Can't connect to internet after removing Sasser
Enlio
05-07-2004, 02:50 AM
I was hit with Sasser May 1, removed it a couple days ago. After that, I haven't been able to connect to the internet. Nothing will load in my browsers. My ISP says everything is fine and I should be able to connect. Does anyone have any similar problems or offer solutions? Thanks.
deddard
05-07-2004, 06:09 AM
Welcome aboard!
I haven't reviewed all the nasties that sasser does, so maybe someone who has direct experience of this problem can give you a more specific answer, but:
First off, it would help if you could just clarify what actually happens -
does the browser return a blank page with an error message?
can you use email?
What sort of connection to the net do you have (dial up/cable etc)
Are you using a firewall?
If you can use email, then you can connect to the internet. there are other ways to test, but assuming that the problem lies with your browser, the first step is:
If you are using explorer, then open explorer>tools>internet options>connections and see what is actually there. What connections are listed?
Post back with a few more details, and it will be easier to help. You'll find people here who are seriously knowledgeable in some areas, so I'm sure we can help. Once again, welcome aboard!
Budfred
05-07-2004, 08:49 PM
Also, how did you remove Sasser? Have you run any other security scans?
It would probably be a good idea to run HijackThis and post the log with some of those answers so we can see if there is something interfering.... To run HJT, extract it to a permanent folder such as C:\Documents or one you create like C:\HJT. Close all programs you have opened and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, Right click to Copy it, open your browser and come here to Paste the log. Do not make any changes until it is checked since most items are either benign or essential to the computer.
jabarnutcase
05-07-2004, 09:15 PM
Also, how did you remove Sasser? That's a good question Budfred.
I recently posted a link from Microsoft...Stuck it below again just for any relevant info.
Besides their "Automated Check" which doesn't thrill me, there is also a link for manually downloading the removal tool directly. (Below my first link)
http://www.microsoft.com/security/incident/sasser.asp
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
Not sure why I even posted this, other than a little more info. :p
classicsoftware
05-07-2004, 09:39 PM
go to a command prompt and type ping www.pcguide.com and post back the results
As asked earlier, how do you connect? Dial up, broadband?
How did you remove Sasser?
Too many unanswered questions for people to help at this point.
It would also be helpful to know what OS are you using, Win XP, Me, 98, etc...? and are you updated with Windows and I.E. if that is your browser, and have you dumped your temp files lately? If you are getting error boxes please list them exactly as they are shown.
What AV system and anti-spyware do you have, if any, and are they updated? What ISP do you have?
Enlio
05-08-2004, 03:57 AM
I have Win XP Home. I downloaded the Symantec Sasser removal tool to get rid of the virus. I also run Ad-Aware and use Norton Anti-Virus. I have Alltel DSL to connect to the internet; I did some ping tests with them and they said I'm connected. The tech support guy said there must be something wrong with IE (I also use Firefox). IE shows up with "Page cannot be displayed", Firefox says "The connection to the webpage has been refused". The weird thing was that I was able to connect to the internet while I had the virus. The firewall is turned off. Now my modem software is telling me that I have not obtained the IP address. This is very frustrating.
Budfred
05-08-2004, 04:03 AM
Please run a HJT log as mentioned above... You can find a link for it in my signature... There are some programs that can do what this is doing if they are broken accidentally....
stefanus
05-08-2004, 08:44 PM
Enlio, believe me, Budfred is correct. Use HJT and post it here. It works, honestly.
Stefanus
Paul Komski
05-09-2004, 05:40 AM
Have you run the tool a second time as per http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
Enlio
05-09-2004, 04:08 PM
This is what showed up when i used HJT.
Logfile of HijackThis v1.97.7
Scan saved at 2:52:08 PM, on 5/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\LiveUpdate\LiveUpdate.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\server.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\soundtask.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\veloz_vlz.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\server.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\Run: [eac_wren] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\veloz_vlz.exe -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
O4 - HKLM\..\RunServices: [soundtask] soundtask.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
classicsoftware
05-09-2004, 04:27 PM
You are badly infected with at least two virions, to use the biological term, and viruses, to use the common parlance.
Read This (http://www.liutilities.com/products/wintaskspro/processlibrary/scvhost/)
and
This (http://securityresponse.symantec.com/avcenter/venc/data/w32.naco.d@mm.html)
At this point I would download stinger and see if you can get it to run.
Also try a virus scan with your present AV and post back the results.
Budfred
05-09-2004, 05:51 PM
Okay, you do have some problems here in addition to the virus that classicsoftware mentioned... To start, please extract HijackThis to a permanent folder such as one you create like C:\HJT. You are running it from the Desktop and that will put backups all over your Desktop...
Then use HJT to mark/fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\server.exe
O4 - HKLM\..\Run: [scvhost] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost] scvhost.exe
Then you have a whole bunch of unidentified and/or suspicious items. Unless you recognize any of these as valid, I suggest fixing them. If you are not sure, you can find the program and check Properties to see if it looks like it is from a legit program....
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [soundtask] soundtask.exe
O4 - HKLM\..\Run: [System Log Event] csrss32.exe
O4 - HKLM\..\Run: [eac_wren] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\veloz_vlz.exe -k
O4 - HKLM\..\RunServices: [soundtask] soundtask.exe
O4 - HKLM\..\RunServices: [System Log Event] csrss32.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
These are part of a program that is borderline malware and I suggest fixing them....
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamespot.com/
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
This one is a free tool used by developers to set up live updates of programs. It is not clear if it is clean, but it is possible for malware writers to abuse it even if it is, so I recommend fixing it:
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
This is a program that loads some malware onto your system even though it is not technically malware itself, I strongly recommend fixing it:
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
Then reboot to Safe Mode and see if you can find any of these in Add/Remove Programs and remove them there. If they aren't there, find them and delete them. You may have to have WinXP set to show all hidden files to find them. Do not remove if you opted to keep any of them...
C:\WINDOWS\server.exe
C:\WINDOWS\System32\soundtask.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\veloz_vlz.exe
C:\Program Files\MyWay
C:\Program Files\LiveUpdate\LiveUpdate.exe
C:\Program Files\WebSavingsfromEbates
When you finish, reboot and post a fresh log...
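The triage Budfred does by hand above (a bare executable name with no path, a name that imitates a Windows system process such as svchost.exe or csrss.exe, a program launched from a Temp folder, an entry in the Win9x-era RunServices key) can be applied mechanically to the O4 lines of a HijackThis log. The script below is an added example, not part of the thread and not HijackThis code. The sample lines are copied from the two logs posted in the thread (with the forum's mid-filename line wraps joined); the list of system process names it compares against is an assumption, and "Finding" and "triage" are names chosen here.

```python
"""Heuristic triage of HijackThis O4 (autorun) entries. Added example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows processes that malware commonly imitates by name (assumed list).
SYSTEM_NAMES = {"svchost", "csrss", "lsass", "smss", "winlogon",
                "services", "explorer", "spoolsv"}

# "O4 - HKLM\..\Run: [Label] command ..."  (the [Label] part is optional)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): "
                   r"(?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.+)$")
QUOTED_EXE_RE = re.compile(r'^"([^"]+)"')
PATHED_EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|bat|dll))(?:\s|$)", re.I)

# Constructed sample: O4 lines from the first log in the thread.
FIRST_LOG = [
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [RunProg] C:\WINDOWS\server.exe",
    r"O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe",
    r"O4 - HKLM\..\Run: [soundtask] soundtask.exe",
    r"O4 - HKLM\..\Run: [System Log Event] csrss32.exe",
    r"O4 - HKLM\..\Run: [scvhost] scvhost.exe",
    r"O4 - HKLM\..\Run: [eac_wren] C:\DOCUME~1\Owner\LOCALS~1\Temp\EACDownload\veloz_vlz.exe -k",
    r"O4 - HKLM\..\Run: C:\Program Files\Norton Internet Security\UrlLstCk.exe",
    r"O4 - HKLM\..\RunServices: [scvhost] scvhost.exe",
]
# Constructed sample: O4 lines from the second (post-cleanup) log.
SECOND_LOG = [
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe",
    r"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER",
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
]


@dataclass
class Finding:
    label: str
    executable: str
    reason: str


def executable_from(cmd: str) -> str:
    """Extract the program from an autorun command (quoted, pathed, or bare)."""
    cmd = cmd.strip()
    m = QUOTED_EXE_RE.match(cmd) or PATHED_EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def stem(executable: str) -> str:
    """Lower-case file name without directory or extension."""
    name = executable.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches swaps (scvhost) and suffixes (csrss32)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_lines):
    """Return one Finding per (entry, heuristic) hit; clean entries yield none."""
    findings = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        label = m.group("label") or "(no label)"
        exe = executable_from(m.group("cmd"))
        name = stem(exe)
        reasons = []
        for sysname in sorted(SYSTEM_NAMES):
            d = edit_distance(name, sysname)
            if d == 0:
                reasons.append(f"uses the system process name {sysname!r}; the real one is not started from a Run key")
            elif d <= 2:
                reasons.append(f"lookalike of system process {sysname!r} (edit distance {d})")
        if "\\" not in exe and ":" not in exe:
            reasons.append("bare executable name, no path: origin unknown, found via the search path")
        if re.search(r"\\(temp|locals~1|local settings)\\", exe, re.I):
            reasons.append("launched from a temporary-files directory")
        if m.group("key").lower() == "runservices":
            reasons.append("RunServices is a Windows 9x/Me key that XP itself does not use; worms write it anyway")
        findings.extend(Finding(label, exe, r) for r in reasons)
    return findings


def reasons_by_label(findings):
    """Group finding reasons by the entry's [label] for easy review."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.label].append(f.reason)
    return dict(grouped)


if __name__ == "__main__":
    for title, log in (("first log", FIRST_LOG), ("second log", SECOND_LOG)):
        print(f"== {title} ==")
        for label, reasons in reasons_by_label(triage(log)).items():
            print(label, "->", "; ".join(reasons))
```

On the first log this flags scvhost (both keys), csrss32, soundtask, wjview and the Temp-folder veloz_vlz.exe; on the second log only the bare BCMSMMSG.exe remains, which is the kind of entry Budfred tells the poster to check via Properties rather than assume bad. Note what the heuristics miss: C:\WINDOWS\server.exe has a full path and an unremarkable name, so it produces no finding, and the thread identified it by a worm write-up instead. Name-based triage narrows the list; it does not replace an antivirus signature or a look at the file itself.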
Enlio
05-11-2004, 12:36 AM
IT'S WORKING NOW!! BWA HA HA HA HA HA HA HA!!!!!!!!
It was a problem with the drivers. It wouldn't recognize my modem for 2 days, such a huge problem but a simple solution.
Because of this problem I punched my monitor and slammed it into the wall....it's ok though. Now I can dream of getting a wireless network....when I get rich. Now b/c of the virus, I'm paranoid about security, is that a good thing?
Thanks to everyone who responded to my situation.
:)
PrntRhd
05-11-2004, 12:46 AM
Now is the time to get your security beefed up so you won't have to go through this again. Please post a last HJT log so we know it is clean though.
:D
Enlio
05-11-2004, 01:06 AM
Logfile of HijackThis v1.97.7
Scan saved at 12:03:54 AM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TangoManager.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [TangoManager] C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TANGOM~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFBB2033-AE3E-4D53-B242-88933824AA8C}: NameServer = 166.102.165.11 166.102.165.13
Someday I'll have Norton 04 whenever my friend has the time to give it to me; until then I have AVG and trialware of Norton AV and Internet Security.
Budfred
05-11-2004, 01:31 AM
Your log looks clean now...
I urge you to skip the Norton and stay with AVG... If you really want to pay for an AV, get NOD32... A good firewall is crucial too... Being paranoid about this stuff these days is healthy... it is getting pretty vicious out there....
Here is my speech for staying clean:
This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....