[AvatarOfLight]

As described. I have a small problem with my laptop.

Everytime windows starts AntiVir warns me that:

C:\Documents and Settings\Eigenaar\Local Settings\Temp\Installer.exe

Contains the Virus/Trojan DR/Dyfuca.DB.2.
It offcourse offers to remove, quarantine, etc.
None of these options actually get rid of the problem. And this warning will appear @ every statup.

In addition to the warning it opens a popup to dead page (404).
If I remember correctly it used to go to some site named Pinkie's Palace, but dont quote me on that.

Full latest version AntiVir and AddAware scans did not solve this problem.

Antivir has a page on a seemingly similairnamed virus.
http://www.avira.com...yfuca.db.1.html
This is DB1 and not DB2 though.

Searching the net has brought me to a few sites that seemed usefull, but were in another language. Here's a french one for example:
http://forum.telecha...messages-1.html

I try to make sense of it, but I really cant.
Hope you can help me out!

Greets and thanks in advance.





Logfile of HijackThis v1.99.1
Scan saved at 12:01:27, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\xampp\filezillaftp\filezillaserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
c:\wamp\apache2\bin\Apache.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\wamp\apache2\bin\Apache.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
D:\Program Files\Skype\Phone\Skype.exe
C:\wamp\wampserver.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {892D6E2F-A4B4-AC66-CF6E-FCBAA835129C} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {B8005E5D-8984-9C50-E22A-CF979A073FA5} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {D96A4014-909C-881F-FB6B-8B13F21258F3} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {E9477065-BDDF-B959-D658-CA3EC52275C5} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {FD089AAF-5516-5A97-4347-2B50D3503FC0} - C:\WINDOWS\system32\iowuj.dll (file missing)
O4 - HKLM\..\Run: [SunJava5.0] C:\WINDOWS\TEMP\IXP000.TMP\JAVASUN.EXE
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WampServer.lnk = C:\wamp\wampserver.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.surveywor...oad/CfxIEAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/nl_ver34.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" --defaults-file=mysql\bin\my.cnf mysql (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
O23 - Service: Microsoft Windows HelpFile (Windows Helpfile) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Edited by AvatarOfLight, 24 March 2006 - 05:17 AM.

[Advertisements]

Hello AvatarOfLight and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a mixture of malware. Let’s see what we can do with the first sweep.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite

Go to Start>Run and type Services.msc then hit OK
Scroll down and find these services:

Network Monitor
Microsoft Windows HelpFile (Windows Helpfile)

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

Network Monitor
Windows Helpfile

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Install Ewido Security Suite.

• Install Ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.

• The programme will now open to the main screen.
• When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
  
• Save the report .txt file to your desktop and include it in your reply.

Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {892D6E2F-A4B4-AC66-CF6E-FCBAA835129C} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {B8005E5D-8984-9C50-E22A-CF979A073FA5} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {D96A4014-909C-881F-FB6B-8B13F21258F3} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {E9477065-BDDF-B959-D658-CA3EC52275C5} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {FD089AAF-5516-5A97-4347-2B50D3503FC0} - C:\WINDOWS\system32\iowuj.dll (file missing)
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.surveywor...oad/CfxIEAx.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/nl_ver34.CAB
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Microsoft Windows HelpFile (Windows Helpfile) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Utilities uncheck Ewido Security Suite log, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look. (Don't forget the Ewido log also).

[Crustyoldbloke]

Hello AvatarOfLight and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a mixture of malware. Let’s see what we can do with the first sweep.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

CCleaner
Ewido Security Suite

Go to Start>Run and type Services.msc then hit OK
Scroll down and find these services:

Network Monitor
Microsoft Windows HelpFile (Windows Helpfile)

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

Network Monitor
Windows Helpfile

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Install Ewido Security Suite.

• Install Ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.

• The programme will now open to the main screen.
• When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
  
• Save the report .txt file to your desktop and include it in your reply.

Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {892D6E2F-A4B4-AC66-CF6E-FCBAA835129C} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {B8005E5D-8984-9C50-E22A-CF979A073FA5} - C:\WINDOWS\system32\atzzaud.dll (file missing)
O2 - BHO: (no name) - {D96A4014-909C-881F-FB6B-8B13F21258F3} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {E9477065-BDDF-B959-D658-CA3EC52275C5} - C:\WINDOWS\system32\fuz.dll (file missing)
O2 - BHO: (no name) - {FD089AAF-5516-5A97-4347-2B50D3503FC0} - C:\WINDOWS\system32\iowuj.dll (file missing)
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.surveywor...oad/CfxIEAx.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/nl_ver34.CAB
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Microsoft Windows HelpFile (Windows Helpfile) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Utilities uncheck Ewido Security Suite log, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look. (Don't forget the Ewido log also).

[Crustyoldbloke]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.