Can't get rid of Dyfuca!!! Help!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
Please help! I ran Spybot S&D, Panda, HijackThis, CWShredder... can't get rid of Dyfuca. Any suggestions??? I am running Windows XP. I really am not very technical so a simple solution is much appreciated. Thanks :)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi Nathalie Nar, Welcome to TSG!! :)

Create a permanent folder on your hard drive like c:\program files\hjt.
Download Hijackthis and save it to that folder.

Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log".

Copy and paste it back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
 

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
Here it is! What should I do next? I appreciate your help!



Logfile of HijackThis v1.98.2
Scan saved at 9:37:32 AM, on 26/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {0FF5095B-D7A3-40FE-96AA-5D349FC8DC56} - C:\WINDOWS\System32\phmd.dll
O18 - Filter: text/plain - {0FF5095B-D7A3-40FE-96AA-5D349FC8DC56} - C:\WINDOWS\System32\phmd.dll
O19 - User stylesheet: (file missing)
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
That is the shortest log I've ever seen! Did you post the entire log?

Run HJT again and put a check in the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {0FF5095B-D7A3-40FE-96AA-5D349FC8DC56} - C:\WINDOWS\System32\phmd.dll
O18 - Filter: text/plain - {0FF5095B-D7A3-40FE-96AA-5D349FC8DC56} - C:\WINDOWS\System32\phmd.dll
O19 - User stylesheet: (file missing)

Close all applications and browser windows before you click "fix checked".
 
Joined
Sep 9, 2001
Messages
601
Hi Nathalie

I don't think you gave us a complete log. After you run a "Scan", click on Edit > Select All, then Edit > Copy, then come back here and paste it in a reply.
 

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
I checked again and that's all there was. I also did what you said and I still could not get rid of Dyfuca... Any other suggestion? Thanks.
 
Joined
Apr 15, 2003
Messages
688
This is rather long, but probably necessary.

Information from Symantec

Name
Adware.NetOptimizer

Type:
Adware

Publisher:
Avenue Media

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected:
DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Removal:
Low

Damage:
Low

Summary

Behavior
Adware.NetOptimizer is a program that creates a connection to a server from which it downloads and displays advertisements.

Symptoms
The files are detected as Adware.NetOptimizer.

Transmission
This adware program must be manually installed. However, there are several known programs that have Adware.NetOptimizer within them and that install it as the program itself is installed.

Technical details:

File names: ioptiXXX.dll; nemXXX.dll; wsemXXX.dll
where XXX is a 3-digit number referring to the version of the software.

When the program runs, the "DyFuca Active Alert" program periodically displays advertisements. The program's End User License Agreement (EULA) states that the software may collate data relating to Web browsing habits and send it back to its controllers. The program can also dynamically update itself.

Removal instructions
Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

Uninstalling the Adware

A. Do one of the following:

* On the Windows 98 taskbar:
    o Click Start > Settings > Control Panel.
    o In the Control Panel window, double-click Add/Remove Programs.
* On the Windows Me taskbar:
    o Click Start > Settings > Control Panel.
    o In the Control Panel window, double-click Add/Remove Programs. If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
* On the Windows 2000 taskbar:
    o By default, Windows 2000 is set up the same as Windows 98, in which case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.
* On the Windows XP taskbar:
    o Click Start > Control Panel.
    o In the Control Panel window, double-click Add or Remove Programs.

B. Click "Internet Optimizer."

C. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

D. Repeat the above process for "Active Alert."

Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any value pertaining to DyFuca or "Internet Optimizer."

Exit the Registry Editor.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Download AdAware SE Personal: http://www.lavasoftusa.com/support/download/

Install the program and launch it.

On the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

In the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Reboot and post another log.
 

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
No more dyfuca!!! Thanks so much. The adaware got rid of that and much more. Any other programs I should run???
 
Joined
Sep 9, 2001
Messages
601
Nathalie Nar, I would also go here and download and install Spybot S&D and install it
http://www.majorgeeks.com/download2471.html

Then I would go here

http://www.majorgeeks.com/download4392.html

and download the DSO Exploit fix.

The DSO Exploit is a security gap in IE. Microsoft did already repair this, so if you have all Windows updates and patches installed, it will not be dangerous for your system. Spybot S&D will still find it, because it contains an invalid value. Spybot S&D just has to reset that value. Unfortunately, in the current version, it sets again an incorrect value, so it is found in the next scan. Please update your main program.
 

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
Logfile of HijackThis v1.97.7
Scan saved at 8:27:11 AM, on 30/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Natali\Desktop\HijackThis.exe

O2 - BHO: (no name) - {5E624714-6344-4E2D-9850-2AAC0BF6D866} - C:\WINDOWS\System32\klnlijn.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Here it is. I just ran AdAware SE again and it found a lot of CoolWebSearch. Does it ever go away? I find it comes back after a day or so.

Any other suggestions? I ran spybot and it no longer showed a threat.

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Somehow you have reverted back to the old version of HJT and you are running it from the desktop.

Delete all of your hijackthis shortcuts and the actual hijackthis.exe's.

Create a permanent folder on your hard drive for Hijackthis, like My Documents\HJT
Click on this link to download the new version of Hijackthis, then post a log using that version from your permanent folder.
 

Nathalie Nar

Thread Starter
Joined
Nov 26, 2004
Messages
100
Logfile of HijackThis v1.98.2
Scan saved at 1:35:01 PM, on 30/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0A631549-95F8-40D4-AC37-00178C9CF12E} - C:\WINDOWS\System32\jnab.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll
O18 - Filter: text/plain - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll

Did what you said, hope it's right. Does this make more sense? Also, how can I find my volume on my desktop? I seem to have lost it in this process. Thank you!!!!!!!!
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0A631549-95F8-40D4-AC37-00178C9CF12E} - C:\WINDOWS\System32\jnab.dll
O18 - Filter: text/html - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll
O18 - Filter: text/plain - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll

Close all applications and browser windows before you click "fix checked".


Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", click "Apply", then "OK".

Delete this file: C:\WINDOWS\System32\jnab.dll

Go to Start, Run, type %temp%, click OK
Delete the entire contents of this folder.

Empty your Temporary Internet Files and history in Internet Options.

Go to Internet Options, Programs
Click the "Reset Web Settings" Button to reset your home and search pages.

Reboot and post another log.
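
Added example, not part of any post in this thread and not HijackThis's own logic: a short Python triage of HijackThis entry lines that flags the entry types selected for fixing above (R0/R1 values pointing at a local file in Temp, unnamed O2 BHOs, O18 MIME filters) and reports any DLL referenced by both an O2 and an O18 entry. The heuristics and the names `parse` and `review` are assumptions made for illustration; the sample lines are copied from the 30/11/2004 v1.98.2 log.

```python
import re

# Entry lines copied from the 30/11/2004 v1.98.2 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Natali\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0A631549-95F8-40D4-AC37-00178C9CF12E} - C:\WINDOWS\System32\jnab.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll
O18 - Filter: text/plain - {24238360-9333-4D19-BEC5-F98DE7A74CC6} - C:\WINDOWS\System32\jnab.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")   # e.g. "O18 - Filter: ..."
DLL = re.compile(r"([A-Za-z]:\\[^\r\n]*?\.dll)\s*$", re.I)       # trailing DLL path

def parse(log):
    """Return (code, body) for each entry line; header and process-list lines are skipped."""
    return [(m["code"], m["body"]) for line in log.splitlines()
            if (m := ENTRY.match(line.strip()))]

def review(log):
    """Heuristic triage (assumption: covers only the entry types seen in this thread)."""
    findings, dll_sections = [], {}
    for code, body in parse(log):
        if (m := DLL.search(body)):
            # Remember which sections reference each DLL, case-insensitively.
            dll_sections.setdefault(m.group(1).lower(), set()).add(code)
        if code in ("R0", "R1") and "= file://" in body and "\\temp\\" in body.lower():
            findings.append((code, "IE search setting points at a local file in Temp"))
        if code == "O2" and "(no name)" in body:
            findings.append((code, "unnamed Browser Helper Object"))
        if code == "O18" and body.startswith("Filter:"):
            findings.append((code, "MIME filter on " + body.split(" - ")[0][8:]))
    # A DLL registered as both a BHO and a MIME filter is one component with two hooks.
    shared = sorted(d for d, codes in dll_sections.items() if {"O2", "O18"} <= codes)
    return findings, shared

if __name__ == "__main__":
    found, shared_dlls = review(SAMPLE_LOG)
    for code, reason in found:
        print(code, "-", reason)
    print("DLL in both O2 and O18:", shared_dlls)
```

The check keys on entry type rather than file name because the DLL name and CLSID differ in each log posted above (phmd.dll, klnlijn.dll, jnab.dll).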
 