AvenueMedia.DyFuCA Browser Plug-in

  • Thread starter: ann

ann

I can't get rid of this: my scan identifies it, removes it
but then next scan it's back. Can it be removed or do I
have to learn to live with this one? How nasty is it?
 
Try scanning in safe mode with MS Antispy, Spybot & Adaware.
This can be hard to remove and comes from
internet-optimizer.com, which could be nasty if they start
installing other products without your consent.

Check the add/remove screen for any of these and remove
if found :

Active Alert
Internet Optimizer

For the Crmrest installer variant, open the Downloaded
Program Files folder (inside the Windows folder) and
remove the 'Media Manager' entry.

For other variants, open the Windows folder. You should
be able to see a file

'ioptiXXX.dll' (Iopti variant)
'nemXXX.dll' (Nem variant)
'wsemXXX.dll' (Wsem variant)

The XXX differs for different versions; common versions
are 'iopti130.dll', 'nem207.dll' and 'wsem210.dll'.
Write down any numbers that are found, to use later.


Open the registry (click 'Start', choose 'Run' and
enter 'regedit') and find the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

Delete the entries 'DyFuCA' and 'DyFuCA Active Alerts'.

Now open a DOS command prompt window (from
Start->Programs->Accessories) and enter the following
commands: copy and paste the first line, then press Enter,
and copy and paste the second line.


(for the Iopti variant):

cd "%WinDir%\System"

regsvr32 /u ..\iopti130.dll (Use the number found before)


Or, for the Nem variant:

cd "%WinDir%\System"

regsvr32 /u ..\nem207.dll


Or, for the Wsem variant:

cd "%WinDir%\System"

regsvr32 /u ..\wsem210.dll


Restart the computer and you should be able to delete the
DLL from the Windows folder, and the 'DyFuCA', 'Internet
Optimizer' or 'STWSI' folder you may have inside Program
Files.

c:\program files\internet optimizer
c:\program files\internet optimizer\update


Reboot and check your system to see if it's removed this.



Other Dyfuca registry entries (this is why using MS
Antispy/Spybot & Adaware could help save you a lot of work.
Run them in safe mode to make removing this easier):


Possible Infected registry keys/values


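The checks described in the reply above (variant DLL in the Windows folder, the two Run values, the Program Files folders), gathered into one read-only PowerShell script. This is an added example, not part of the original thread; the WOW6432Node Run key and the Program Files (x86) root are assumptions for 64-bit Windows that the post does not mention.

```powershell
# Added example: read-only check for the DyFuCA / Internet Optimizer leftovers
# named in the reply above. It only reports; nothing is deleted or unregistered.
$findings = @()

# Variant DLLs in the Windows folder: ioptiXXX.dll, nemXXX.dll, wsemXXX.dll.
$dlls = @(Get-ChildItem -Path $env:WinDir -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(iopti|nem|wsem)\d+\.dll$' })
foreach ($dll in $dlls) {
    $findings += [pscustomobject]@{
        Type = 'Variant DLL'; Item = $dll.FullName
        # The reply's unregister command, filled in with the number actually found.
        Next = "from %WinDir%\System: regsvr32 /u ..\$($dll.Name)"
    }
}

# Autostart values under the Run key named in the reply.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'  # assumption: 32-bit view
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'DyFuCA', 'DyFuCA Active Alerts') {
        if ($values -and $values.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{
                Type = 'Run entry'; Item = "$key -> $name"
                Next = 'delete this value in regedit'
            }
        }
    }
}

# Folders the reply says may exist inside Program Files.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }  # (x86) is an assumption
foreach ($root in $roots) {
    foreach ($folder in 'DyFuCA', 'Internet Optimizer', 'STWSI') {
        $path = Join-Path $root $folder
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Type = 'Folder'; Item = $path
                Next = 'delete after unregistering the DLL and restarting'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No DyFuCA / Internet Optimizer indicators found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it once before the manual steps to get the exact DLL name, then again after the final reboot; an empty result on the second run means the listed items are gone.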
 
Please provide feedback if this is working.

1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so
they can analyze quickly. Feel free to say what you've got
in place and have tried, and that it didn't work.

Boot to Safe Mode.
http://tinyurl.com/pfca

Empty your IE cache and your other temporary file
folders, e.g. c:\temp, c:\windows\temp or C:\Documents and
Settings\<name>\Local Settings\Temp (the path to your temp
folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for
mysterious *.exe files or *.dll files in those folders.

Have you tried scanning with Microsoft Antispyware in safe
mode?
Run a FULL SYSTEM SCAN, check the 3 boxes

Assuming that the installation is on drive C:
1. In "My Computer", right click on the icon for drive C:,
select "Properties".
2. Click tab "Tools".
3. Click button "Check Now".
4. Check both "Automatically fix file system errors"
and "Scan for and attempt recovery of bad sectors".
5. Click "Start".

Follow the instructions to allow system shut-down and
restart. The disk checks will run after restart and
before Windows loads. This scan for bad sectors might
take a few minutes if you have a large hard disk: be patient.

Assuming that the installation is on drive C:
1. In "My Computer", right click on the icon for drive C:,
select "Properties".
2. Click tab "Tools".
3. Click button "Defragment Now".
4. Click Defragment.

Run your updated antivirus

Reboot.

If the malware problem comes back, further specialised
assistance is available via Ron Kinner.

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (new folder) then Open it and select
Scan and Save Log. Note where you saved the log then send
it to Ron Kinner as an attachment. He can probably
identify the problem and tell you how to get rid of it for
good.

Ron's email address: (e-mail address removed)
He will tell you what to do next. Put Hijack in the
subject so he will know it's not spam.

For information
HijackThis tutorial:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
 