Author Topic: Help any news on W32.Bobax.A  (Read 11504 times)


techwizad

  • Guest
Help any news on W32.Bobax.A
« on: May 18, 2004, 10:26:42 AM »
Hello everyone, well yesterday I had the Win32 Sasser-D 12377.exe virus on my PC.
Very strange. Yesterday afternoon I had no more internet on my PC. My router was online and all I could see was deny, deny, reject.
I put on my TCPView program, and basically the virus was looking for other machines. I could not get through to the internet with my router, but when I changed to a direct connection to my modem, I can get online as you can see :). Well, avast cleaned the Sasser; I also had all Microsoft updates. Now the computer is still sending out and searching for other machines.

I can get round it by closing the connections it's sending out.

service exe
isass.exe

W32.Bobax.A. I think what I have is W32.Bobax.A, apparently a totally new THING. Does anyone know of this? Or how it can be cleaned?
This has happened to more people I know, all at the same time yesterday afternoon.

whocares

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #1 on: May 18, 2004, 11:59:29 AM »

service exe
isass.exe

W32.Bobax.A    

Hi,

Are you sure the spelling is right? Not
services.exe
LSASS.exe

Does any virus scanner (like Trend & KAV below) find the BOBAX in those files or anywhere else?
Where are they located (full path)?
WHY do you think you got "bobax"? Please supply a link with a description.

Have you also applied MS04-011?
Did you change all your passwords?

Read here and check if the descriptions match:

Trend
McAfee ;)

techwizad

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #2 on: May 18, 2004, 02:23:05 PM »
Hi
Yes, you are right.
services.exe
LSASS.exe

I thought it might be, as said earlier, BOBAX, but it isn't found anywhere on the computer.

link: http://securityresponse.symantec.com/avcenter/venc/data/w32.bobax.a.html

Yes, I have the update from Microsoft installed. But it has not helped me.

What passwords do you mean that I should change?


OK, at the moment I have service.exe:2024   TCP   xx-xx:3456   68-117-194-168.cpe.ga.charter.com:7000   SYN_SENT
C:\Program Files\Internet Explorer\iexplore.exe

It's just going crazy and sending out pings and stuff, and blocks me from receiving any websites till I close it down manually. I can now get out through my router.

Trend Micro

Always says found WORM SDBOT.D

And says cleaned successfully. But this is every time I start Windows and run the scanner.

Also found and cleaned

BAT_SASSER.A_cmd.ftp; this is cleaned totally.

This is doing my nut in.
Even my friend had this yesterday and formatted his hard drive. And guess what!! It's still there!

This is ugly. Maybe if I do a boot scan.
Never had a thing like this before.

keep in touch, thanks

whocares

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #3 on: May 18, 2004, 04:53:22 PM »

1)
services.exe
LSASS.exe

2)
OK, at the moment I have service.exe:2024   TCP   xx-xx:3456   68-117-194-168.cpe.ga.charter.com:7000   SYN_SENT
C:\Program Files\Internet Explorer\iexplore.exe

@1) These two are normal Windows files if they are in the System32 folder!! They are suspicious if anywhere else.

@2)
Please be correct in your spelling: is it serviceS.exe or service.exe?

And supply the full path/folder/filename for any file you consider suspicious, like c:\windows\system32\services.exe

You'll find this info in the alert/log of your firewall, or in the Trend Micro report after a scan.

Also scan every occurrence of service(s).exe and lsass.exe on your PC with Trend AND KAV (see below) and report their findings;
set your Explorer to show all files before searching for the files: Explorer -> Extras/View -> Folder Options -> set it to show all files/folders, even system and hidden files.

Also please post a HijackThis log here: www.lurkhere.com


And CHECK!! for new Windows updates, via IE -> Extras -> Windows Update -> search for updates.

If you have/had Spybot on your PC, you need to change every password ever entered on the PC (admin, main user, users etc.) and also PINs, eBay/online banking data.
Also close/protect your shared folders.
This also applies if you decide to format your PC!!

SDBOT-Info

 ;)

techwizad

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #4 on: May 18, 2004, 06:49:03 PM »
Hi again thanks for the info.

Well, after clearing each virus, it seems another pops up.

Avast updated earlier today and found...

Go on, have a shot in the dark!!

Yes. W32.Bobax.A

Win32:Bobax [Wrm]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87SPLOXS\217.82.117[1].gif

Win32:SdBot-194-B [Trj]

C:\WINDOWS\system32\smss32.exe\[AsPack]

So I'm just going to restart my comp and see if I have managed to get rid of it.

I'll also check the spelling if it is still there.

Well, this is the 7th virus to be uncovered.

I'll be back soon.

Thanks for the link.

techwizad

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #5 on: May 18, 2004, 10:15:01 PM »
Hi
 :) :) :)

Thanks for your help.

I have all under control now.

Just hope it stays that way.

Keep up the good work. You're a star on the net.

Cheers

autolycus

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #6 on: May 20, 2004, 03:42:34 PM »
I'm not sure whether I have the Bobax virus or not ???
In my windows/temp folder there is a file which avast will not scan. The file is c:\windows\temp\zlt04c0e.tmp. I've tried to delete this file but it tells me that the file is in use by another process and cannot be closed. I have no idea which process is using it or what to do about it.
Any ideas :P
There seem to be no major hassles but --- I thought I would check.
thanx

techwizad

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #7 on: May 20, 2004, 04:27:17 PM »
Hi, well I'm not a know-all in this area myself.

If you have the virus, normally avast will pick it up after the last update, Trend Micro also.

I would stay offline, use TCPView and see if it's looking for a connection, connect or send.

The file you could probably cut out and paste into your bin.

autolycus

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #8 on: May 20, 2004, 08:24:28 PM »
techwizad

Thank you for the suggestions ;)
I tried them but no joy >:(
Still can't find what the hell this thing does and I can't get rid of it.
If anyone has any more ideas I'd appreciate it.

thanks again
 :-\

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Help any news on W32.Bobax.A
« Reply #9 on: May 20, 2004, 09:36:12 PM »
You could post a HijackThis log, maybe we can find out some more things:

www.hjt.klaffke.de/en
Kind regards, Ralf

autolycus

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #10 on: May 21, 2004, 12:08:40 AM »
Herewith the HijackThis file :P
It makes absolutely no sense to me :)
Hope it helps and thanks again for all the help.
----------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 23:05:42, on 20/05/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BBC News alerts\skinkers.exe
C:\Program Files\Microsoft Reference\Bookshelf 99 ENG\Qshlf99Z.exe
C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
C:\Program Files\Alarm\Alarm.exe
C:\Program Files\WxEx\WxEx.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Leslie Ferguson\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [BBCNewsalertsCluster] C:\Program Files\BBC News alerts\skinkers.exe
O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1\program\quickstart.exe
O4 - Global Startup: Qshelf99 ENG.lnk = C:\Program Files\Microsoft Reference\Bookshelf 99 ENG\Qshlf99Z.exe
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run WinHTTrack (HKLM)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1070389176729
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.7.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EF49DD1-915E-492C-894B-01EB3C1E96E6}: NameServer = 62.241.160.200 158.43.240.3

whocares

  • Guest
Re:Help any news on W32.Bobax.A
« Reply #11 on: May 21, 2004, 01:39:34 PM »
Hi,

- you don't have all Windows updates -> APPLY them

1) --> install, update, scan & fix with Ad-Aware, Spybot and CWShredder
from http://www.lurkhere.com/~nicefiles/index.html & www.lavasoft.de

2) check all (startup) entries in the HJT log to see whether they are malicious or useless,
and fix them if so...
--> with the log file from HijackThis
http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html (English tutorial) in combination with:

a) database http://www.sysinfo.org/startuplist.php or OFFLINE: http://www.pacs-portal.co.uk/startup_pages/start_ups.exe or
http://www.windowsstartup.com/wso/search.php & http://www.reger24.de/processes.php & www.google.de
b) KAV-Scanner (see below)

reboot..
*
If problems remain, tell us exactly what you did so far, and post a new HijackThis log ;)
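As an added example (not code from this thread, from HijackThis or from any tool mentioned in it), this Python script applies the check from Reply #3 (services.exe and lsass.exe are normal only in System32, and watch the spelling) to the "Running processes:" block of a HijackThis log like the one in Reply #10, flagging core system binary names found outside System32 and lookalike names such as isass.exe or smss32.exe. The list of core binaries and the sample log entries marked as constructed are assumptions of the example.

```python
import re
from itertools import takewhile

# Assumed list of core Windows binaries that belong only in %SystemRoot%\System32
# (Reply #3: normal there, suspicious anywhere else). Tuple keeps match order stable.
SYSTEM_BINARIES = ("smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "csrss.exe")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return None if the process path looks fine, otherwise a short reason."""
    folder, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_BINARIES:
        return None if SYSTEM32.match(folder + "\\") else "system binary name outside System32"
    for known in SYSTEM_BINARIES:
        # Lookalike: one typo away (isass vs lsass) or digits padded in (smss32.exe).
        if edit_distance(name, known) <= 1 or re.sub(r"\d", "", name) == known:
            return f"lookalike of {known}"
    return None

def suspicious_processes(log_text):
    """Scan the 'Running processes:' block of a HijackThis log -> [(path, reason)]."""
    lines = log_text.splitlines()
    if "Running processes:" not in lines:
        return []
    block = lines[lines.index("Running processes:") + 1:]
    entries = takewhile(str.strip, block)          # the first blank line ends the block
    return [(e.strip(), r) for e in entries if (r := classify(e.strip()))]

# Constructed sample: first entry copied from the log in Reply #10, the other three made up.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\services.exe
C:\\WINDOWS\\system32\\isass.exe
C:\\WINDOWS\\system32\\smss32.exe

O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"""

if __name__ == "__main__":
    for path, reason in suspicious_processes(SAMPLE_LOG):
        print(f"{path}  <-  {reason}")
```

Anything it flags is only a pointer to an entry worth scanning and looking up, as Reply #11 describes, not a verdict on its own.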