Help in removing Trojan horse BackDoor.Afcore.AI

I can't seem to remove the Trojan BackDoor.Afcore.AI.  I'm using AVG antivirus, TrojanHunter, Adaware.. and a few others.  The only one to find it is AVG.. but, only during boot up.

C:\WINDOWS\system32:infjgwk.dll.  I know it's in the system stream of NTFS.

I'm running Windows Server 2003 Standard with all service patches installed.

It does not load I'm guessing, since during boot, the pop-up from AVG Resident Shield says not.

But, it needs to go away!

Yeah I noticed that too, weird

Trojan Information:  Aflooder
A number of students have had their Windows systems compromised by this Trojan program, which apparently uses a vulnerability in Internet Explorer to install itself when you visit certain websites. Exact details about the origins of this program are not available, but this program is designed to allow hackers to take control of a compromised machine and possibly use it to send out spam.

Because this program uses a special technique to embed its active code into the structure of a folder (not as a file inside the folder, but as a part or property of the folder itself), it is unclear if any anti-virus software or tools currently available can remove this tool. Fortunately, the trojan can be removed manually if you carefully follow the steps listed below. These steps involve using the Registry Editor utility in Windows--if you are unfamiliar with the Registry Editor, you may want to consult the Help Desk web page on using the Registry Editor:

Click on the Start button on your desktop, go to Run, type in regedit and click OK.

The Registry Editor window will open. Navigate to the following registry folder: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run (You do this by clicking on the "+" sign next to the Hkey Local Machine folder, then the "+" sign next to Software, then Microsoft, then Windows, then Current Version, and then click on the actual Run folder).

In the Run folder, you will see a number of entries for programs that are started automatically when Windows starts. Look for an entry that looks like this:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

The xxxxxxx.dll could be any set of letters and numbers ending with ".dll", as this trojan creates this filename randomly. Write down the exact name of this filename.

Leave the Registry Editor window open exactly where it is, but click on the Start button again, and again choose Run.

In the Run text box, type in the following command (replacing xxxxxxx.dll with the filename you wrote down in step 3):

rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall

This command is case sensitive, so all of the letters in the command and file name must match.

Click the OK button. You should see a window indicating that Aflooder (or AF) is being uninstalled (if there is an OK button to click to proceed, click it).

When it seems that the uninstall has finished, click back on the Registry Editor window. It should still be displaying the contents of the Run folder as it was in step 3. Hit the F5 key on your keyboard to refresh the contents of that Run folder. You may see that the entry you saw in step 3 has disappeared now that the uninstall has taken place. If it has not, click once on that entry:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1 highlight it, then hit the Delete key on your keyboard to delete it. If you are asked if you are sure you want to do this, choose Yes.

Close the Registry Editor window, and reboot your computer. Aflooder should now be removed.

Trend Micro, an anti-virus software vendor, claims that you can avoid being re-infected with this trojan by installing the following Internet Explorer security patch: We suggest that you download and install that patch, as it may indeed prevent re-infection.

If Aflooder changed your Internet Explorer home page to, make sure to change it back to normal. The home page setting for Internet Explorer can be found by clicking on Tools on the menu bar, then Internet Options.

Afcore is a backdoor Trojan program that appears as a Windows application file (.dll file) with a size of about 110KB. The Trojan has numerous functions that give 'evildoers' almost full control of victim computers.

Infected message body text contains the following:

If you read this, then this program was probably stolen from our laboratory. Author of this software is not responsible for any harm that may be caused by incompetent or malicious persons who use this software possibly running on your machine. Therefore, please remove this software as soon as possible. Click the "Start" menu, select "Run", enter there: rundll32 ,Uninstall and click "OK"
Upon being launched (executed) the backdoor program installs itself into the supplemental file stream of the NTFS that is associated with the system32 catalog system.

The backdoor registers itself into the system registry auto run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run (assigned name) =
 rundll32 (path to the backdoor program),(options)

The file name is formed from a combination of arbitrary symbols.

The backdoor program has several options that it can use:


To remotely uninstall itself from victim machines the backdoor uses the following command:

 rundll32 (disk):\%windir%\system32:(name of the backdoor.dll file),Uninstall

When the uninstall command is sent, the afcore virus uninstalls itself from the system registry and remains only in the file stream, no longer managed by the start system. To remove the afcore backdoor program from the file stream it is necessary to use a special utility.
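An added example, not code from any poster in this thread: a defender-side check for the persistence pattern both descriptions give, a Run value that launches rundll32 on a path containing the NTFS stream separator, followed by a listing of the named streams on that directory. It assumes PowerShell 3.0 or later for the -Stream parameter (which the asker's Windows Server 2003 does not have); the removal commands are left commented out.

```powershell
# Added example, not code from the thread. Assumes PowerShell 3.0+ (-Stream support);
# Windows Server 2003, as in the question, has no such cmdlet parameter.

# A Run value of the form "rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1":
# the ":" after the directory path is the NTFS alternate-data-stream separator.
$AdsAutorunPattern = '(?i)^\s*"?rundll32(?:\.exe)?"?\s+"?(?<dir>[A-Z]:\\[^:"]+):(?<stream>[^,\s"]+)"?\s*,\s*(?<entry>\S+)'

function Find-AdsAutorun {
    # Returns one object per Run value that launches a DLL out of a directory's named stream.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $cmd = [string]$reg.GetValue($name)
            if ($cmd -match $AdsAutorunPattern) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $name
                    Directory = [Environment]::ExpandEnvironmentVariables($Matches.dir)
                    Stream    = $Matches.stream
                    Entry     = $Matches.entry
                    Command   = $cmd
                }
            }
        }
    }
}

function Get-DirectoryNamedStreams([string]$Path) {
    # Directories carry no unnamed :$DATA stream, so everything listed here is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}

$hits = @(Find-AdsAutorun)
if ($hits.Count -eq 0) { Write-Host 'No rundll32 autorun entries pointing at a named stream.' }
foreach ($h in $hits) {
    Write-Host "Suspicious autorun '$($h.ValueName)' in $($h.Key): $($h.Command)"
    foreach ($s in Get-DirectoryNamedStreams $h.Directory) {
        Write-Host ('  stream {0} on {1}, {2} bytes' -f $s.Stream, $h.Directory, $s.Length)
    }
    # Removal, once the stream has been copied off for analysis:
    #   Remove-ItemProperty -Path $h.Key -Name $h.ValueName
    #   Remove-Item -LiteralPath $h.Directory -Stream $h.Stream
}
```

Run it from an elevated prompt so HKLM and the system32 directory streams are readable; on a clean machine the first message is the only output.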
MaxPalmaAuthor Commented:
CrazyOne.. thanks for the help, I found that information, but it really does not help in removing the Trojan.  There are about a dozen sites out there that have the same information.  If you notice at the bottom of the information about the Trojan, it talks about "stream it is necessary to use a special utility"... The question is, what is that "utility"?

Remember we are talking about Windows Server 2003.. Most "utility" programs don't work for this version.. I know, cause I tried =)

MaxPalmaAuthor Commented:
CrazyOne... thanks, I must have missed that website for info.. but there is the question of the name is close and the information seems to be the same.  But this is "Afcore.AI"... and seems to be a variant of the BackDoor virus.  I'm a bit nervous about going into the registry and/or having the Trojan "un-install" itself.  What if this causes it to replicate or destroy the file system that it has embedded itself into deeply?

Your input is greatly valued!!
