XXXSERVER - heeeeelp!!!

Hi good folks out there!

I'm being strangled by this bug, I've tried most cures, nothing works.
I'm desperate, please someone help! Here's my HijackThis Log.

Logfile of HijackThis v1.97.7
Scan saved at 22:20:54, on 09/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\ORL\VNC\WinVNC.exe
E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
E:\WINDOWS\System32\qttask.exe
E:\WINDOWS\System32\Fast.exe
E:\WINDOWS\System32\taskswitch.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\msgaol.exe
E:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\System32\wugrds.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\WINDOWS\System32\devldr32.exe
E:\U T I L I T I E S\Hijackthis\HijackThis.exe
E:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/advanced_search?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - E:\WINDOWS\sys_ext.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\U T I L I T I E S\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] E:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [FastUser] E:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "E:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Update] E:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [StartMenu] E:\WINDOWS\msgaol.exe /i
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\Run: [CreateCD50] E:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .mid: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37457.4343865741
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab

 

In addition to the hotkiss dialler you have a SDBOT.KN infection

Use Taskmanager (Ctrl-Alt-Del) to end these running processes if you can
(or use Process Explorer)
E:\WINDOWS\msgaol.exe
E:\WINDOWS\System32\wugrds.exe

Download and run CWShredder by Merijn Bellekom
Run it, press 'Fix', and allow it to fix all it finds.


Run HijackThis again, push Scan and place a check mark next to the following items using your mouse.
Next, close all browser Windows, and push the 'Fix checked' button in HijackThis

O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - E:\WINDOWS\sys_ext.dll (file missing)
O4 - HKLM\..\Run: [FastUser] E:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Update] E:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [StartMenu] E:\WINDOWS\msgaol.exe /i
O4 - HKLM\..\Run: [win updates] wugrds.exe
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKCU\..\Run: [win updates] wugrds.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Empty the TIF (Temporary Internet Files)
To do so use Control Panel > Internet Options(or right click the IE icon on the desktop and choose Properties)
Click Delete Files on the General Tab - place a check in the Delete all offline content box and then press OK

Delete all the files in (and any subfolders of) the C:\Windows\Temp\ folder

Set your Explorer up using the info in this link so that hidden and System files are visible
Also Uncheck the "Hide extensions for known file types" box

Reboot to SAFE mode
How to start the computer in Safe mode

Delete the following file(s):
E:\WINDOWS\msgaol.exe
E:\WINDOWS\System32\wugrds.exe
E:\WINDOWS\System32\fast.exe <= see comments below
E:\WINDOWS\csrss.exe <= make sure of folder


Run CWShredder again

Reboot normally

Get a good online virus scan at HouseCall

-----------
Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
Now do the following:
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."
- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"
- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys.
Right-click in that pane and choose "select all"

Now press "Next" again.
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

------ some partial info (for further cleanup)
wugrds.exe -- http://se.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_SDBOT.KN

sys_ext.dll was a CWS variant

I thing the fast.exe you have is this one (not 100% positive)
fast.exe http://www.pestpatrol.com/pestinfo/f/fastscan.asp
please check the file sizes according to http://research.pestpatrol.com/Search/FileInfoResults.asp?MD5=b0d12e9e7ac761e0def746862f12ee9a
and if it's actually resource kit stuff - you can leave it

 

Hi IMM,
Thank you very much for your reply.
I'll follow your instrucyions and will reort the results.
CHERRS. Derreck