Help in removing Trojan horse BackDoor.Afcore.AI

Posted on 2003-11-12
Last Modified: 2013-12-04
I can't seem to remove the Trojan BackDoor.Afcore.AI.  I'm using AVG antivirus, TrojanHunter, Adaware.. and a few others.  The only one to find it is AVG.. but, only during boot up.

C:\WINDOWS\system32:infjgwk.dll.  I know it's in the system stream of NTFS.

I'm running Windows Server 2003 Standard with all service patches installed.

It does not load, I'm guessing, since during boot the pop-up from AVG Resident Shield says not.

But, it needs to go away!

Question by:MaxPalma
LVL 44

Expert Comment

ID: 9732839

Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

Infected message body text contains the following:

If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.

The backdoor registers itself into the system registry auto run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
 rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.

The backdoor program has several options that it can use:


To remotely uninstall itself from victim machines the backdoor uses the following command:

 rundll32 DISK:\%windir%\system32:(name of the backdoor .dll file),Uninstall

When the uninstall command is sent, the Afcore backdoor removes itself from the system registry; it then remains only in the file stream and is no longer launched by the startup system. To remove the Afcore backdoor program from the file stream it is necessary to use a special utility.

Author Comment

ID: 9732901
CrazyOne.. thanks for the help, I found that information, but it really does not help in removing the Trojan.  There are about a dozen sites out there that have the same information.  If you notice at the bottom of the information about the Trojan, it talks about "stream it is necessary to use a special utility"... The question is, what is that "utility"?

Remember we are talking about Windows Server 2003.. Most "utility" programs don't work for this version.. I know, cause I tried =)

LVL 44

Accepted Solution

CrazyOne earned 500 total points
ID: 9732954
Yeah, I noticed that too, weird.

Trojan Information:  Aflooder
A number of students have had their Windows systems compromised by this Trojan program, which apparently uses a vulnerability in Internet Explorer to install itself when you visit certain websites. Exact details about the origins of this program are not available, but this program is designed to allow hackers to take control of a compromised machine and possibly use it to send out spam.

Because this program uses a special technique to embed its active code into the structure of a folder (not as a file inside the folder, but as a part or property of the folder itself), it is unclear if any anti-virus software or tools currently available can remove this tool. Fortunately, the trojan can be removed manually if you carefully follow the steps listed below. These steps involve using the Registry Editor utility in Windows--if you are unfamiliar with the Registry Editor, you may want to consult the Help Desk web page on using the Registry Editor:

Click on the Start button on your desktop, go to Run, type in regedit and click OK.

The Registry Editor window will open. Navigate to the following registry folder: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run (You do this by clicking on the "+" sign next to the Hkey Local Machine folder, then the "+" sign next to Software, then Microsoft, then Windows, then Current Version, and then click on the actual Run folder).

In the Run folder, you will see a number of entries for programs that are started automatically when Windows starts. Look for an entry that looks like this:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

The xxxxxxx.dll could be any set of letters and numbers ending with ".dll", as this trojan creates this filename randomly. Write down the exact name of this filename.

Leave the Registry Editor window open exactly where it is, but click on the Start button again, and again choose Run.

In the Run text box, type in the following command (replacing xxxxxxx.dll with the filename you wrote down in step 3):

rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall

This command is case sensitive, so all of the letters in the command and file name must match.

Click the OK button. You should see a window indicating that Aflooder (or AF) is being uninstalled (if there is an OK button to click to proceed, click it).

When it seems that the uninstall has finished, click back on the Registry Editor window. It should still be displaying the contents of the Run folder as it was in step 3. Hit the F5 key on your keyboard to refresh the contents of that Run folder. You may see that the entry you saw in step 3 has disappeared now that the uninstall has taken place. If it has not, click once on that entry:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

to highlight it, then hit the Delete key on your keyboard to delete it. If you are asked if you are sure you want to do this, choose Yes.

Close the Registry Editor window, and reboot your computer. Aflooder should now be removed.

Trend Micro, an anti-virus software vendor, claims that you can avoid being re-infected with this trojan by installing the following Internet Explorer security patch: We suggest that you download and install that patch, as it may indeed prevent re-infection.

If Aflooder changed your Internet Explorer home page to, make sure to change it back to normal. The home page setting for Internet Explorer can be found by clicking on Tools on the menu bar, then Internet Options.
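As an added example that is not part of the thread, here is the triage the accepted answer performs by hand, written as Python: read each value under the HKLM Run key, pick out the rundll32 entries, and flag any whose DLL path is an NTFS alternate data stream (a second colon after the drive colon, as in `C:\Windows\System32:xxxxxxx.dll`). The Run-key contents below are constructed samples; only the `infjgwk.dll` name comes from the question, and `read_live_run_key` is an assumed helper that only does real work on a Windows host.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Matches an autorun value of the form:  [dir\]rundll32[.exe] <target>,<EntryPoint> [args]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<target>[^",]+)"?\s*,\s*(?P<entry>\S+)(?P<args>.*)$',
    re.IGNORECASE)

class AutorunFinding(NamedTuple):
    name: str                   # registry value name (the Trojan picks a random one)
    target: str                 # what rundll32 is told to load
    entry: str                  # exported entry point, e.g. Init or Uninstall
    stream_host: Optional[str]  # directory/file that carries the stream, if any
    stream_name: Optional[str]  # the alternate data stream name, if any

def split_ads(path: str) -> Tuple[Optional[str], Optional[str]]:
    """Split 'host:stream'. The drive colon sits at index 1; any colon after it marks an ADS."""
    idx = path.find(':', 2)
    if idx == -1:
        return None, None
    return path[:idx], path[idx + 1:]

def parse_rundll32_autorun(name: str, value: str) -> Optional[AutorunFinding]:
    m = RUNDLL_RE.match(value)
    if not m:
        return None                      # not a rundll32 launcher, out of scope here
    target = m.group('target').strip()
    host, stream = split_ads(target)
    return AutorunFinding(name, target, m.group('entry'), host, stream)

def triage_run_key(entries: Dict[str, str]) -> List[AutorunFinding]:
    """Return only the rundll32 autoruns whose DLL lives in an alternate data stream."""
    found = [parse_rundll32_autorun(n, v) for n, v in entries.items()]
    return [f for f in found if f is not None and f.stream_name is not None]

def read_live_run_key() -> Dict[str, str]:
    """Assumed helper: read HKLM\\...\\Run via winreg on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        while True:
            try:
                name, value, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            entries[name], i = str(value), i + 1
    return entries

SAMPLE_RUN_KEY = {  # constructed sample, modelled on the value quoted in the answer
    "AVG7_CC": r'C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP',
    "xkqbfh": r'rundll32 C:\Windows\System32:infjgwk.dll,Init 1',
    "NvCpl": r'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
}

if __name__ == "__main__":
    for f in triage_run_key(read_live_run_key() or SAMPLE_RUN_KEY):
        print(f"ADS-hosted autorun '{f.name}': stream {f.stream_name} on {f.stream_host}, entry {f.entry}")
```

On a live host the script prints the value name and stream name you would otherwise copy down from regedit in step 3 of the answer; an ordinary DLL path such as the NvCpl entry is not flagged because its only colon is the drive colon.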

Author Comment

ID: 9733867
CrazyOne... thanks, I must have missed that website for info.. but there is the question of the name being close and the information seeming to be the same.  But this is "Afcore.AI"... and seems to be a variant of the BackDoor virus.  I'm a bit nervous about going into the registry and/or having the Trojan "un-install" itself.  What if this causes it to replicate or destroy the file system that it has embedded itself into so deeply?

Your input is greatly valued!!

