View Full Version : Dyfica.2AK Virus

04-11-2004, 07:43 PM
Virus - my AVG discovered it yesterday - put it in the Vault but now it's back.

04-11-2004, 07:49 PM
Spybot should deal to this one

04-11-2004, 07:52 PM
Hmm looks like this might be a trojan/dialler. Can't find anything about Difica

U could try spybot see if it detects it. Or Adaware.

See if there's a folder called dyfuca in program files

Information from Sophos




Detected by Sophos Anti-Virus since December 2002.


Dial/DyFuCA-A is a porndialer program. Each time the dialler is run, it tries to connect to a pornographic website. When first run, the dialler installs itself to \Program Files\DyFuCA\ and may add the pathname of its executable to the following registry entry so that the dialler is run automatically each time Windows is started: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recovery: The dialler can be uninstalled by running the executable with a /u command line switch (i.e. Dialler.exe /u). This might not remove the DyFuCA folder and dialler executable, but it should remove any entries added to the System registry.

Information from McAfee

Adware-DFC application

Adware-Dyfuca, App/ViewMov-A (Sophos), Trojan.dyfuca

Program Characteristics

This program is detected as a "potentially unwanted application".
This is a program, that when active on a computer, can display pop-up advertising, and may also redirect browsers to websites controlled by the makers of this program. The EULA also allows updates and further programs to be installed on a computer running this application.

It may also send mail and ICQ and AIM messages promoting the software.

Files known to be involved with this application are:

* NEM211.DLL (the "211" might vary in other versions)

Known variants will add a registry key under

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

under the name DyFuCA or "DyFuCA Active Alerts"

Information from Symantec



Avenue Media

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected:
DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x




Adware.NetOptimizer is a program that creates a connection to a server from which it downloads and displays advertisements.

The files are detected as Adware.NetOptimizer.

This adware program must be manually installed. However, there are several known programs that have Adware.NetOptimizer within them and that install it as the program itself is installed.

Technical details:

File names: ioptiXXX.dll; nemXXX.dll; wsemXXX.dll
where XXX is a 3-digit number referring to the version of the software.

When the program runs, the "DyFuca Active Alert" program periodically displays advertisements. The program's End User License Agreement (EULA) states that the software may collate data relating to Web browsing habits and send it back to its controllers. The program can also dynamically update itself.

Removal instructions
Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

Uninstalling the Adware

A. Do one of the following:

* On the Windows 98 taskbar:
    o Click Start > Settings > Control Panel.
    o In the Control Panel window, double-click Add/Remove Programs.
* On the Windows Me taskbar:
    o Click Start > Settings > Control Panel.
    o In the Control Panel window, double-click Add/Remove Programs. If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
* On the Windows 2000 taskbar:
    o By default, Windows 2000 is set up the same as Windows 98, in which case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.
* On the Windows XP taskbar:
    o Click Start > Control Panel.
    o In the Control Panel window, double-click Add or Remove Programs.

B. Click "Internet Optimizer."

C. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

D. Repeat the above process for "Active Alert."

Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any value pertaining to DyFuca or "Internet Optimizer."

Exit the Registry Editor.
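
Added example (not part of any post in this thread, and not vendor code): a read-only PowerShell check for the leftovers the write-ups above name, useful for confirming a removal actually took before assuming the detection "came back". It assumes PowerShell 3.0 or later, which postdates this thread; the variable names are illustrative, and the indicator names are only those quoted above.

```powershell
# Read-only check: reports leftovers, deletes and changes nothing.
# Indicators are the names quoted in the vendor write-ups in this thread.
$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$namePattern = 'DyFuCA|Internet Optimizer'
$filePattern = '(iopti|nem|wsem)\d{3}\.dll'   # ioptiXXX.dll, nemXXX.dll, wsemXXX.dll
$folder      = Join-Path $env:ProgramFiles 'DyFuCA'

$findings = @()

# 1. Autostart values under the Run key whose name or command line matches.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -match $namePattern -or
            $data -match $namePattern -or
            $data -match $filePattern) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $data }
        }
    }
}

# 2. Install folder, which the /u uninstall switch may leave behind.
if (Test-Path -LiteralPath $folder) {
    $findings += [pscustomobject]@{ Type = 'Folder'; Item = $folder; Detail = 'still present' }
    Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type = 'File'; Item = $_.FullName; Detail = "$($_.Length) bytes"
            }
        }
}

# 3. Report.
if ($findings.Count -eq 0) {
    'No DyFuCA / Internet Optimizer leftovers found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A matching RunValue row after a scanner has quarantined the file means the autostart entry is still in place and the uninstall and registry steps above still need to be done.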

04-11-2004, 08:09 PM
you could have it in system restore or simply you are reinfecting yourself (which seems to be fairly common).