Re: backdoor.afcore.bb HELL

From: Shewman (shewman_at_sympatico.ca)
Date: 02/03/04


Date: Mon, 2 Feb 2004 22:33:00 -0500

OK, here's how I got rid of afcore.bb:

- uninstalled the offending DLL
- got rid of the existing anti-virus program AVG and had her install Norton
- Norton found 2 offending programs, AF.EXE and audio.exe
- reboot and now everything is fine.

"Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
news:u0WTgk%235DHA.2064@TK2MSFTNGP11.phx.gbl...
> The problem with some malware is it will recreate itself (with new *.dll
> names) as soon as it detects that one of its processes has been shut down
> or files have been deleted. There are two programmes, not just one... one of
> which is the classic malware, the other is a monitoring service that
> restarts the malware as soon as it detects the other is deleted, complete
> with new file names.
>
> I would use MSCONFIG and select 'diagnostic startup' to run only basic
> services. Then track down and nuke the malware and all associated files
> that I could find, using registry entries and MSCONFIG itself to track down
> as many associated files as I could find.
>
> I note that your friend is a long way away. I really don't think this is
> something that can be done remotely. If the reinfector is missed, you're
> back to square one.
>
> --
> _______________________________________
> Sandi - Microsoft MVP since 1999 (IE/OE)
> http://www.mvps.org/inetexplorer
>
> "Shewman" <shewman@sympatico.ca> wrote in message
> news:_cDSb.44891$mf4.1596318@news20.bellglobal.com...
> > Hi,
> >
> > I've got a friend who has this trojan. I can't get rid of it. Found it
> > in the registry and deleted the entries. Rebooted but the entries get
> > added again. Tried uninstalling the dll, ftdpwmk.dll, but I get access
> > denied. Every time I try another, i.e. view processes, her PC reboots.
> > Went into safe mode but I can't find the source file(s).
> >
> > I've tried searching google but didn't find anything. Also tried
> > searching Norton and sophos
> >
> > Anyone have any ideas??? It's an XP PC. Unfortunately, she's a couple of
> > hundred miles away. But I can remote into the PC.
> >
> > Thanks
> >
> >
> >
>
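Added example, not written by anyone in this thread: Sandi describes a payload that a companion process restores under a fresh file name as soon as it is deleted. One defender-side check for that behaviour is to snapshot the autostart entries and the hash of each referenced file before the cleanup and again after the reboot, then flag any file whose bytes are unchanged but whose name moved. The snapshots, paths (other than ftdpwmk.dll from the original post) and file contents below are constructed placeholders rather than live registry reads, and the matching is done by hash so that a changed value name does not hide the respawn.

```python
import hashlib
from typing import Dict, List, Tuple


def content_hash(data: bytes) -> str:
    """SHA-256 of a file's bytes; real tooling would read the file from disk."""
    return hashlib.sha256(data).hexdigest()


# Constructed Run-key snapshots (value name -> path): one taken before the
# cleanup attempt, one after the reboot. Only ftdpwmk.dll comes from the
# thread; every other name and all file contents are placeholders.
PAYLOAD = b"constructed payload bytes"
BEFORE: Dict[str, str] = {
    "SysMon": r"C:\WINDOWS\system32\ftdpwmk.dll",
    "AudioDrv": r"C:\WINDOWS\audio.exe",
    "Updater": r"C:\Program Files\Vendor\update.exe",
}
AFTER: Dict[str, str] = {
    "WinSys": r"C:\WINDOWS\system32\qzrtlbn.dll",   # same bytes, new name and value
    "AudioDrv": r"C:\WINDOWS\audio.exe",
    "Updater": r"C:\Program Files\Vendor\update.exe",
}
# Hash of each referenced file as observed in its snapshot (constructed).
HASHES: Dict[str, str] = {
    BEFORE["SysMon"]: content_hash(PAYLOAD),
    AFTER["WinSys"]: content_hash(PAYLOAD),
    r"C:\WINDOWS\audio.exe": content_hash(b"constructed watchdog bytes"),
    r"C:\Program Files\Vendor\update.exe": content_hash(b"constructed benign updater"),
}


def find_respawned(before: Dict[str, str], after: Dict[str, str],
                   hashes: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (old_path, new_path) pairs whose bytes are identical across the
    two snapshots but whose path changed: the trace a watchdog leaves when it
    rewrites the deleted payload under a new name."""
    by_hash_before = {hashes[p]: p for p in before.values() if p in hashes}
    by_hash_after = {hashes[p]: p for p in after.values() if p in hashes}
    return [(old, by_hash_after[h]) for h, old in by_hash_before.items()
            if h in by_hash_after and by_hash_after[h] != old]


def survivors(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Value names whose path is unchanged across the reboot; anything here
    that you did not recognise is the candidate monitoring service."""
    return [name for name, path in before.items() if after.get(name) == path]
```

Run on real data, both snapshots would come from an autostart enumeration taken on the machine itself, which is why Sandi's point about doing this hands-on rather than remotely still applies.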


