Need help on DyfucDldr [Trj], for XP

Hello
Avast tells me that my computer (XP) is infected by 3 Trojans that other virus programs cannot find. Today I have used 4 different freeware anti-virus and trojan programs, namely AVG, Avast, SpyBot Search&Destroy and TrendMicro Free Online Virus Scan.

Now Avast is the only one that says I’m infected with the Trojans DyfucDldr-D, DyfucDldr-E and DyfucDldr-G. But Avast says it cannot remove these 3 Trojans.
They are located in files that I cannot find, in subdirectories of Temporary Internet Files. I can find those subdirectories in my MS-DOS prompt, but not in my Windows Explorer.

When I google for those 3 trojan names in languages that I speak: English, French, German, Dutch, I end up only in the Avast web-site.

1 Do other virus programs give them different names?
2 Are these 3 Trojans so little dangerous that other virus programs do not care?
3 Is there another way to remove the trojans from my computer?

Thanks
Fred

Hi,

  1. yes
  2. nope
  3. close all Programs & Browser windows; go to control panel → InternetOptions → General → Delete (Temp.Int.) files → Check OFFLINE files → Ok
    that’s it
  1. YES, there IS a board-search here: if you’d entered
    dyfucdldr
    into it, it would have told you all you’d need to know

  2. Search for… or enter the specific variant’s name HERE

  3. update to Spybot 1.3 and run online-update and then a full scan

:wink:

Hello WhoCares :wink:
Thank you for your fast reaction. However, I’m not out of trouble yet.
3 I did your suggestion 3, but it doesn’t solve the problem yet.
4 I read about a great many different anti-virus programs and SpyBot-like programs in the answers, but they mostly deal with other variants of DyfucDldr, such as B, A and F, so I do not yet know if that is the solution.
5 Google’s virus-search database seems to have never heard of DyfucDldr
6 I was already using Spybot 1.3 and there are no more recent updates available.

7 I hope you have some additional tips and tricks ? :wink:
Thx Fred

Hmmm Spybot removes DyFlUcA from computers
so why not this variant?

google is not everything !!
I find hits on each variant you listed via the VGREP-link, don’t you ?

did you clean the Temp-Int-files for EACH user ?
you probably get re-“infected” everytime you use your unsecured IE

disable ActiveX & scripting in IE, except for known secure sites

have you read all the VGREP-Links ?

This is Adware, so most conventional AV scanners won’t detect it (yet)

Hello
8 How do I clean the Temp-Int Files for all users?
I am the only user, but there are some other names
mentioned, such as administrator, each user, default user, owner.
9 How do I disable activeX and scripting in IE? I am using XP in the Dutch language (Netherlands), and when I look in the help, it doesn’t mention ActiveX and scripting, so it may have a different name in my language, but if you could mention the clicks and tabs to click, I will find it.
10 The Vgrep link gives a lot of paid anti-virus programs
and I am not so enthusiastic about paying when I am not sure it will kill my virus.
Tnx
Fred

Hi,
please post a hijackthis-log: www.lurkhere.com

and report the avast trojan-findings exactly with full path /filename

and PLEASE use the board search & google:
e.g.:
http://www.microsoft.com/windows/ie/using/howto/privacy/secprivessntl.asp

http://www.geocities.com/yosponge/browser.html

I tried to attach the hijackthis-log-file and the
avast4\data\log\warning.log file, but this seems to be too much, so I copy-paste it:
Thx Fred

24-5-2004 19:16:05 1085418965 NT AUTHORITY\SYSTEM 1388 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\WINDOWS\optimize.exe” file.
24-5-2004 19:57:00 1085421420 FEDDISK2004\Fedde 1820 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
24-5-2004 20:07:16 1085422036 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
24-5-2004 20:08:02 1085422082 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\optimize[1].exe” file.
24-5-2004 20:09:14 1085422154 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\TMFHHAOU\vviewer[1].cab\vviewer.ocx” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\optimize[1].exe.vir” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir” file.

Logfile of HijackThis v1.97.7
Scan saved at 12:36:10, on 26-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\aswUpdSv.exe
C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Conexant\CnxDslTb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\gffzclqt.exe
C:\PROGRA~1\ANTITR~1\Avast4\ashDisp.exe
C:\VirusTools\PerfectProcessAntiSpyware\ppshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Office97\Office\Winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Fedde\Local Settings\Temp\Tijdelijke map 1 voor hijackthis1977.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fedde’s Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B46C609-D9F8-4687-8A33-1E603D9A672C} - C:\WINDOWS\efnzr.dll
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTITR~2\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\CnxDslTb.exe
O4 - HKLM..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C44 Series” /O6 “USB001” /M “Stylus C44”
O4 - HKLM..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [bmzz] C:\WINDOWS\gffzclqt.exe
O4 - HKLM..\Run: [webHancer Survey Companion] “C:\Program Files\webHancer\Programs\whSurvey.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ANTITR~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Perfect Process shield] C:\VirusTools\PerfectProcessAntiSpyware\ppshield.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O9 - Extra button: PopupPopper Configuratiescherm (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.0066550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hi,

please read these instructions:

http://tomcoyote.com/hjt/
http://www.spywareinfo.com/~merijn/htlogtutorial.html

  1. move hijackthis.exe to a new, empty folder and rerun it from there, or you’ll lose backups…

  2. fix above items

  3. you have avast & avg-Tasks running at the same time; disable either AVG or avast
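The reply above says "fix above items" without spelling out which ones, and the avast log shows the same signatures hitting three very different places (the IE cache, the avast quarantine folder, and one file sitting in C:\WINDOWS). The script below is an added example, not code from the thread or from Alwil/HijackThis: it parses avast 4 warning.log lines and HijackThis O2/O4 entries, sorts each avast detection into "cache", "quarantine" or "live", and flags the HijackThis entries a reviewer would look at first (orphaned BHO registrations, and DLLs or autorun executables loaded straight out of the Windows directory root). The line format regexes and the "root of %WINDIR% is suspicious" rule are heuristics chosen for this example; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helpers for an avast 4 warning.log and a HijackThis 1.97 report.

Added example for this thread; the regexes describe the line formats as
they appear in the posted logs and are not an official specification.
"""
import re

# avast 4 warning.log, one detection per line:
#   <d-m-yyyy> <hh:mm:ss> <epoch> <account> <pid> Sign of "<sig>" has been found in "<path>" file.
# The account may contain spaces (NT AUTHORITY\SYSTEM), hence the non-greedy match.
AVAST_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<epoch>\d+) (?P<account>.+?) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>[^"”]+)["”] has been found in ["“](?P<path>[^"”]+)["”] file\.$'
)
# HijackThis entries of interest: Browser Helper Objects and Run-key autostarts.
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$')


def classify_path(path):
    """Where a detection lives decides what it means.

    cache      : a copy IE downloaded; cleared by deleting Temporary Internet Files
    quarantine : avast's own 'moved' chest (.vir); avast is re-scanning what it already neutralised
    live       : anything else; this is the file actually worth investigating
    """
    p = path.lower()
    if '\\temporary internet files\\' in p:
        return 'cache'
    if '\\avast4\\data\\moved' in p or p.endswith('.vir'):
        return 'quarantine'
    return 'live'


def parse_avast(text):
    records = []
    for line in text.splitlines():
        m = AVAST_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['where'] = classify_path(rec['path'])
            records.append(rec)
    return records


def summarize_avast(records):
    """Group detected paths by location class, keeping log order."""
    by_where = {}
    for r in records:
        by_where.setdefault(r['where'], []).append(r['path'])
    return by_where


def exe_from_cmd(cmd):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(?i)(.+?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd.split()[0]


def in_windir_root(path):
    """Heuristic: a binary directly in C:\\WINDOWS (not System32 or a vendor folder)
    is unusual for legitimate software and common for droppers of this era."""
    return re.match(r'(?i)^[a-z]:\\windows\\[^\\]+$', path.strip()) is not None


def triage_hijackthis(text):
    """Return (section, item, reason) tuples for entries worth fixing or checking."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if '(file missing)' in m['path']:
                findings.append(('O2', m['clsid'], 'orphaned BHO registration (file missing); safe to fix'))
            elif in_windir_root(m['path']):
                findings.append(('O2', m['path'], 'unnamed BHO loading a DLL from the %WINDIR% root'))
            continue
        m = O4_RE.match(line)
        if m:
            exe = exe_from_cmd(m['cmd'])
            if in_windir_root(exe):
                findings.append(('O4', exe, f'autorun "{m["key"]}" starts an executable from the %WINDIR% root'))
    return findings


# Sample input: lines copied from the avast and HijackThis logs posted in this thread.
SAMPLE_AVAST_LOG = r'''
24-5-2004 19:16:05 1085418965 NT AUTHORITY\SYSTEM 1388 Sign of "Win32:DyfucDldr-H [Trj]" has been found in "C:\WINDOWS\optimize.exe" file.
24-5-2004 19:57:00 1085421420 FEDDISK2004\Fedde 1820 Sign of "Win32:DyfucDldr-E [Trj]" has been found in "C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]" file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of "Win32:DyfucDldr-H [Trj]" has been found in "C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\optimize[1].exe.vir" file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of "Win32:DyfucDldr-G [Trj]" has been found in "C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir" file.
'''
SAMPLE_HJT_LOG = r'''
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1B46C609-D9F8-4687-8A33-1E603D9A672C} - C:\WINDOWS\efnzr.dll
O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTITR~2\SDHelper.dll (file missing)
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [bmzz] C:\WINDOWS\gffzclqt.exe
O4 - HKLM..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
'''

if __name__ == '__main__':
    for where, paths in summarize_avast(parse_avast(SAMPLE_AVAST_LOG)).items():
        print(f'{where}: {len(paths)} detection(s)')
        for p in paths:
            print('   ', p)
    for section, item, reason in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f'{section}: {item}: {reason}')
```

Run on the posted logs, only one avast detection is in a live location (C:\WINDOWS\optimize.exe); everything else is either a cached copy or avast rescanning its own quarantine, which is why "delete Temporary Internet Files" plus emptying the moved folder is the whole cleanup for those lines. The HijackThis pass surfaces efnzr.dll and gffzclqt.exe, the two unnamed components in the Windows root, alongside two orphaned BHO registrations that are harmless but worth removing.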

Thanx for the fast reaction.
I have much less pop-ups already, but I still have the Trojans. I show you both my log-files again.
I believe I disabled AVG, because I renamed the avgw.exe-file to avgw.e_e.

Logfile of HijackThis v1.97.7
Scan saved at 16:05:01, on 26-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\aswUpdSv.exe
C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\ANTITR~1\Avast4\ashDisp.exe
C:\VirusTools\PerfectProcessAntiSpyware\ppshield.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\VirusTools\HijackThis\ht04\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zonnet.nl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fedde’s Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 “EPSON Stylus C44 Series” /O6 “USB001” /M “Stylus C44”
O4 - HKLM..\Run: [AVG_CC] C:\PROGRA~1\GRISOF~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ANTITR~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Perfect Process shield] C:\VirusTools\PerfectProcessAntiSpyware\ppshield.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O9 - Extra button: PopupPopper Configuratiescherm (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37949.0066550926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

26-5-2004 15:44:12 1085579052 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
26-5-2004 15:45:45 1085579145 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\TMFHHAOU\vviewer[1].cab\vviewer.ocx” file.
26-5-2004 15:48:49 1085579329 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir” file.
26-5-2004 15:48:49 1085579329 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir” file.
26-5-2004 16:00:24 1085580024 NT AUTHORITY\SYSTEM 1600 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir.vir” file.
26-5-2004 16:00:34 1085580034 NT AUTHORITY\SYSTEM 1600 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir.vir” file.

you do have the trojans, but they are inactive

just delete the files:

  • close all programs & browser windows, then go ControlPanel-InternetOptions-General-Delete files- check OFFLINE files → OK
  • delete the files in the MOVED folder manually or with avast (P.S.: you moved them there yourself!)

maybe you have to pause avast shield for this

if you still get them in the Temp-Int-files, you didn’t configure your IE-Browser securely enough;
please reread above links on this (the blue lines in my postings)

I did what you advised and it still doesn’t work.
Your conclusion is that I didn’t configure my IE-Browser securely enough. How do I configure it securely enough? Just re-install IE ? Or re-install XP?

WHAT doesn’t work ??
you can’t delete the files because they’re locked, you can’t find them, they reappear, or…?
Most of us here are not clairvoyant
Please post what you did, what didn’t work, and new scanreport

Did you at least manage to delete the files in:
Avast4\DATA\moved ?
Try deletion in SafeMode (F8-Boot)


Secure IE:
you do know that the blue lines in the above postings are web-links, which you can click and read ?

and PLEASE use the board search & google: e.g.: http://www.microsoft.com/windows/ie/using/howto/privacy/secprivessntl.asp

http://www.geocities.com/yosponge/browser.html

:wink:

did you follow these instructions ?
disabled activeX & scripting etc etc…?