Nasties and Enigmas
Join Date: Jan 2007
Posts: 22
Reputation:
Solved Threads: 0
I am probably out of sync with your methodology, as I ran AVG 7.5 before I found your forum. However, what else is new, so I will post the log with an initial introduction and possibly you can figure out what is going on.
Dell Inspiron 3500 laptop, running Win2000 (64 MB RAM), very slow on the internet, whereas it ran very well before I downloaded a TWEAKUI program. ISP tech said to run malware/spyware etc., which I did - Spyware Terminator and AVG 7.5, which found and deleted a number of high-threat files, i.e. worms and trojans. I can now connect to the internet and get to my home page, but after that can't go anywhere. I am posting the HijackThis log and would also like to know if guard.exe (which I believe is an AVG background program - which has not been initiated by me - unchecked in AVG) could be a problem. It takes up memory when it is not supposed to be running. Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:28:36 PM, on 1/21/2007
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\Program Files\DS Clock\dsclock.exe
C:\Program Files\Desksweeper\DeskSweeper.exe
C:\Download\unzip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O4 - Startup: DeskSweeper.lnk = C:\Program Files\Desksweeper\DeskSweeper.exe
O4 - Startup: dsclock.lnk = C:\Program Files\DS Clock\dsclock.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
guard.exe..... I take it that you have just downloaded AVG. This, then, is the realtime protection unit. It stops after 30 days unless you feed it money. Let it run while you can have the benefit of it. It will remain in memory even if it is not running.
Okay, now for some fun. You have a rabid emailer which is probably why you cannot get right out into the net, and a backdoor trojan. Fixing them may be easy, or it may be hard.
First, please rename Hijackthis.exe to Simplesimon.exe.
===Restart your computer in Safe Mode: press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in using YOUR NORMAL ACCOUNT, not the Administrator account.
Go Ctrl/Alt/Del once to start task manager. Click processes tab, locate and end these three processes:
spooIsv.exe
sysamp.exe
sys32.exe [watch the spelling of that first one: spoolsv.exe is a real process, don't want to miss the baddie!]
Open an explorer window, go Tools > folder options > view tab and select the button Show hidden files and folders, Apply and OK.
Now in that window navigate to C:\WINNT\System32 and open that folder. Locate the three above .exe files and delete them. And this time the spelling of the first is VERY important. Watch out for and avoid spoolsv.exe.
Now while still in safe mode run hijackthis [SimpleSimon.exe] again; this time search for and put checks against the following if they exist:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Press Fix Checked and close hijackthis.
Reboot to normal mode.
Please download Hoster: http://www.funkytoad.com/download/hoster.zip and Extract it to your Desktop.
- click the Restore MS Hosts Button and then click OK and exit Hoster.
Finally run Hijackthis again, and post the log from THIS run.
You have not been keylogged, but your email passwords are compromised. Make new ones. On the other hand, the rogue you had does not like competition so if you had any other bots it has killed them!
Join Date: Jan 2007
Posts: 22
Reputation:
Solved Threads: 0
What is a rabid emailer, and what is being 'keylogged'? What is the explanation for getting to my homepage but not being able to navigate anywhere else? Are you sure my e-mail password has been compromised? What are the other effects of this nasty?
You mention in your 'fix': "When the Boot Menu appears again, select Microsoft Windows XP and press Enter." I don't have XP. I have Win2000. Thanks...ennglish
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
Rabid as in mad dog. Keylogger: a program which copies your keystrokes, paying particular attention usually to password entries such as in banking forms, and periodically sends them off, or holds them for collection by a bot.
A short description of the activities of one of your trojans, courtesy of F-Secure:
-joins and parts IRC channels, changes nick, creates clones, sends raw commands, sends messages and notices, floods channels
-scans for vulnerable computers using a number of exploits (see below) and reports to a hacker
-tries to spread to network shares, bruteforces share passwords using the hardcoded list
-steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
-steals Outlook account information (SMTP and POP server names, logins and passwords)
-steals HTTP e-mail server logins and passwords (Hotmail)
-sniffs network traffic (packet sniffer)
-downloads and runs files on an infected computer
-opens a pipe-based remote command shell on an infected computer
-acts as a proxy server on a selected port
-collects information about an infected system (software and hardware configuration)
-finds and terminates competing bots
-performs a DoS (Denial of Service) attack
-updates itself from the Internet
==in short, your computer can be controlled remotely, is a pest to others on the network, and some of your personal info can be collected. You have a backdoor trojan - it opens your computer so that it can be controlled externally.
And the other pest is a worm. It modifies your hosts file so that you cannot contact over the web any AV and similar sites to download removal software. Which is why I recommended running Hoster. I know you have Win2000 - it is in the header of your HT log, but Hoster works for the 2000/XP series. It is just that the button has that label....
It attaches itself to any emails you send so that it may infest others, it uses your address list to send infected emails to your contacts [they'll love you for that..], it generates email addresses and sends infected emails on its own.... And it can also function as a backdoor, letting the controller into your computer.
See what I mean? I DO mean to scare you....And your computer may very well be too busy to let you do anything online.
So it's up to you... I do not expect you to trust me implicitly, but if in doubt...
Try checking your hosts file... %systemdrive%\WINNT\system32\drivers\etc. Drag the hosts file into an open notepad window. See if it has entries other than 127.0.0.1 [you will have to unhide hidden files and folders]
Last edited by gerbil; Jan 24th, 2007 at 9:41 pm.
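The hosts-file check gerbil describes above, as an added example that is not part of the thread or of Hoster: a small Python script that parses a hosts file, skips comments, and reports every mapping other than the plain localhost line, telling apart a real site pinned to loopback (blocked, which is the worm's trick) from one pointed at some other address (redirected). The sample file contents and the vendor-like hostnames are constructed; `restore_stock()` is an assumed equivalent of a "Restore MS Hosts" button that keeps only the comment lines and the localhost entry.

```python
"""Parse a Windows hosts file and flag entries that block or redirect sites.

Added example for this thread; not part of Hoster or any tool mentioned.
The sample hosts text and hostnames below are constructed for illustration.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample: a stock Windows 2000 hosts header plus the kind of
# lines a worm appends to keep the victim away from AV vendors (the .test
# names are placeholders, not taken from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.example-av-vendor.test
127.0.0.1 update.example-av-vendor.test
10.0.0.99 www.example-bank.test   # redirect, not just a block
"""

STOCK_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Classify every entry that is not the plain localhost mapping.

    'block'    : a real hostname pinned to loopback (site becomes unreachable)
    'redirect' : a hostname pointed at some other address
    'garbage'  : first field is not a valid IP address at all
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "garbage"))
            continue
        if name == "localhost":
            continue                      # the one mapping a clean file carries
        if addr.is_loopback:
            findings.append((ip, name, "block"))
        else:
            findings.append((ip, name, "redirect"))
    return findings


def restore_stock(text: str) -> str:
    """Keep only comment lines and the localhost mapping.

    Assumed to be what a 'restore default hosts' tool does; the thread does
    not document Hoster's internals.
    """
    keep = [raw for raw in text.splitlines() if raw.lstrip().startswith("#")]
    return "\n".join(keep + [STOCK_HOSTS.rstrip()]) + "\n"


if __name__ == "__main__":
    for ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:8} {ip:15} {name}")
```

On a Windows 2000 box the file to feed this is `%systemdrive%\WINNT\system32\drivers\etc\hosts`; anything the script reports as `block` for a vendor or update site is the symptom gerbil is pointing at, and `redirect` entries deserve a closer look still.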
Join Date: Jan 2007
Posts: 22
Reputation:
Solved Threads: 0
Since speaking with you earlier, another help site answered me and set up some solutions, including running AVG Anti-Spyware, setting up a FixServices.bat file, running HijackThis and deleting the same files as you list (couldn't find C:\WINNT\sys32.exe), and running a program called SDFix. Nothing changed, and unfortunately I couldn't complete his instructions because it involved downloading very large programs which I cannot transfer from the current computer to the infected one - not enough floppies and no memory stick now.
It looks like I can follow through on your solution, but let me know if what I already did obviates the efficacy of your method. I've already downloaded hoster.zip and I can get it on the infected computer. I also have HijackThis on it, which, if I'm correct, is all I need just now, right?
I tried to get to Panda for a scan but the bugger wouldn't let me go there! Let me know if we should continue. I'm willing to push this old brain (69+ years) at least for a little while.
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
I've already downloaded hoster.zip and I can get it on the infected computer. I also have HijackThis on it, which, if I'm correct, is all I need just now, right?
I tried to get to Panda for a scan but the bugger wouldn't let me go there! Let me know if we should continue. I'm willing to push this old brain (69+ years) at least for a little while.
Sorry I did not outline your expected limitations more fully in my earlier post....but the second post fairly lists what may be happening on your computer and how you are limited in your initial responses. And no, what you have attempted is no problem, just go ahead and try what I said, and if you succeed then we will try some deeper searching and cleaning. If you don't succeed, we'll try something else. So for now do the thing with HT [remember to change its name!, 'cos some pests know it by now and block it from seeing them]. We'll get there, but once we start please don't mix'n'match solutions....I'm not being arrogant here, it is that I don't want to lose track of what you are doing. Doing stuff posted here by others is ok 'cos I can see that, but I'll miss action on other sites.
Cheers, and go for it.
PS.. to see some hidden files/folders like system32: in an explorer window, go tools > folder options > view tab, and press Show hidden files and folders, Apply and OK.
Do this first, and keep the setting before you commence the fix. Have a glance at your hosts file...
Last edited by gerbil; Jan 24th, 2007 at 11:10 pm.
Join Date: Jan 2007
Posts: 22
Reputation:
Solved Threads: 0
P.S. Want to be sure I understand your instructions. You wrote that I should stop the following processes in Task Manager:
spooIsv.exe
sysamp.exe
sys32.exe [watch the spelling of that first one: spoolsv.exe is a real process, don't want to miss the baddie!] This comment in brackets is unclear. You also wrote: And this time the spelling of the first is VERY important. Watch out for and avoid spoolsv.exe.
It seems as if you are saying I should delete spoolsv.exe and yet avoid it. The files you indicated are spelled exactly the same.
ennglish
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
In task manager, if you stop a process it is no big deal - your pc may crash or merely halt if you choose the wrong one, but no real harm is done, a restart will cure it. If, though, you delete the wrong file in system32 some effort will need to be gone into to rebuild it....
So, in the first case I was telling you to not miss the bad one by stopping the good one, in the second case I was telling you not to delete spoolsv.exe, as that is a good one [for printing services].
To avoid font problems, SPOOLSV.EXE is a valid M$ file. Leave it alone.
SPOOISV.EXE is the one we need to remove.
The reason for stopping a process is that it is not possible to delete a running process...
Last edited by gerbil; Jan 25th, 2007 at 10:37 am.
Join Date: Jan 2007
Posts: 22
Reputation:
Solved Threads: 0
Thanks. I figured out the spool (L) problem. I read it wrong: L instead of I. I went into HijackThis (on a dry run) and couldn't find the following files which look like registry entries:
O4 - HKLM\..\Run: [Spooler SubSystem App]
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner -
You'll have to give me more explicit instructions on these and on HijackThis. The only place I can see for finding files is in Misc. Tools - Delete and boot or some such bar (I'm not at that computer now). Finally, renaming HijackThis.exe: I would do it from Windows Explorer in the program folder and also on the desktop shortcut. Am I right on this?
Thanks...
Join Date: May 2005
Posts: 3,204
Reputation:
Solved Threads: 188
The confusions that arise through choice of font plus similar, genuine-sounding names are part of the ploy to avoid detection by the uninitiated [or the careless].
Now. Do not concern yourself with dry runs - I shall do my best to not actually harm your system.
First, we must try to stop the possibility of a malware recognising Hijackthis and also enable you to find them.
Second, we must stop the processes that we wish to remove from running.
Third, we delete those processes.
Fourth, we remove the registry keys that call those processes.
Now i shall reiterate and enlarge upon those instructions.
1. Open an explorer window, navigate to your download\unzip folder and open it; in the right pane rclick Hijackthis.exe, select rename in the context menu and change it to Strawdogs.exe.
Still in that window go to tools > folder options > view tab, look down the list and press the button Show hidden files and folders, Apply and OK.
2. We go to safe mode.... Restart your computer, press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in using YOUR NORMAL ACCOUNT, not the Administrator account.
[safe mode loads the bare minimum of drivers and processes necessary to get the OS running so that we can work on it].
We shall proceed with the basic tools. Open task manager via Ctrl-Alt-Delete combined keypress [one only]. Select the processes tab, alphabetise the list by lclicking Image Name header, scroll down and search for these three processes:
spooIsv.exe
sysamp.exe
sys32.exe
---in turn highlight each and click End Process. Those will be the actual names; do not be concerned if you do not find one or any because that just means that they are not running - a function and benefit of safe mode. Close task manager.
3. Click Start, go My Computer and Local Drive C: [or open an explorer window however you wish]
-in the left pane tree [click Folders icon if you must] expand C:; expand WINNT; lclick system32.
-in the right pane search for those three files above and delete each. Collapse WINNT folder.
4. Open download\unzip and dclick Strawdogs.exe. Press Do a System scan only.
-place checks against the following:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
Press Fix Checked.
Reboot to normal mode. If you have not already done so extract Hoster from its zip file to desktop or your unzip folder.
-dclick the hoster.exe and press Restore MS Hosts button. Ok and close.
-start Strawdogs again, close the explorer window and select Scan and Save a logfile.
Please post that file.
===Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the install checkboxes to only open from the recycle bin. It's neater that way.
-Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as I suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon and the Windows tab; press Run Cleaner. Now select the Applications tab and Run Cleaner. Close it.
-Now start AVG a-s 7.5; under Scanner/ Settings set Recommended actions to Quarantine, and run the scan. Save the log file and only then click Apply all actions. Post the log file.
Ok, two files to post. I'll check for them.
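The spoolsv/spooIsv confusion gerbil explains earlier in the thread, and the O4/O23 entries in the fix list above, are the kind of thing a script can check for mechanically rather than by eye. The following Python is an added example for this thread, not a HijackThis feature: it folds confusable glyphs (capital I, lowercase l, digit 1; letter O, digit 0) before comparing a file name against an allow-list of core Windows processes, flags unknown executables living in system32, and flags O23 services marked "Unknown owner" or "(file missing)". The allow-list, the folding table and the sample log lines are constructed for this example; the three suspect file names are the ones discussed in the thread.

```python
"""Flag lookalike process names and odd entries in HijackThis-style log lines.

Added example for this thread; not a HijackThis feature. The allow-list,
the glyph folding table and the sample log below are constructed here.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Glyphs that look alike in common fonts are folded to one symbol so that
# "spooIsv" (capital i) and "spoolsv" (lower-case L) compare equal.
_FOLD = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def fold(name: str) -> str:
    """Case-fold a file name and collapse confusable glyphs."""
    return name.lower().translate(_FOLD)


# Constructed allow-list of core Windows 2000/XP processes, keyed by folded name.
LEGIT_PROCESSES = ["smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "mstask.exe", "winmgmt.exe"]
LEGIT_BY_FOLD: Dict[str, str] = {fold(n): n for n in LEGIT_PROCESSES}

_SYSTEM32_RE = re.compile(r"\\(winnt|windows)\\system32\\", re.IGNORECASE)
_EXE_RE = re.compile(r"(.*?\.exe)", re.IGNORECASE)

# Constructed sample in HijackThis v1.99 format; the three suspect names are
# the ones discussed in the thread, the rest is harmless filler.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\sysamp.exe
C:\Program Files\DS Clock\dsclock.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\System32\sysamp.exe
O4 - HKCU\..\Run: [DS Clock] C:\Program Files\DS Clock\dsclock.exe
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
"""


def extract_path(line: str) -> Optional[str]:
    """Pull the executable path out of a process, O4 or O23 line."""
    if line.startswith("O4 - "):
        candidate = line.partition("] ")[2]          # text after the [entry name]
    elif line.startswith("O23 - "):
        candidate = line.rsplit(" - ", 1)[-1].replace("(file missing)", "")
    elif re.match(r"[A-Za-z]:\\", line):
        candidate = line                             # bare "Running processes" entry
    else:
        return None
    m = _EXE_RE.match(candidate.strip())            # drop any trailing arguments
    return m.group(1) if m else None


def analyze(log: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for every suspicious line, in log order."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("O23 - "):
            if "Unknown owner" in line:
                findings.append(("unknown_owner", line))
            if "(file missing)" in line:
                findings.append(("file_missing", line))
        path = extract_path(line)
        if not path:
            continue
        name = path.rsplit("\\", 1)[-1]
        legit = LEGIT_BY_FOLD.get(fold(name))
        if legit is not None and legit.lower() != name.lower():
            # Same name once confusable glyphs are folded, but not the same spelling.
            findings.append(("lookalike", f"{name} imitates {legit}"))
        elif legit is None and _SYSTEM32_RE.search(path):
            # An executable in system32 that is not on the allow-list.
            findings.append(("unknown_in_system32", path))
    return findings


def finding_kinds(log: str) -> Dict[str, int]:
    """Count findings by kind, handy for a quick summary."""
    return dict(Counter(kind for kind, _ in analyze(log)))


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
```

Run it over a saved HijackThis log and the `lookalike` findings are exactly the font trick gerbil warns about; `unknown_in_system32` is only a prompt to look closer, since legitimate third-party services also install there, which is why the thread has the reader confirm each name before deleting anything.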