Hi and Gd Day,
I'm using Winxp.Recently i'm unable to surf the net. I've run adaware but didnt solve the problem. I've run Hijackthis and this is my log. Hope u're able to help me solve my problems. Thx in advance.

Logfile of HijackThis v1.97.7
Scan saved at 7:52:50 PM, on 5/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\waumgrd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\Ui7410.exe
C:\WINDOWS\System32\msiexec.exe
D:\Mamapapa files\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://servicestage.symantec.com/techsupp/servlet/ProductMessages?module=3019&error=6&language=English&product=NAV
R3 - Default URLSearchHook is missing
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Microsoft Update] mssvc32.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe
O4 - HKLM\..\Run: [Windows Guard] waumgrd.exe
O4 - HKLM\..\Run: [Microsoft Office] lserv.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CpeStart] C:\WINDOWS\System32\CpeStart.exe
O4 - HKLM\..\Run: [ircxyxul] C:\WINDOWS\ircxyxul.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [Microsoft Update] mssvc32.exe
O4 - HKLM\..\RunServices: [Windows Guard] waumgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Office] lserv.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Windows Guard] waumgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] mssvc32.exe
O4 - HKCU\..\Run: [Microsoft Office] lserv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessenger.com/activex/MyEMessengerSetupProject.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38130.9385763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/Flash/swflash.cab

Recommended Answers

All 5 Replies

You have the sasser worm. Download the removal tool from here http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html .

Once done remove Newdotnet, either from add/remove programs, or by going here. & scrolling down to the uninstall tool.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "lsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Go here for an on-line scan & set it to autoclean for you.

Please go here & install ALL critical updates required for your system. That includes getting service pack 1 for both XP & IE.

Hey crunchie,
How can you tell she has the sasser worm with this log.

Hi Crunchie,
I've scanned my pc using the sasser removal tool. I dont have one. I've downloaded the LSPfix but i'm not sure how to use it. When i execute the LSP fix i got this few things in the KEEP box which are 1. mswsock.dll - descrp: Tcpip, 2. winrnr.dll - descrp: NTDS and 3. rsvpsp.dll descrp: (Protocol handler). Under REMOVE is lsp.dll. What am i supposed to do with them? Can u describe in details pls. Btw why cant i just fix and check from the hijackthis program? Im unable to activate SP1 since i dont have the key. Please advice. Thx in advance.

This entry when googled comes up as sasser. O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe

You cannot use HJT to fix the 010 entries as you may lose the ability to connect to the net!
Start LSPfix & you will find entries in the left window. Tick the *I know what I'm doing* box & move all instances of lsp.dll to the right window by highlighting it & press the relevant arrow to move it. DO NOT MOVE ANYTHING ELSE!!
Press finish.

You've got more than the worm going on there as well (all of that MyWay/MySearch stuff needs to go). Please download and run the following spyware removal tools, letting them fix anything they find:

Ad Aware

SpyBot Search & Destroy

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.