October 25th, 2003, 05:34 AM
Getting rid of Trojan/Backdoor help
well, I have a bit of a problem, it seems my g/f's computer has either a trojan or a back door on it and I have no idea how to get rid of it. I found out because her internet provider sent her an e-mail saying her computer was sending lots of spam e-mails I believe. Anyway, I tried using smackit and AVG to get rid of it but neither worked, at least I don't think they did. AVG did get rid of a virus but now about every 5 seconds an error box pops up saying that AVG had detected trojan BackDoor.Afcore.AI in file Windows\system32:bnweswh.dll. Anyway, it is a huge pain in the ass and I need to get rid of it or her internet provider is going to shut off her internet. Any help would be extremely grateful.
ps. I did a search for something like this but couldn't find anything, sorry if this has been covered somewhere else before
October 25th, 2003, 05:49 AM
I just looked on Symantec's site and found nothing about that and same goes for a google search.. install an AV like Norton that detects **** like that and run scan..
[pong][shadow]Why won\'t anyone give me greenies???[/shadow] [/pong]
October 25th, 2003, 05:53 AM
Go here for the cleaner from Moosoft and down load the Cleaner (it has a 30 day free trial). Run it, and it should cure your g/f's problem.
\"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
October 25th, 2003, 06:51 AM
Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.
Infected message body text contains the following:
If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.
The backdoor registers itself into the system registry auto run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
rundll32 (path to the backdoor program),(options)
The file name is formed from a combination of arbitrary symbols.
The backdoor program has several options that it can use:
To remotely uninstall itself from victim machines the backdoor uses the following command:
rundll32 ÄÉÓË:\%windir%\system32:(name of the backdoor.dll file),Uninstall
When the uninstall command is sent, the afcore virus uninstalls itself from the system registry and remaining only in the file stream and is no longer managed by the start system. To remove the afcore backdoor program from the file stream it is necessary to use a special utility.
from a french message board:
try to type in a console
rundll32 c:\\%windir%\\system32:(nom of the file dll), Uninstall then erases the file.
clean the base of the register the key is
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (nomdela DLL) =
rundll32 (emplacementdela dll), (options)
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
October 25th, 2003, 10:14 AM
have search little bit and found something which will be helpfull.
for all your guys there i want to sahre this searching engine which in my eyes is better then google but not many people know about it (maybe?).www.profusion.com enjoy it
paths just go to this site and type afcore
October 25th, 2003, 10:33 AM
get a cleaner of trojan virus and put a firewall on her computer and always updated her anti-virus every week... try stinger of the cleaner from moosoft .... okay hope you can detached that trrojan
October 25th, 2003, 10:51 AM
A few thoughts for you:
1. Run your AV and spy/ad/trojan/bot killers in safe mode
2. Go to http://www.diamondcs.com.au and get the trial versions of their spy/bot/trojan/worm killers. Also get Registry Prot, but do not install this until your machine is clean.
3. Go to http://www.winpatrol.com and get WinPatrol
4. Go to http://www.swatit.org and get SwatIT v2.1
5. Go to http://vil.nai.com/vil/stinger and get Stinger
6. Go to http://www.spywareinfo.com/~merijn/index.html and get Hijack This ....Be careful, it shows ALL running proceses, not just bad ones.
7. Go to http://www.wilderssecurity.net and getSpyware Blaster and Spyware Guard
8. Go to http://www.sysinternals.com and get Mail Control. This will stop the spamming going out.
As you have been "owned", the only safe way to be sure that you are clean is to reformat your hard drive an re-install all your software, as you do not know what else might have been put on your machine?
Hope this helps
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
October 25th, 2003, 01:17 PM
9/ Change ALL your Passwords.. System, internet... banking, shopping, AO, utility companies..etc..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
October 25th, 2003, 03:43 PM
Click the link below to use Trend Micro's Housecall service. It's been more reliable than anything else I've used, and it costs nothing. .dat files are automatically updated when you connect to the service, and it's accessible via the web.
Trend Microsystems Housecall AV
October 25th, 2003, 09:43 PM
Well guys, your help has been much appreciated, I have tried just about all the utilities posted to get rid of this damn thing but nothing seems to be working. Ah well, looks like it's down to re-formatting the hard drive. Thanks again for all your help, it was muchly appreciated.