Hello everyone, well, yesterday I had the Win32 Sasser-D 12377.exe virus on my PC.
Very strange. Yesterday afternoon I had no more internet on my PC. My router was online and all I could see was deny, deny, reject.
I put on my TCPView program, and basically the virus was looking for other machines. I could not get through to the internet with my router, but when I changed to a direct connection to my modem, I can get online as you can see.
Well, Avast cleaned the Sasser; I also had all Microsoft updates. Now the computer is still sending out and searching for other machines.
I can get round it by closing the connections it's sending out.
service exe
isass.exe
W32.Bobax.A. I think what I have is W32.Bobax.A, apparently a totally new THING. Does anyone know of this? Or how it can be cleaned?
This has happened to more people I know, all at the same time yesterday afternoon.
Hi,
Are you sure the spelling is right? Not
services.exe
LSASS.exe
Does any virus scanner (like Trend & KAV below) find the Bobax in those files or anywhere else?
Where are they located (full path)?
WHY do you think you got “bobax”? Please supply a link with a description.
Have you also applied MS04-011?
Did you change all your passwords?
Read here and check if the descriptions match:
Trend
McAfee
system
Hi
Yes, you are right.
services.exe
LSASS.exe
I thought it might be, as said earlier, Bobax, but it isn't found anywhere on the computer.
link: http://securityresponse.symantec.com/avcenter/venc/data/w32.bobax.a.html
Yes, I have the update from Microsoft installed. But it has not helped me.
What passwords do you mean that I should change?
OK, at the moment I have service.exe:2024 TCP xx-xx:3456 68-117-194-168.cpe.ga.charter.com:7000 SYN_SENT
C:\Program Files\Internet Explorer\iexplore.exe
It's just going crazy and sending out pings and stuff, and blocks me receiving any websites until I close it down manually. I can now get out through my router.
Trend Micro
always says found WORM SDBOT.D
and says cleaned successfully. But this is every time I start Windows and run the scanner.
Also found and cleaned
BAT_SASSER.A_cmd.ftp; this is cleaned totally.
This is doing my nut in.
Even my friend had this yesterday and formatted his hard drive. And guess what!! It's still there!
This is ugly. Maybe if I do a boot scan.
Never had a thing like this before.
Keep in touch, thanks
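The TCPView line quoted above (service.exe in SYN_SENT to a remote host on port 7000) is the kind of record a bot leaves when it phones home. Below is an added example, written for this page and not code from any poster, that parses a few lines in TCPView's text layout and flags the ones that deserve a look: a core Windows image name (or a misspelling of one) initiating an outbound TCP connection, and any outbound connection to an IRC-style port. Only the first sample line is from the thread; the other lines, the list of core image names and the choice of "IRC-style" ports (6660-6669 and 7000) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the one-socket-per-line layout of TCPView's text view:
# "<image>:<pid> <proto> <local endpoint> <remote endpoint> <state>".
# Line 1 is the line quoted in the post (local address redacted there as xx-xx);
# the other lines are made up for this example.
SAMPLE = """\
service.exe:2024 TCP xx-xx:3456 68-117-194-168.cpe.ga.charter.com:7000 SYN_SENT
svchost.exe:1044 UDP 0.0.0.0:123 *:* LISTENING
iexplore.exe:1808 TCP 192.168.1.10:1052 www.example.com:80 ESTABLISHED
lsass.exe:660 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
"""

# Core Windows images that do not open outbound TCP connections on their own,
# plus the two misspellings that appeared in the thread (assumed list).
CORE_IMAGES = {"services.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe"}
LOOKALIKES = {"service.exe": "services.exe", "isass.exe": "lsass.exe"}

# Assumption for this example: IRC ports 6660-6669 and 7000 as typical bot C&C ports.
SUSPECT_PORTS = set(range(6660, 6670)) | {7000}

LINE_RE = re.compile(
    r"^(?P<image>\S+):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s*$"
)


@dataclass
class Conn:
    image: str
    pid: int
    proto: str
    local: str
    remote: str
    state: str


def parse(text: str) -> List[Conn]:
    """Parse TCPView-style lines; lines that do not match the layout are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(Conn(m["image"], int(m["pid"]), m["proto"],
                              m["local"], m["remote"], m["state"]))
    return conns


def port_of(endpoint: str) -> Optional[int]:
    """Return the port of 'host:port', or None for '*' or a missing port."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def suspicious(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Return (connection, reason) pairs worth investigating."""
    findings = []
    for c in conns:
        image = c.image.lower()
        outbound = c.proto == "TCP" and c.state in ("SYN_SENT", "ESTABLISHED")
        if image in LOOKALIKES:
            findings.append((c, f"image name mimics {LOOKALIKES[image]}"))
        if image in CORE_IMAGES and outbound:
            findings.append((c, "core Windows image making an outbound connection"))
        if outbound and port_of(c.remote) in SUSPECT_PORTS:
            findings.append((c, f"outbound to IRC-style port {port_of(c.remote)}"))
    return findings


if __name__ == "__main__":
    for conn, why in suspicious(parse(SAMPLE)):
        print(f"{conn.image}:{conn.pid} -> {conn.remote} {conn.state}: {why}")
```

Run against the sample, only the service.exe line is reported (twice: once for the misspelled image name, once for port 7000); the listening lsass.exe socket on 445 is left alone because it is not outbound. Closing the connection, as the poster did, only stops the current attempt; the PID in the first column is what identifies the process to kill and the image to send to the scanners.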
@1) These two are normal Windows files if they are in the System32 folder!! They are suspicious if anywhere else.
@2)
Please be correct in your spelling: is it serviceS.exe or service.exe?
And supply the full path/folder/filename for any file you consider suspicious, like c:\windows\system32\services.exe
You'll find this info in the alert/log of your firewall, or in the Trend Micro report after a scan.
Also scan every occurrence of service(s).exe and lsass.exe on your PC with Trend AND KAV (see below) and report their findings;
set your Explorer to show all files before searching for the files: Explorer → Extras/View → Folder options → set it to show all files/folders, even system and hidden files.
Also please post a HijackThis log here: www.lurkhere.com
And CHECK!! for new Windows updates, via IE → Extras → Windows Update → search for updates.
If you have/had Spybot on your PC, you need to change every password ever entered on the PC (admin, main user, users etc.) and also PINs, eBay/online banking data.
Also close/protect your shared folders.
Do this also if you decide to format your PC!!
SDBOT-Info

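The reply above makes the key point: services.exe and lsass.exe are legitimate only under %WinDir%\System32, and a near-miss name (service.exe, isass.exe, or the smss32.exe that Avast later reported) is a red flag wherever it sits. The following is an added example for this page, not code from the thread, that encodes that rule: it normalises a file name (case-insensitive, digits in the stem ignored, one character of difference allowed) and classifies each path as genuine, a genuine name outside System32, or a lookalike. The list of System32-only images, the C:\WINDOWS default and the sample paths are assumptions; the sample paths themselves are drawn from file names mentioned in this thread.

```python
import os
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Images that a stock Windows XP keeps only in %WinDir%\System32 (assumed list).
SYSTEM32_IMAGES = ("services.exe", "lsass.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "svchost.exe")

# Constructed sample: file names taken from this thread (the HijackThis log,
# the Avast report and the first post's spelling), placed in plausible folders.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\smss32.exe",
    r"C:\WINDOWS\system32\isass.exe",
    r"C:\WINDOWS\services.exe",
    r"C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Return the System32 image this file name is (or imitates), else None.

    Digits in the stem are ignored (smss32.exe -> smss) and one character may
    differ (service.exe -> services, isass.exe -> lsass).
    """
    stem, ext = os.path.splitext(name.lower())
    if ext != ".exe":
        return None
    stem = "".join(ch for ch in stem if not ch.isdigit())
    for genuine in SYSTEM32_IMAGES:
        if _edit_distance(stem, genuine[:-4]) <= 1:
            return genuine
    return None


def classify(path: str, windir: str = r"C:\WINDOWS") -> Optional[str]:
    """'ok', a reason the file is suspect, or None when the name is not of interest."""
    p = PureWindowsPath(path)
    genuine = lookalike_of(p.name)
    if genuine is None:
        return None
    if p.name.lower() != genuine:
        return f"lookalike of {genuine}"
    system32 = str(PureWindowsPath(windir, "system32")).lower()
    if str(p.parent).lower() != system32:       # System32 vs system32 compares equal
        return f"{genuine} outside System32"
    return "ok"


def scan_tree(root: str, windir: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Walk a real drive and return (path, verdict) for every name of interest.

    os.walk lists hidden and system files regardless of the Explorer setting.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            verdict = classify(os.path.join(dirpath, fname), windir)
            if verdict is not None:
                hits.append((os.path.join(dirpath, fname), verdict))
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        print(f"{sample}: {classify(sample)}")
```

On the sample list the two System32 copies come back "ok", smss32.exe and isass.exe are reported as lookalikes of smss.exe and lsass.exe, the stray C:\WINDOWS\services.exe is reported as outside System32, and the Avast service is ignored. Anything other than "ok" is the full path the reply asks for, ready to be scanned with Trend and KAV.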
Hi again, thanks for the info.
Well, after clearing each virus, it seems another pops up.
Avast updated earlier today and found…
Go on, have a shot in the dark!!
Yes. W32.Bobax.A
Win32:Bobax [Wrm]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\87SPLOXS\217.82.117[1].gif
Win32:SdBot-194-B [Trj]
C:\WINDOWS\system32\smss32.exe[AsPack
So I'm just going to restart my comp and see if I have managed to get rid of it.
I'll also check the spelling if it is still there.
Well, this is the 7th virus to be uncovered.
I'll be back soon.
Thanks for the link.
Hi

Thanks for your help.
I have it all under control now.
Just hope it stays that way.
Keep up the good work. You're a star on the net.
Cheers
I'm not sure whether I have the Bobax virus or not???
In my windows/temp folder there is a file which Avast will not scan; the file is c:\windows\temp\zlt04c0e.tmp. I've tried to delete this file but it tells me that the file is in use by another process and cannot be closed. I have no idea which process is using it and what to do about it.
Any ideas?
There seem to be no major hassles but I thought I would check.
Thanks
Hi, well, I'm not a know-all in this area myself.
If you have the virus, normally Avast will pick it up after the last update; Trend Micro also.
I would stay offline, use TCPView and see if it's looking for a connection, connect or send.
The file you could probably cut out and paste into your bin.
terchwizad
Thank you for the suggestions.
I tried them but no joy >:(
Still can't find what the hell this thing does and I can't get rid of it.
If anyone has any more ideas I'd appreciate it.
Thanks again
:-\
raman
You could post a HijackThis log; maybe we can find out some more things:
www.hjt.klaffke.de/en
system
Herewith the HijackThis file.
It makes absolutely no sense to me.
Hope it helps and thanks again for all the help.
Logfile of HijackThis v1.97.7
Scan saved at 23:05:42, on 20/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Prime95\prime95.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BBC News alerts\skinkers.exe
C:\Program Files\Microsoft Reference\Bookshelf 99 ENG\Qshlf99Z.exe
C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
C:\Program Files\OpenOffice.org1.1.1\program\soffice.exe
C:\Program Files\Alarm\Alarm.exe
C:\Program Files\WxEx\WxEx.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Leslie Ferguson\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM..\Run: [PCCClient.exe] “C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe”
O4 - HKLM..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM..\Run: [HydraVisionViewport] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SpybotSnD] “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe”
O4 - HKLM..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU..\Run: [BBCNewsalertsCluster] C:\Program Files\BBC News alerts\skinkers.exe
O4 - Startup: OpenOffice.org 1.1.1.lnk = C:\Program Files\OpenOffice.org1.1.1\program\quickstart.exe
O4 - Global Startup: Qshelf99 ENG.lnk = C:\Program Files\Microsoft Reference\Bookshelf 99 ENG\Qshlf99Z.exe
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: Run WinHTTrack (HKLM)
O9 - Extra ‘Tools’ menuitem: Launch WinHTTrack (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1070389176729
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {79B96C72-C0D0-4DC8-BC7E-9F314A918228} - http://ak.imgfarm.com/images/nocache/myspeedbar/myinitialsetup1.0.0.7.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip..{7EF49DD1-915E-492C-894B-01EB3C1E96E6}: NameServer = 62.241.160.200 158.43.240.3
system
Hi,
- You don't have all Windows updates → APPLY them
- Install, update, scan & fix with Ad-aware, Spybot and CWShredder
  from http://www.lurkhere.com/~nicefiles/index.html & www.lavasoft.de
- Check all (startup) entries in the HJT log to see whether they are malicious or useless,
  and fix them if so…
  → with the log file from HijackThis
  http://www.spywareinfo.com/~merijn/htlogtutorial.html (English tutorial) in combination with:
  a) database http://www.sysinfo.org/startuplist.php or OFFLINE: http://www.pacs-portal.co.uk/startup_pages/start_ups.exe or
  http://www.windowsstartup.com/wso/search.php & http://www.reger24.de/processes.php & www.google.de
  b) KAV scanner (see below)
- Reboot…
*
If problems remain, tell us exactly what you did so far, and post a new HijackThis log.
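Checking every O4 entry of a HijackThis log by hand against a startup database is tedious, and the log format is regular enough to pre-process. The example below is added for this page and is not code from HijackThis, the thread or the linked tutorials: it pulls the running-process list, the O4 autostart entries (with the image path separated from its arguments), the O16 ActiveX download sources and the O17 name servers out of a log, and produces a short worklist: autostarts given as a bare file name whose location must still be found, autostarts outside the Windows and Program Files trees, ActiveX controls fetched from hosts not on a trusted list, and the name servers to confirm with the ISP. The sample is a verbatim excerpt of the log posted above (with straight quotes instead of the curly ones the forum software substituted); the trusted-host list and the location roots are assumptions for the example and are not verdicts on any entry.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted in this thread, kept line for line;
# the remaining lines are omitted for brevity.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
O4 - HKLM..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O17 - HKLM\System\CCS\Services\Tcpip..{7EF49DD1-915E-492C-894B-01EB3C1E96E6}: NameServer = 62.241.160.200 158.43.240.3
"""

# Assumptions for this example: hosts from which ActiveX downloads are not
# queried, and the folder roots where autostart images are expected to live.
TRUSTED_HOSTS = ("microsoft.com", "macromedia.com", "symantec.com", "antivirus.com")
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\S*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<id>\S+)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


def image_path(cmd: str) -> str:
    """Strip arguments from an O4 command: honour quotes, else cut after the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_hjt(text: str) -> Dict[str, list]:
    out: Dict[str, list] = {"processes": [], "autostarts": [], "dpf": [], "nameservers": []}
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and PROC_RE.match(line):
            out["processes"].append(line)
            continue
        in_procs = False                      # first non-path line ends the section
        m = O4_RE.match(line)
        if m:
            out["autostarts"].append((m["hive"], m["name"], image_path(m["cmd"])))
            continue
        m = O16_RE.match(line)
        if m:
            out["dpf"].append((m["id"], m["desc"], m["url"]))
            continue
        m = O17_RE.match(line)
        if m:
            out["nameservers"].extend(m["servers"].split())
    return out


def review(parsed: Dict[str, list], trusted_hosts=TRUSTED_HOSTS) -> List[str]:
    """Build the worklist: items to look up in a startup database or verify by hand."""
    notes = []
    for hive, name, path in parsed["autostarts"]:
        if "\\" not in path:
            notes.append(f"O4 [{name}] ({hive}): bare file name {path}, find its real location")
        elif not path.lower().startswith(SYSTEM_ROOTS):
            notes.append(f"O4 [{name}] ({hive}): unusual location {path}")
    for clsid, desc, url in parsed["dpf"]:
        host = urlparse(url).hostname or ""
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            notes.append(f"O16 {clsid} ({desc or 'no name'}): ActiveX download from {host}, look it up")
    for ns in parsed["nameservers"]:
        notes.append(f"O17 NameServer {ns}: confirm this is your ISP's resolver")
    return notes


if __name__ == "__main__":
    for note in review(parse_hjt(SAMPLE_LOG)):
        print(note)
```

On the excerpt the worklist has four lines: SysTray.Exe (no path, so its location must be found before it can be judged), the SmileyCentral control fetched from ak.imgfarm.com, and the two name servers. Every remaining O4 entry still goes through the startup database linked above; the script only takes the path-splitting and host-extraction out of that loop.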