Downloader.Dyfica.H AND Downloader.Dia.A

Discussion in 'adware, spyware & hijack cleaning' started by JaynaD, Dec 26, 2003.

Thread Status:
Not open for further replies.
  1. JaynaD
    Offline

    JaynaD Registered Member

    Greetings;

    My husband turned on our computer xmas morning to find our AVG Anti-Virus had detected a virus, which it could not remove.
    I have run various online scans on the system, and none of them have detected the virus'.
    A google search for the names of the 2 virus' in this posts' title has let me find out I need to post a HiJack This log, and get some kind-hearted computer deity to sort me out.

    I've have run Ad-Aware (updated), and SpyBot (updated), which had me reboot to remove some of the icky things, and now I have my HiJack this log.

    As a side note, my husband went out today and bought the T3 Tungsten he's been saving for, and his &*^$%$ of a wife (me) won't let him install his software until the virus' are gone, so if someone could analyse my log ASAP, you will be making my life a lot less grump-filled. :)

    Also, our Outlook Express mail program has been locking up when we launch it for about 2 weeks. We've been accessing our server online to read our mail, because reinstalling the program hasn't worked. Perhaps the clue to our troubles with Outlook also lie in this log?

    Thank you in advance for your help.
    JaynaD

    *******************

    Logfile of HijackThis v1.97.7
    Scan saved at 12:29:18 PM, on 26/12/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACMONITOR_X73.EXE
    C:\PROGRAM FILES\LEXMARKX73\ACBTNMGR_X73.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    D:\ACTIVE PROGRAM FILES\ZONE ALARM\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\DVZCOMMON\DVZMSGR.EXE
    C:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ACTIVE PROGRAM FILES\ADOBE\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GAMEBAR\GAMEBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QAGENT] C:\PROGRAM FILES\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
    O4 - Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: ZoneAlarm.lnk = D:\Active Program Files\Zone Alarm\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37702.716087963
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://www.ultrasoft.com/money/oneclick/setup.exe
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0450e68e4af28412e600/netzip/RdxIE601.cab
    O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/kontiki/kontiki/current/kdx.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4311/mcfscan.cab
  2. Doc Watson
    Offline

    Doc Watson Registered Member

    I'm not certain I can be of much help with this one, but the thing that stood out in your log were the Google Toolbar entries.

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\ACTIVE PROGRAM FILES\ADOBE\READER\ACTIVEX\ACROIEHELPER.DLL

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll

    I have the Google Toolbar installed on my system and there is NO entry in the C:\Program Files folder for Google. Also have NO googletoolbar_en_2.0.95-deleon.dll file anywhere on my system. I did a Google for that .dll file and the results came back with a number of forums with posts from people with the same or very similar file entries in their logs. All had similar problems to yours and one person ran a special Trojan finder and found 2 on his system missed by his AV software. I'll run searches on the other files mentioned in these lines, but I'm bettin' that the problem is here.
  3. Unzy
    Offline

    Unzy Registered Member

    Hi JaynaD,

    Do you know the exact location where AVG detected the so called infected files?


    Doc Watson,

    Those entries you point out are either legit or optional (user's choice)

    Hope to hear from you soon,

    Cheers,
  4. JaynaD
    Offline

    JaynaD Registered Member

    C:\WINDOWS\Downloaded Program Files\TEST.OCX is where Dyfica is hiding
    and
    C:\Program Files\DDM\O\OPTIMIZE.EXE is where Dia.A is.
    Thanks so very much for investigating this for me!

    JaynaD
  5. dvk01
    Offline

    dvk01 Global Moderator

    run hijackthis, tick these entries listed belowand ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked



    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0450e68e4af28412e600/netzip/RdxIE601.cab

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/kontiki/kontiki/current/kdx.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

    then reboot into safe mode & delete
    C:\Program Files\DDM (entire folder )

    then do another scan & you should find the virus all gone
  6. JaynaD
    Offline

    JaynaD Registered Member

    My deity has a name, and it's dvk01

    Thank you, dvk01!

    If you are a PDA man, you will know how happy you have made my husband. I'd offer to pay you back sometime, but I think you already know the technology I'm an expert in ... (Ctrl, Alt, Delete)
    If you live somewhere in Canada I could one-day ship you some awesome baking ... :)

    The virus is all gone, and I now have two new toys which will give me a false sense of computer literacy (AdAware and SpyBot).
    Hope you all have a happy holiday season.

    JaynaD
  7. yokenny
    Offline

    yokenny Registered Member

    That is an older version of the Google Toolbar.

    The newer version needs to be downloaded and installed.
Thread Status:
Not open for further replies.