-w- c:\windows\system32\wupd.dat
2010-01-01 18:50 . 2010-01-05 23:29 6435 ----a-w- c:\windows\system32\WORK.DAT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-30 05:27 . 2009-07-17 11:57 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-29 01:27 . 2009-07-29 00:33 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\StarOffice8
2010-01-29 00:25 . 2009-07-17 03:59 -------- d-----w- c:\program files\lg_swupdate
2010-01-15 03:05 . 2009-07-17 18:07 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\AdobeUM
2010-01-05 00:49 . 2009-08-20 13:18 53352 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-02 19:47 . 2009-11-08 02:45 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-01-02 19:47 . 2009-11-08 02:45 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-01-02 19:47 . 2009-11-08 02:45 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-01-02 19:47 . 2009-11-08 02:45 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-01-02 19:47 . 2009-11-08 02:45 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-01-02 17:53 . 2009-11-08 02:11 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-01-01 20:01 . 2009-11-08 02:45 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-12-22 05:42 . 2004-08-04 05:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-04 05:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-12-22 04:12 . 2009-12-22 04:12 1790688 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\NMService.exe
2009-12-22 04:12 . 2009-12-22 04:12 1700584 ----a-w- c:\documents and settings\All Users\Application Data\Nexon\Common\nmconew.dll
2009-12-19 17:28 . 2009-07-17 04:40 58952 ----a-w- c:\documents and settings\Jay Juon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-19 17:06 . 2009-11-08 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-12-19 17:06 . 2009-12-19 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Nexon
2009-12-09 01:56 . 2009-12-09 01:56 -------- d-----w- c:\documents and settings\Jay Juon\Application Data\Nexon
2009-11-21 16:36 . 2004-08-04 05:56 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 17:23 . 2009-11-14 17:23 45056 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe1_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-14 17:23 . 2009-11-14 17:23 45056 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\MapleStory.exe_A6CCAEF5F1414BBEA6DAEA8A8362C7A6.exe
2009-11-14 17:23 . 2009-11-14 17:23 10134 ----a-r- c:\documents and settings\Jay Juon\Application Data\Microsoft\Installer\{A6CCAEF5-F141-4BBE-A6DA-EA8A8362C7A6}\ARPPRODUCTICON.exe
2008-02-08 02:46 . 2008-02-08 02:46 13624 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 02:46 . 2008-02-08 02:46 87360 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 02:46 . 2008-02-08 02:46 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 02:46 . 2008-02-08 02:46 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 02:46 . 2008-02-08 02:46 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 02:46 . 2008-02-08 02:46 31544 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 02:46 . 2008-02-08 02:46 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-16 22:27 . 2007-03-16 22:27 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-16 22:27 . 2007-03-16 22:27 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-16 22:27 . 2007-03-16 22:27 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 17:47 . 2007-07-20 17:47 981170 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 02:46 . 2008-02-08 02:46 24384 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\lelutayo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c42da175-cdb4-4ca8-b1c2-7b3c7220f162}]
1601-01-01 00:03 55296 --sha-w- c:\windows\system32\lelutayo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Yahoo!Mini"="c:\program files\Yahoo!\Mini\YMiniUpdat2.exe" [2009-09-01 777728]
"cdloader"="c:\documents and settings\Jay Juon\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-01 2935480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"LG Intelligent Update"="c:\program files\lg_swupdate\autoupdate.exe" [2008-07-17 126976]
"RTHDCPL"="RTHDCPL.EXE" [2008-11-17 17676288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-11 13594624]
"nwiz"="nwiz.exe" [2009-02-11 1657376]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"LG Magnifier"="c:\program files\LG Software\LG Magnifier\MagnifyingGlass.exe" [2008-02-28 851968]
"KeybdUtility"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2009-01-10 2830336]
"zOSD"="c:\program files\LG Software\On Screen Display\HotKey.exe" [2009-01-10 2830336]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Jay Juon\Start Menu\Programs\Startup\
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2008-1-21 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-12-20 576104]
EmEditor v3.lnk - c:\program files\EmEditor3\EMEDTRAY.EXE [2001-12-13 49152]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2009-8-5 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\IDOCTOR\\PLUSUP_2.9\\AGENT\\ServiceiDoctorPro.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Keys Server\\sntlkeyssrvr.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Documents and Settings\\Jay Juon\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"56682:TCP"= 56682:TCP:Pando Media Booster
"56682:UDP"= 56682:UDP:Pando Media Booster
"59026:TCP"= 59026:TCP:Pando Media Booster
"59026:UDP"= 59026:UDP:Pando Media Booster
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services

R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [7/16/2009 10:09 PM 158720]
S1 {C166FB67-755A-446A-B788-301F84B7FA76};{C166FB67-755A-446A-B788-301F84B7FA76};\??\c:\windows\system32\drivers\Services\Tcpip\Parameters\Interfaces\{C166FB67-755A-446A-B788-301F84B7FA76}.sys --> c:\windows\system32\drivers\Services\Tcpip\Parameters\Interfaces\{C166FB67-755A-446A-B788-301F84B7FA76}.sys [?]
S2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [8/22/2006 12:00 AM 316992]
S2 SRS_PostInstaller;SRS PostInstaller Service;c:\program files\SRS Labs\WOWHD and TSXT Driver\SRS_PostInstaller.exe [8/10/2007 8:37 AM 69632]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [7/26/2009 7:26 AM 12672]
S3 npkakl;npkakl;\??\c:\windows\system32\npkakl.sys --> c:\windows\system32\npkakl.sys [?]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [7/16/2009 10:04 PM 41376]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/7/2008 11:23 AM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [5/9/2008 10:08 AM 174336]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 4:56 PM 173392]
S3 wowfilter;WOW XT Filter Driver;c:\windows\system32\drivers\WOWFilter.sys [8/10/2007 8:35 AM 22528]
.
Contents of the 'Scheduled Tasks' folder

2010-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-28 c:\windows\Tasks\SyncBackSE Design Works 1.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-09-21 20:59]

2010-01-28 c:\windows\Tasks\SyncBackSE OutLook 1.job
- c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe [2009-09-21 20:59]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Bluetooth 장치로 보내기(&One Cool Dude... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Bluetooth로 보내기 - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: lginnotek.com
Trusted Zone: sun.com
TCP: {E8077C1D-21D7-453B-9325-1EA7E4B52FD5} = 10.0.1.1
TCP: {F9BB1889-2F73-4C0A-A2D8-13CF12E5F052} = 10.0.1.1
DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} - hxxp://sso.lginnotek.com/initech/plugin/down/INIS60.cab
DPF: {56B0DCF5-77B9-49F6-AD2F-F367D22A7136} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/BWordAxU.cab
DPF: {599735FD-7340-487C-AD77-85F9838F2E2C} - hxxp://www.my-lg070.net/gnr_misc/lg_voicetest/LGVoipQualityX.cab
DPF: {6A05EEAE-72F8-4288-A5A2-FAC831DC0AC1} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/FX-FileUpDnMass.cab
DPF: {80572992-B565-4644-A14F-A6BFDEA55599} - hxxp://pro.i-doctor.co.kr/idoctor/IDLiveU.cab
DPF: {9FC84F7D-D177-4A75-A7BB-429DA5BD0A3E}
DPF: {A540427E-B803-4842-BC53-9DB140968449} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/KCOLSAddressBook.cab
DPF: {B6F0F9BC-AF60-41B4-BFB4-897617910207} - hxxp://sso.lginnotek.com/netclient/n5uaEx.CAB
DPF: {BBB0FC2D-1D95-45CA-BDCF-03B53F247FCC} - hxxp://neis.mest.go.kr/cab/ewsinstaller_full.cab
DPF: {CBEAB323-33C7-43A1-8642-412206DD16DF} - hxxp://mail0.lginnotek.com/kcols/kcolsresource.nsf/FX-FileUpDn.cab
DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} - hxxp://update.nprotect.net/nprotect2007/neisold/npz.cab
FF - ProfilePath - c:\documents and settings\Jay Juon\Application Data\Mozilla\Firefox\Profiles\wob39s4u.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: network.proxy.ftp - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.ssl - webcache.sfbay.sun.com
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPJPI142_07.dll
FF - plugin: c:\program files\Java\j2re1.4.2_07\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPGomtvx_nie.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-test - d:\combat.arms.nx_own\Bettler.exe
HKCU-Run-axopcajs - c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
HKLM-Run-hekajanade - bepaleju.dll
HKLM-Run-axopcajs - c:\documents and settings\Jay Juon\Local Settings\Application Data\sbiged\jnbhsysguard.exe
HKLM-Run-jujusozan - c:\windows\system32\wojawiho.dll
SharedTaskScheduler-{fa50cb30-b896-43c4-acb1-1c950db10641} - c:\windows\system32\wojawiho.dll
SSODL-gahujudal-{fa50cb30-b896-43c4-acb1-1c950db10641} - c:\windows\system32\wojawiho.dll
SafeBoot-E50f3
SafeBoot-{C166FB67-755A-446A-B788-301F84B7FA76}
SafeBoot-????淀??????



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-29 23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
Binary file temp00 matches
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\MmIn*?듍m ?*NtfIH ?
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\MmIn*?듍m ?*NtfIH ?
@="Driver"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MmIn*?듍m ?*NtfIH ?
"ImagePath"=expand:"\\??\\c:\\WINDOWS\\system32\\drivers\\????淀?\02?????.sys"
"Start"=dword:00000001
"Type"=dword:00000001
"ErrorControl"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\conime.exe
.
**************************************************************************
.
Completion time: 2010-01-29 23:33:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-30 05:33

Pre-Run: 12,188,938,240 bytes free
Post-Run: 17,377,591,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0EBFB55EE05984EAF897B79F343264BE
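As an added example (not code from the thread, from ComboFix or from the forum's tooling), the Python below triages the kinds of entries the log above contains: the 1601-dated, hidden+system DLL that the Browser Helper Objects key loads, the browser proxy pointed at 127.0.0.1:5555, the driver with an empty file name, and the firewall exceptions on high ports labelled only "Services". The sample lines are constructed from the log, and the severity rules are my heuristics, not any product's detection logic.

```python
"""Triage a ComboFix-style log for the indicators seen in the log above.

Added example; not part of ComboFix or any forum tool. The rules are
heuristics written to match that log, not a product's detection logic.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt modelled on entries in the log above. Backslashes are
# doubled so the Windows paths survive as Python string literals.
SAMPLE_LOG = """\
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\\windows\\system32\\lelutayo.dll
2009-12-22 05:42 . 2004-08-04 05:56 662016 ----a-w- c:\\windows\\system32\\wininet.dll
2010-01-22 01:04 . 2010-01-22 01:04 0 ----a-w- c:\\windows\\system32\\drivers\\.sys
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{c42da175-cdb4-4ca8-b1c2-7b3c7220f162}]
1601-01-01 00:03 55296 --sha-w- c:\\windows\\system32\\lelutayo.dll
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"5353:UDP"= 5353:UDP:Bonjour
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"""

# Timeline entry: <modified> . <created> <size|----> <attrs> <path>
TIMELINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. (?P<cre>\d{4})-\d{2}-\d{2} \d{2}:\d{2} +"
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
# File listed under a "Reg Loading Points" key: <created> <size> <attrs> <path>
REGREF_RE = re.compile(
    r"^(?P<cre>\d{4})-\d{2}-\d{2} \d{2}:\d{2} \d+ (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
PROXY_RE = re.compile(r"ProxyServer = http=(?P<host>[\d.]+):(?P<port>\d+)")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?:TCP|UDP)"= \d+:(?:TCP|UDP):(?P<name>.+)$')
GENERIC_PORT_NAMES = {"services", "service", "system"}


def _file_findings(created_year: int, attrs: str, path: str, line: str) -> List[Dict]:
    """Rules applied to any file entry, wherever in the log it appears."""
    out: List[Dict] = []
    low = path.lower()
    if created_year < 1980:
        # 1601-01-01 is the zero FILETIME; a real install never predates 1980.
        out.append({"severity": "high", "line": line,
                    "reason": "zeroed/forged creation timestamp"})
    if "h" in attrs and "s" in attrs and "\\system32\\" in low:
        out.append({"severity": "high", "line": line,
                    "reason": "hidden+system attributes on a file in system32"})
    if low.endswith("\\.sys"):
        out.append({"severity": "medium", "line": line,
                    "reason": "driver file with an empty name"})
    return out


def triage(log_text: str) -> List[Dict]:
    """Return one finding dict (severity, line, reason) per matched rule."""
    findings: List[Dict] = []
    in_bho = False  # True while reading entries under a Browser Helper Objects key
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_bho = "Browser Helper Objects" in line
            continue
        m = TIMELINE_RE.match(line)
        if m:
            findings += _file_findings(int(m["cre"]), m["attrs"], m["path"], line)
            continue
        m = REGREF_RE.match(line)
        if m:
            file_hits = _file_findings(int(m["cre"]), m["attrs"], m["path"], line)
            if in_bho and file_hits:
                findings.append({"severity": "high", "line": line,
                                 "reason": "BHO loads a DLL that is itself suspicious"})
            findings += file_hits
            continue
        m = PROXY_RE.search(line)
        if m:
            if m["host"].startswith("127."):
                findings.append({"severity": "high", "line": line,
                                 "reason": f"browser proxied through loopback port {m['port']}"})
            continue
        m = PORT_RE.match(line)
        if m and m["name"].strip().lower() in GENERIC_PORT_NAMES and int(m["port"]) >= 1024:
            findings.append({"severity": "medium", "line": line,
                             "reason": "firewall exception on a high port with a generic name"})
    return findings


def summary(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 6, 'medium': 3}."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}: {f['line']}")
```

Run against the full log rather than the excerpt, the same rules also flag the Find3M entry for lelutayo.dll and leave the dated, normally-attributed system files such as wininet.dll alone.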

Re: Malwarebytes runs for 2 seconds, then shuts down

Hi again. Please do these steps in order.

1. Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


2. Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running SUPERAntiSpyware (SAS) to scan and remove malware from your computer:

http://www.bleepingcomputer.com/virus-removal/how-to-use-superantispyware-tutorial

Post the log from SUPERAntiSpyware when you've accomplished that.

4. Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


5. Post the following in your next reply:
  • MBAM log
  • SAS log
  • ESET log

And, please tell me how your computer is doing.

Re: Malwarebytes runs for 2 seconds, then shuts down

Sorry, I accidentally posted the results for the TFC scan. (I edited it out and put this message instead.)

Re: Malwarebytes runs for 2 seconds, then shuts down

For some reason, it says my internet options won't allow ActiveX control, so I can't run ESET. Also, in safe mode, there is an administrator but in normal mode there isn't. Apparently the administrator is blocking the use of SAS. Any tips?

Re: Malwarebytes runs for 2 seconds, then shuts down

Windows XP has a hidden administrator, which you can only see in Safe Mode.

Please do the following, then try the scans again:

Please navigate to this webpage: http://support.microsoft.com/kb/313222 and see the section "Fix it for me" and click the Microsoft Fix-It button. This will download a fix utility to repair the security settings on your computer, due to damages of malware or other harmful system changes. Install the file after download.

Re: Malwarebytes runs for 2 seconds, then shuts down

When I try to install the Microsoft Fix it thing, it says administrator has set policies to prevent the installation.

Here are the results of the Malwarebytes scan. I'm really thankful that you stuck with me on this. You're truly a good guy.

Malwarebytes' Anti-Malware 1.44
Database version: 3662
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

1/30/2010 12:10:51 PM
mbam-log-2010-01-30 (12-10-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 234310
Time elapsed: 21 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c42da175-cdb4-4ca8-b1c2-7b3c7220f162} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c42da175-cdb4-4ca8-b1c2-7b3c7220f162} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lelutayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bepaleju.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jasesuyo.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\E50f3.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP3\A0007110.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP3\A0007116.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP3\A0007126.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP3\A0008126.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019239.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019269.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019270.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019272.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019317.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{CB0B1509-7D6B-474D-AA1B-B8FB19603A14}\RP6\A0019345.com (Trojan.Agent) -> Quarantined and deleted successfully.

Also, my computer has now gotten rid of Antivirus Live, and is working fine in normal mode. (A lot slower though, but it'll have to suffice.)

Re: Malwarebytes runs for 2 seconds, then shuts down
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Malwarebytes runs for 2 seconds, then shuts down
Here are the results.

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\WINDOWS\system32\drivers\????
Service Name: ????
Module Base: ---
Module End: ---
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B4F9C000
Module End: B4FB4000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79C9000
Module End: F79CB000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwConnectPort
Address: E1865C08
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************

Re: Malwarebytes runs for 2 seconds, then shuts down
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Malwarebytes runs for 2 seconds, then shuts down
Here are the results. I'm still dumbfounded about how you know what to do.

Malwarebytes' Anti-Malware 1.44
Database version: 3664
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/30/2010 5:37:17 PM
mbam-log-2010-01-30 (17-37-17).txt

Scan type: Quick Scan
Objects scanned: 120262
Time elapsed: 4 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Malwarebytes runs for 2 seconds, then shuts down
Time to check for rootkits.

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.

Re: Malwarebytes runs for 2 seconds, then shuts down
Here are the results.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

Re: Malwarebytes runs for 2 seconds, then shuts down
Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: Malwarebytes runs for 2 seconds, then shuts down
Here are the results.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !
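As an added example (not part of the thread and not GMER's own code), a small Python triage script that parses the mbr.exe detector output quoted above into a structured result and a verdict; the log text is embedded as constructed test input, and calling triage_mbr_log on it is what a helper would do before deciding whether a deeper rootkit scan is needed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the mbr.exe output quoted in the thread, embedded so the
# script runs offline; a real run would read mbr.log from the Desktop instead.
SAMPLE_MBR_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !
"""

# The detector's report lines; the hex sector number is captured where present.
RE_MBR_OK = re.compile(r"^user & kernel MBR OK$")
RE_COPY = re.compile(r"^copy of MBR has been found in sector (0x[0-9A-Fa-f]+)")
RE_CODE = re.compile(r"^malicious code @ sector (0x[0-9A-Fa-f]+)")
RE_PE = re.compile(r"^PE file found in sector at (0x[0-9A-Fa-f]+)")


@dataclass
class MbrTriage:
    mbr_consistent: bool = False           # user-mode and kernel-mode reads of the MBR agree
    mbr_copy_sector: Optional[int] = None  # where a saved copy of the original MBR sits
    code_sectors: List[int] = field(default_factory=list)
    pe_sectors: List[int] = field(default_factory=list)

    @property
    def findings(self) -> List[int]:
        return sorted(set(self.code_sectors + self.pe_sectors))

    def offsets_from_copy(self) -> List[int]:
        """Distance in sectors of each flagged sector from the stored MBR copy."""
        if self.mbr_copy_sector is None:
            return []
        return [s - self.mbr_copy_sector for s in self.findings]

    @property
    def verdict(self) -> str:
        if self.findings:
            return "SUSPICIOUS: flagged sectors outside the MBR, needs a deeper rootkit scan"
        if not self.mbr_consistent:
            return "SUSPICIOUS: user and kernel MBR reads differ, possible MBR hooking"
        return "CLEAN"


def triage_mbr_log(text: str) -> MbrTriage:
    """Parse mbr.exe output into an MbrTriage; lines matching no pattern are ignored."""
    result = MbrTriage()
    for line in text.splitlines():
        line = line.strip()
        if RE_MBR_OK.match(line):
            result.mbr_consistent = True
        elif (m := RE_COPY.match(line)):
            result.mbr_copy_sector = int(m.group(1), 16)
        elif (m := RE_CODE.match(line)):
            result.code_sectors.append(int(m.group(1), 16))
        elif (m := RE_PE.match(line)):
            result.pe_sectors.append(int(m.group(1), 16))
    return result
```

On the sample log the two flagged sectors sit 3 and 25 sectors past the stored MBR copy, which is the pattern the helper escalated to a full GMER scan.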

Re: Malwarebytes runs for 2 seconds, then shuts down
Got that in mind. We need to do a deeper scan, so please follow the directions for the GMER rootkit scanner.

Re: Malwarebytes runs for 2 seconds, then shuts down
Whoops! Sorry, didn't follow the instructions. Also, I accidentally deleted all the things in the quarantine. Is that OK?

Re: Malwarebytes runs for 2 seconds, then shuts down
Yeah that's fine. Post the GMER log when ready.

Re: Malwarebytes runs for 2 seconds, then shuts down
Here are the results. Sorry about earlier.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-31 16:43:04
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\JAYJUO~1\LOCALS~1\Temp\pxldypow.sys


---- System - GMER 1.0.15 ----

SSDT E1ED5B78 ZwConnectPort

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3F7816D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B3F77FC2

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB781E360, 0x33B51D, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB3B4A400, 0x87EE2, 0xE8000020]
.protecthardlockentry point in ".protecthardlockentry point in ".protecthardlockentry point in ".p" section [0xB3BEE620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protecthardlockentry point in ".protecthardlockentry point in ".p" section [0xB3BEE620]
.protecthardlockunknown last code section [0xB3BEE400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB3BEE400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[2536] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth
Reg HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Bluetooth @Driver bthcrp.dll
Reg HKLM\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Control\Print\Monitors\Bluetooth @Driver bthcrp.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FriendlyName Indeo® video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo® video 5.10 Compression Filter@EncoderType 1
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\2581816539\Groups@ 0
Reg HKCU\Software\Microsoft\Windows Live\Communications Clients\Shared\2581816539\Groups@\0 0

---- EOF - GMER 1.0.15 ----

Re: Malwarebytes runs for 2 seconds, then shuts down
Do you have a program by Aladdin, the security software vendor?

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the drop-down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs
  • Select the More Options tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the warning and select OK again; the program will close and you are done


To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Malwarebytes runs for 2 seconds, then shuts down
Yarr, here be the results for the scan.

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec AntiVirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Java 2 Runtime Environment, SE v1.4.2_07
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus Rtvscan.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Re: Malwarebytes runs for 2 seconds, then shuts down
Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: http://www.GeekPolice.net/operating-systems-f20/windows-xp-service-pack-3-information-t16956.htm

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?
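As an added example (not from the thread and not hpHosts' own code), a Python audit of a HOSTS file that separates blackhole entries (names pointed at 127.0.0.1 or 0.0.0.0, the mechanism described above) from entries that send a hostname to some other address, which is the shape a tampered HOSTS file takes; the sample file is constructed inline using reserved test domains.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Addresses that make a name unreachable: IPv4/IPv6 loopback and the unspecified address.
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS file: the stock localhost line, a few hpHosts-style
# blackhole entries, a comment, one entry that sends a name to a remote address
# (the shape of a tampered HOSTS file) and one junk line. Names are reserved test domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net          # blackholed ad server
127.0.0.1       tracker.example.org
0.0.0.0         badsite.example.com
198.51.100.7    update.example-vendor.test   # NOT loopback: traffic goes elsewhere
this is not a hosts line
"""

@dataclass
class HostsReport:
    blackholed: List[str] = field(default_factory=list)      # names sent to loopback/unspecified
    redirected: Dict[str, str] = field(default_factory=dict) # name -> non-loopback address
    malformed: List[int] = field(default_factory=list)       # 1-based line numbers that failed to parse

    @property
    def clean(self) -> bool:
        # A blocklist-style HOSTS file only ever blackholes; any redirect deserves a look.
        return not self.redirected

def audit_hosts(text: str) -> HostsReport:
    """Classify every HOSTS entry as a blackhole, a redirect, or malformed."""
    report = HostsReport()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            report.malformed.append(lineno)
            continue
        if len(fields) < 2:                   # an address with no hostname after it
            report.malformed.append(lineno)
            continue
        for name in fields[1:]:
            if name.lower() == "localhost":
                continue                      # the stock entry, nothing to classify
            if addr in BLACKHOLE_ADDRS:
                report.blackholed.append(name)
            else:
                report.redirected[name] = addr
    return report

if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"blackholed={len(r.blackholed)} redirected={r.redirected} malformed_lines={r.malformed}")
    print("pure blocklist" if r.clean else "contains redirects; review them")
```

On Windows XP the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; a redirect entry there is worth raising in a help thread rather than acting on alone.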

Re: Malwarebytes runs for 2 seconds, then shuts down
Wow is that all? Thanks for the help then I guess! You're a life saver. You deserve a medal. Thank You! Thank You!

Re: Malwarebytes runs for 2 seconds, then shuts down
You're welcome.

Re: Malwarebytes runs for 2 seconds, then shuts down
Also, if the laptop suddenly slows down, should I run one of the rootkit finders?

Re: Malwarebytes runs for 2 seconds, then shuts down
No. Please do not use those tools without expert supervision.

Re: Malwarebytes runs for 2 seconds, then shuts down
Alright. Thanks!
