How Do I Remove Ali.exe Permanently?
My system has been infected with the ali.exe trojan. That's what I think it is!
It starts my default browser (hidden) and sends stuff out into the world. Now I've renamed firefox.exe to something else and now I can see ali.exe coming up in the taskmanager trying to start firefox.exe every 2 seconds!
How can I remove this malware once and for all?
And, HOW did that thing bypass Bitdefender? Bitdefender doesn't even see it as malware!
Thanks for any advice!
Gilbert.
Comments
-
Please put the file in an archive with the password "infected" and attach it to a new post. We'll take a look at it, BD analysts will add detection and we will tell you what to do next. Meanwhile, you can try to kill it's process, remove any reference that points to the trojan in registry at startup (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Current Version\Run), and, after uploading it here, you may even try to delete the trojan.
Regards, Andrei.0 -
Thanks for the quick response!
Here's the file...
I did clean the registry and I also killed the process. No use.
The process is coming back again and again trying to start my default browser (Firefox, which I renamed so it can't be run anymore).
You can see ali.exe coming up in the taskmanager, going away, coming back on...
When I delete the file (located in c:\windows\system32\) it only takes a second or so to be fully restored!
I did some research myselfe and this is something I came up with:
http://research.sunbelt-software.com/threa...;threatid=40408
None og those other files listed are on my computer./applications/core/interface/file/attachment.php?id=1124" data-fileid="1124" rel="">ali.rar
0 -
0
-
Cris, here's the log:
Well, there it is AGAIN!!! Ali.exe in my registry! I know I cleand that out just yesterday evening!Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:15 PM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Devil\mpx.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ASUS\AASP\1.00.32\aaCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plextor\PTPLE\PTPLEICO.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
c:\Program Files\Mozilla Firefox\ffffirefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [bandook] C:\WINDOWS\system32\ali.exe
O4 - HKUS\S-1-5-19\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PlexTools Professional LE.lnk = C:\Program Files\Plextor\PTPLE\PTPLE.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: TCP/IP (WinServ) - Unknown owner - C:\Documents.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 8907 bytes0 -
I just checked the registry again. And whaddya know, there it was again! (I cleaned it out after the HijackThis scan)
0 -
You may try doing the exact same steps as above, but in safe mode. When booting, press F8 several times until a menu appears. Select "Safe mode". Try the same steps we said about above, maybe you will succeed in removing it. If you won't manage to get rid of it, tell us and we'll seek another solution.
0 -
Well, I think I got rid of it!
Just so I rebooted in safe mode and ran "AVG Anti-Spyware". I'm not sure if that did the trick. I cleand the registry manually and deleted the file. Ran BitDefender and AVG again. Then adaware just to be sure!
So, as of right now, there seems to be no trace of ali.exe on my computer!
Thanks for all the advice, you guys!
If it should show up again, I'll be back!
Still, how did it bypass BitDefender?0 -
The only way it could have bypassed BD is because BD doesn't detect it yet.
Thanks for the sample, btw, after analyses, a VR will add detection.
Glad that we could help you!
Cheers.0 -
Hello gilu,
Besides ali.exe, you also have another suspect file:O23 - Service: TCP/IP (WinServ) - Unknown owner - C:\Documents.exe (file missing)
Before fixing this line with HijackThis!, please also attach this file to your next post (in a password protected ZIP). Note that this file might be hidden, so set Explorer to show you the hidden and system files.
Folder options -> View -> Show hidden files and folders / Hide protected operating system files(uncheck this one)
Cris.0 -
Besides ali.exe, you also have another suspect file:
O23 - Service: TCP/IP (WinServ) - Unknown owner - C:\Documents.exe (file missing)
There is no such file?!?!?
I can see it in HijackThis but is not to be found on my computer nor the registry.
BTW: I don't use Windows Explorer! I use Total Commander with hidden and system files visible
So I removed it with HijackThis...0 -
There is no such file?!?!?
That's a good thing. Maybe it was already removed by one of the tools you used.I can see it in HijackThis but is not to be found on my computer nor the registry.
BTW: I don't use Windows Explorer! I use Total Commander with hidden and system files visible
I also use TotalCommander. But I had no way of knowing you also use it, so I just gave you all details.So I removed it with HijackThis...
I'm glad you solved this problem.
If you have other problems, don't hesitate to post.
Cris.0
