Bandok_ J Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by dt196, Feb 27, 2006.

  1. dt196

    dt196 Private E-2

    If someone could help me in getting rid of this trojan. I have run all the programs that are required before posting with no luck. Panda ActiveScan finds it but cannot remove it. It places the file "Ali.exe" in the Windows system32 folder. If I delete it in the registry or startup file it just reproduces itself. I first noticed it when my Norton antivirus kept saying it was scanning messages (like when I send email) every couple of minutes. I closed all internet traffic with my Norton Firewall and that stopped it. Webroot Spy Sweeper finds it in the startup folder and when I have it remove it, it comes back in a few seconds. Help!
     
  2. dt196

    dt196 Private E-2

    I forgot to attach the logs. I've gone through all the steps outlined. The BitDefender log was saved as a .txt file 5 different times, but it looks like HTML to me. The attached Panda ActiveScan had to be taken in normal mode because in safe mode the screen resolution wouldn't let me see all of the page. I did a Google search for this trojan and came up with a couple of links. They are
    http://www.sophos.com/virusinfo/analyses/trojbandokj.html
    http://www.auditmypc.com/process/ali.asp
    I really would like to get this fixed as the alternative is to reload windows.
    Thanks
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, and that is exactly what it is supposed to be: an HTML file with a .txt extension so it can be attached here!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
    O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\bupl.dll
    C:\WINDOWS\system32\ali.exe

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager, kill the process if it is running, then delete the file.

    Now if running Win XP go to C:\WINDOWS\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
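The steps above are done by hand in HijackThis, Explorer and Task Manager. The PowerShell script below is an added example, not part of the thread or of any of the tools it names, that checks the same places in one pass: the Run/RunOnce keys HijackThis reports as O4, the Winlogon Notify subkeys it reports as O20 (flagging a missing DLL the same way), any process running as the indicator together with its parent, and the file's attributes. It assumes an elevated PowerShell 3.0 or later session (Get-CimInstance does not exist on the Windows XP era PowerShell the original poster would have had) and uses the file name ali.exe from the thread as its default indicator.

```powershell
# Added example (not from the thread): audit the autorun locations behind the
# HijackThis O4/O20 lines for a given indicator. Run in an elevated PowerShell.
param(
    [string]$Indicator = 'ali.exe'   # file name taken from the thread
)

# Registry locations HijackThis reports as O4 (Run/RunOnce) and O20 (Winlogon Notify)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        if ($p.Value -is [string] -and $p.Value -match [regex]::Escape($Indicator)) {
            $findings += [pscustomobject]@{ Location = "$key\$($p.Name)"; Value = $p.Value }
        }
    }
}

# Winlogon Notify packages: one subkey per package, DLL name in the DllName value.
# A DllName whose file no longer exists is what HijackThis shows as "(file missing)".
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($dll) {
            $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $findings += [pscustomobject]@{
                Location = "$notifyKey\$($_.PSChildName)"
                Value    = $dll + $(if (Test-Path $resolved) { '' } else { ' (file missing)' })
            }
        }
    }
}

"--- autorun entries referencing $Indicator, plus Winlogon Notify packages ---"
$findings | Format-Table -AutoSize

# Is the indicator running right now? When killing it only makes it reappear
# (what the thread saw with ali.exe), another process is re-spawning it, so
# the parent process is the thing to look at next.
"--- running processes named $Indicator ---"
Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq $Indicator } | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        Pid       = $_.ProcessId
        Path      = $_.ExecutablePath
        ParentPid = $_.ParentProcessId
        Parent    = $parent.Name
    }
} | Format-Table -AutoSize

# File attributes: the thread says to check the read-only bit before deleting.
$target = Join-Path $env:SystemRoot "System32\$Indicator"
if (Test-Path $target) {
    "--- on-disk file ---"
    Get-Item $target -Force | Select-Object FullName, Attributes, Length, LastWriteTime
}
```

The parent process column is the useful part when a file "comes back in a few seconds": the Run keys only explain why the executable starts at logon, not what is restoring it while the system is up, and the later posts in this thread are exactly that case.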
  5. dt196

    dt196 Private E-2

    I ran HJT and fixed the 3 items you had me fix. The bupl.dll would not delete. I got an access denied. It is not write protected so I ran Task Manager with the following
    taskmgr.exe
    Iexplore.exe
    explorer.exe
    svchost.exe
    scchost.exe
    svchost.exe
    Isass.exe
    services.exe
    winlogon.exe
    csrss.exe
    system
    System Idle Process

    Every time I ended Iexplore.exe, it started itself up again. I didn't know what program to end to be able to delete the bupl.dll file, so it's still there. Every time I deleted the system32\ali.exe file, it replaced itself, so I couldn't delete it. I was able to delete all the files in the Prefetch folder. After I was done and returned to normal mode, I ran HJT again just to check. Both ali.exe files were back but the O20 entry was gone.
    Something is restoring those files.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket KillBox and extract it to its own folder someplace you can find it later.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO and proceed with the next file. Once you get to the last one click YES and it will reboot. Note: many of the files listed below may not exist but we need to check for them anyway.

    C:\WINDOWS\bupl.dll
    C:\WINDOWS\system32\ali.exe

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot attach a new HJT log and tell me how the steps went.
     
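"Delete on Reboot" works because a file that is locked or being re-created while Windows is running can still be queued for deletion before any user-mode process starts. The script below is an added example, not the thread's own instructions and not Pocket KillBox's code, showing the documented Windows mechanism for that: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request under the Session Manager's PendingFileRenameOperations value, and Session Manager carries it out early in the next boot. It assumes an elevated PowerShell session, uses the two paths from the thread as its target list, and treats the optional regsvr32 /u step as the equivalent of KillBox's "Unregister DLL" checkbox; whether KillBox itself calls this exact API is not something the thread states.

```powershell
# Added example (not from the thread): queue files for deletion at next boot via
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). Run in an elevated PowerShell.

$targets = @(
    "$env:SystemRoot\bupl.dll",             # paths taken from the thread
    "$env:SystemRoot\System32\ali.exe"
)

# P/Invoke declaration for the kernel32 API that implements delete-on-reboot.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'MoveFile' -Namespace 'Win32Api' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Request-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "skip (not present): $Path"
        return $false
    }

    # For a DLL, unregister it first (same idea as KillBox's "Unregister DLL").
    if ($Path -like '*.dll') {
        & "$env:SystemRoot\System32\regsvr32.exe" /u /s $Path | Out-Null
    }

    # Clear read-only/hidden/system bits; a file that is currently locked
    # cannot be deleted now, but it can still be queued.
    try {
        (Get-Item -LiteralPath $Path -Force).Attributes = [IO.FileAttributes]::Normal
    } catch {
        Write-Warning "could not reset attributes on $Path : $($_.Exception.Message)"
    }

    # A null destination with MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot".
    $ok = $k32::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if ($ok) {
        Write-Host "queued for deletion at reboot: $Path"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "MoveFileEx failed for $Path (Win32 error $err)"
    }
    return $ok
}

$queued = $targets | ForEach-Object { Request-DeleteOnReboot -Path $_ }

# Show what is now pending. The value is a REG_MULTI_SZ of pairs: the source
# path in NT form (\??\C:\...), then the destination; an empty destination
# means delete.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
"--- PendingFileRenameOperations ---"
(Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations

if ($queued -contains $true) {
    Write-Host "Reboot to complete the deletion, then re-check the Run/RunOnce keys."
}
```

Queuing the delete does nothing about the Run/RunOnce values that launch the file; that is why the next post in this thread sees "Windows cannot find ...ali.exe" at logon after the file is gone, and why those registry entries still have to be removed separately.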
  7. dt196

    dt196 Private E-2

    Thanks Chaslang. That seemed to keep it from starting up. On the first reboot, I got the message "Windows cannot find C:\Windows\system32\ali.exe" bla, bla, bla. I then rebooted again and that message didn't come up this time. I still find the ali.exe checked in the System Configuration Utility startup. Should I get rid of it there too? Also there are at least some remnants of bandook/ali.exe still in the registry. Can I safely remove those? Before, when I removed them from the registry, they just came right back. There doesn't seem to be any reference to ali.exe in the new HJT log. How can I get rid of all the pieces left behind? Do I need to get rid of the line O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe in HJT?
    On another note, ever since I ran the first 1-6 required steps, when I open a web page it is very small. A lot smaller than before all this repair started. Is there something I have to change to get the pages to be like before?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First just have HJT fix what we tried to fix before:

    O4 - HKLM\..\RunOnce: [*Bandook] C:\WINDOWS\system32\ali.exe
    O4 - HKCU\..\Run: [Bandook] C:\WINDOWS\system32\ali.exe

    This should remove them from startup.
     
  9. dt196

    dt196 Private E-2

    HJT was able to remove them this time. I also went into the registry and removed the last 3 remnants of bandook/ali.exe. Thanks so much. You have saved me the time-consuming task of reloading Windows.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
