I have at least a few problems.

Discussion in 'Malware Help (A Specialist Will Reply)' started by owlbug, Mar 5, 2007.

  1. owlbug

    owlbug Private First Class

    When I was performing searches on Yahoo! I noticed that when I clicked on links I wasn't going to the websites I wanted to go to.
     


  2. owlbug

    owlbug Private First Class

    AVG AntiSpyware found quite a few things, but I wasn't able to update it until after I finished all the searches, so I haven't run a new AVG AntiSpyware sweep.

    BitDefender found some stuff, Panda found nothing.

    I'm running Windows 2000. Pretty old computer.
     


  3. owlbug

    owlbug Private First Class

    I feel pretty confident there is a virus left on my computer, and the first couple of lines of my HijackThis log seem to indicate a problem.

    I'm running ZoneAlarm, AVG 7.5, Spyware Guard, and Spyware Blaster.

    I've also got an expired CounterSpy, CCleaner, Ad-Aware, Spybot, RegCleaner, HijackThis, and MRU-Blaster. I've recently removed a bunch of Norton stuff, but I've kept Ghost because it has helped me in the past.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall it since it is of no use to you and is just wasting system resources.

    Please attach the other logs requested in the READ & RUN ME
    - AVG Antispyware
    - PandaActiveScan


    Then run this WareOut Removal and also attach the requested log from it.


    Why does Symantec need the below to be running all the time to support Ghost? Why can just Ghost and nothing else be run only when you need to use it?
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    All documentation for these processes indicates they are part of Symantec Security Center and antivirus. What do they have to do with Ghost?

    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe is described as part of Norton Personal Firewall and Norton Internet Security. Sndsrvc.exe is the module controlling the send scan for outbound email if the option is selected to integrate into the mail client. It is not necessary if you do not scan outbound email. Why is it needed? If it is part of a firewall then you are conflicting with ZoneAlarm.

    Thus based on the above and the fact that I see the below in your ShowNew log, you need to either uninstall all the Norton junk or uninstall AVG. You have multiple antivirus/security suites installed. If you want to keep Norton then AVG must go. Personally I would dump Norton in the blink of an eye.

    "DisplayName"="Norton AntiVirus Parent MSI"
    "DisplayName"="Norton Ghost"
    "DisplayName"="Norton SystemWorks 2004 Professional (Symantec Corporation)"
    "DisplayName"="Norton SystemWorks 2004 Professional"
    "DisplayName"="Symantec Network Drivers Update"

    If you want to keep AVG then uninstall all Norton stuff except Norton Ghost!
     
  5. owlbug

    owlbug Private First Class

    I'm having trouble uploading at the moment, but I'll take the actions suggested and I guess I'll dump Norton, Ghost and all. I'm no big fan of Norton. Oh, and I don't know if I have a Panda log. The Panda scan showed no problems, but it also seemed rather quick.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach new logs from ShowNew and HJT after following those steps and also uninstalling all of the Norton stuff.
     
  7. owlbug

    owlbug Private First Class

    Ok, I figured out why I'm having trouble uploading the AVG Antispyware log file. It's 2.59M. Did I do something wrong? Included are new files. Report = fix ware out. Norton and CounterSpy have been uninstalled.
     


  8. owlbug

    owlbug Private First Class

    Good night, I'll be back tomorrow. Thanks for your help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Possibly! You may have forgotten to run CCleaner to clean all user accounts first, or you may have forgotten to empty all quarantine folders etc. first, which could make the log very big. Or you may have lots of stuff in System Restore. You can compress it into a ZIP file and try uploading that.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Mozilla Firefox (1.5.0.3)
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    I still see the below from Symantec/Norton installed. Are they showing in Add/Remove programs to uninstall?
    Norton AntiVirus Parent MSI
    Symantec Network Drivers Update

    If they are not showing, run this Getting Uninstall Programs List From The Registry and attach the requested log.

    Let's remove another left over service from Symantec.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Network Drivers Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SNDSrvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O17 - HKLM\System\CCS\Services\Tcpip\..\{861777AD-8B0B-4913-9828-B4D66F113861}: NameServer = 85.255.115.43,85.255.112.124
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.124
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.124
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.124
    O20 - Winlogon Notify: satau320 - satau320.dll (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\dmnrp.exe
    C:\WINNT\system32\csmkd.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\Symantec

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetUnKey.txt log from the new scan ran at the top of the procedure.
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
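    The O17 and O20 lines in the fix list above are the part of this log worth understanding. The O17 entries set the NameServer value in every control set to two external resolvers the user never configured, which means every DNS lookup (and therefore where a clicked search result actually lands) is answered by someone else; the O20 entry is a Winlogon Notify hook whose DLL is already gone and can only fail to load. The script below is an added example, not part of this thread and not HijackThis's own code: it triages a pasted HJT log for those two patterns. The 192.168.1.1 line is constructed as a benign contrast, and the `trusted` allow-list (empty by default) is an assumed parameter for the resolvers a machine is genuinely expected to use.

```python
import ipaddress
import re

# Constructed sample: the HijackThis lines quoted in the post above, plus one
# O17 line pointing at a private router address (constructed) as a benign case.
SAMPLE_HJT_LINES = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O17 - HKLM\System\CCS\Services\Tcpip\..\{861777AD-8B0B-4913-9828-B4D66F113861}: NameServer = 85.255.115.43,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: satau320 - satau320.dll (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
""".strip().splitlines()

NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.*)$")


def parse_nameservers(line):
    """Return the resolver addresses from an O17 line.

    HJT prints the registry value as-is, so the separator may be a comma
    (CCS\..\{interface} keys) or a space (Tcpip\Parameters keys)."""
    m = NAMESERVER_RE.search(line)
    if not m:
        return []
    return [tok for tok in re.split(r"[,\s]+", m.group(1).strip()) if tok]


def is_trusted_nameserver(addr, trusted):
    """A resolver is trusted if it is on the caller's allow-list (assumed
    parameter, e.g. the ISP's resolvers) or is a private/loopback/link-local
    address, i.e. a router or the machine itself."""
    if addr in trusted:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not even an IP address: never trust it
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(lines, trusted=frozenset()):
    """Return a list of findings (dicts) for the two patterns of interest."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O17":
            rogue = [ns for ns in parse_nameservers(line)
                     if not is_trusted_nameserver(ns, trusted)]
            if rogue:
                findings.append({
                    "section": section,
                    "reason": "DNS resolver outside trusted set: " + ", ".join(rogue),
                    "line": line,
                })
        elif section == "O20" and "(file missing)" in line:
            findings.append({
                "section": section,
                "reason": "Winlogon Notify entry points at a DLL that no longer exists",
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

    Run it against a saved HJT log by replacing SAMPLE_HJT_LINES with the file's lines. Every O17 line whose resolvers are neither private nor on the allow-list is reported, and the same two addresses showing up under CCS, CS1 and CS2 (as in the log above) is what makes a single "fix" insufficient: the value has to be corrected in every control set, which is why HJT lists each one separately.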
     
  10. owlbug

    owlbug Private First Class

    I can't run the newest versions of J2SE and Firefox on my computer. When I try to install Win2000 SP2 my computer crashes (blue screen of death).

    I don't see Symantec Network Drivers Service.

    I'm not sure if I got rid of these files correctly through Killbox. I couldn't copy & paste both at once (only one file displayed when I tried to do both).
    C:\WINNT\system32\dmnrp.exe
    C:\WINNT\system32\csmkd.exe

    Didn't receive PendingFileRenameOperations

    Seems to be running ok, maybe even a little better. I was having trouble with Firefox a couple of days ago (it kept closing when I tried to use it, and it had errors when a website needed Macromedia Flash). I'm not having those problems currently.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below file is still there! Either delete it manually or use Killbox again to delete it.
    C:\WINNT\system32\csmkd.exe

    Let me know if you get it deleted. Attach a new ShowNew log if you believe you got it deleted.

    Also delete the below folder:
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
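    Hoster's "Restore Microsoft's Hosts File" step matters because the hosts file is consulted before DNS: a planted line can send a search engine's or a security vendor's name straight to an attacker's address without any resolver being involved, which produces exactly the "clicked a link, ended up elsewhere" symptom this thread started with. The script below is an added example, not part of this thread and not Hoster's code: it parses a hosts file and lists every mapping that points anywhere other than this machine. The sample file and its addresses are constructed; the default path it reads is the standard Windows location under %SystemRoot%.

```python
import ipaddress
import os
import sys

# Constructed sample hosts file: the default entry, an ad-blocking entry of
# the kind users add on purpose, and two hijack-style redirections. The
# 198.51.100.0/24 block is reserved for documentation, so the address is fake.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # blocked by the user, benign
198.51.100.7    www.yahoo.com search.yahoo.com
198.51.100.7    update.example-av.test
"""


def parse_hosts(text):
    """Return (address, hostname, line_no) for every mapping in a hosts file.

    One line may name several hosts; '#' starts a comment anywhere on a line."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), n))
    return entries


def suspicious_hosts_entries(text):
    """Return (line_no, address, hostname, reason) for mappings that do not
    point at this machine.

    A clean default hosts file only maps names to loopback, and ad-blocking
    lists use 0.0.0.0 (unspecified); anything else diverts traffic elsewhere."""
    flagged = []
    for addr, host, n in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((n, addr, host, "not an IP address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.append((n, addr, host, "redirects name to a remote address"))
    return flagged


if __name__ == "__main__":
    # Default to the live Windows hosts file; pass a path to audit another copy.
    default_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                                "system32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default_path
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # no readable hosts file here: show the sample
    for line_no, addr, host, reason in suspicious_hosts_entries(text):
        print(f"line {line_no}: {host} -> {addr} ({reason})")
```

    On the constructed sample the two Yahoo names and the fake update host are reported and the localhost and 0.0.0.0 lines are not. Restoring the default file, as Hoster does, removes every flagged line at once; this check is the way to confirm afterwards that nothing put them back.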
     
  12. owlbug

    owlbug Private First Class

    I deleted 'C:\WINNT\system32\csmkd.exe'.

    I deleted 'C:\Documents and Settings\Administrator\Local Settings\Application Data\Sunbelt Software'.

    I ran Hoster.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, your logs are clean. Now it is time to get your version of Windows 2000 updated. You are way out of date with updates and this is a major security risk. The instructions in the link in the below steps will take care of this.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  14. owlbug

    owlbug Private First Class

    When I open Internet Explorer and go to the home page, which is set as www.yahoo.com, in the address bar the following address shows up:
    http://www.yahoo.com/?rs=1

    I normally use Firefox, but it just seems wrong.

    I'm very apprehensive about updating Windows because it crashes every time I've tried updating it and I've had to reload everything (hence my love affair with Norton Ghost). I should probably back up a lot of stuff on this computer before I try; I also would like to get my laptop repaired so I'm not stuck having no computer.

    Any suggestions are appreciated. I'm loading a-squared free as I post this.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what this is from but it is not malware and it will take you to the same start page. You could try shutting down SpywareGuard and doing a reset of web settings and your home page to see what happens, but I repeat, it is not a problem.


    I have updated literally several dozen PCs from Win 2000 original version all the way thru to SP4 without having a problem. If your PC had any infections when you tried to update, or if your antivirus program (Norton is notorious for this) interfered with the update, then maybe that was your problem. Running with the version you have is just too high a security risk and you can run into MAJOR malware problems with that version due to all the security holes.

    Yes, back up all your data first. This is always a recommended procedure before doing any kind of update (although many people never do the backups and just update).
     
  16. owlbug

    owlbug Private First Class

    Ok, Thanks. One more question. Sometimes after my computer has been running for a while firefox won't come up. It loads but the actual program doesn't show up. I can run Internet Explorer, or reboot and run Firefox. Could it be because I don't have enough memory?
     
    Last edited by a moderator: Mar 6, 2007
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it has anything to do with the amount of memory.

    You should update to the current version of FireFox though and see if it works better. I suggest uninstalling your old version first and then installing the new version. I know you said you could not update Sun Java, but you should update FireFox.

    Have you seen this problem with FireFox since cleaning the malware from your PC?
     
  18. owlbug

    owlbug Private First Class

    I think so. I've gone through and rescanned with all programs and aside from a few cookies everything was clean. I don't think I can update Firefox either (I believe I need SP2). Until I can back up my data I think I'll just have to cope with things the way they are now.

    I've got running in the toolbar by the clock:
    Volume control
    Printer control
    Quicktime
    ZoneAlarm
    AVG Antivirus
    SpywareGuard
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not true. Even Windows 98 can be used! See this: http://www.mozilla.com/en-US/firefox/system-requirements.html

    Also note that the current SP level for Windows 2000 is SP4, not SP2.

    Why are you telling me this?
     
  20. owlbug

    owlbug Private First Class

    LOL, I told you what was running in case I might be running too many things.

    I don't think I have SP2 installed, which is why I refer to SP2. It seems I've tried to update Firefox and it has told me it needs more resources than I have. Perhaps I'm confusing it with something else. I'll try to update it.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The minimum requirements are on the link I gave you for FireFox. It says.
     
  22. owlbug

    owlbug Private First Class

    Ok, I tried to update and it said no updates are available. I guess I need to delete Firefox and reinstall it?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! That is what I requested in message number 9.
     
  24. owlbug

    owlbug Private First Class

    Ok, I've updated Firefox. Next worry is windows. Thanks.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that should be next right after you do some backups if you are concerned that it may cause you problems!
     
