chemdata
Guest
Posted: Tue Oct 28, 2003 3:08 am
Post subject: Trojan Horse, BackDoor.AFcore.Al

I am using the free version of AVG, and the AVG Resident Shield informed me that I had a virus called Trojan Horse, BackDoor.AFcore.Al, which was found in c:\WINDOWS\system32:ilidsmb.dll, and that I could remove it with AVG for Windows. I ran my version of AVG with no success. I also tried Norton and Trend with no success either. Does anyone have any ideas on what this virus is and how to get rid of it? Thanks.

BillC
1st Responder
Premium Member
Joined: Jun 25, 2003
Posts: 432
Location: Atlanta, Ga.
Posted: Tue Oct 28, 2003 10:40 am

After a quick search, I could not find a reference to the Backdoor Trojan you named, but it probably has other names that could lead us to a cure. If it is a trojan, try the online trojan scan at GFi's TrojanScan and see what it finds. You might find a fix there.

Jamming
Colonel
Premium Member
Joined: Jun 22, 2002
Posts: 1874
Posted: Tue Oct 28, 2003 11:31 am

You could also download a trial version of TrojanHunter, at: http://www.trojanhunter.com

paulus
Cadet
Joined: Oct 29, 2003
Posts: 1
Location: USA
Posted: Wed Oct 29, 2003 3:10 pm
Post subject: same trojan backdoor.afcore.al in my system

I have the same trojan in my system, and it was recognized by AVG. It was found in the c:\windows\system32:bchcoxe.dll file.
I tried TrojanHunter, but it didn't find any trojan.
I also tried the removal information for backdoor.afcore.q, but no result.
I would be very pleased if there is any solution for this.

claire
Site Moderator
Premium Member
Joined: Apr 21, 2002
Posts: 4766
Location: Belgium
Posted: Wed Oct 29, 2003 4:12 pm

Could you send this file to ?
Magnus will try to examine the file and will tell you how to remove it with Trojan Hunter (he will make a new ruleset if necessary).

BillC
1st Responder
Premium Member
Joined: Jun 25, 2003
Posts: 432
Location: Atlanta, Ga.
Posted: Wed Oct 29, 2003 8:40 pm

I've looked and still cannot find anything on either of these .dlls. It must be a newbie in the trojan arena. Mind you, I'm not an expert, but if you were to post a HijackThis log here, I'd like to see it. Others may have some ideas from viewing the log too.
You can find HijackThis here. Open it, hit scan, and then post the log here. I'm not at all sure I can help, but I will give it a go.

Chemdata
Guest
Posted: Sat Nov 01, 2003 4:55 am

I tried all the other suggestions without success, so I thought I would try the "Hijack This" suggestion. The HijackThis logfile follows. I think I see the file I should delete, but I think I will let the experts make that decision. Thanks for the help.

Logfile of HijackThis v1.97.3
Scan saved at 2:48:50 AM, on 11/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Program Files\SETI@home\[email protected]
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\My Documents\MyDownloads\AVG70\Hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [jljdsmb] rundll32 C:\WINDOWS\System32:jljdsmb.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mid%20: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/...acscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...6062037037
O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/Ticker.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Templ...s/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5DB4D1B-71EB-4071-B6A0-E3DB83F163B3}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE38BA05-C777-4C5C-9AFE-4410CCDA0D43}: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE11E91D-23E9-40CF-A89D-2D97BAB4CCD1}: NameServer = 69.57.146.14
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 69.57.146.14

phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"
Posted: Sat Nov 01, 2003 5:06 am

This one looks like a delete... don't delete it completely yet... keep it in the backup section of HijackThis... but before you do this go to Panda... and run their online stuff...
Check our links here first:
http://www.computercops.biz/postt4639.html
Then go to Panda:
http://www.pandasoftware.com/virus_info/

BillC
1st Responder
Premium Member
Joined: Jun 25, 2003
Posts: 432
Location: Atlanta, Ga.
Posted: Sat Nov 01, 2003 10:44 am

I've looked over your log and it looks clean to me except for this:
O4 - HKLM\..\Run: [jljdsmb] rundll32 C:\WINDOWS\System32:jljdsmb.dll,Init 1
Close all browsers, run HJT again, put a check beside the above entry, then click fix. Once done, reboot. See if that cures your ills.
Frankly, I've not seen this one before. Let us know if you have any other troubles.

Chemdata
Guest
Posted: Sat Nov 01, 2003 1:31 pm

Thanks. I will try the Panda site suggestion.
Before I proceed with the "Hijack This" removal, what happens when:
I don't delete it completely but put it in the backup section of Hijack?
When do I delete it completely?
When do I bring it back out of backup?
How do I know I should bring it back out of backup?
And what other questions should I have asked before proceeding with the "Hijack This" solution?

phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"
Posted: Sat Nov 01, 2003 1:39 pm

That's what I forgot... the entry Bill put in there... when we are sure that's the culprit, then we delete it... from HJT.

Chemdata
Guest
Posted: Sat Nov 01, 2003 9:14 pm

I would like to thank everyone for their suggestions and in particular Bill for his suggesting I try "Hijack This Here". I tried the Panda site and used their online virus scanner. Although it did not do anything with the backdoor.afcore.al, it was able to find five other viruses I had that Norton, Trend and AVG did not detect. The "Hijack This Here" worked great and was extremely easy to use. For now I think I am virus free. Once again, thanks for the help.

TonyKlein
Site Moderator
Joined: Oct 15, 2002
Posts: 5815
Location: Netherlands
Posted: Sun Nov 02, 2003 7:25 am

BillC wrote:
    Frankly, I've not seen this one before. Let us know if you have any other troubles.

It's the Aflooder trojan, and we've seen a lot of this one at Spywareinfo.com.
Generally, HijackThis will not be able to cope with this startup all by itself.
The dll has to be uninstalled first.
If no joy, here's some good information on how to get rid of this one:
http://www.helpdesk.umd.edu/virus/alerts/aflooder.shtml
Cheers,

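The entry Bill flagged has the form C:\WINDOWS\System32:jljdsmb.dll: the second colon names an NTFS alternate data stream attached to the System32 directory, so the DLL is invisible in an ordinary directory listing, which fits Tony's note that HijackThis cannot cope with it on its own. As an added example that is not from this thread or from HijackThis, the following Python script parses O4 autostart lines of the shape shown in the log above (sample lines constructed from that log) and flags any command whose path points into an alternate data stream:

```python
import re
from typing import Dict, List, Optional

# Constructed sample of HijackThis "O4" autostart entries, modelled on the
# log posted in this thread. Only the [jljdsmb] line is the Aflooder loader.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [jljdsmb] rundll32 C:\WINDOWS\System32:jljdsmb.dll,Init 1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
""".strip().splitlines()

O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# A normal Win32 path has exactly one colon, right after the drive letter.
# A second colon inside the last component (System32:jljdsmb.dll) names an
# NTFS alternate data stream: the file is stored in a hidden stream attached
# to the System32 directory. The optional ":$DATA" suffix is the explicit
# stream-type form of the same path.
ADS_RE = re.compile(r'^[a-z]:\\(?:[^\\:]*\\)*[^\\:]+:[^\\:]+(?::\$[a-z]+)?$', re.I)

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def path_tokens(cmd: str) -> List[str]:
    """Split a Run command into tokens, keeping quoted paths whole and
    dropping the ',EntryPoint' suffix that rundll32 appends to its DLL."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]
    return [t.split(",", 1)[0] for t in tokens]

def ads_target(cmd: str) -> Optional[str]:
    """Return the first token that is an alternate-data-stream path, if any."""
    for tok in path_tokens(cmd):
        if ADS_RE.match(tok):
            return tok
    return None

def find_ads_autostarts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the O4 entries whose command references an ADS-hosted file."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        target = ads_target(entry["cmd"])
        if target is not None:
            entry["ads_target"] = target
            entry["loader"] = path_tokens(entry["cmd"])[0].lower()
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_ads_autostarts(SAMPLE_O4_LINES):
        print(f"[{hit['name']}] loads {hit['ads_target']} via {hit['loader']}")
```

The same check can be run over a full log: every O4 line that survives it names a file that a normal scan of the directory will not show, and that is where a cleanup has to start.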
claire
Site Moderator
Premium Member
Joined: Apr 21, 2002
Posts: 4766
Location: Belgium
Posted: Sun Nov 02, 2003 8:01 am

Many thanks for this useful info, Tony Klein.

phoenix22
General
Premium Member
Joined: Mar 08, 2002
Posts: 4521
Location: "DEROS"
Posted: Sun Nov 02, 2003 10:15 am

You, TK... are a gift from above... many thanks... and we really appreciate you helping out in here... now if I could get PW to stop in once in a while and MHln... never mind, I was dreaming again... hmmmmm, or was it wishful thinking... anyhow I'll store that link in the kinks...

Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops