Logs analysis

Logs analysis

Aliexe Hijack Log

Welcome!

It looks like you're new here. Sign in or register to get started.

Comments

  • ✭✭✭
    edited June 2008

    Upload this files on http://www.virustotal.com/ and leave here the test link !




    F:\Documents and Settings\Mark Gower\Desktop\postcard.exe

  • edited June 2008
    Upload this files on http://www.virustotal.com/ and leave here the test link !


    Thanking you will do now :D


    Upload this files on http://www.virustotal.com/ and leave here the test link !


    Sorry I don't know how to find it :rolleyes: F:Documents and SettingsMark GowerDesktoppostcard.exe

  • ✭✭✭

    Didi you check on your Desktop ?!

  • Didi you check on your Desktop ?!


    Yes I did and also used windows search to check all the drive and it found nothing :unsure:


    F:\Documents and Settings\Mark Gower\Desktop\postcard.exe this is what I used in my search...

  • Yes I did and also used windows search to check all the drive and it found nothing :unsure:


    F:\Documents and Settings\Mark Gower\Desktop\postcard.exe this is what I used in my search...


    Update Spyware Doctor reports 5 infections of Trojan-downloader.Exemas.B and 1 infection of Win32 Backdoor.Bandok


    It can remove them and if you scan again their back :o

  • ✭✭✭

    Type postcard.exe in your Search !!!

  • Type postcard.exe in your Search !!!


    Thanks will do now ;)

  • Thanks will do now ;)


    No still can't find it and searched in hidden file and folders too, also all of drive F .. :blink:

  • ✭✭✭
    edited June 2008

    Your PC may contain viruses, so I suggest you to run ComboFix that will investigate and eliminate all infections it may found (if it has them in its database).


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here + another HijackThis log !

  • Your PC may contain viruses, so I suggest you to run ComboFix that will investigate and eliminate all infections it may found (if it has them in its database).


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here + another HijackThis log !


    Thanks champ :D


    ok will post back as soon as it's finished ...

  • edited June 2008
    Your PC may contain viruses, so I suggest you to run ComboFix that will investigate and eliminate all infections it may found (if it has them in its database).


    Download ComboFix from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Then close all running programs, including web browser, instant messenger, etc and then run ComboFix.


    It will ask you whether it should start cleaning or not. Press 1 and hit Enter. Don't stop it while running. While doing this your screen may disappear but don't worry, it's a normal behaviour.


    At the end ComboFix will generate a log file. Save it and post it here + another HijackThis log !


    Right had some trouble when Combofix rebooted windows as some programs restarted and the one causing the problem was Norton System Works stopping some scripts from Combofix from running (only doing it's job ;) ) so I had to use task manager to shut that down..

    /applications/core/interface/file/attachment.php?id=2224" data-fileid="2224" rel="">ComboFix.txt

    /applications/core/interface/file/attachment.php?id=2225" data-fileid="2225" rel="">hijackthis.log

  • ✭✭✭
    edited June 2008

    The thinks look good now !


    For your safety, run a system scan with Bitdefender Online && SUPERAntiSpyware (free edition) !


    http://www.bitdefender.com/scan8/ie.html


    http://superantispyware.com/

  • The thinks look good now !


    For your safety, run a system scan with Bitdefender Online && SUPERAntiSpyware (free edition) !


    http://www.bitdefender.com/scan8/ie.html


    http://superantispyware.com/


    Hi again http://www.bitdefender.com/scan8/ie.html is running as we speak but it's not in a hurry, has been running over 1hr and says est 7.50hrs left ^_^

  • ✭✭✭
    edited June 2008

    If you have a big HDD, please wait !


    Do somethin' else, put leave BD to finish the scan !

  • If you have a big HDD, please wait !


    Do somethin' else, put leave BD to finish the scan !


    Hi I did let run ;)


    It estimated the time but took 4hrs to run so half the time was ok...


    The most important thing it's all clean after the scan but after reboot it's back <img class=" /> it's in the start up reg and it was also clean after running superantispyware until the reboot too!!


    superantispyware finds it and removes it and if you scan again it's back. <img class=" />

  • ✭✭✭

    Hmmm....


    Let's try this : download Malwarebytes' Anti-Malware and run a complete scan !


    http://www.malwarebytes.org/


    Clean all the mallware after the scan !

  • edited June 2008
    Hmmm....


    Let's try this : download Malwarebytes' Anti-Malware and run a complete scan !


    http://www.malwarebytes.org/


    Clean all the mallware after the scan !


    Well we're winning nothing was found using Malwarebytes and now when rebooting at startup I get the windows error noise and a box appears saying windows can't find the file called ali.exe and so on.


    Some of the bug is left behind here, I've added a couple of screen shots to show you ;)

    post-13835-1213357359_thumb.jpg

    post-13835-1213357380_thumb.jpg

  • ✭✭✭

    Deactivate ali.exe from statup !


    Ali.exe is a trojan !


    It was deleted !


    Uncheck that from startup ;)

  • Deactivate ali.exe from statup !


    Ali.exe is a trojan !


    It was deleted !


    Uncheck that from startup ;)


    Hey again crysty2k5, If I uncheck it from start up it replaces it self straight away..

    post-13835-1213410370_thumb.jpg

    post-13835-1213410393_thumb.jpg

    post-13835-1213410493_thumb.jpg

    post-13835-1213410525_thumb.jpg

  • Hello mag,


    Can you please download sdfix from here. Double click on it allow it to install in C:\SDFIX


    Now reboot your pc into safe by pressing several times on the F8 button before the windows splash screen select safe mode press enter. Log in with your account. Now go to C:\SDFIX and double click on RunThis.bat Type y to start the cleaning process. When it finishes you will be prompted to press any key on your keyboard do that. Once you are in normal mode wait till you see finished and press again any key now you will get back on your desktop. Please post the content of Report into your next reply.


    Best regards,


    Niels

  • edited June 2008
    Hello mag,


    Can you please download sdfix from here. Double click on it allow it to install in C:SDFIX


    Now reboot your pc into safe by pressing several times on the F8 button before the windows splash screen select safe mode press enter. Log in with your account. Now go to C:SDFIX and double click on RunThis.bat Type y to start the cleaning process. When it finishes you will be prompted to press any key on your keyboard do that. Once you are in normal mode wait till you see finished and press again any key now you will get back on your desktop. Please post the content of Report into your next reply.


    Best regards,


    Niels


    Hey thanks Niels' Will do now as you stated above, I'll reply when finished :D


    Hello mag,


    Can you please download sdfix from here. Double click on it allow it to install in C:SDFIX


    Now reboot your pc into safe by pressing several times on the F8 button before the windows splash screen select safe mode press enter. Log in with your account. Now go to C:SDFIX and double click on RunThis.bat Type y to start the cleaning process. When it finishes you will be prompted to press any key on your keyboard do that. Once you are in normal mode wait till you see finished and press again any key now you will get back on your desktop. Please post the content of Report into your next reply.


    Best regards,


    Niels


    OK 1 report ready for viewing :rolleyes:


    OK 1 report ready for viewing :rolleyes:


    But it's back again <img class=" />

    /applications/core/interface/file/attachment.php?id=2246" data-fileid="2246" rel="">report.txt

  • ✭✭✭
    edited June 2008


    Turn off System Restore !


    system_restore2.jpg


    Pack this file F:\Windows\system32\ali.exe in a zip or rar archive protected by the password infected and attach it here !


    Reboot in Safe Mode and delete F:\Windows\system32\ali.exe


    Then, disable it from statup !

  • Hello mag,


    I can see a trace of an infection in the sdfix log. What I let you do was just making a logfile so I can see if I see suspecious entry.


    Please download killbox from here.Double click on it to run. In the Full path section please type this or copy this:


    F:\WINDOWS\SoftwareDistribution\Download\e80b3f6bcac336a99ba82da063d253e5\BITA.tmp Select the option delete on reboot now press on the button that looks like a red circle with a white cross inside. You will be asked to reboot choose yes.


    Can you find a file called bupl.dll inside the windows folder?


    Best regards


    Niels

  • edited June 2008
    Hello mag,


    I can see a trace of an infection in the sdfix log. What I let you do was just making a logfile so I can see if I see suspecious entry.


