After having removed the scardstp.dll file from my System32 folder and doing a full scan of my drives yesterday, I was relieved but still a bit worried. I’m aware that I have to edit my registry and delete the values added by Backdoor.Coreflood. I didn’t do it yesterday. I was too tired. I finally got around to doing it today.
Before doing anything to my registry I decided to check the Backdoor.Coreflood information page at Symantec Security Response again. I have checked that page so many times in the past few days, but I checked the page again nevertheless just to see if I had somehow missed something. To my surprise, I saw that the technical information and removal instructions had been updated on the 8th, i.e. yesterday. It was not updated yesterday when I had checked that info page. :confusion: Then again, it is the Symantec United States website. Mauritius is about 8 hrs or more ahead (time zone differences).
I noticed that they modified step 4:
4. Run a full system scan.
If any files are detected as infected with Backdoor.Coreflood, write down the full path to and the file name of the infected file or files.
Important: Do not skip this step. You will need the file names later in the removal.
Click Delete.
If your Symantec antivirus product reports that it cannot delete an infected file, proceed to section 5 (modifying the registry), then restart the computer and manually delete the file.
<-- This part has been added.
I did step 5 today, Reversing the Changes Made to the Registry.
5. Click Start > Run. Type regedit, then click OK.
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete any value that refers to any files that were detected as Backdoor.Coreflood.
<-- This was in the original Backdoor.Coreflood page. In fact, it was the only thing they said to delete in the registry. Since I did not have any registry entries that pointed to the dll file, I was quite at a loss about what to do the other day.
The updated part:
Note: Not all variants add an entry to this key.
Navigate to and select the key:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
Click Edit > Find.
In the “Find what” box, type the file name of the .dll file that was detected as Backdoor.Coreflood in section 4.
If you find an entry of the form:
"(Default)"="%System%\<detected file name>.dll" in the registry key:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}\InProcServer32, then write down the <random clsid> value.
Then, in the left pane, delete the subkey:
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{<random clsid>}
Next, click Edit > Find to repeat the search, as there may be more than one such key. Delete any that are found.
I found 05DCA568-15BF-76C1-DED2-FC2A429F800D on my first search
and
52F82601-784E-5F74-268B-21BF713CF7AA1BF713CF7AA on my second search.
I deleted them promptly.
I did the search again and in ComDlg32/OpenSave/MRU/*, I found the value i, with a path referring to that scardstp.dll file. I deleted that registry entry i and did another search. This time, in ComDlg32/OpenSave/MRU/dll, I saw another registry entry with a path to scardstp.dll. I deleted this one too. There was nothing mentioned about these two in the information page, but I’m confident I did the right thing. -crossed fingers-
Navigate to and delete the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{<random clsid>}
where {<random clsid>} matches one of the values found and deleted in the previous searches.
In my case, it was 52F82601-784E-5F74-268B-21BF713CF7AA1BF713CF7AA.
Navigate to and delete the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\<detected file name>
Note: <detected file name> should match the name of the infected dll file.
Mine was scardstp.dll, so I deleted
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\scardstp
Exit the Registry Editor.
Restart the computer.
If you could not delete any files in section 4, use Windows Explorer to locate and delete them.
<-- Since I had already deleted the dll file in System32, I did not have to do this again.
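Added example, not from this post or from Symantec’s page: a PowerShell script that walks the registry locations the removal steps above describe (the Run key, CLSID\InProcServer32 entries loading the DLL, the Browser Helper Objects key under the same CLSID, and the ShellIconOverlayIdentifiers key) and lists what it finds, deleting only when -Remove is passed. It assumes an elevated PowerShell on Windows and takes the scanner-reported file name as a parameter; the OpenSave MRU values mentioned above are file-dialog history rather than a load point, so the script leaves them alone.

```powershell
# Added example (not from the blog post or Symantec's page): find the registry
# references that the Coreflood removal steps describe and list them; nothing is
# deleted unless -Remove is given. Assumes an elevated PowerShell on Windows.
param(
    [string]$DllName = 'scardstp.dll',   # file name reported by the scanner (from the post)
    [switch]$Remove
)
$explorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$targets  = @()   # collected first so the listing can be reviewed before deleting

# Run key: values whose data refers to the detected file (not every variant adds one).
$run = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-Item $run -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($n in $runKey.GetValueNames()) {
        if ([string]$runKey.GetValue($n) -match [regex]::Escape($DllName)) {
            $targets += @{ Kind = 'value'; Path = $run; Name = $n; Note = 'Run entry' }
        }
    }
}

# CLSID keys whose InProcServer32 default value loads the DLL, plus the BHO key
# registered under the same CLSID.
foreach ($clsid in Get-ChildItem 'HKLM:\Software\Classes\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = Get-Item "$($clsid.PSPath)\InProcServer32" -ErrorAction SilentlyContinue
    if (-not $inproc) { continue }
    $server = ([string]$inproc.GetValue('')).Trim('"')
    if ($server -and [IO.Path]::GetFileName($server) -ieq $DllName) {
        $targets += @{ Kind = 'key'; Path = $clsid.PSPath; Name = ''; Note = "InProcServer32 = $server" }
        $bho = "$explorer\Browser Helper Objects\$($clsid.PSChildName)"
        if (Test-Path $bho) { $targets += @{ Kind = 'key'; Path = $bho; Name = ''; Note = 'BHO' } }
    }
}

# ShellIconOverlayIdentifiers key named after the DLL; the post found it without the extension.
foreach ($n in @($DllName, [IO.Path]::GetFileNameWithoutExtension($DllName))) {
    $ov = "$explorer\ShellIconOverlayIdentifiers\$n"
    if (Test-Path $ov) { $targets += @{ Kind = 'key'; Path = $ov; Name = ''; Note = 'icon overlay handler' } }
}

if (-not $targets) { Write-Host "No registry references to $DllName found."; return }
foreach ($t in $targets) {
    Write-Host ('{0,-5} {1} {2}  [{3}]' -f $t.Kind, $t.Path, $t.Name, $t.Note)
    if ($Remove) {
        if ($t.Kind -eq 'value') { Remove-ItemProperty -Path $t.Path -Name $t.Name }
        else { Remove-Item -Path $t.Path -Recurse }
    }
}
```

Run it once without -Remove to review the list, then rerun with -Remove and restart before deleting the DLL itself, matching the order of the steps above.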
Now the next thing I’m gonna do is download ZoneAlarm. In the free version I get the option of trying ZoneAlarm Pro for 15 days and then switching to the free version after the 15-day trial. Maybe I’ll keep on using ZoneAlarm Pro. I really need a good firewall. My brother David and my friend James recommended ZoneAlarm.
My previous entries related to this:
link 1
link 2



that’s odd. I know other people who got hit by the virus and they managed to remove it fine by following the instructions.
sorry for not being able to help you get rid of it.
any simple way to remove/kill the backdoor.coreflood virus as my computer has recently got hit… tried some of the above suggestions but it still didn’t work… thanks
Wow
you are venturing into the registry; if I were you, I would have simply downloaded the removal tool from Symantec
James: I have been fiddling about in the registry quite a few times now, always to get rid of trojans and viruses. Hopefully with ZoneAlarm, my computer will be protected. I’m not used to using ZoneAlarm yet. For some reason, it’s preventing me from using my FTP program. I will have to read the Help page in order to know how I’m supposed to configure ZoneAlarm.
Removal tool? There is no removal tool for Backdoor.Coreflood at Symantec. :confusion:
Well..ZoneAlarm Pro’s pretty good.. just get the CD key or crack the program by visiting the Astalavista page (if you haven’t gone there already)
ahaaaaa.. while surfin on the net.. i miraculously got on ur blog.. and *surprise* that was aline..
.. the registry thing and bla bla bla.. really impressed..
..
nice page to be honest.. and erm.. im impressed that u know much about computer stuffs
anyways.. hope u doing fine..
and going to Shanghai? eh? O.o.. but not shockin at all.. i mean u like asian things, according to ur MI page.. korean songs and stuffs..
anyways.. keep it up
-Dean
yep…Zonealarm would be a good move, also get Ad-Aware at http://www.lavasoftusa.com/ and AVG as an anti-virus (free) at Grisoft.com. I have had these for quite some time and have yet to have any major intrusions in my system or network. I run Ad-aware daily and remove all spyware. I also use Cleanup to free space up (found at http://cleanup.stevengould.org/)
2006! Can you believe this dumb virus is still around? Anyway, for me it was necessary to edit the registry, restart, and remove files after regedit all in SAFE MODE. Might be important for others as your page gets good ranking in Google for this issue. (Oh and thanks so much for the help on this!)