gerbil 216 Industrious Poster

We're not quite there yet, Q8i. That trojan/worm causing the problem you have experienced often comes packaged with a rootkit. This tool should expose it if it exists:
Please download Roguekiller from http://majorgeeks.com/RogueKiller_d6983.html
-start it with a dclick and wait for the initial scan to complete. Press the report button, post the log that pops in notepad. Do not remove anything at this stage.

gerbil 216 Industrious Poster

Hmm. Try going Start > Run, and entering the cmd window. Then in that, enter:
regsvr32 /i shell32.dll

gerbil 216 Industrious Poster

In this case, that box in the Edit File Types window being greyed should not matter. If explore is boldened then folders should open in the same window. You do have to restart explorer to have the change take effect.... use Task Manager to end explorer.exe and restart it.

gerbil 216 Industrious Poster

Hello, Q8i. This block, it's the same as before where I made a syntax error from force of habit of normal typing, but with the correction already made here. So start OTL again, and under Custom Scans/Fixes paste in the following:

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKU\S-1-5-21-3950603794-847189768-4124068-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[2012/08/06 12:38:43 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{47DC4CE8-594C-4150-B595-E935013DAC07}
[2012/08/06 12:38:31 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{5AF4FFAC-FAA9-47C4-AD22-542782FFFC61}
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
O4:[b]64bit:[/b] - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:[b]64bit:[/b] - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-21-3950603794-847189768-4124068-1001..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
O8:[b]64bit:[/b] - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O18:[b]64bit:[/b] - …
gerbil 216 Industrious Poster

Cos all I do is try to type posts. I don't make aeroplanes, either. Nor do I fly them.
I think my point is that I am highly uninterested in learning something for one rare application.

gerbil 216 Industrious Poster

Whoops, that's a syntax error of mine, a typing habit. Sorry, but the first line of that fix should be..
:OTL
So paste the block in again, and move that colon to the front of the line. Press Run Fix, OK, and let it complete.

gerbil 216 Industrious Poster

Hello, Q8i.
Start OTL again, under Custom Scans/Fixes paste in the following:

OTL:
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
IE - HKU\S-1-5-21-3950603794-847189768-4124068-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[2012/08/06 12:38:43 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{47DC4CE8-594C-4150-B595-E935013DAC07}
[2012/08/06 12:38:31 | 000,000,000 | ---D | C] -- C:\Users\Q8iEnG\AppData\Local\{5AF4FFAC-FAA9-47C4-AD22-542782FFFC61}
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_270.dll File not found
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll File not found
O4:[b]64bit:[/b] - HKLM..\Run: [IntelTBRunOnce] wscript.exe //b //nologo "C:\Program Files\Intel\TurboBoost\RunTBGadgetOnce.vbs" File not found
O4:[b]64bit:[/b] - HKLM..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe File not found
O4 - HKU\S-1-5-21-3950603794-847189768-4124068-1001..\Run: [AdobeBridge]  File not found
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
DRV:[b]64bit:[/b] - (esgiguard) -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys File not found
O8:[b]64bit:[/b] - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html File not found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\msnim - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\wlmailhtml - No CLSID value found
O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
O20 - HKLM …
gerbil 216 Industrious Poster

We need a key that nobody would ever use for anything else. Like that opening apostrophe on the key with the tilde. Nobody uses that....
I'm laughing.

gerbil 216 Industrious Poster

Explorer window, Tools, Folder options... setting correct on that page?
You might also check, while you have that box open, via File Types tab, scrolling down and selecting Folders [not File Folders], then pressing Advanced button, that "explore" is boldened. If not select it, and press Set Default, Okay your way out.

gerbil 216 Industrious Poster

Again, you should run
attrib -r -h F: /s /d
on that drive to unhide any hidden files. If it is the case that there are no hidden files then you should use chkdsk on that drive because the NTFS reporting of the file structure is incorrect:
chkdsk f: /f /x

gerbil 216 Industrious Poster

Hi, super c, if you entered....
attrib -r -h "C:\Program Files\Microsoft Games\Rise of Nations" /s /d
you would merely see the prompt reappear after a pause. The job is done, all files in that folder and sub-folders will have had their read-only [and hidden] attributes removed. Take no notice of the green square in any treated folder's Read Only checkbox - that checkbox is only a tool for changing the attribute of all files in the folder [and sub-folders if you set it so in the box that appears], it is meaningless for the folder itself.
You could use...
attrib -r -h "C:\Program Files\Microsoft Games\*.*" /s /d
to treat all files in all folders under M$ Games.

gerbil 216 Industrious Poster

I understand all that [except most of what Dani wrote... :(], and I would expect it inside a code segment. But for text passages can it not be verbatim, slash for slash, * for *, a for apple? Be mindful that many/most who come here for help expect to see what they type in the post; if they coded, or knew html, likely they wouldn't be visiting.
I don't live coding.

gerbil 216 Industrious Poster

The green square in the Read Only checkbox indicates that some files in the folder are marked read only, some are not. There are only two files inside, uncheck the one that is Read Only.

gerbil 216 Industrious Poster

Yes, it thinks that this is a switch: -h"C:\Program Files\Microsoft Games\Rise of Nations" because of missing spaces. Place a space before the opening " and one after the closing ". And that should do it.
attrib -r -h "C:\Program Files\Microsoft Games\Rise of Nations" /s /d

cmd is a bit unpredictable, sometimes spaces are important, sometimes not. It rarely hurts to add one between parts of a command; there are spaces between switches and targets in the above line. -h, -r, /s, /d are all switches. A space terminates a switch, but strangely, some commands will accept a series of switches with no intervening spaces. attrib is not one of those. There is no discernible system.
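
As an added worked example (not code from the original post), here is a small Python model of the rules the Microsoft C runtime uses to split a Windows command line into argv[], which is what decides whether -h"C:\..." is one token or two. It implements the documented rules: whitespace delimits arguments, double quotes group text, backslashes are literal except directly before a double quote, where an even run yields half as many backslashes plus a delimiting quote and an odd run yields half plus a literal quote. The newer rule that "" inside a quoted string means a literal quote is not modelled, and it is an assumption that attrib.exe sees its arguments through these rules. The two command lines are constructed from the ones in this thread; the helper names are mine.

```python
def split_cmdline(line):
    """Split a Windows command line into argv[] using the documented
    Microsoft C runtime rules (assumption: attrib.exe sees its arguments
    this way). Returns a list of argument strings."""
    args, cur = [], []
    in_arg = in_quotes = False
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c == '\\':
            # A run of backslashes is literal unless a double quote follows it.
            j = i
            while j < n and line[j] == '\\':
                j += 1
            run = j - i
            if j < n and line[j] == '"':
                cur.append('\\' * (run // 2))
                if run % 2:            # odd run: the quote is escaped, not a delimiter
                    cur.append('"')
                    j += 1
                # even run: the quote is a delimiter; the next loop pass toggles it
            else:
                cur.append('\\' * run)
            in_arg, i = True, j
            continue
        if c == '"':
            in_quotes = not in_quotes  # quotes group text; they are not kept
            in_arg = True
        elif c in ' \t' and not in_quotes:
            if in_arg:                 # whitespace outside quotes ends the token
                args.append(''.join(cur))
                cur, in_arg = [], False
        else:
            cur.append(c)
            in_arg = True
        i += 1
    if in_arg:
        args.append(''.join(cur))
    return args


def attrib_view(line):
    """Show the command line as attrib would see it: (switches, targets).
    Anything starting with +, - or / is taken as a switch."""
    argv = split_cmdline(line)[1:]  # drop the program name
    switches = [a for a in argv if a and a[0] in '+-/']
    targets = [a for a in argv if not (a and a[0] in '+-/')]
    return switches, targets


# Constructed command lines: the one that failed and the corrected one.
BAD = r'attrib -r -h"C:\Program Files\Microsoft Games\Rise of Nations" /s /d'
GOOD = r'attrib -r -h "C:\Program Files\Microsoft Games\Rise of Nations" /s /d'

if __name__ == '__main__':
    for cmd in (BAD, GOOD):
        sw, tg = attrib_view(cmd)
        print(cmd)
        print('  switches:', sw)
        print('  targets: ', tg)
```

Run it and the failing line comes out with no target at all: the quoted path is glued onto -h, giving one long switch, which is exactly the "invalid switch" complaint. Two caveats worth knowing: attrib.exe is an external program and gets these runtime rules, whereas commands built into cmd.exe (dir, del, copy) are parsed by cmd itself with its own rules, which is one reason spacing seems to matter inconsistently; and a quoted path ending in a backslash, "C:\Temp\", turns the closing quote into a literal quote and swallows everything after it, so quote the folder without the trailing backslash.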

gerbil 216 Industrious Poster

Markdown is a pain. You gotta agree, AD...
Edit Post button gets a workout.

gerbil 216 Industrious Poster

Hokay. Download OTL from http://oldtimer.geekstogo.com/OTL.exe
=Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
=Download Malwarebytes' Anti-Malware from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

=Start TDSSKiller, click Change Parameters. Under Additional options check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK.
-click Start scan;
-if TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required];
-press Continue also on any Skip prompt for suspicious files. Do not delete or quarantine any files.
Post the log from C:.

=Dclick mbam-setup.exe to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

=Dclick OTL.exe to start the application; in the window that opens choose, Scan All …

gerbil 216 Industrious Poster

More fun with Markdown. To denote all files, folders in H: drive one seems to have to type two backslashes, so:
Typing H:\* gives H:* in the post.
and H:\ \* gives H:\*
And you wouldn't believe the fun I had typing that. What I had to type is totally different to what is posted, but what is posted is what I want you to see. Got it? Have a play...
Hint. To get that H:\ \* I had to type H: \ \ and \ \* sep by a space.
And to get that hint to post? Oh, my gawd....

gerbil 216 Industrious Poster

Annoying... Try this: open a cmd.exe window alongside a downsized explorer window, drag an affected folder into the cmd window and:
-at the end type: /s /d
-press Home, and in front type: attrib -r -h
...and press Enter. Did that make the change stick to files in that folder?
If so, repeat with other folders. Or use H:\* as your folder to process all folders and files in H: drive in one command.

gerbil 216 Industrious Poster

Use error trapping with an error-handling routine: ERR code 53 [file not found], but you should account for pathname and disk errors : 70 [Disc access denied] and 71 [Disc is not ready]; also 55, 72, 75, 76 can pull you up - check the GWBasic error codes [Gurgle them]. If you don't pay attention to these other error possibilities then... well, computers are unforgiving.
So, set up your error handler, then open and close the file to test it..

ON ERROR GOTO errorfileopen      ' enables the error handler errorfileopen
OPEN "C:\ProgA" FOR INPUT AS #1  ' tests you can actually read the file
CLOSE #1
ON ERROR GOTO 0                  ' terminates the error handler
END                              ' stop here so normal flow does not run on into the handler

errorfileopen:
' here you would use SELECT CASE ERR [I prefer this] or a simple IF THEN [ELSE] statement: [IF ERR=53 THEN ... ELSE ....]
RESUME NEXT                      ' continues at the statement after the one that failed, i.e. the CLOSE (a bare RESUME would retry the OPEN and loop)

gerbil 216 Industrious Poster

Me too, I'm rabid on Ctrl-S. OP doesn't seem to use it, hence my ! in "if he doesn't save [by closing pgms!] "
Must be he wants password control over return from sleep.


gerbil 216 Industrious Poster

Devices is a good scan to include. Nothing shows above, though.

gerbil 216 Industrious Poster

Sleep issues often have a cause related to power management - ACPI compatibility. Unless you need to use password control to protect your return from sleep, simply do as caper suggests, and set screen and drives to shut off if no activity for 10 mins.
I think by "i need to close all my programmes. otherwise my data will be loss" he means if he doesn't save [by closing pgms!] he will lose his data when resumption from sleep fails?


gerbil 216 Industrious Poster

regsvr32 wucltui.dll was one I confused with wucltux.dll. Some Vista stuff crept into my fix, but no matter. Just another reason to loathe Vista... That auto-fix from M$ that you ran covers it [it includes all the terms for XP, Vista and W7].
I only let Windows notify me of the available updates, I like to choose what I feel is relevant.
After a virus, sometimes near enough is as good as you can hope for after it is killed. Tracking some minor changes can be exhausting, and unfulfilling.
Cheers.

gerbil 216 Industrious Poster

I loathe IntelliTXT... you're reading something, your right hand is absent-mindedly doodling with the mouse and POP... suddenly you're not reading any more.
Daniweb is welcome to any of my stuff. It's sorta nice having someone claim it as of some value.

gerbil 216 Industrious Poster

Dani, the loss of the view numbers is of no concern to me. How can you differentiate between genuine interest/learning/satisfaction and a passing glance/unfulfillment without some sort of time-spent measure? And how could that be meaningful in itself? Leave it be.
Watching a solved thread continue to accrete posts is a better measure of usefulness, and we have that.

gerbil 216 Industrious Poster

Ah, thanks for that, Mike. A pity that the bump action does not get reset....

gerbil 216 Industrious Poster

I made a slip in that list of registration files. I gave you wuwebv.dll, which is for Vista. It should be wuweb.dll for XP. You should have the latter in system32, delete wuwebv.dll, and run:
regsvr32 wuapi.dll wuaueng.dll wups.dll wups2.dll wuweb.dll wucltux.dll
Sigh.
Try checking for updates manually. There is always one to download...
Svchost instances... yes you can have several running. My sys has 8 just now. Each Svchost holds a group of service libraries that together form a single process which performs some task, say net services. I think.
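
An added example, not from the original post: a Python parser over the output of `tasklist /svc`, which lists the services each svchost.exe instance hosts, so you can see what each of those several processes is there for and pick out one that hosts nothing. The sample output below is constructed to match the tasklist /svc layout (long service lists wrap onto indented continuation lines); it is not a capture from anyone's machine, and the helper names are mine.

```python
import re

# Constructed sample of `tasklist /svc` output (not a capture from the poster's machine).
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    596 DcomLaunch, PlugPlay, Power
svchost.exe                    676 RpcEptMapper, RpcSs
svchost.exe                    764 Audiosrv, Dhcp, eventlog, HomeGroupProvider,
                                   lmhosts, wscsvc
svchost.exe                    900 BITS, wuauserv
svchost.exe                   3120 N/A
explorer.exe                  1720 N/A
"""

_ROW = re.compile(r'^(?P<image>.*?)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$')


def _split_services(field):
    field = field.strip()
    if not field or field == 'N/A':
        return []
    return [s.strip() for s in field.split(',') if s.strip()]


def parse_tasklist_svc(text):
    """Return [(image, pid, [services]), ...] from `tasklist /svc` output.
    Lines beginning with whitespace are wrapped continuations of the row above."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('Image Name') or line.startswith('='):
            continue
        if line[0].isspace():
            if rows:
                rows[-1][2].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if m:
            rows.append((m.group('image'), int(m.group('pid')),
                         _split_services(m.group('services'))))
    return rows


def svchost_groups(rows):
    """Map each svchost.exe PID to the group of services it hosts."""
    return {pid: svcs for image, pid, svcs in rows if image.lower() == 'svchost.exe'}


def host_of(rows, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    for _, pid, svcs in rows:
        if service.lower() in (s.lower() for s in svcs):
            return pid
    return None


def suspicious_svchosts(rows):
    """svchost.exe instances that host no service at all. A real svchost exists
    only to host services, so an empty one deserves a second look (a look-alike
    binary, or the name being borrowed by something else)."""
    return [pid for pid, svcs in svchost_groups(rows).items() if not svcs]


if __name__ == '__main__':
    rows = parse_tasklist_svc(SAMPLE)
    for pid, svcs in svchost_groups(rows).items():
        print(pid, ', '.join(svcs) or '(no services)')
    print('hosts wuauserv:', host_of(rows, 'wuauserv'))
    print('suspicious:', suspicious_svchosts(rows))
```

Run `tasklist /svc > svc.txt` on the machine and feed the file to parse_tasklist_svc. Note that tasklist /svc does not show the image path; a genuine svchost.exe runs from %SystemRoot%\System32, so check the path separately (Task Manager, or `wmic process where "name='svchost.exe'" get ProcessId,ExecutablePath`).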

gerbil 216 Industrious Poster

You might try this online scan [it will not interfere with your TM AV]...
==Eset Online Scanner using IE only: http://www.eset.com/home/products/online-scanner
-with another browser it must install.
And MBAM, of course:
Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
And then get a fresh copy of GMER, and try to run it in Normal mode.

gerbil 216 Industrious Poster

Good work. No need for OTL now; Babylon is a persistent, well-embedded toolbar and redirector, no more.

gerbil 216 Industrious Poster

I see this sort of thing regularly. In the forum page a topic will be bumped up by a poster [name appearing to right]... you go to the post or topic and the bumper's post is just not there. An example, same in FF n Opera:
http://www.daniweb.com/hardware-and-software/microsoft-windows/windows-nt-2000-xp/threads/28182/password-recovery-on-windows-xp-home-sp2#post1835562

gerbil 216 Industrious Poster

It's got cunning. They know you're going to try that...
Download OTL from http://oldtimer.geekstogo.com/OTL.exe
Dclick OTL.exe to start the application; in the window that opens choose, Scan All Users, Minimal Output, Standard Registry ALL, check both LOP and Purity boxes, and then press Run Scan.
The scan will take maybe 5 minutes; 2 notepads will present [they are saved to the place from where you ran OTL.exe] - post both, please.

gerbil 216 Industrious Poster

Puters are just too complex. The GMER scan... I think you are likely clean, so if you don't get a Rootkit!! warning, or red lines on the log there is no need to post it.
cheers.

gerbil 216 Industrious Poster

Hmmm, that didn't go fully well...and I don't know why I put in a Combofix service to remove, late nights, I guess.. :), no harm. But this is quite wrong:
File PTYTEMP] not found.
File PTYFLASH] not found.
File PTYJAVA] not found. - It appears that the first 3 characters of each line were missed when you pasted? No problem, no need to rerun the tool.

You are going to have to find a copy of this file on your sys: C:\WINDOWS\system32\wuauserv.dll - perhaps in ServicePackFiles\i386, or Software Distribution, or on an installation cd, or just download it, and copy it over to system32.
Then in a cmd window run this [press Enter each time it waits]:
regsvr32 wuapi.dll wuaueng.dll wups.dll wups2.dll wuwebv.dll wucltux.dll
If that does not restart the update service then I offer this set of commands [you could make a .cmd file of them in Notepad, and run by dclick]:

net stop bits
regsvr32 /u wuaueng.dll /s
regsvr32 wuaueng.dll /s
net start bits
net start wuauserv
wuauclt.exe /resetauthorization /detectnow

And if that doesn't work, then there is the whole hog here: http://support.microsoft.com/kb/971058/en-us
Say how it all goes.

gerbil 216 Industrious Poster

Use this codebox instead for the OTL fix - I added 3 more files/folders to be removed.

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
DRV - File not found [Kernel | On_Demand | Unknown] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\ALSysIO.sys -- (ALSysIO)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}: D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}\
O18 - Protocol\Handler\msdaipp - No CLSID value found
:Files
d:\documents and settings\sabre2th\local settings\application data\{3A05A615-CEDF-11E1-8270-B8AC6F996F26}
d:\documents and settings\sabre2th\local settings\application data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}
d:\documents and settings\sabre2th\application data\mdgfi.dll
d:\windows\System32\spoolsv.exe|d:\windows\ServicePackFiles\i386\spoolsv.exe /replace
:cleanup
GMER
TDSSKiller
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[EMPTYJAVA]
gerbil 216 Industrious Poster

That's good, Sabre. There are a few things to fix, still. Btw, once the rootkit was removed, MBAM could see, and so quarantined, that file and folder I listed for manual deletion.
Your d:\windows\System32\spoolsv.exe ... is missing ... there is a good but earlier copy at d:\windows\ServicePackFiles\i386\spoolsv.exe, and OTL will replace the missing file with this, but I recommend you get the later version by downloading KB2347290 from M$ Updates.
Copy the following code into OTL's Custom Fixes/Scans box, then press Run Fix.

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
DRV - File not found [Kernel | On_Demand | Unknown] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\mbr.sys -- (mbr)
DRV - File not found [Kernel | On_Demand | Stopped] -- D:\DOCUME~1\Sabre2th\LOCALS~1\Temp\ALSysIO.sys -- (ALSysIO)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-299502267-287218729-839522115-1003\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-search.com/search?q={searchTerms}
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}: D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{3A056AA9-CEDF-11E1-8270-B8AC6F996F26}\
O18 - Protocol\Handler\msdaipp - No CLSID value found
:Files
d:\windows\System32\spoolsv.exe|d:\windows\ServicePackFiles\i386\spoolsv.exe /replace
:cleanup
GMER
TDSSKiller
:Commands
[EMPTYTEMP]
[EMPTYFLASH]
[EMPTYJAVA]

Post that log.

Remove all old versions of Java.
Delete RKill and its log
Go Start, and Run d:\documents and settings\Sabre2th\Desktop\Virus hunting\ComboFix.exe /Uninstall

gerbil 216 Industrious Poster

I just looked more closely at your screenshots... you still have Korean set as the default input language [that is why it is being used at startup as the system language]; you will have to change that default to another language before you can remove Korean as a service. That default also sets your keyboard layout to being one of the allowed set for that language.
There are other tools available which give a more in-depth look at your system, the one I prefer is OTL, but I must say that so far I do not see any indication of malware. If you still fear a rootkit then perhaps try GMER, but generally rootkits are there for a purpose such as to make money from your actions by pushing your searches through a pay per click advertising site - you would likely notice.
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html ...or the exe from http://www.gmer.net/download.php - it will have some obscure name.
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-close all running programs.
-dclick the .exe to start it; wait for the initial scan to complete [a few seconds]. Press the Copy button, open Notepad and paste into it.
-Then, if you did NOT get a warning at startup about rootkit activity, leave checkmarks ONLY at System, IAT/EAT, Devices, Modules, Processes, Threads and Services; click the Scan button and wait for the scan to finish …

gerbil 216 Industrious Poster

Hello, Michael, the fact that when you highlight Korean in the Text Services window the Add button is available rather indicates that the system thinks Korean is not already enabled.
Your point about costs.... just because something is free doesn't mean it is not valuable and worthwhile. Most of us here use the free AV services; I use the free Avast. Hasn't failed me once.
Your Symantec Endpoint is a full AV+AS service, it will scan everything that comes in and goes out of your system, and everything that starts or is called, automatically. [It would mark files as safe so as not to scan them again needlessly, the mark is removed if they are altered].
So, let's see what's going on... and I see nothing to alarm in that log [know that Trend Micro have not continued development on Hijackthis, it is less of a useful tool than once it was]. There are several orphaned entries, but they were never malicious, nothing to bother about.
Here is a link that you may find interesting:
http://social.technet.microsoft.com/Forums/en-US/officeitpro/thread/96ca33fc-cb59-49c5-81f8-6819d29c5de5/

gerbil 216 Industrious Poster

Hi, killza.
Dclick OTL.exe to start the program; paste the following code into the Custom Scans/Fixes textbox.

:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=113480&tt=010712_5&babsrc=SP_ss&mntrId=6860447b00000000000000238bc075d1
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\..\SearchScopes\{3B098C3C-A6BF-46C0-8A93-EB1F5F87DE18}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=113480&tt=010712_5&babsrc=HP_ss&mntrId=6860447b00000000000000238bc075d1
IE - HKU\S-1-5-21-1090674650-1369377874-28042127-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=113480&tt=010712_5&babsrc=SP_ss&mntrId=6860447b00000000000000238bc075d1
CHR - default_search_provider: Search the web (Babylon) (Enabled)
CHR - default_search_provider: search_url = http://search.babylon.com/?q={searchTerms}&affID=113480&tt=010712_5&babsrc=SP_ss&mntrId=6860447b00000000000000238bc075d1
FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/07/02 13:22:09 | 000,000,000 | ---D | M]
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Jimmy\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll
O2:[b]64bit:[/b] - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O9:[b]64bit:[/b] - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:[b]64bit:[/b] - Protocol\Handler\livecall - No CLSID value …
gerbil 216 Industrious Poster

To be safe, use Avast to scan both iexplore.exe in Pgm Files\Internet Explorer and explorer.exe in \Windows.
Rerun Rkill [the flashing black cmd windows are normal] and when Avast alerts you set the permission to Allow and Ok it each time. Rkill.exe etc should finalise and present a log in a notepad, and disappear as a running process. It is important to try to run all these procedures in Normal mode

gerbil 216 Industrious Poster

In W7 that Readyboost could really only be an easy-to-use method of creating a page file on the flashdrive? It's never going to be actual RAM, but it would be virtual memory. You can do the same in XP, just insert the UFD, go System and thru to the Page File setting section - the UFD will be listed as a candidate for a page file. Slow, though... say for USB2.0 maybe 250Mb/s, cf a Sata II hdd page file at 500Mb/s. Sata II burst speeds are perhaps 2 or 3 times that...
Your sys would be more capable.

gerbil 216 Industrious Poster

Sabre, make sure that all your Avast services are running. Some failed to start earlier.
The rootkit has regenerated after some earlier action. Right, you need to follow these instructions carefully: firstly, you shall download some tools and updates; secondly attempt a couple of deletions, then run the tools in the order given WITHOUT any reboot until Combofix demands it [a reboot would restart any malware configured to start at boot].
-download Rkill, save it to your desktop, from http://www.bleepingcomputer.com/download/rkill/
-download this file also to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
-download OTL from http://oldtimer.geekstogo.com/OTL.exe
-update MBAM, don't scan yet.
Okay, run these tools in Normal mode, close all other applications but keep a copy of these instructions open in a notepad.
**Dclick the Rkill icon to start it, if it runs successfully a notepad log will pop, don't post it. If it doesn't run, try running the downloads from one or both of these sites:
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/rkill.com
If none work, please say.
**Run TDSSkiller, if TDSS or TDLFS show again then quarantine them.

**Do a Full scan with the updated MBAM, fix what it finds but do not reboot even if requested.

**attempt to delete this file and folder; you will have to show hidden files and folders in explorer, else use the cmd window and DIR, then DEL.
file- D:\windows\assembly\GAC\Desktop.ini
folder- D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{156cc7ff-8a28-25e2-b67c-d02b1d0250a9}\

**Combofix: turn …

gerbil 216 Industrious Poster

Apache2.2\bin\httpd.exe

Hi again, sabre.
Please rerun TDSSkiller, and Delete these two entries when they show:
\Device\Harddisk0\DR0 ( TDSS File System ) - warning
\Device\Harddisk0\DR0 - detected TDSS File System (1)
-post the log.

Now let's see if this can detect more of that rootkit. Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], then Save log. Post that, please.
An MBR.dat file will appear on your desktop, it is a copy of your MBR. Do not delete it.

gerbil 216 Industrious Poster

Hello, sabre,
==Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
-click Change Parameters. Under Additional options, check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK.
-click Start scan;
-if TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required];
-press Continue also on any Skip prompt for suspicious files. Do not delete or quarantine any files.
Post the log from D:.

gerbil 216 Industrious Poster

Mmm, it's looking bad. If it will not boot further without the hdd [it would ask for a boot device] then it comes down to video [it's integrated, untouchable], BIOS itself corrupted, or a mb failure. RAM failure [you would need to test the stick in another system] should result in beeps sounding. If the BIOS is corrupted then things get expensive: a preprogrammed chip and a technician to solder the new chip.
I cannot think of any fresh approaches. There may be an internal voltage supply failing, but you would need a tech to check/repair those.

gerbil 216 Industrious Poster

Let's see where it is hiding. Download OTL from http://oldtimer.geekstogo.com/OTL.exe
Dclick OTL.exe to start it, in the window that opens choose Minimal Output, Scan All Users, Standard Registry ALL, check both LOP and Purity boxes, and then press Run Scan.
The scan will take maybe 5 minutes; 2 notepads will present [they are saved to the place where you ran OTL.exe from] - post both, please.

gerbil 216 Industrious Poster

May as well provide an update on the performance of W8 as it pertained to my sys. It can act as a Beware! there be wolves! caution to others with a similar setup.
I have two hdds with my XP sys, the first holds several partitions with XP alone with a tiny 50MB page file in one; temp stuff like emails, browser files, pgm data, downloads etc in another, then an apps drive, and some dedicated data partitions. The second hdd has the main page file [500 - 1500MB] in one partition, backups in a second, and another data partition. Plus unallocated space for any recovery installation.
As I said I would, I installed W8 over an imaged XP [upgraded it] which I had put to a C: partition on a separate, third hdd. I then fired up with this XP image drive alone. I used the iso, did not bother loading it to a USB, just fitted it into Alcohol which was in another Applications partition [ an image also] on that hdd. Upgrade went well, not a single issue, and W8 fired up after the necessary couple of restarts. Worked as it should.
Then I got silly. I connected my XP hdds and let W8 see them. Sure, it could, I could browse, play the music, check pics, whatever. Some pgms did not work, the ones that Setup informed me about, but I only played with a few. I restarted the sys. HOLY CRAP!! Chkdsk …

gerbil 216 Industrious Poster

Hello, killza. The gun anti-virus helpers are indisposed; I might be a bit of a mug, but these instructions should see you clear.
You have a choice to make: you keep ONE of either AVG or McAfee. It sounds like you installed McAfee recently, in that case you must remove AVG [if that is your choice]. In the case of AV tools, generally two is much poorer than one: they interfere, squabble if you will, and the job rarely gets done. A slow machine is also a [minor] result.
Firstly, use Program Controls to uninstall AVG, then go to this site: http://www.avg.com/ww-en/utilities and select the [2nd] AVG Remover; run it.
McAfee have a similar tool at http://service.mcafee.com/FAQDocument.aspx?id=TS101331 [MCPR.exe, instructions are there...] I put this information up in case you wish to keep AVG instead.

Done? Now to remove Babylon. Uninstall it from Program control.
The toolbar appears to be attached only to IE, so remove it from IE Add-ons.
Change your homepage.
Delete these folders:
C:\Users\Jimmy\AppData\Roaming\Babylon
C:\ProgramData\Babylon
C:\Program Files (x86)\BabylonToolbar
That should suffice. But check Firefox Add-ons, and Chrome Extensions and Options for it; remove if found. Homepages, too.
The logs appear otherwise clean. Update and rerun Malwarebytes, the quick scan; post that log.
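Both the hidden file/folder deletion in the earlier post and the Babylon folder clean-up above boil down to the same check: confirm the leftover actually exists (hidden and system attributes hide it from a plain dir or Explorer), then remove it and verify the IE add-on entries are gone. The following PowerShell audit script is an added example, not gerbil's own instructions; the paths are the ones named in this thread, the `-Remove` switch is an assumption (default is report-only), and the registry locations are the standard IE Browser Helper Object and Toolbar keys.

```powershell
# Added example: audit (and optionally remove) leftover paths named in this thread,
# then look for Babylon among IE add-ons. Report-only unless -Remove is given.
param([switch]$Remove)

# Paths quoted in the posts above; malware drops often carry Hidden/System attributes
$Paths = @(
    'D:\windows\assembly\GAC\Desktop.ini',
    'D:\Documents and Settings\Sabre2th\Local Settings\Application Data\{156cc7ff-8a28-25e2-b67c-d02b1d0250a9}',
    'C:\Users\Jimmy\AppData\Roaming\Babylon',
    'C:\ProgramData\Babylon',
    'C:\Program Files (x86)\BabylonToolbar'
)

foreach ($p in $Paths) {
    # -Force is required, otherwise hidden/system items are simply not returned
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Output "absent : $p"; continue }
    Write-Output ("present: {0}  [attributes: {1}]" -f $p, $item.Attributes)
    if ($Remove) {
        # -Force overrides ReadOnly/Hidden/System, -Recurse handles the folder case
        Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction Continue
    }
}

# IE add-ons: BHOs are subkeys named by CLSID, Toolbar lists CLSIDs as value names.
# Both the native and the Wow6432Node views are checked on 64-bit Windows.
$IeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)
foreach ($k in $IeKeys) {
    if (-not (Test-Path $k)) { continue }
    $clsids = @(Get-ChildItem $k -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
    $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if ($props) {
        $clsids += $props.PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object { $_.Name }
    }
    foreach ($c in $clsids) {
        # The CLSID's default value carries the add-on's display name
        $name = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$c" -ErrorAction SilentlyContinue).'(default)'
        if ($name -match 'Babylon') { Write-Output "IE add-on still registered: $c ($name) under $k" }
    }
}

# Homepage check: the post says to change it, so show what is currently set
$start = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'
Write-Output "IE Start Page: $start"
```

Run it from an elevated PowerShell prompt first without `-Remove` to see what is actually still on disk; the add-on and Start Page lines tell you whether the IE side of the clean-up has taken effect.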

gerbil 216 Industrious Poster

And the 11CA version is probably the best.

gerbil 216 Industrious Poster

Gmer can stick occasionally on some systems that are clean. Try running it in Safe mode firstly to see if you have a good copy, then properly in Normal mode... it can only detect rootkits that are running, many do not start in safe mode.

gerbil 216 Industrious Poster

Ah, no. You have to get BIOS to run. Try holding down the Esc key as you power it up [or even F2]. Esc may get you to the drive boot option menu.
If BIOS still will not run then I suspect a hardware problem as above. Disconnect your hdd coupling and try.