Full Version: Backdoor.Coreflood
B.I.S.S. Forums > Internet Security Forum > Internet Security Discussion
Shadowrave
Last night I left my PC with ABC running, and when I wanted to start IE this morning I got a warning that I was infected with the Backdoor.Coreflood trojan, which was in C:\Windows\System32 (kbdgb1ee.dll). I turned System Restore off and tried to delete the file in safe mode, but neither I nor NAV 2002 can delete the file, and I couldn't even find the registry entry that is supposed to be there (Symantec website). When I turn Auto-Protect off I can use my computer, but when I enable it the processor gets flooded. Does anybody know what to do next?


I tried this trojan scan, http://www.windowsecurity.com/trojanscan/trojanscan.asp, but it didn't find anything.


Specs: NAV 2002, ZA Firewall Pro 4.5.538.000, running on Windows XP.



PS: Did I get it through the firewall or through ABC? I heard that ZA wasn't too good, but I forgot to change it.
pruttel
Hi shadowrave,
Try TDS-3.
You can download it at tds.diamondcs.com.au; don't forget to update the list once you've downloaded it.
TDS-3 should find the trojan and remove it!
Hope this helps!
Greetz
Shadowrave
Tried it; it found the file but couldn't delete it.
pruttel
Did you also scan in safe mode? Just a question... I'm not sure what to try next. I'm searching the internet,
maybe I'll find more...
respect

Maybe this can be useful:

http://support.microsoft.com/?kbid=263455
Shadowrave
I tried it in safe mode with the same result; I have System Restore off.

The log from TDS-3: Scan Control Dumped @ 19:09:26 05-07-04
Positive identification (DLL): RAT.Afcore.gen (dll)
File: c:\windows\system32\kbdgb1ee.dll



HijackThis log: Logfile of HijackThis v1.98.0
Scan saved at 18:57:41, on 5-7-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\1by1\1by1.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\taskmgr.exe
F:\downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.home.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: kbdgb1ee - {E6F8E625-7A04-4E7A-8DD5-A02D768A455D} - C:\WINDOWS\System32\kbdgb1ee.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://H:\content\include\XPPatchInstaller.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Everything works okay as long as I don't enable Auto-Protect on my NAV.
ghostofterror
QUOTE
The log from TDS-3: Scan Control Dumped @ 19:09:26 05-07-04
Positive identification (DLL): RAT.Afcore.gen (dll)
File: c:\windows\system32\kbdgb1ee.dll
[...]
O2 - BHO: kbdgb1ee - {E6F8E625-7A04-4E7A-8DD5-A02D768A455D} - C:\WINDOWS\System32\kbdgb1ee.dll
[...]

Shouldn't it be obvious? ...... Fix that and delete the file.
Shadowrave
Didn't see that, but after HijackThis deleted it and I started NAV up, it came back.
ghostofterror
You have to fix it AND delete the file.

You should be able to delete it now that HijackThis fixed it.
Moore
It's an Autoproxy trojan; you will have to find the executable file and the .dll to fully remove it.

HijackThis probably isn't capable of dealing with it; it's a browser hijack removal tool, not a trojan remover.

Did TDS-3 give you a reason why it couldn't delete the .dll file?

If the trojan is loaded into the memory space of explorer.exe, you'll need to unload it / uninstall it first before you can properly kill it too.

You may also be able to do this with TDS-3, System Safety Monitor or another process viewer type program.

-------------------------------------------------------------------------------

Here's a very good guide to removing the same type of trojan:
http://www.helpdesk.umd.edu/virus/alerts/aflooder.shtml

--------------------------------------------------------------------------------


Try downloading this below and set it up. It will give you some extra protection against trojans trying to get in and self-install, might help you track the executable file down if it ever launches again, and will give you a detailed view of your system files, including active .dll files.

http://maxcomputing.narod.ru/ssme.html?lang=en


#################################################

You could have a variant of this one below, but this information may help you track it down, as well as the link I posted above.

#################################################

Also known as: Backdoor/Apdoor, Backdoor.Apdoor (Kaspersky), Backdoor/Apdoor.Server, CoreFlood (McAfee), Backdoor.Coreflood (Symantec), Win32/CoreFlood.5120.Trojan, Win32/CoreFlood.DLL.20480.Trojan


CoreFlood is a backdoor trojan.

It consists of two components, a DLL that contains the core backdoor features and the executable that activates the DLL.

Once activated, CoreFlood copies itself to both the System directory and default Temporary directory, along with a DLL.

It then calls the DLL function "init" to start the backdoor service.

Once the DLL operates in the memory, the executable terminates.

The trojan uses randomly generated 7-character filenames.
For example, AOYXVPK.EXE and AOYXVPK.DLL

[Yours has an eight-character file name, so obviously a newer version...]

kbdgb1ee.dll


It creates a registry key to start itself on Windows restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\<trojan filename> = "%System%\<trojan filename>.exe"

Note: '%System%' is a variable location. The trojan determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.


Backdoor Functionality
The trojan DLL contains the main backdoor features. It has only one exported function, "init". Once the function is called, it creates an event. If the event already exists on the system, the trojan terminates. The event name varies from variant to variant. The following are known:

APCORE 02/17/03 17:46:14
AICORE 08/27/03 19:34:41

The trojan installs Windows hook procedures to Explorer.exe in order to monitor Windows messages directed to Explorer.exe.

Besides monitoring windows hook installations and windows messages, it also intercepts keyboard and mouse activities. The intercepted information is saved in a file under the user's temp directory. The filename is the same 7 random characters used for the executable.

Note: Due to the way it infects the system, to remove the trojan from system memory, Explorer.exe needs to be terminated before the trojan executable files can be removed.

It provides the following remote control functions:

configure the listening port number
set or kill timer
save log file changes to disk
clean up log file
terminate trojan process
restart trojan process
uninstall trojan process
retrieve local IP address
set ID to registry key "HKEY_LOCAL_MACHINE\SOFTWARE\autoproxy"
verify dial up connections
send back received commands
look for a window
connect to a URL

#####################################################


Other links on this trojan:

http://securityresponse.symantec.com/avcen....coreflood.html
http://www.lurhq.com/autoproxy.html
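As an added example (not code from the original thread, nor from HijackThis, TDS-3 or any other tool named in it), here is a small Python triage script that applies the Coreflood description above to a HijackThis log of the kind Shadowrave posted: it flags a BHO registered under its own 7- or 8-character file name from the system directory, a Run key that launches a same-named .exe from %System%, and any non-loopback hosts override. The sample input is constructed from the O1/O2/O4 lines of the posted log plus one hypothetical Run entry ("aoyxvpk", modelled on the AOYXVPK.EXE naming in the write-up) that is not in the posted log; the name checks are a heuristic, so every hit still needs manual confirmation.

```python
"""Triage a HijackThis-style log for the Coreflood-style indicators described
in this thread. Heuristic only: every hit still needs manual review."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the O1/O2/O4 lines from the HijackThis log posted
# in this thread, plus one hypothetical O4 entry ("aoyxvpk") modelled on the
# Run key and 7-character file name the write-up describes. That entry is NOT
# in the posted log; it is here only to exercise the executable check.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: kbdgb1ee - {E6F8E625-7A04-4E7A-8DD5-A02D768A455D} - C:\WINDOWS\System32\kbdgb1ee.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [aoyxvpk] C:\WINDOWS\System32\aoyxvpk.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# %System% on the platforms the write-up lists (trailing backslash included).
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\", "\\windows\\system\\")
# The write-up's 7-character random names, widened to 8 for the kbdgb1ee variant.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{7,8}$")


def parse_hijackthis(text: str) -> Dict[str, List[dict]]:
    """Collect the O1 (hosts), O2 (BHO) and O4 (Run key) entries of a log."""
    entries: Dict[str, List[dict]] = {"O1": [], "O2": [], "O4": []}
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in (("O1", O1_RE), ("O2", O2_RE), ("O4", O4_RE)):
            m = pattern.match(line)
            if m:
                entries[section].append(m.groupdict())
                break
    return entries


def split_path(path: str) -> Tuple[str, str, str]:
    """Return (directory with trailing backslash, stem, extension), lower-cased."""
    path = path.strip().strip('"').lower()
    directory, _, filename = path.rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    if not dot:  # no extension at all
        stem, ext = filename, ""
    return directory + "\\", stem, ext


def exe_from_command(cmd: str) -> str:
    """Drop launch arguments: '...\\smc.exe -startgui' -> '...\\smc.exe'."""
    cmd = cmd.strip().strip('"')
    idx = cmd.lower().find(".exe")
    return cmd if idx < 0 else cmd[: idx + 4]


def in_system_dir(directory: str) -> bool:
    return any(directory.endswith(d) for d in SYSTEM_DIRS)


def triage(text: str) -> List[dict]:
    """Return one finding per suspicious entry: kind, name, path, why."""
    entries = parse_hijackthis(text)
    findings: List[dict] = []

    # Run keys: value name equals the stem of a random-named .exe in %System%.
    run_stems = set()
    for e in entries["O4"]:
        exe = exe_from_command(e["cmd"])
        directory, stem, ext = split_path(exe)
        if (ext == "exe" and in_system_dir(directory)
                and RANDOM_NAME_RE.match(stem) and e["name"].lower() == stem):
            run_stems.add(stem)
            findings.append({"kind": "run-key", "name": stem, "path": exe,
                             "why": f"{e['hive']} Run key launches a random-named .exe from %System%"})

    # BHOs: display name equals the stem of a random-named .dll in %System%.
    for e in entries["O2"]:
        directory, stem, ext = split_path(e["path"])
        if (ext == "dll" and in_system_dir(directory)
                and RANDOM_NAME_RE.match(stem) and e["name"].lower() == stem):
            why = "BHO registered under its own file name from %System%"
            why += ("; matching Run-key .exe present" if stem in run_stems
                    else "; no matching Run-key .exe in this log")
            findings.append({"kind": "bho", "name": stem, "path": e["path"].strip(), "why": why})

    # Hosts overrides: anything not pointing at loopback deserves a look.
    for e in entries["O1"]:
        if e["ip"] not in ("127.0.0.1", "::1"):
            findings.append({"kind": "hosts", "name": e["host"], "path": e["ip"],
                             "why": "non-loopback hosts override; confirm it is intended"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']} -- {f['why']}")
```

Run against the posted log, only the kbdgb1ee BHO and the hosts line come up; the script reports that no same-named .exe appears in the Run keys, which matches what Shadowrave found when looking for the executable partner. On a real system, a hit like the BHO one still has to be confirmed by checking whether the DLL is loaded in explorer.exe before the file is deleted, as Moore's post explains.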
Shadowrave
TDS-3 just said it couldn't delete the file. I tried all of the solutions that you suggested but they didn't work. So then I set up another XP, and then I deleted the file, and all is good for now. After another scan I found an infected file, A0000016.dll, that was in C:\System Volume Information\_RESTO~1\RP1.
Strange that NAV didn't find that before.


If I only knew whether I got it from an install, from crappy ZA that didn't do its job, or through ABC itself.
Shadowrave
I just did a scan with TDS-3 and it found something in the ZA logs:



http://members.home.nl/paulussen/trojan.JPG


So I guess it was the firewall after all?
Can I track the one that did this?
Shadowrave
QUOTE
So I guess it was the firewall after all?

I switched to Sygate and it has already blocked a lot of scans on my PC and some MAC spoofing that was going on.
Also I found out that NAV directed me to another variant of the virus, so the registry keys that were on the Symantec page weren't there. It seems that it was a newer version, just like Moore said.
Moore
Hi Shadowrave, sorry I didn't see your last reply on the 7th. Good to know you've been able to hunt this thing down.

Good to see you are now running Sygate; it should give you a bit better protection as long as you have the advanced rules set up properly.

There are some handy links for Sygate in the firewall guide just in case:
http://www.bluetack.co.uk/forums/index.php?showtopic=770


Hey, did you download System Safety Monitor at all? This program will help catch any new system files / trojans that try to hook into other programs and processes, and then you can track them down and remove them.

SSM will also give you a better view of all the hidden processes, windows and system files that are currently in use or activated by your programs, and monitor your registry for changes, but first you will need to set up rules for your trusted programs, and then any trojan files will be easier to spot.

Let me know how things go.
Shadowrave
QUOTE
Good to see you are now running Sygate; it should give you a bit better protection as long as you have the advanced rules set up properly.



I have already put in a few IPs that were trying to scan my PC all the time. When I trace them with Sygate there are a lot of IPs on the screen I get, and it says "hop" above it, so I guess those are other infected PCs? I also seem to get a lot of MAC spoofing now.

I also got rid of the GRC keylogger that was in my registry, which SpySweeper found. There were also some kbdgb1ee keys in the registry that NAV didn't find.


QUOTE
Hey, did you download System Safety Monitor at all? This program will help catch any new system files / trojans that try to hook into other programs and processes, and then you can track them down and remove them.


I downloaded it, but it took me ages. I tried it and it is very handy. I had to shut it off because my memory was lacking; well, I guess XP and only 128 MB don't go together with NAV 2004 on it. Memory is on its way. Very handy program, I must say; I'm just looking at how I have to set up my rules for my programs. I have the latest beta version that was on the page.