
Manual Removal Guide for DyFuCA



Friday
2008-11-28, 18:32
The following instructions have been created to help you to get rid of "DyFuCA" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.

If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).

Threat Details:

Categories:
malware

Description:
Drive-by download connecting to sextracker.com and trying to download Internet Optimizer by Avenue A Media
Removal Instructions:

Autorun:

Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.

Entries named "iefeatures" and pointing to "C:\WINDOWS\SYSTEM\IEFEATURES.exe".
Entries pointing to "DyFuCA\update\update.exe".
Entries pointing to "DyFuCA".

Installed Software List:

You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.

Products that have a key or property named "DyFuCA Software Installer".

Files:

Please use Windows Explorer or another file manager of your choice to locate and delete these files.

The file at "<$WINDIR>\nem211.dll".
The file at "<$WINDIR>\nem213.dll".
The file at "<$WINDIR>\nem214.dll".
The file at "<$WINDIR>\nem215.dll".
The file at "<$WINDIR>\nem217.dll".
The file at "<$WINDIR>\nem218.dll".
The file at "<$WINDIR>\wsem212.dll".
The file at "<$WINDIR>\wsem213.dll".
The file at "<$WINDIR>\wsem214.dll".
The file at "<$WINDIR>\wsem215.dll".
The file at "<$WINDIR>\wsem216.dll".
The file at "<$WINDIR>\wsem217.dll".
The file at "<$WINDIR>\wsem300.dll".
The file at "<$WINDIR>\wsem301.dll".
The file at "<$WINDIR>\wsem302.dll".
The file at "<$WINDIR>\SYSTEM\istinstall_adlogix.exe".
The file at "<$WINDIR>\SYSTEM\MSrdk.xml".
The file at "<$WINDIR>\TEMP\bundleradlogix.exe".
The file at "<$WINDIR>\Downloaded Program Files\DYFUCADI.INF".
The file at "<$WINDIR>\Downloaded Program Files\DYFUCADI.OCX".
The file at "<$WINDIR>\ioptil30.dll".
The file at "<$WINDIR>\nem210.dll".
The file at "<$WINDIR>\nem212.dll".
The file at "<$WINDIR>\nem216.dll".
The file at "<$WINDIR>\nem219.dll".
The file at "<$WINDIR>\wsem210.dll".
The file at "<$WINDIR>\wsem218.dll".
Make sure you set your file manager to display hidden and system files. If DyFuCA uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!

Folders:

Please use Windows Explorer or another file manager of your choice to locate and delete these folders.

The directory at "Newmsrdk".
The directory at "<$PROGRAMFILES>\DyFuCA".
Make sure you set your file manager to display hidden and system files. If DyFuCA uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!

Registry:

You can use regedit.exe (included in Windows) to locate and delete these registry entries.

A key in HKEY_CLASSES_ROOT\ named "DyFuCA_BH.SinkObj.1", plus associated values.
Delete the registry key "{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{AA4939C3-DECA-4A48-A454-97CD587C0EF5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}" at "HKEY_CLASSES_ROOT\TypeLib\".
A key in HKEY_CLASSES_ROOT\ named "DyFuCA_BH.SinkObj", plus associated values.
Delete the registry key "{00000010-6F7D-442C-93E3-4A4827C2E4C8}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{00000010-6F7D-442C-93E3-4A4827C2E4C8}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
Delete the registry key "{CEA206E8-8057-4A04-ACE9-FF0D69A92297}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry value "BandRest" at "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\".
Delete the registry key "iefeatures" at "HKEY_LOCAL_MACHINE\Software\".
Delete the registry key "DyFuCA" at "HKEY_LOCAL_MACHINE\Software\FCI\".
Delete the registry key "{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
Delete the registry key "{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}" at "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\".
A key in HKEY_CLASSES_ROOT\ named "DyFuCA_BH.BHObj", plus associated values.
Delete the registry key "{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "FCI" at "HKEY_CURRENT_USER\Software\".
Delete the registry key "FCI" at "HKEY_LOCAL_MACHINE\Software\".
If DyFuCA uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).

Browser:

The following browser plugins or items can either be removed directly in your browser, or through the help of e.g. Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer).

Please check your bookmarks for links to "http://www.searchnav.com".

Final Words:

If neither Spybot-S&D nor self-help resolved the issue, or you would prefer one-on-one help,
please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22), where a volunteer analyst will advise you as soon as one is available.
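The sections above (autorun entries, files, folders, registry keys and values) are one procedure, and the checks are easy to get wrong by hand, so here is the whole thing as a PowerShell audit-and-cleanup script. This is an added example and is not code from the original post, from Spybot-S&D or from Safer-Networking. Assumptions: <$WINDIR> is taken as $env:WINDIR and <$PROGRAMFILES> as both Program Files trees; "Newmsrdk", which the guide lists without a path, is found by the global search the guide asks for; only the Run/RunOnce registry autoruns are covered, not the win.ini/system.ini style entries msconfig also shows; the -Remove switch is this script's own, and without it nothing is deleted.

```powershell
# Added example, not code from the original post or from Safer-Networking.
# Checks a Windows host for the DyFuCA indicators listed in this guide and,
# only with -Remove, deletes what it found. Run from an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)   # -Remove is this script's own switch (assumption, not a Spybot option)

$win = $env:WINDIR       # stands in for <$WINDIR> in the guide

# Files from the "Files:" section, relative to the Windows directory
$files = @(
    'nem210.dll','nem211.dll','nem212.dll','nem213.dll','nem214.dll','nem215.dll',
    'nem216.dll','nem217.dll','nem218.dll','nem219.dll','ioptil30.dll',
    'wsem210.dll','wsem212.dll','wsem213.dll','wsem214.dll','wsem215.dll','wsem216.dll',
    'wsem217.dll','wsem218.dll','wsem300.dll','wsem301.dll','wsem302.dll',
    'SYSTEM\istinstall_adlogix.exe','SYSTEM\MSrdk.xml','TEMP\bundleradlogix.exe',
    'Downloaded Program Files\DYFUCADI.INF','Downloaded Program Files\DYFUCADI.OCX'
) | ForEach-Object { Join-Path $win $_ }

# Folders from the "Folders:" section. Checking both Program Files trees is an assumption for 64-bit hosts.
$folders = @((Join-Path $env:ProgramFiles 'DyFuCA'))
if (${env:ProgramFiles(x86)}) { $folders += Join-Path ${env:ProgramFiles(x86)} 'DyFuCA' }
# "Newmsrdk" has no path in the guide, so do the global search it asks for (slow on large disks)
$folders += @(Get-ChildItem -Path "$env:SystemDrive\" -Directory -Recurse -Force -Filter 'Newmsrdk' -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

# Registry keys from the "Registry:" section. HKCR has no PSDrive by default, so use provider paths.
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\DyFuCA_BH.SinkObj.1',
    'Registry::HKEY_CLASSES_ROOT\DyFuCA_BH.SinkObj',
    'Registry::HKEY_CLASSES_ROOT\DyFuCA_BH.BHObj',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{CEA206E8-8057-4A04-ACE9-FF0D69A92297}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{1C01D150-91A4-4DE0-9BF8-A35D1BDF1001}',
    'Registry::HKEY_CLASSES_ROOT\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{0BE10B0D-B4DB-4693-9B1F-9AEAD54D17DC}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{40B1D454-9CA4-43CC-86AA-CB175EAC52FB}',
    "$bho\{00000010-6F7D-442C-93E3-4A4827C2E4C8}",
    "$bho\{F7F808F0-6F7D-442C-93E3-4A4827C2E4C8}",
    "$bho\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}",
    'HKLM:\Software\iefeatures',
    'HKLM:\Software\FCI',    # removing FCI recursively also removes its DyFuCA subkey
    'HKCU:\Software\FCI'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Path, $Name, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Name = $Name; Detail = $Detail })
}

foreach ($p in ($files + $folders)) { if (Test-Path -LiteralPath $p) { Add-Finding 'Path'   $p $null $null } }
foreach ($k in $regKeys)            { if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k $null $null } }

# The single value "BandRest" under the user's IE\Main key
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Get-ItemProperty -Path $ieMain -Name BandRest -ErrorAction SilentlyContinue) {
    Add-Finding 'RegValue' $ieMain 'BandRest' $null
}

# Autorun entries: Run/RunOnce values whose command line references IEFEATURES.exe or DyFuCA
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not values
foreach ($hive in 'HKLM:','HKCU:') {
    foreach ($sub in 'Run','RunOnce') {
        $rk = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        $props = Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($v in $props.PSObject.Properties) {
            if ($v.Name -in $meta) { continue }
            if ("$($v.Value)" -match '(?i)IEFEATURES\.exe|DyFuCA') { Add-Finding 'RegValue' $rk $v.Name $v.Value }
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No DyFuCA indicators found.'; return }
$findings | Format-Table -AutoSize | Out-Host
if (-not $Remove) { Write-Host 'Report only. Re-run with -Remove (add -WhatIf to preview) to delete.'; return }

foreach ($hit in $findings) {
    $label = if ($hit.Name) { "$($hit.Path) -> $($hit.Name)" } else { $hit.Path }
    if (-not $PSCmdlet.ShouldProcess($label, 'Delete')) { continue }
    try {
        switch ($hit.Type) {
            'Path'     { Remove-Item -LiteralPath $hit.Path -Recurse -Force -ErrorAction Stop }
            'RegKey'   { Remove-Item -LiteralPath $hit.Path -Recurse -Force -ErrorAction Stop }
            'RegValue' { Remove-ItemProperty -LiteralPath $hit.Path -Name $hit.Name -ErrorAction Stop }
        }
    } catch { Write-Warning "Could not delete $label : $_" }   # typically a DLL still loaded by Explorer or IE
}
```

Run it once without switches to see what is present, then with -Remove -WhatIf to preview, then with -Remove. A BHO DLL that is still loaded by Explorer or Internet Explorer cannot be deleted while it is in use, which is why the guide's advice to use Safe Mode or a dedicated tool still applies; on 64-bit Windows, 32-bit BHO registrations may additionally sit under Wow6432Node, which this script does not cover.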