Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Getting rid of Trojan/Backdoor help

  1. #1
    Junior Member
    Join Date
    Oct 2003

    Getting rid of Trojan/Backdoor help

    well, I have a bit of a problem, it seems my g/f's computer has either a trojan or a back door on it and I have no idea how to get rid of it. I found out because her internet provider sent her an e-mail saying her computer was sending lots of spam e-mails I believe. Anyway, I tried using smackit and AVG to get rid of it but neither worked, at least I don't think they did. AVG did get rid of a virus but now about every 5 seconds an error box pops up saying that AVG had detected trojan BackDoor.Afcore.AI in file Windows\system32:bnweswh.dll. Anyway, it is a huge pain in the ass and I need to get rid of it or her internet provider is going to shut off her internet. Any help would be extremely grateful.

    ps. I did a search for something like this but couldn't find anything, sorry if this has been covered somewhere else before

  2. #2
    Join Date
    Oct 2003
    I just looked on Symantec's site and found nothing about that and same goes for a google search.. install an AV like Norton that detects **** like that and run scan..
    [pong][shadow]Why won\'t anyone give me greenies???[/shadow] [/pong]

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Huson Mt.
    Go here for the cleaner from Moosoft and down load the Cleaner (it has a 30 day free trial). Run it, and it should cure your g/f's problem.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  4. #4
    Senior Member
    Join Date
    Nov 2001

    Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

    Infected message body text contains the following:

    If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
    Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.

    The backdoor registers itself into the system registry auto run key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
    rundll32 (path to the backdoor program),(options)

    The file name is formed from a combination of arbitrary symbols.

    The backdoor program has several options that it can use:


    To remotely uninstall itself from victim machines the backdoor uses the following command:

    rundll32 :\%windir%\system32:(name of the backdoor.dll file),Uninstall

    When the uninstall command is sent, the afcore virus uninstalls itself from the system registry and remaining only in the file stream and is no longer managed by the start system. To remove the afcore backdoor program from the file stream it is necessary to use a special utility.


    from a french message board:

    try to type in a console
    rundll32 c:\\%windir%\\system32:(nom of the file dll), Uninstall then erases the file.
    clean the base of the register the key is
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (nomdela DLL) =
    rundll32 (emplacementdela dll), (options)
    Bukhari:V3B48N826 The Prophet said, Isnt the witness of a woman equal to half of that of a man? The women said, Yes. He said, This is because of the deficiency of a womans mind.

  5. #5
    Senior Member
    Join Date
    Jun 2003
    have search little bit and found something which will be helpfull.

    for all your guys there i want to sahre this searching engine which in my eyes is better then google but not many people know about it (maybe?).www.profusion.com enjoy it
    paths just go to this site and type afcore
    happy cleaning

  6. #6
    get a cleaner of trojan virus and put a firewall on her computer and always updated her anti-virus every week... try stinger of the cleaner from moosoft .... okay hope you can detached that trrojan

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    A few thoughts for you:

    1. Run your AV and spy/ad/trojan/bot killers in safe mode
    2. Go to http://www.diamondcs.com.au and get the trial versions of their spy/bot/trojan/worm killers. Also get Registry Prot, but do not install this until your machine is clean.
    3. Go to http://www.winpatrol.com and get WinPatrol
    4. Go to http://www.swatit.org and get SwatIT v2.1
    5. Go to http://vil.nai.com/vil/stinger and get Stinger
    6. Go to http://www.spywareinfo.com/~merijn/index.html and get Hijack This ....Be careful, it shows ALL running proceses, not just bad ones.
    7. Go to http://www.wilderssecurity.net and getSpyware Blaster and Spyware Guard
    8. Go to http://www.sysinternals.com and get Mail Control. This will stop the spamming going out.

    As you have been "owned", the only safe way to be sure that you are clean is to reformat your hard drive an re-install all your software, as you do not know what else might have been put on your machine?

    Hope this helps


  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    oh and

    9/ Change ALL your Passwords.. System, internet... banking, shopping, AO, utility companies..etc..

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #9
    Junior Member
    Join Date
    Oct 2003


    Click the link below to use Trend Micro's Housecall service. It's been more reliable than anything else I've used, and it costs nothing. .dat files are automatically updated when you connect to the service, and it's accessible via the web.

    Trend Microsystems Housecall AV

  10. #10
    Junior Member
    Join Date
    Oct 2003
    Well guys, your help has been much appreciated, I have tried just about all the utilities posted to get rid of this damn thing but nothing seems to be working. Ah well, looks like it's down to re-formatting the hard drive. Thanks again for all your help, it was muchly appreciated.
    There are 10 types of people in the world.
    Those who understand binary, and those who don\'t.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts