How to delete Trojan.Dyfuca - Removal instructions

Information from Sophos

Name
Dial/DyFuCA-A

Type
Dialler

Detection
Detected by Sophos Anti-Virus since December 2002.

Description
Dial/DyFuCA-A is a porndialer program. Each time the dialler is run, it tries to connect to a pornographic website. When first run, the dialler installs itself to \Program Files\DyFuCA\ and may add the pathname of its executable to the following registry entry so that the dialler is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recovery
The dialler can be uninstalled by running the executable with a /u command line switch (i.e. Dialler.exe /u). This might not remove the DyFuCA folder and dialler executable, but it should remove any entries added to the System registry.

Information from McAfee

Name
Adware-DFC application

Aliases
Adware-Dyfuca, App/ViewMov-A (Sophos), Trojan.dyfuca

Program Characteristics

This program is detected as a "potentially unwanted application".
This is a program that, when active on a computer, can display pop-up advertising and may also redirect browsers to websites controlled by the makers of this program. The EULA also allows updates and further programs to be installed on a computer running this application.

It may also send mail and ICQ and AIM messages promoting the software.

Files known to be involved with this application are:

  • COMEDY.EXE
  • NEM211.DLL (the "211" might vary in other versions)
  • OPTIMIZE.EXE
  • VIEW-M~1.EXE

Known variants will add a registry key under

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

under the name DyFuCA or "DyFuCA Active Alerts".

Information from Symantec

Name
Adware.NetOptimizer

Type: Adware

Publisher: Avenue Media

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x

Removal: Low

Damage: Low

Summary

Behavior
Adware.NetOptimizer is a program that creates a connection to a server from which it downloads and displays advertisements.

Symptoms
The files are detected as Adware.NetOptimizer.

Transmission
This adware program must be manually installed. However, there are several known programs that have Adware.NetOptimizer within them and that install it as the program itself is installed.

Technical details:

File names: ioptiXXX.dll; nemXXX.dll; wsemXXX.dll
where XXX is a 3-digit number referring to the version of the software.

When the program runs, the "DyFuca Active Alert" program periodically displays advertisements.
The program's End User License Agreement (EULA) states that the software may collate data relating to Web browsing habits and send it back to its controllers.
The program can also dynamically update itself.

Removal instructions

Note: Removing this adware component from the system will likely cause the program that installed it to not function as intended. The uninstaller generally identifies the programs that will not work after uninstallation.

Uninstalling the Adware

A. Do one of the following:

  • On the Windows 98 taskbar:
    • Click Start > Settings > Control Panel.
    • In the Control Panel window, double-click Add/Remove Programs.
  • On the Windows Me taskbar:
    • Click Start > Settings > Control Panel.
    • In the Control Panel window, double-click Add/Remove Programs.
      If you do not see the Add/Remove Programs icon, click "...view all Control Panel options."
  • On the Windows 2000 taskbar:
    • By default, Windows 2000 is set up the same as Windows 98, in which case, follow the instructions for Windows 98. Otherwise, click Start, point to Settings, point to Control Panel, and then click Add/Remove Programs.
  • On the Windows XP taskbar:
    • Click Start > Control Panel.
    • In the Control Panel window, double-click Add or Remove Programs.

B. Click "Internet Optimizer."

C. Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

D. Repeat the above process for "Active Alert."

Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Click Start, and then click Run. (The Run dialog box appears.)

Type regedit, and then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete any value pertaining to DyFuca or "Internet Optimizer."

Exit the Registry Editor.
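
The same Run-key check can be made against a regedit export (for example, the backup taken before editing) instead of the live registry. The script below is an added example, not vendor code: the function names and the sample export are constructed, and the match lists are the value names and file names given on this page.

```python
import re

# Indicators copied from the vendor notes on this page; the sample data is constructed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NAME_HINTS = ("dyfuca", "internet optimizer", "active alert")
FILE_RE = re.compile(r"(?<![\w-])(?:comedy\.exe|optimize\.exe|view-m~1\.exe"
                     r"|(?:nem|iopti|wsem)\d{3}\.dll)(?![\w.])", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def decode_data(raw, wide):
    """Turn the right-hand side of a .reg value line into text."""
    if raw.startswith('"'):                 # REG_SZ: quoted, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:raw.rfind('"')])
    if raw.startswith("hex(2):"):           # REG_EXPAND_SZ stored as bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le" if wide else "cp1252", "replace").rstrip("\0")
    return raw                              # dword and others: keep as written

def suspicious_run_values(reg_text):
    """Return [(name, data, reasons)] for HKLM Run values matching the indicators."""
    wide = "Version 5.00" in reg_text[:60]  # v5 exports hold UTF-16LE, REGEDIT4 ANSI
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # join hex continuation lines
    in_run, hits = False, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):            # key header: only the Run key is inspected
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            data = decode_data(m.group(2), wide)
            reasons = [h for h in NAME_HINTS if h in (name + "\n" + data).lower()]
            reasons += [f.group(0).lower() for f in FILE_RE.finditer(data)]
            if reasons:
                hits.append((name, data, reasons))
    return hits

# Constructed export (not from a real machine) used to exercise the parser.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"DyFuCA"="\"C:\\Program Files\\DyFuCA\\optimize.exe\""
"Updater"="rundll32 C:\\WINDOWS\\nem211.dll,Entry"
"Helper"=hex(2):43,00,3a,00,5c,00,77,00,73,00,65,00,\
  6d,00,33,00,30,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
'''

if __name__ == "__main__":
    print(*suspicious_run_values(SAMPLE_EXPORT), sep="\n")
```

File names such as OPTIMIZE.EXE are generic, so a hit is a prompt to inspect the value, not proof that it belongs to this adware.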