Re: backdoor.afcore.bb HELL

From: Gijs (Guest.1134cz_at_mail.webservertalk.com)
Date: 02/04/04

Date: Tue, 3 Feb 2004 21:54:05 -0600

Hi there!

I had the same problem, took me 3 hours to get rid of this nasty little
bastard! But if you know what to do, it will only take you 3 minutes :P

I copied this from another forum, it worked fine for me. Only remember
to log in as administrator, otherwise you'll get the message "access
denied"......took me half an hour to figure that out :P......me so
stupid.....I used Norton for a final scan to remove all infected files
or whatever they were.

Click on the Start button on your desktop, go to Run, type in regedit
and click OK.

The Registry Editor window will open. Navigate to the following
registry folder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (You do
this by clicking on the "+" sign next to the HKEY_LOCAL_MACHINE folder,
then the "+" sign next to Software, then Microsoft, then Windows, then
CurrentVersion, and then click on the actual Run folder).

In the Run folder, you will see a number of entries for programs that
are started automatically when Windows starts. Look for an entry that
looks like this:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

The xxxxxxx.dll could be any set of letters and numbers ending with
".dll", as this trojan creates this filename randomly. Write down the
exact name of this filename.

Leave the Registry Editor window open exactly where it is, but click on
the Start button again, and again choose Run.

In the Run text box, type in the following command (replacing
xxxxxxx.dll with the filename you wrote down in step 3):

rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall

This command is case sensitive, so all of the letters in the command
and file name must match. MAKE SURE THAT YOU ARE LOGGED IN AS
ADMINISTRATOR!!!! Otherwise you'll get the message "access denied".

Click the OK button. You should see a window indicating that Aflooder
(or AF) is being uninstalled (if there is an OK button to click to
proceed, click it).

When it seems that the uninstall has finished, click back on the
Registry Editor window. It should still be displaying the contents of
the Run folder as it was in step 3. Hit the F5 key on your keyboard to
refresh the contents of that Run folder. You may see that the entry you
saw in step 3 has disappeared now that the uninstall has taken place.
If it has not, click once on that entry:

rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1

...to highlight it, then hit the Delete key on your keyboard to delete
it. If you are asked if you are sure you want to do this, choose Yes.

Close the Registry Editor window, and reboot your computer. Aflooder
should now be removed.

Trend Micro, an anti-virus software vendor, claims that you can avoid
being re-infected with this trojan by installing the following Internet
Explorer security patch: http://tinyurl.com/33prq We suggest that you
download and install that patch, as it may indeed prevent re-infection.

If Aflooder changed your Internet Explorer home page to
www.surferbar.com, make sure to change it back to normal. The home page
setting for Internet Explorer can be found by clicking on Tools on the
menu bar, then Internet Options.

Gijs -
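Added example (not from Gijs's post or the forum it quotes): a read-only PowerShell audit of the Run key described above. The colon in `C:\Windows\System32:xxxxxxx.dll` is NTFS alternate data stream syntax, which is why the randomly named DLL does not show up as an ordinary file in System32; this script flags such rundll32 entries and lists the streams on the host directory so the exact name can be confirmed before any removal. It assumes PowerShell 3.0 or later and an elevated session; the function names are mine.

```powershell
# Added example: audit HKLM Run for rundll32 entries whose DLL lives in an
# alternate data stream ("dir:name.dll"), as in the Aflooder entry above.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Matches e.g. "rundll32 C:\Windows\System32:abc123.dll,Init 1":
# group 2 = directory carrying the stream, 3 = stream (DLL) name, 4 = entry point
$adsPattern = 'rundll32(\.exe)?\s+([A-Z]:\\[^:,\s]+):([^\\,\s]+\.dll),(\w+)'

function Get-SuspiciousRunEntries {
    $item = Get-Item -Path $runKey
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $adsPattern) {
            [pscustomobject]@{
                ValueName  = $name
                Command    = $value
                HostPath   = $Matches[2]
                StreamName = $Matches[3]
                EntryPoint = $Matches[4]
            }
        }
    }
}

function Get-DirectoryStreams {
    param([string]$Path = "$env:SystemRoot\System32")
    # ':$DATA' is the default stream of a file; anything else is an ADS.
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$hits = @(Get-SuspiciousRunEntries)
if ($hits.Count -eq 0) {
    Write-Host "No rundll32 entries with alternate-data-stream paths in $runKey"
} else {
    $hits | Format-Table -AutoSize
    # List the streams on each flagged directory so the stream name in the
    # Run entry can be matched against what is actually on disk.
    $hits | ForEach-Object { Get-DirectoryStreams -Path $_.HostPath } |
        Format-Table -AutoSize
}
```

Run it before and after the uninstall/reboot steps above to confirm both the Run value and the stream are gone.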
------------------------------------------------------------------------
Posted via http://www.webservertalk.com
------------------------------------------------------------------------
View this thread: http://www.webservertalk.com/message105803.html