    Please download killbox from here.Double click on it to run. In the Full path section please type this or copy this:


    F:WINDOWSSoftwareDistributionDownloade80b3f6bcac336a99ba82da063d253e5BITA.t


    mp Select the option delete on reboot now press on the button that looks like a red circle with a white cross inside. You will be asked to reboot choose yes.


    Can you find a file called bupl.dll inside the windows folder?


    Best regards


    Niels


    Thanks again.


    F:WINDOWSSoftwareDistributionDownloade80b3f6bcac336a99ba82da063d253e5BITA.t


    mp is what I put in for killbox and it said it has been removed by an outside program..


    Also I couldn't find bupl.dll inside the windows folder...


    Turn off System Restore !


    Pack this file F:Windowssystem32ali.exe in a zip or rar archive protected by the password infected and attach it here !


    Reboot in Safe Mode and delete F:Windowssystem32ali.exe


    Then, disable it from statup !


    system restore is now off!!


    And I will check out the rest.. ;)


    system restore is now off!!


    And I will check out the rest.. ;)


    So far Spybot SD is stopping it in the black and white list for Registry changes :D


    No windows error noises anymore but haven't rebooted it yet..


    Will report back with my finding ;)


    Turn off System Restore !


    Pack this file F:Windowssystem32ali.exe in a zip or rar archive protected by the password infected and attach it here !


    Reboot in Safe Mode and delete F:Windowssystem32ali.exe


    Then, disable it from statup !


    There is no file to pack now only a reference to it if that makes sence :unsure:

  • Hello mag,


    Can you please make a new combofix and hijack this log. Please also navigate to F:\WINDOWS\SoftwareDistribution\Download\e80b3f6bcac336a99ba82da063d253e5 see if BITA.tmp is still there. Do you mean by reference that there is still a trace in msconfig? To be able to remove that you can follow the instructions that were given in the topic that crysty2k5 referred to in this topic.


    That is good sign that you couldn't find bupl.dll.


    Best regards,


    Niels

  • edited June 2008
    Hello mag,


    Can you please make a new combofix and hijack this log. Please also navigate to F:WINDOWSSoftwareDistributionDownloade80b3f6bcac336a99ba82da063d253e5 see if BITA.tmp is still there. Do you mean by reference that there is still a trace in msconfig? To be able to remove that you can follow the instructions that were given in the topic that crysty2k5 referred to in this topic.


    That is good sign that you couldn't find bupl.dll.


    Best regards,


    Niels


    Hello Niels,


    A new Combofix + Hijack this log will be done soon.. ;)


    Hello Niels,


    A new Combofix + Hijack this log will be done soon.. ;)


    Right here goes..

    /applications/core/interface/file/attachment.php?id=2253" data-fileid="2253" rel="">log.txt

    /applications/core/interface/file/attachment.php?id=2254" data-fileid="2254" rel="">hijackthis.log

  • Hello mag,


    I can't see anything suspecious anymore both into your hijackthis log and combofix log.


    Best regards,


    Niels

  • ✭✭✭
    edited June 2008

    First of all, Happy Birthday mag !


    The logs are clean...


    Do you still have problems ?!

  • edited June 2008
    Hello mag,


    I can't see anything suspecious anymore both into your hijackthis log and combofix log.


    Best regards,


    Niels


    Hello Niels,


    All seems good but still have the Windows Error noise going off here and there :wacko:


    Apart from that working very well..


    Thanks..


    First of all, Happy Birthday mag !


    The logs are clean...


    Do you still have problems ?!


    Thanks for the b/day wishes crysty2k5 :D


    The only problem is as I said in the reply to Niels but that aside all is good.


    Thanks..


    Hey guys just had this "The system has recovered from a serious error." it shut down while using the PC and that was on the screen after it re-started itself..


    Also this 20-30sec after

    post-13835-1213670910_thumb.jpg

  • Hello mag,


    Sorry a bit late but still a Happy Birthday.


    For concerning the windows error can you please do this. Press the windows button together with r now type eventvwr press enter. Now open the application and system logbooks and post the error entries here that occured when you had that error message.


