New virus??? Can't get it off!! 7


WhiteTornado (Technical User), Jul 24, 2002
Hi,

I got the Backdoor.Afcore.AI virus, caught by AVG; I also used Norton and Panda and they did not see it. AVG cannot run in safe mode, so it was not able to do anything, though. But I credit it with the fact that it at least found it.

This is a nasty virus; it creates this TTDWLFE thing which starts with Windows and causes a blue screen crash every time, and it is quick.

Using some wits, I figured to start using MSCONFIG in restricted mode, and though the virus tried to load it was not allowed, so ONLY then was I able to remove the code in the registry; otherwise, whatever I found in RUN would just come right back when I exited the registry.

However, despite the fact that I deactivated it (no more blue screen), I still get the message from AVG that it is in C:\WINNT\SYSTEM32:TTDWLFE, but I cannot find the DLL anywhere, in administrator mode, in safe mode, with all files showing, etc.

I tried all the other known antivirus programs; none can find it, and that exact virus is nowhere on the net.

Wild!!

Any tips??

Cheers!
 
Hi,

I would check before doing the scan that as well as "Show hidden and system files" being enabled, you have "Hide protected operating system files" unticked as well, then use AVG to run a full scan of the system.

If you had this a while ago and it now can't be found, I would check the AVG virus vault and see if it got put in there (delete it from there if so), and if not, disable System Restore (Start -> right-click My Computer -> System Restore tab and untick "Enable System Restore"), then reboot and reactivate it, in case a copy has been put in there.

John
 
Not sure if this will work, but I have heard of a few cases where restoring your computer settings to a date before you got infected may resolve this. If you don't know how to use "System Restore" you can email me at akauz@comcast.net
 
I had a similar virus problem, but a different virus. AVG found it, but kept coming back saying it was there. Ran Norton and nothing. I resolved it by uninstalling AVG, then reinstalling. Worked. Just get your reg key before you remove it.
 
Hi,

All your answers are usable to me; here is some input, starting with jrbarnett:

Thanks for the tip. I usually always show hidden files, but I believe I might have overlooked the system files. I am not at home right now, but will do that tonight.

Friedy, yes, I got the right name. I know this is not anywhere on the net; I made sure I did have the right name when I realized I could not get anything on it.

I thought of using System Restore, and I figure I could try that; unfortunately, I was not able to go back to an earlier date. Now that I think of it, I think I disabled it as per instructions on removing these viruses on XP. Something to try...

Good link on the trojan; I saw it too. It is not exactly the same but seems to be of the same family.

Good idea on the reinstall; I will do that if I don't get lucky with TDS-3, which looks very pertinent.

Thank you all for your answers.

Tonight I will put these into effect and report back.

Cheers!
 
Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

The infected file contains the following message text:

If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"

Upon being launched (executed), the backdoor installs itself into a supplemental (alternate) NTFS file stream attached to the system32 directory.

The backdoor registers itself in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) = rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.

The backdoor program has several options that it can use:

DebugBreakpoint, DebugInit, Init, InitService, SpawnedInit, Uninstall

To remotely uninstall itself from victim machines the backdoor uses the following command:

rundll32 DRIVE:\%windir%\system32:(name of the backdoor .dll file),Uninstall

When the uninstall command is sent, the Afcore backdoor removes itself from the system registry; it then remains only in the file stream and is no longer launched by the start-up system. To remove the Afcore backdoor program from the file stream it is necessary to use a special utility.

Get disinfection tool here:
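The description above explains why the DLL was never found by browsing the file system: C:\WINNT\SYSTEM32:TTDWLFE is an NTFS alternate data stream attached to the SYSTEM32 directory itself, not a file inside it, and the Run value launches it through rundll32. The following is an added example, not code from the thread or from any vendor tool, showing how a practitioner would enumerate streams on a directory and flag Run entries that point into a stream. It assumes PowerShell 3.0 or later (the -Stream parameter did not exist on the Windows 2000/XP systems discussed here; back then the Sysinternals streams.exe utility served the same purpose) and an elevated prompt. The directory, registry keys and the stream name TTDWLFE used in the comments are taken from the thread; the regular expression and the output format are this example's own choices.

```powershell
# Added example (not part of the original thread): list NTFS alternate data
# streams attached to a directory and find Run keys that launch a DLL from
# a stream path such as C:\WINNT\SYSTEM32:TTDWLFE.
# Requires PowerShell 3.0+ for -Stream; run as Administrator.
param(
    # Directory to inspect; on Windows 2000 this is C:\WINNT\SYSTEM32.
    [string]$Dir = "$env:SystemRoot\System32"
)

# 1. Enumerate named streams on the directory object itself. A clean directory
#    normally reports none; ':$DATA' is the unnamed stream and is filtered out.
Write-Host "Named streams attached to $Dir"
Get-Item -LiteralPath $Dir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# 2. Inspect the per-machine and per-user Run keys for rundll32 entries whose
#    DLL path contains a ':' after the drive letter, i.e. "<path>:<stream>".
#    A normal DLL path (C:\WINNT\system32\foo.dll,Entry) has no such colon.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Group 2 captures the stream path up to the ",Entry" argument.
$adsPattern = 'rundll32(\.exe)?\s+"?([a-z]:\\[^,"]*?:[^\\,"]+)'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... note properties PowerShell adds.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $adsPattern) {
            Write-Host "Suspicious autorun '$($p.Name)' in $key"
            Write-Host "  value      : $($p.Value)"
            Write-Host "  stream path: $($Matches[2])"
        }
    }
}

# 3. Once the stream and its Run value are identified, delete both. The stream
#    name below is the one reported in the thread and is given only as an
#    illustration; substitute whatever step 1 actually listed.
# Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<assigned name>'
# Remove-Item -LiteralPath $Dir -Stream 'TTDWLFE'
```

Run step 1 before and after removal: the stream survives a normal delete of files in SYSTEM32 and is invisible to Explorer, dir, and most scanners of that era, which is exactly the symptom described above (AVG reporting a path that no file browser could show). Removing the Run value first, as the original poster did with MSCONFIG, stops the DLL from loading again, but the stream itself has to be removed separately.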
 
Thanks SYAR2003 for this great tip - great link on this removal tool too.

I followed one of the pieces of advice above and uninstalled AVG, and I did not get the message thereafter. Since then I dismantled that computer, but I think I have not formatted the drive; when I get a chance I will check out the removal tool to see if there were still some bits left.

Cheers!
 