
NT Authority Shutdown

Discussion in 'Malware and Virus Removal Archive' started by dhbass, 2005/05/18.

Thread Status:
Not open for further replies.
  1. 2005/05/18
    dhbass

    dhbass Inactive Thread Starter

    Joined:
    2005/05/18
    Messages:
    6
    Likes Received:
    0
    Here is some background. Had some nasty trojans and viruses removed recently. This virus greyed out Firewall protocols in SP2 so I decided to remove and reinstall SP2. I forgot to install firewall protection and let's just say my problems are a lot worse than before. I have been infected with the Trojan Collected 5 L to start with and noticed that I have a lot more since I have done a Hijack This File (which I can only do in safe mode). I also did a scan with MWAV as well and here is what the files say.

    Any help that I can get will be greatly appreciated.

    I am presently trying to install critical updates so I can get SP2 back on the computer, but can't get by the critical update 329834. Also an NT Authority window pops up with System32\LSASS.exe terminated and windows will now shut down.

    Have scanned computer with AVG (finds and deletes 2 files) recreated every time Windows reboots.
    Have scanned computer with Spybot Search and Destroy (no infections detected).
    Have scanned and deleted files with Ad-Aware SE

    Logfile of HijackThis v1.99.1
    Scan saved at 11:12:38 PM, on 5/17/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb032YYCA
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1116380556424
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

    Tue May 17 23:18:22 2005 => File C:\DOCUME~1\OWNER\RDRIV.SYS infected by "Trojan.Win32.Rootkit.l" Virus! Action Taken: No Action Taken.
    Tue May 17 23:18:14 2005 => File C:\WINDOWS\system32\msconfig32.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
    Tue May 17 23:18:22 2005 => File C:\DOCUME~1\OWNER\RDRIV.SYS infected by "Trojan.Win32.Rootkit.l" Virus! Action Taken: No Action Taken.
    Tue May 17 23:19:34 2005 => File C:\WINDOWS\winsmc.exe infected by "Backdoor.Win32.SdBot.xd" Virus! Action Taken: No Action Taken.
    Tue May 17 23:20:39 2005 => File C:\WINDOWS\System32\msdirectx.sys infected by "Trojan.Win32.Rootkit.h" Virus! Action Taken: No Action Taken.
    Tue May 17 23:20:45 2005 => File C:\WINDOWS\System32\msnpg.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
     
    Last edited: 2005/05/18
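As an added example (not code from the original thread), a small Python triage of the O4 autorun entries in the HijackThis log above: it flags a bare executable name registered in Run and RunServices under both HKLM and HKCU, which is exactly how msconfig32.exe (identified by MWAV as Backdoor.Win32.Rbot.gen) is persisting here. The sample input is constructed from the O4 lines of the posted log; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the registry O4 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# HijackThis registry autorun line: O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")


def parse_o4(log_text):
    """Yield (hive, key, display_name, command) for each registry O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()


def is_bare_filename(command):
    """True when the executable has no directory, so Windows locates it by
    searching the system directories and PATH instead of a fixed path."""
    exe = command.split()[0].strip('"')
    return "\\" not in exe and ":" not in exe


def triage_o4(log_text):
    """Flag the two patterns the log above shows for msconfig32.exe: a bare
    executable name, and one entry duplicated across Run/RunServices in
    both HKLM and HKCU, which legitimate installers rarely do."""
    locations = defaultdict(list)
    for hive, key, name, command in parse_o4(log_text):
        locations[command].append(f"{hive}\\..\\{key} [{name}]")
    findings = []
    for command, locs in locations.items():
        reasons = []
        if is_bare_filename(command):
            reasons.append("bare_filename")
        if len(locs) > 1:
            reasons.append(f"registered_in_{len(locs)}_keys")
        if reasons:
            findings.append({"command": command, "locations": locs, "reasons": reasons})
    return findings
```

Entries with a full path that appear once, like avgcc.exe, produce no finding; the same logic works on any HijackThis log pasted into SAMPLE_LOG.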
  2. 2005/05/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS dhbass :)

    Run the Sasser Removal Tool from Microsoft, and install the update recommended only. I do not recommend re-installing SP2 until you're cleaned up. Post back with results and we'll continue with the other infection. Try to keep your internet browsing to a minimum until then.

    Suggest you download and install a firewall, such as Zone Alarm or Sygate, ASAP.
     


  4. 2005/05/18
    dhbass

    dhbass Inactive Thread Starter

    Joined:
    2005/05/18
    Messages:
    6
    Likes Received:
    0
    Sorry about that
    Thanks for the help!!!!!
    I have McAfee Firewall installed but the icon turns black and deletes itself when the mouse is hovered over it. It stays red in safe mode.
    I was able to install the critical update 835732, but only in safe mode. I can't open the control panel add/remove programs to check to see if it was installed.
    Scanned the computer with AVG and found and healed 1 file
    C:\Documents and Settings\Owner\MSDIRECTX.SYS
    This file always is regenerated when the computer reboots.
    Trend Micro's Online scan found 2 files
    1. Worm SDBOT.BKW was deleted
    2. Worm SDBOT.BUY was uncleanable since it is in use.
    (C:\WINDOWS\system32\msconfig32.exe)
    Sasser removal tool did its job and touch wood the NT Authority Shutdown is cured!!!! Yahoo
     
    Last edited: 2005/05/19
  5. 2005/05/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please post a new HijackThis log, as well as the results of a new MWAV scan.
     