
*Bandook ALI.EXE

Has anybody come across a Trojan that appears as "Bandook ALI.EXE"? I can find ali.exe on its own but very little information on the *Bandook bit. I seem to have caught it!!
I can delete the file from windows/system32/ quite happily and it re-appears. I can delete every registry entry I can find for Bandook and ali.exe and they all re-appear. Every trojan scanner I can download attempts to clear it but doesn't succeed.
I can't boot from a clean system as I have SATA disks and am not sure of the drivers, so if I do a clean boot (from, say, CD) I can't then access the disks to clean them. I believe there is a memory resident portion of this blighter but can't find the method of deleting the keys etc. in a sequence that will totally remove it.
Only info I have found was on a website that mentioned "Prince Ali" and didn't say anything about how to get rid of this thing.
Any help gratefully received.
 
Hi Mel
Thanks for the suggestions BUT nothing untoward shows or is detected. Don't know quite what "ALI.EXE" did/does but it is quite a persistent little blighter. I have managed to upset it by the devious method of making a copy of chkdsk.exe and renaming that to ali.exe and then copying it into windows/system32 - seems the only way to fool it at present. Noticeable now when I boot I end up with an instance of chkdsk running! Bit worrying as to what was going on before!
Think my only sure option at the moment is to reformat the disk and start from scratch, unless you have any more ideas.
 
Apologies if this seems obvious, but doing a Google search for "ali.exe" throws up loads of information on this Trojan
 
Hi Bures
Yes obvious and done! The unique part is the *Bandook or sometimes Bandok - the ali.exe seems to be the "package" that is dropped and although all virus/trojan checkers find it none appear to remove it.
Having said that I have now managed by devious means to do so, having fathomed out how things are working and without having to format my disk. If anybody else gets infected I can provide the details but am concerned about posting them on an open forum.
 
I see from google ( http://www.megasecurity.org/trojans/b/bandook/Bandook1.3.html )
Current Features:
-------------------
*File Manager
*Registry Manager
*Folder Mirroring
*Screen Capture (JPEG / PNG)
*Cam Capture (JPEG / PNG)
*Mic Capture
*Windows Manager
*Ims Spy (MSN/YAHOO/AIM)
*Process Manager
*Protected Password Storage Viewer
*Instant Messenger Passwords Viewer
*Remote Shell
*Online/Offline keylogger
*HTTP Webserver
*Socks 4
*HTTP Proxy
*Port Redirection
*Download File from url
*Mass Download

that it is a pretty nasty piece of work, more of a question of what it doesn't do! :eek:

Remember to change all your windows stored passwords and check your security settings once you are sure you've disposed of it.
 