    Best regards,


    Niels

  • edited June 2008
    Hello mag,


    Sorry a bit late but still a Happy Birthday.


    For concerning the windows error can you please do this. Press the windows button together with r now type eventvwr press enter. Now open the application and system logbooks and post the error entries here that occured when you had that error message.


    Best regards,


    Niels


    A bit late for B/day is not a problem.. Thanks Niels ;)


    Ok will post the error entries..


    A bit late for B/day is not a problem.. Thanks Niels ;)


    Ok will post the error entries..


    Todays errors...

    /applications/core/interface/file/attachment.php?id=2259" data-fileid="2259" rel="">report1.txt

  • Hello mag,


    Can you please do the following once you are in the evenviewer doubleclick on the error entries. Please press on the icon that looks like 2 piece of paper now press on paste once you are in notepad. I know that it's my fault but I needed a description of the errormessage. Sorry for that. Can you please do that and attach it also in a new txt file. When does it normally happens that windows error noise? What are you doing at that particular moment?


    Best regards,


    Niels

  • Hello mag,


    Can you please do the following once you are in the evenviewer doubleclick on the error entries. Please press on the icon that looks like 2 piece of paper now press on paste once you are in notepad. I know that it's my fault but I needed a description of the errormessage. Sorry for that. Can you please do that and attach it also in a new txt file. When does it normally happens that windows error noise? What are you doing at that particular moment?


    Best regards,


    Niels


    Hi Niels, sorry but I'm still not sure what you mean "looks like 2 piece of paper" so is this correct :unsure:


    post-13835-1213756639_thumb.jpg

    /applications/core/interface/file/attachment.php?id=2264" data-fileid="2264" rel="">report.txt

  • Hello mag,


    My problem is that I don't know how it's called in English. No, you first need to double click on an entry. First you need to left click on an entry that has an error sign a red circle with a white cross inside. So it will high light in blue. After that double click on it. If you have done that then you should see an icon that looks like 2 papers.


    Best regards,


    Niels

  • Hello mag,


    My problem is that I don't know how it's called in English. No, you first need to double click on an entry. First you need to left click on an entry that has an error sign a red circle with a white cross inside. So it will high light in blue. After that double click on it. If you have done that then you should see an icon that looks like 2 papers.


    Best regards,


    Niels


    Hello Niels,


    2 pages ?? But I don't speak English I speak "Australian" <img class=" /> :lol::rolleyes:


    Now I think I've got it and went back as far as the error that shut down the P.C..


    /applications/core/interface/file/attachment.php?id=2274" data-fileid="2274" rel="">new.txt

    new.txt 21.6K
  • Hello mag,


    Thanks for the information. From what I looked the problem might be caused by Zonealarm and Norton update service. So if understand it correctly your pc automatically reboot or shutdown itself? If that is the case can you please do the following : click on start,right click on my computer choose properties,advanced,press on the settings button that is located under the startup and repair (recover) settings (it could have a different name because I don't know how it's called in Australian (English). Under Write Debugging Information select minidump. Once it again appears can you please do this click on start,my computer,windows,Minidump,attach the dmp file (that are all the files that are stored in that folder). Be sure to not send any error reports to Microsoft before copying the dmp file otherwise the minidump folder will be empty.


    Best regards,


    Niels

  • Hello mag,


    Thanks for the information. From what I looked the problem might be caused by Zonealarm and Norton update service. So if understand it correctly your pc automatically reboot or shutdown itself? If that is the case can you please do the following : click on start,right click on my computer choose properties,advanced,press on the settings button that is located under the startup and repair (recover) settings (it could have a different name because I don't know how it's called in Australian (English). Under Write Debugging Information select minidump. Once it again appears can you please do this click on start,my computer,windows,Minidump,attach the dmp file (that are all the files that are stored in that folder). Be sure to not send any error reports to Microsoft before copying the dmp file otherwise the minidump folder will be empty.


    Best regards,


    Niels


    Thanks very much for your information Niels + your English is fine :)

Welcome!

It looks like you're new here. Sign in or register to get started.

Welcome!

It looks like you're new here. Sign in or register to get started.