Hello
Avast tells me that my computer (XP) is infected by 3 Trojans that other virus programs cannot find. Today I have used 4 different freeware anti-virus and trojan programs, namely AVG, Avast, SpyBot Search & Destroy and Trend Micro Free Online Virus Scan.
Now Avast is the only one who says that I’m infected with the Trojans DyfucDldr-D, DyfucDldr-E and DyfucDldr-G. But Avast says it cannot remove these 3 Trojans.
They are located in files that I cannot find, which are located in subdirectories of Temporary Internet Files. I can find those subdirectories in my MS-DOS prompt, but not in Windows Explorer.
When I google for those 3 trojan names in languages that I speak (English, French, German, Dutch), I end up only on the Avast website.
1 Do other virus programs give them different names?
2 Are these 3 Trojans of so little danger that other virus programs do not care?
3 Is there another way to remove the trojans from my computer?
Hello WhoCares
Thank you for your fast reaction. However, I’m not out of trouble yet.
3 I did your suggestion 3, but it doesn’t solve the problem yet.
4 I read about a great many different anti-virus programs and SpyBot-like programs in the answers, but they mostly deal with other variants of DyfucDldr, such as B, A and F, so I do not yet know if that is the solution.
5 Google's virus-search database seems to have never heard of DyfucDldr.
6 I was already using SpyBot 1.3 and there are no more recent updates available.
7 I hope you have some additional tips and tricks?
Thx Fred
Hello
8 How do I clean the Temp-Int Files for all users?
I am the only user, but there are some other names mentioned, such as administrator, each user, default user, owner.
9 How do I disable activeX and scripting in IE? I am using XP in the Dutch language (Netherlands), and when I look in the help, it doesn’t mention ActiveX and scripting, so it may have a different name in my language, but if you could mention the clicks and tabs to click, I will find it.
10 The Vgrep link gives a lot of paid anti-virus programs, and I am not so enthusiastic about paying when I am not sure it will kill my virus.
Tnx
Fred
I tried to attach the hijackthis-log-file and the avast4\data\log\warning.log-file, but this seems to be too much, so I copy-paste it:
Thx Fred
24-5-2004 19:16:05 1085418965 NT AUTHORITY\SYSTEM 1388 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\WINDOWS\optimize.exe” file.
24-5-2004 19:57:00 1085421420 FEDDISK2004\Fedde 1820 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
24-5-2004 20:07:16 1085422036 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
24-5-2004 20:08:02 1085422082 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\optimize[1].exe” file.
24-5-2004 20:09:14 1085422154 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\TMFHHAOU\vviewer[1].cab\vviewer.ocx” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\optimize[1].exe.vir” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir” file.
24-5-2004 20:18:40 1085422720 FEDDISK2004\Fedde 804 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir” file.
Logfile of HijackThis v1.97.7
Scan saved at 12:36:10, on 26-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Thanx for the fast reaction.
I have much less pop-ups already, but I still have the Trojans. I show you both my log-files again.
I believe I disabled AVG, because I renamed the avgw.exe-file to avgw.e_e.
Logfile of HijackThis v1.97.7
Scan saved at 16:05:01, on 26-5-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
26-5-2004 15:44:12 1085579052 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
26-5-2004 15:45:45 1085579145 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\TMFHHAOU\vviewer[1].cab\vviewer.ocx” file.
26-5-2004 15:48:49 1085579329 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir” file.
26-5-2004 15:48:49 1085579329 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir” file.
26-5-2004 16:00:24 1085580024 NT AUTHORITY\SYSTEM 1600 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved[UPX].vir.vir” file.
26-5-2004 16:00:34 1085580034 NT AUTHORITY\SYSTEM 1600 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir.vir” file.
close all programs & browser windows, then go ControlPanel-InternetOptions-General-Delete files- check OFFLINE files → OK
delete the files in the MOVED folder manually or with avast (P.S.: you moved them there yourself!)
maybe you have to pause avast shield for this
if you still get them in the Temp-Int-files, you didn’t configure your IE-Browser securely enough;
please reread above links on this (the blue lines in my postings)
I did what you advised and it still doesn’t work.
Your conclusion is that I didn’t configure my IE-Browser securely enough. How do I configure it securely enough? Just re-install IE? Or re-install XP?
WHAT doesn’t work ??
you can’t delete the files because they’re locked, you can’t find them, they reappear or or or…?
Most of us here are not clairvoyant
Please post what you did, what didn’t work, and new scanreport
Did you at least manage to delete the files in:
Avast4\DATA\moved ?
Try deletion in SafeMode (F8-Boot)
Secure IE:
you do know that the blue lines in the above postings are web-links, which you can click and read?
and PLEASE use the board search & google:
e.g.:
http://www.microsoft.com/windows/ie/using/howto/privacy/secprivessntl.asp
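
Added example, not part of any post in this thread and not Avast's own tooling: a small Python triage of the warning.log lines posted above, separating hits inside Avast's own `DATA\moved` folder (copies already moved there, which the scanner re-detects) from hits in the IE cache or elsewhere on disk. The field layout is inferred from the posted lines only; the number before "Sign of" is treated as an opaque field, and the bucket names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the warning.log excerpts posted in this thread.
SAMPLE = r"""
24-5-2004 19:16:05 1085418965 NT AUTHORITY\SYSTEM 1388 Sign of “Win32:DyfucDldr-H [Trj]” has been found in “C:\WINDOWS\optimize.exe” file.
26-5-2004 15:44:12 1085579052 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-E [Trj]” has been found in “C:\Documents and Settings\Fedde\Local Settings\Temporary Internet Files\Content.IE5\QVE3MLE3\install[1][UPX]” file.
26-5-2004 15:48:49 1085579329 FEDDISK2004\Fedde 1180 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir” file.
26-5-2004 16:00:34 1085580034 NT AUTHORITY\SYSTEM 1600 Sign of “Win32:DyfucDldr-G [Trj]” has been found in “C:\Program Files\AntiTrojan_AlwilSoftware\Avast4\DATA\moved\vviewer.ocx.vir.vir” file.
""".strip().splitlines()

# Layout inferred from the posted lines: date, time, epoch seconds, account
# (may contain a space), an opaque number, signature name, file path.
# Both typographic and straight quotes are accepted.
LINE = re.compile(
    r'^(?P<date>\d{1,2}-\d{1,2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) '
    r'(?P<user>.+?) (?P<num>\d+) Sign of [“"](?P<sig>.+?)[”"] '
    r'has been found in [“"](?P<path>.+?)[”"] file\.$'
)

def classify(path):
    """Bucket a detection by where the file lives (bucket names are hypothetical)."""
    p = path.lower()
    if r"\avast4\data\moved" in p:
        return "quarantine"      # copies already moved aside by the scanner
    if "\\temporary internet files\\" in p:
        return "ie_cache"        # downloaded again by the browser
    return "elsewhere"           # present on disk outside cache and quarantine

def triage(lines):
    """Return {bucket: sorted unique (signature, path) pairs}; skips unparsable lines."""
    buckets = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        buckets[classify(m["path"])].add((m["sig"], m["path"]))
    return {k: sorted(v) for k, v in buckets.items()}

if __name__ == "__main__":
    for where, hits in triage(SAMPLE).items():
        print(where)
        for sig, path in hits:
            print("   ", sig, "->", path)
```

Only the `ie_cache` and `elsewhere` buckets point at files that still need cleaning; a growing `quarantine` bucket with stacked `.vir.vir` names means already-moved copies are being scanned again.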