dyfuca malware leftovers

Discussion in 'Malware Help (A Specialist Will Reply)' started by johnmezz, Jan 14, 2005.

  1. johnmezz

    johnmezz Private E-2

    An IE window launches every time I log on to the net. It searches for www.qdentica.com. From some of the research I did on the net, I deduce that it is part of a wriggly piece of malware called DyFuCA. I think something called x.bat started Wininstall.exe, which set this thing in motion, and from this web page my PC began downloading all sorts of crap (Internet Optimizer, Power Scan, and all other sorts of xxx filth).

    I have taken the steps advised in the "Do not post Until you have read this. How to: Spyware, Trojan" thread. I have run HijackThis! and analyzed each log entry at the web pages provided in the "no Hijack this log files before reading" thread.

    I am now also running ZoneAlarm, and it doesn't seem to catch this thing.

    The good news is I seem to remain spyware etc. free. All scans are coming up clean. Since running a myriad of spyware etc. programs, the web page does nothing except pop up at the beginning of each internet session. It's not that bad, comparatively, but I would still like to make it stop. Any advice?
     
  2. johnmezz

    johnmezz Private E-2

    By the way I run Netscape 7.2 as my browser not IE.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Johnmezz

    If you are certain that you've exhausted the Tutorial's options ( including the Online Scans), then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  4. johnmezz

    johnmezz Private E-2

    Here is the .txt

    Thanks for looking at this! Let me know what you think....
     

  5. PhilliePhan

    PhilliePhan Guest


    Your XP is Waaay out of date. You should update to SP1a (BUT NOT SP2 until your machine is clean).

    You have a few trojans. I will try to post something for you when I get some free time - Really busy this weekend!

    PP :)
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi John,

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    sst2.exe
    eudr.exe
    ?ttrib.exe


    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [USBHWDRV] C:\sst2.exe

    O4 - HKLM\..\Run: [Win32 USB2 Driver] winsnd32.exe

    O4 - HKLM\..\Run: [Microsoft Internet Updater] msinternat.exe

    O4 - HKLM\..\Run: [dxCd4fd2] C:\WINDOWS\lpyoa.exe

    O4 - HKLM\..\RunServices: [Microsoft Internet Updater] msinternat.exe

    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winsnd32.exe

    O4 - HKCU\..\Run: [Microsoft Internet Updater] msinternat.exe

    O4 - HKCU\..\Run: [Owsc] C:\Documents and Settings\John\Application Data\eudr.exe ---> If you recognize this as something you want to keep, leave it alone.

    O4 - HKCU\..\Run: [Vrcruj] C:\WINDOWS\System32\?ttrib.exe

    O4 - HKCU\..\Run: [Win32 USB2 Driver] winsnd32.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\sst2.exe
    C:\WINDOWS\lpyoa.exe
    msinternat.exe ---> You’ll need to search your machine for this one using Windows Explorer
    C:\Documents and Settings\John\Application Data\eudr.exe
    C:\WINDOWS\System32\?ttrib.exe
    winsnd32.exe ---> You'll need to search your machine for this one using Windows Explorer

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
     
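The O4 lines PhilliePhan lists above are HijackThis's rendering of the HKLM\..\Run, HKLM\..\RunServices and HKCU\..\Run autostart keys, and the entries give themselves away in a few recurring ways: a bare file name with no path (winsnd32.exe, msinternat.exe), a binary dropped in the drive root or the user profile (C:\sst2.exe, ...\Application Data\eudr.exe), a vendor-sounding value name pointing at nothing in the Windows or Program Files directories, and a name such as ?ttrib.exe that cannot be literal because `?` is not a legal character in a Windows file name. The PowerShell below is an added example, not part of the original thread and not the procedure PhilliePhan posted: it replays the thread's own O4 entries through those heuristics as constructed sample input, then enumerates the same three keys on the machine it runs on and reports (without killing) any live process matching a flagged image. The heuristics, function names and output layout are my own choices, and it presumes a modern Windows with PowerShell rather than the 2005-era XP in the thread.

```powershell
# Added example, not from the original thread. Inspects the autostart keys
# HijackThis reports as O4 entries and flags the patterns seen above.
# Heuristics and function names are mine; it changes nothing on the system.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Image path from a Run-key command line: the quoted first token if the
# value starts with a quote, otherwise the first whitespace-delimited token.
function Get-ImagePath {
    param([string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+', 2)[0]
}

function Test-AutorunEntry {
    param([string]$Key, [string]$Name, [string]$CommandLine)
    $image   = Get-ImagePath $CommandLine
    $leaf    = [System.IO.Path]::GetFileName($image)
    $reasons = @()

    # Bare file name: resolved through the search order, so the entry hides
    # where the binary really lives (winsnd32.exe, msinternat.exe).
    if ($image -notmatch '[\\/]') { $reasons += 'no path; resolved via search order' }

    # Dropped in the drive root or the user profile instead of Program Files
    # or the Windows directory (C:\sst2.exe, ...\Application Data\eudr.exe).
    if ($image -match '^[A-Za-z]:\\[^\\]+$') { $reasons += 'image in drive root' }
    if ($image -match '\\Application Data\\|\\AppData\\|\\Temp\\') {
        $reasons += 'image under user profile or temp'
    }

    # '?' is illegal in a Windows file name, so a name printed as ?ttrib.exe
    # is a character the log could not render, impersonating attrib.exe.
    if ($leaf -match '[^\x20-\x7E]|\?') { $reasons += 'unprintable or illegal character in name' }

    # Vendor-sounding value name ("Microsoft Internet Updater", "Win32 USB2
    # Driver", "USBHWDRV") whose image is outside Windows/Program Files.
    $trusted   = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ }
    $inTrusted = $false
    foreach ($d in $trusted) {
        if ($image.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if ($Name -match 'microsoft|windows|win32|driver|usb' -and -not $inTrusted) {
        $reasons += 'vendor-style name, image outside Windows/Program Files'
    }

    # Orphaned value: file gone, Run entry left behind (the "leftover" here).
    if ($image -match '[\\/]' -and -not (Test-Path -LiteralPath $image)) {
        $reasons += 'image file not found (orphaned entry)'
    }

    [pscustomobject]@{ Key = $Key; Name = $Name; Image = $image; Reasons = $reasons }
}

# Live enumeration. RunServices is only processed by Windows 9x/ME; malware
# still writes it (hence HJT reports it), and Test-Path skips it if absent.
function Get-AutorunFindings {
    param([string[]]$Keys = $AutorunKeys)
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            Test-AutorunEntry -Key $key -Name $prop.Name -CommandLine ([string]$prop.Value)
        }
    }
}

# The "look in Task Manager and END them" step, report-only: live processes
# whose name matches a flagged image.
function Get-RunningFlagged {
    param([object[]]$Findings)
    $names = $Findings | Where-Object { $_.Reasons.Count -gt 0 } |
        ForEach-Object { [System.IO.Path]::GetFileNameWithoutExtension($_.Image) }
    Get-Process | Where-Object { $names -contains $_.ProcessName }
}

# Constructed sample: the O4 entries from the fix list above, replayed so
# the heuristics show their reasoning even on a clean machine.
$sample = @(
    @{ Key = 'HKLM\..\Run'; Name = 'USBHWDRV';                   Cmd = 'C:\sst2.exe' },
    @{ Key = 'HKLM\..\Run'; Name = 'Win32 USB2 Driver';          Cmd = 'winsnd32.exe' },
    @{ Key = 'HKLM\..\Run'; Name = 'Microsoft Internet Updater'; Cmd = 'msinternat.exe' },
    @{ Key = 'HKLM\..\Run'; Name = 'dxCd4fd2';                   Cmd = 'C:\WINDOWS\lpyoa.exe' },
    @{ Key = 'HKCU\..\Run'; Name = 'Owsc';   Cmd = 'C:\Documents and Settings\John\Application Data\eudr.exe' },
    @{ Key = 'HKCU\..\Run'; Name = 'Vrcruj'; Cmd = 'C:\WINDOWS\System32\?ttrib.exe' }
)
$sample | ForEach-Object { Test-AutorunEntry -Key $_.Key -Name $_.Name -CommandLine $_.Cmd } |
    Format-Table Name, Image, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -Wrap

$live = Get-AutorunFindings
$live | Where-Object { $_.Reasons.Count -gt 0 } | Format-Table Key, Name, Image -Wrap
Get-RunningFlagged -Findings $live | Format-Table Id, ProcessName, Path
```

Run it as the affected user so HKCU is the right hive; HKLM needs elevation only to write, and this script only reads. An entry with no reasons is not proof of innocence, and one with reasons is a lead to verify against the file on disk (as PhilliePhan does for eudr.exe: "if you recognize this as something you want to keep, leave it alone"), not an automatic delete.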
  7. johnmezz

    johnmezz Private E-2

    Yessss! The problem is solved! Thank you so much for your time. I have learned so much from you and all of the others. A few short weeks ago I didn't know anything about cleaning this junk out of a PC, but the tutorials I received here and then some one-on-one with you gave me some confidence. Here is the .txt. Again, thanks a million!
     

  8. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) Your HJT Log looks good!

    Now, you MUST go to Windows Updates and get Updated!!!!
    This is the first line of defense!!!!

    Also, take a peek HERE: How to Protect yourself from malware!

    Happy & Safe Computing!

    PP :)
     
