Parasites: Dyfuca, blazefind, istbar.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Hottlips

Thread Starter
Joined
Sep 13, 2004
Messages
3
Win XP: Ran Ad-Aware and Spybot. HijackThis log enclosed, needs analysis.
NoAdware showed: Twain tech, Magic control, blazefind, dyfuca, istbar powerscan, dynamic desktop and ipinsight.

Xoftspy showed: dyfuca, proclaim telcom, twaintech, vx2 Better internet, winpup32, cws.mrhop, toprebates, adlogix, mainpean dialler and dynamic desktop.

* Xoftspy 3.44 seems to be more descriptive: Xoftspy didn't detect istbar.
It listed dyfuca as malware, Twaintech as Annoyance, Dynamic desktop as min threat.

* Noadware 2.01
dyfuca recorded as a dialler, Twaintech as Dangerous, Dynamic desktop as dangerous.

Which one above is more accurate?

Also windows\nem214.dll and wsem217.dll - are these deletable? Or replaceable? What are they for?

* Pal spyware remover detected only nem214.dll and Moneytree.

HijackThis log below needs to be analysed. Help!

Logfile of HijackThis v1.97.7
Scan saved at 8:32:32 p.m., on 12/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVirus\AVGUARD.EXE
C:\Program Files\AntiVirus\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVirus\AVGNT.EXE
C:\Program Files\Winad Client\Winad.exe
C:\WINDOWS\System32\mbiwdc.exe
C:\Program Files\Winad Client\WinClt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware\spywareremover\PAL SPYREM\spyrem.exe
C:\Program Files\Spyware\noadware\NoAdware\NoAdware.exe
C:\Program Files\Spyware\Hijack\HijackThis.exe

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\Spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AntiVirus\AVGNT.EXE /min
O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [QXELSGN] C:\WINDOWS\QXELSGN.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [ptvfryy] C:\WINDOWS\System32\mbiwdc.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...14f9bb93ddd5:061a5725d1c04e478de72640af5cb44d
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37663.0798032407
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


Really concerned about diallers.
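The two things the thread turns on are reading a HijackThis log for hijacker residue and, after the cleanup, posting a fresh log to see what is left. The script below is an added example (not from the thread, not HijackThis's own logic, and not the moderator's method) that does both on a constructed sample: it parses the R/F/O entry lines, applies a few read-only heuristics derived from the kinds of entries the moderator told the poster to fix (missing URLSearchHook, win.ini run= autostart, unnamed BHOs, an orphaned toolbar CLSID, Run values that are bare filenames or run straight from the Windows root, O16 ActiveX downloads from unexpected hosts), and diffs a "before" log against an "after" log to list what the cleanup removed. The trusted host list, the known-good BHO list and every heuristic are assumptions for illustration; the sample logs are a hand-picked subset of the lines in this thread's first and later logs.

```python
import re
from urllib.parse import urlparse

# One HijackThis entry line: "O4 - HKLM\..\Run: [name] command", "R3 - ...", "F1 - ...", etc.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Hosts whose O16 ActiveX (DPF) downloads are treated as expected (assumption for this example).
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "macromedia.com")
# Unnamed BHOs that belong to a known security tool rather than a hijacker (assumption).
KNOWN_GOOD_BHO_FILES = ("SDHelper.dll",)

# Constructed samples: a subset of lines from the thread's first (infected) and later (cleaned) logs.
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\Spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line; header and process lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body")))
    return out


def _last_field(body):
    """Last ' - '-separated field of an entry body: the loaded file path or the download URL."""
    return body.rsplit(" - ", 1)[-1].strip()


def flag_entry(code, body):
    """Return a short reason when an entry trips one of the (assumed) heuristics, else None."""
    if code == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed (typical hijacker residue)"
    if code == "F1" and "win.ini: run=" in body:
        return "legacy win.ini run= autostart: " + body.split("run=", 1)[1]
    if code == "O2" and body.startswith("BHO: (no name)"):
        path = _last_field(body)
        return None if path.endswith(KNOWN_GOOD_BHO_FILES) else "unnamed BHO loads " + path
    if code == "O3" and body.endswith("(no file)"):
        return "toolbar CLSID registered but its file is gone (orphaned toolbar)"
    if code == "O4":
        m = RUN_RE.match(body)
        if m:
            cmd = m.group("cmd").strip()
            # Isolate the executable: a quoted path, or the first token of an unquoted command.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe:
                return "Run value is a bare filename resolved via the search path: " + exe
            if re.match(r"(?i)^c:\\windows\\[^\\]+\.exe$", exe):
                return "executable launched straight from the Windows root: " + exe
    if code == "O16":
        host = (urlparse(_last_field(body)).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS):
            return "ActiveX (DPF) download from untrusted host " + host
    return None


def triage(log_text):
    """Map each flagged entry line ('CODE - body') to the reason it was flagged."""
    findings = {}
    for code, body in parse_entries(log_text):
        reason = flag_entry(code, body)
        if reason:
            findings[f"{code} - {body}"] = reason
    return findings


def removed_entries(before_text, after_text):
    """Entries present in the earlier log but absent from the later one, in original order."""
    after = set(parse_entries(after_text))
    return [e for e in parse_entries(before_text) if e not in after]


if __name__ == "__main__":
    for line, why in triage(BEFORE_LOG).items():
        print(f"FLAG {why}\n     {line}")
    print("entries removed by the cleanup:", len(removed_entries(BEFORE_LOG, AFTER_LOG)))
```

The script only reads text and changes nothing on the machine. Its limits are worth knowing: path heuristics catch `Win86.exe`, `win32x.exe`, `alchem.exe` and `QXELSGN.exe`, but an entry like `[ptvfryy] C:\WINDOWS\System32\mbiwdc.exe` sits in a legitimate directory and would pass, which is exactly why the moderator's reply relies on knowing the file names rather than on their location alone.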
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
All of the so-called spyware removers you have used, except for AdAware and Spybot, are not recommended for use as they either have a lot of false positives or are dangerous in themselves.

Run HijackThis, tick the entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press Fix Checked.

R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll (disabled by BHODemon)

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)

O4 - HKLM\..\Run: [sysu] "C:\progra~1\ddm\sysu.exe"
O4 - HKLM\..\Run: [QXELSGN] C:\WINDOWS\QXELSGN.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [ptvfryy] C:\WINDOWS\System32\mbiwdc.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...72 640af5cb44d
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ieplugin.CAB

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Delete these files

C:\WINDOWS\alchem.exe
C:\WINDOWS\System32\mbiwdc.exe
C:\WINDOWS\QXELSGN.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\WINDOWS\twaintec.dll
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\msbe.dll

and Delete these folders

C:\Program Files\Winad Client
C:\program files\ddm
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\Setup

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download


Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
The current ref file should read at least SE1R7 06.09.2004 or a higher number/later date.
Then click the "Scan" button and select full scan.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select All" from the drop-down menu), then press Next and say Yes to the prompt "Do you want to remove all these entries?". You can safely ignore any MRU entries though and not delete them.

reboot again

then post a new hijackthis log to check what is left
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Also update HJT to the latest version, 1.98.2, before posting a new log or fixing the above.
 

Hottlips

Thread Starter
Joined
Sep 13, 2004
Messages
3
Thanks for the instructions, will do shortly, but... I happened to try manual removal for Dyfuca. Action/results listed below.

Dyfuca manual removal: http://www.pestpatrol.com/PestInfo/d/dyfuca.asp

Follow these steps to remove DyFuCA from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:
Kill these running processes with Task Manager:
actalert.exe
c:\spedia\setup.exe
systemroot+\system32\ssupdate.exe
systemroot+\temp\thi6026.tmp\preinstt.exe
update.exe


Remove AutoRun Reference:

Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\safesurfingupdate, delete it and reboot the machine immediately.
Unregister DLLs:

Unregister these DLLs with Regsvr32, then reboot:
systemroot+\nem214.dll
systemroot+\wsem216.dll
wsem218.dll

Clean Registry:

Remove these registry items (if present) with RegEdit:
HKEY_CLASSES_ROOT\clsid\{d8e25c53-9508-4f5c-9249-d98d438891d5}
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj
HKEY_CLASSES_ROOT\dyfuca_bh.bhobj.1
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj
HKEY_CLASSES_ROOT\dyfuca_bh.sinkobj.1
HKEY_CLASSES_ROOT\safesurfinghelper.iebho
HKEY_CLASSES_ROOT\safesurfinghelper.iebho.1
HKEY_CLASSES_ROOT\typelib\{00211813-6223-4c6a-be8d-4d2676cd1361}
HKEY_CURRENT_USER\software\avenue media
HKEY_LOCAL_MACHINE\software\avenue media
HKEY_LOCAL_MACHINE\software\fci
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\safesurfingupdate
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\dyfuca
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer active alert
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer software installer
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\dyfuca
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\internet optimizer
HKEY_LOCAL_MACHINE\software\safesurfing\update




Remove Files:

Remove these files (if present) with Windows Explorer:
actalert.exe
c:\documents and settings\administrator\desktop\second thought.lnk
c:\spedia\setup.exe
systemroot+\nem214.dll
systemroot+\system32\ssupdate.exe
systemroot+\temp\thi6026.tmp\preinstt.exe
systemroot+\wsem216.dll
update.exe
wsem218.dll

after completing above...

Ran Spybot - came up clean.
AdAware – [email protected],[email protected]_bin.txt,[email protected],@z1.adserver.txt.
Spysweeper:

- Adware: Winad, BargainBuddy, Twain-tech powerscan, opensite, moneytree, Istbar, HotasHell and eaccelaration.
* HotasHell scanned as dialler.

Running s/ware: Twain Tech - twaintec.dll, Winad - winad.exe.

Cookie shield removed- [email protected],[email protected],@realmedia.txt,@maxserving.txt,@fastclicks.txt,@com.txt,@atwola.txt,@as-us.falkag.txt,@advertising.txt.

Xoftspy: 22 items found.
Adlogix, meanpean, vx2betterinternet, twaintech, proclaim telcom etc.
* I will check actual reg entries and if present I'll assume valid detection of the parasite - some not detected by other scan progs, i.e. Spybot.

* Will perform instructions by dvk01 later.
Xoftspy? Good or bad, see link http://netrn.net/spywareblog/archives/2004/04/29/xoftspy-dont-buy-heres-why/

Useful Spyware removal link

Thanks. Hope this has helped someone.
 

Hottlips

Thread Starter
Joined
Sep 13, 2004
Messages
3
After following instructions as given, ran...
Spybot - clean result
AdAware - surprisingly found traces of...
180Solutions(TAC index:8):6 total references
AdLogix(TAC index:6):1 total references
BargainBuddy(TAC index:8):19 total references
BlazeFind(TAC index:5):2 total references
BroadCastPC(TAC index:7):35 total references
CasinoPalazzo(TAC index:4):2 total references
CoolWebSearch(TAC index:10):42 total references
Dialer(TAC index:5):5 total references
DyFuCA(TAC index:3):7 total references
EGroup Dialer(TAC index:5):4 total references
EPSystems DialerMaker(TAC index:5):8 total references
istbar(TAC index:6):23 total references
Lop(TAC index:7):1 total references
MetaDirect(TAC index:5):1 total references
MRU List(TAC index:0):56 total references
Navpmc(TAC index:7):3 total references
Other(TAC index:5):11 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
SideFind(TAC index:5):4 total references
Tracking Cookie(TAC index:3):3 total references
VX2(TAC index:10):10 total references

Removed these as requested via AdAware. Rebooted and ran again.
Found...
BargainBuddy(TAC index:8):4 total references
BlazeFind(TAC index:5):2 total references
CoolWebSearch(TAC index:10):3 total references
Dialer(TAC index:5):3 total references
DyFuCA(TAC index:3):3 total references
EGroup Dialer(TAC index:5):1 total references
EPSystems DialerMaker(TAC index:5):8 total references
istbar(TAC index:6):2 total references
Lop(TAC index:7):1 total references
MRU List(TAC index:0):56 total references
Navpmc(TAC index:7):2 total references
SideFind(TAC index:5):1 total references
VX2(TAC index:10):5 total references
Removed as required.

Ran HijackThis log
Logfile of HijackThis v1.97.7
Scan saved at 7:57:06 p.m., on 16/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVirus\AVGUARD.EXE
C:\Program Files\AntiVirus\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVirus\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spyware\Hijack\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spyware\Spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AntiVirus\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37663.0798032407
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


Ran Xoftspy just to see... guess what...
1) AdLogix
2) AdLogix
3) Dynamic Desktop MediaName: software\ddm
4) MainPean DialerName: Software\Freeware
5) NCaseName: SOFTWARE\180solutions
6) NetPalName: typelib\{0cf28135-b1dc-4f50-ab58-7cf5701a6ed6}
7) NetPalName: software\microsoft\windows\currentversion\uninstall\npo
8) Winpup32Name: Interface\{48E59291-9880-11CF-9754-00AA00C00908}
9) Winpup32Name: Interface\{48E59292-9880-11CF-9754-00AA00C00908}
10) CWS.mrhopName:Software\Microsoft\Internet Explorer\Main\Local Page: C:\WINDOWS\System32\blank.htm
Scan Finished

None of these exist, as Spybot/AdAware SE came up clean.
1. Spy Sweeper came up with similar items as AdAware.
2. Found traces of Dyfuca still present even after I had manually removed all known traces of it. AdAware got the ones I missed.
3. Found Winad.exe still present but removed it via Spybot/AdAware.
4. Spysweeper came up close to AdAware for scan results. So with AdAware, Spybot and Spysweeper you can't go wrong. All I have to do is remove Xoftspy completely.

Thanks Dvk01. Have sent email to you.
 