trojan-backdoor-bobax

SpySweeper detected and quarantined what it titled trojan-backdoor-bobax March 21. SSweeper says that this trojan opens ports and rewrites code for complete remote control of a computer, and advises changing all passwords and bank account numbers. 2-3 days had passed since my last sweep with SS.

Have followed all steps with these exceptions: could not run Bitdefender in safe mode with networking -- the computer could not detect wireless networks in safe mode, so I ran it in normal boot. Panda effectively froze--one file every minute or so, and after 9 hours I stopped the scan--also in normal mode.

AdAware, SpyBot, Bitdefender, Windows Defender, AVG free 7.5.466, SpySweeper, and Ewido report 0 infected files.

I am hoping you will check for suspicious code or other evidence of tampering, and tell me I really do not have to change bank account numbers.

Also, since I am trying to stay offline, I have copied the three attached textfiles to the desktop of a friend's computer and uploaded from there.

And, if it matters, after running the various cleaners and scans as owner then as administrator in safe mode, ( probably 6 re-starts in safe mode in all) the computer took exception to re-booting in safe mode again .... took 4 or 5 attempts for windows to recognize the command and not open in normal mode.

 

Have uploaded shownew files. --used the old download in error, from trying not to go online, downloading to friend's computer, and copying to mine. They were from your site in Aug 06.

Your site will not let me attach getrun. Says I have already done so. Tried to rename file as new getrun.txt and name.txt, and it still will not let me upload. Do you want it posted in the text of a message?
Edit/Delete Message

SpySweeper version is 5.3.2.2361, the most current, same as the one which found bobax. I can find no option in SpySweeper that shows logs or shows a history of past sweeps. I deleted the quarantine file before running HJT.

HOW CAN YOU DISABLE Teatimer? I thought I did that last year. I have looked for actual instructions both here and at Spybot sites. Read and Run Me just says to do it.

Thank you for your help. I know it is hard to deal with people who do not understand how to do basic stuff. I think I downloaded the trojan along with a movie trailer, from a link on a public forum.

Does it matter that Add and Remove programs has incorrect dates for last used? Most recent date found was Feb 07.

Thanks again.

 

attached are getrun and shownew txt files from your link in R&Rme, downloaded to my own program files. Have deleted all other versions.

Have deleted the suggested entry in HJT log from 4/2.

Have disabled TeaTimer.

Have uninstalled Counterspy.

Windows Defender still installed - why is it to be removed? It has found nothing bad yet, since Aug of 06, but neither has spybot. It did show me the file you referenced via HJT. Sent that info to Webroot thinking it might be bogus, but they did not respond to the notice.

I will install Zone Alarm and disable or uninstall Defender as per your instructions.

Should I go through the disable system restore procedure also?

Thanks for your clear and timely responses.

 

Also--just ran avg 7.5 free and it reports 0 threats, but system32\ntoskrnl.exe and user32.dll as changed. These seem to be important files. Have not tried to restart in case I can't.

 

New newfiles uploaded. Did not uninstall Defender because it is my only firewall. Have read that ZoneAlarm has trouble with Mozilla. I am sharing a DSL connection whose router is in another building and I cannot access it to reboot if it malfunctions.