Help in removing Trojan horse BackDoor.Afcore.AI

I can't seem to remove the Trojan BackDoor.Afcore.AI. I'm using AVG antivirus, TrojanHunter, Ad-Aware, and a few others. The only one to find it is AVG, but only during boot up.

C:\WINDOWS\system32:infjgwk.dll.  I know it's in the system stream of NTFS.

I'm running Windows Server 2003 Standard with all service patches installed.

It does not load, I'm guessing, since during boot the pop-up from AVG Resident Shield says not.

But, it needs to go away!



Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

Infected message body text contains the following:

If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
Upon being launched (executed), the backdoor program installs itself into a supplemental NTFS file stream that is associated with the system32 directory.

The backdoor registers itself into the system registry auto run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
 rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.

The backdoor program has several options that it can use:


To remotely uninstall itself from victim machines the backdoor uses the following command:

 rundll32 (disk):\%windir%\system32:(name of the backdoor .dll file),Uninstall

When the uninstall command is sent, the Afcore virus uninstalls itself from the system registry, remaining only in the file stream, and is no longer started by the system. To remove the Afcore backdoor program from the file stream it is necessary to use a special utility.

MaxPalmaAuthor Commented:
CrazyOne, thanks for the help. I found that information, but it really does not help in removing the Trojan. There are about a dozen sites out there that have the same information. If you notice at the bottom of the information about the Trojan, it talks about "stream it is necessary to use a special utility"... The question is, what is that "utility"?

Remember we are talking about Windows Server 2003.. Most "utility" programs don't work for this version.. I know, cause I tried =)

Yeah, I noticed that too, weird.

Trojan Information:  Aflooder
A number of students have had their Windows systems compromised by this Trojan program, which apparently uses a vulnerability in Internet Explorer to install itself when you visit certain websites. Exact details about the origins of this program are not available, but this program is designed to allow hackers to take control of a compromised machine and possibly use it to send out spam.

Because this program uses a special technique to embed its active code into the structure of a folder (not as a file inside the folder, but as a part or property of the folder itself), it is unclear if any anti-virus software or tools currently available can remove this tool. Fortunately, the trojan can be removed manually if you carefully follow the steps listed below. These steps involve using the Registry Editor utility in Windows--if you are unfamiliar with the Registry Editor, you may want to consult the Help Desk web page on using the Registry Editor:

Click on the Start button on your desktop, go to Run, type in regedit and click OK.

The Registry Editor window will open. Navigate to the following registry folder: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run (You do this by clicking on the "+" sign next to the HKEY_Local_Machine folder, then the "+" sign next to Software, then Microsoft, then Windows, then CurrentVersion, and then click on the actual Run folder).

In the Run folder, you will see a number of entries for programs that are started automatically when Windows starts. Look for an entry that looks like this:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

The xxxxxxx.dll could be any set of letters and numbers ending with ".dll", as this trojan creates this filename randomly. Write down the exact name of this filename.

Leave the Registry Editor window open exactly where it is, but click on the Start button again, and again choose Run.

In the Run text box, type in the following command (replacing xxxxxxx.dll with the filename you wrote down in step 3):

rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall

This command is case sensitive, so all of the letters in the command and file name must match.

Click the OK button. You should see a window indicating that Aflooder (or AF) is being uninstalled (if there is an OK button to click to proceed, click it).

When it seems that the uninstall has finished, click back on the Registry Editor window. It should still be displaying the contents of the Run folder as it was in step 3. Hit the F5 key on your keyboard to refresh the contents of that Run folder. You may see that the entry you saw in step 3 has disappeared now that the uninstall has taken place. If it has not, click once on that entry:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

to highlight it, then hit the Delete key on your keyboard to delete it. If you are asked if you are sure you want to do this, choose Yes.

Close the Registry Editor window, and reboot your computer. Aflooder should now be removed.

Trend Micro, an anti-virus software vendor, claims that you can avoid being re-infected with this trojan by installing the following Internet Explorer security patch: We suggest that you download and install that patch, as it may indeed prevent re-infection.

If Aflooder changed your Internet Explorer home page to, make sure to change it back to normal. The home page setting for Internet Explorer can be found by clicking on Tools on the menu bar, then Internet Options.
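As an added example (not from this thread or from any of the vendors quoted in it), a small Python script that flags Run-key entries matching the pattern the steps above describe: rundll32 pointed at an NTFS alternate data stream on the system32 directory rather than at a file. The sample Run values are constructed; the live registry read only works on Windows and falls back to the sample set elsewhere.

```python
import re
from typing import Dict, List, Optional

# A rundll32 autorun whose DLL "path" is really an NTFS alternate data stream:
# a second colon after the drive letter, e.g.  C:\WINDOWS\system32:infjgwk.dll
_RUNDLL_ADS = re.compile(
    r'^\s*"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'   # rundll32, optionally quoted/pathed
    r'(?P<host>[A-Za-z]:\\[^:,]+?)'                     # host file or directory (drive:\...)
    r':(?P<stream>[^,\s]+)'                             # :stream name carried by the host
    r'(?:,(?P<entry>\S+))?',                            # optional ,ExportName (Init, Uninstall)
    re.IGNORECASE,
)

def parse_ads_autorun(name: str, command: str) -> Optional[Dict[str, str]]:
    """Return host path, stream and entry point if this Run value loads a DLL from an ADS."""
    m = _RUNDLL_ADS.match(command)
    if not m:
        return None
    return {"name": name, "host": m["host"], "stream": m["stream"], "entry": m["entry"] or ""}

def find_ads_autoruns(run_values: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag every Run value that points rundll32 at an alternate data stream."""
    hits = (parse_ads_autorun(n, c) for n, c in run_values.items())
    return [h for h in hits if h]

def read_hklm_run() -> Dict[str, str]:
    """Read HKLM\\...\\Run on Windows; returns {} elsewhere, where winreg does not exist."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # EnumValue raises when no values remain
                return values
            values[name] = str(data)
            i += 1

# Constructed sample Run values (not from a real machine): a quoted exe, a legitimate
# rundll32 DLL load, and an ADS-hosted DLL following the pattern quoted in this thread.
SAMPLE_RUN_VALUES = {
    "AVG7_Run": r'"C:\PROGRA~1\Grisoft\AVG7\avgw.exe" /RUNONCE',
    "Helper": r"rundll32 C:\WINDOWS\system32\shell32.dll,Control_RunDLL",
    "xkfwjq": r"rundll32 C:\WINDOWS\system32:infjgwk.dll,Init 1",
}

if __name__ == "__main__":
    for hit in find_ads_autoruns(read_hklm_run() or SAMPLE_RUN_VALUES):
        print(f"{hit['name']}: stream '{hit['stream']}' on {hit['host']} (entry {hit['entry']})")
```

A normal DLL path such as system32\shell32.dll has no second colon and is not flagged, so the check separates the ADS-hosted loader from ordinary rundll32 entries.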

MaxPalmaAuthor Commented:
CrazyOne... thanks, I must have missed that website for info. But there is the question of the name: it is close and the information seems to be the same, but this is "Afcore.AI" and it seems to be a variant of the BackDoor virus. I'm a bit nervous about going into the registry and/or having the Trojan "uninstall" itself. What if this causes it to replicate or destroy the file system that it has embedded itself into so deeply?

Your input is greatly valued!!
