DyFuCA.Internet Optimizer

· Overview ·
· Origins ·
· Distribution ·
· Operation ·
· Risks ·
· Detection and Removal ·
· Research ·

Overview
Summary:	MoneyTree is an ActiveX control used to download premium-rate dialers, generally for porn sites. Dialers are used by a variety of web sites, such as hotactiondating.com
Alias:	Active Alert, Adware/nCase [Panda], All-In-One Telcom, Proclaim Telcom, Spyware/Dyfuca [Panda], TrojanDownloader.Win32.Dyfuca.ac, TrojanDownloader.Win32.Dyfuca.cj [Kaspersky], TrojanDownloader.Win32.Dyfuca.de [Kaspersky], TrojanDownloader.Win32.Dyfuca.gen [Kaspersky], Win32/TrojanDownloader.Dyfica.NAA trojan [Eset]
See Also:	MoneyTree
Category:	Browser Helper Object: (BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page. Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker. Downloader: A program designed to retrieve and install additional files, when run. Most will be configured to retrieve from a designated web or FTP site. Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Variants:	MoneyTree/DyFuCA installs dyfuca.ocx and dyfuca.inf in the Downloaded Program Files folder. This variant typically installs InternetOptimizer. MoneyTree/NSLite installs nslite.dll and nslite.inf in the Downloaded Program Files folder. MoneyTree/NSUpdate installs nsupdate.dll and NSupd9x.inf in the Downloaded Program Files folder. MoneyTree/UniDist installs UniDist.ocx and UniDist.inf in the Downloaded Program Files folder.
Similar Pests:	Browser Helper Object · Backdoor · Downloader · Hijacker
Origins
Group:	Avenue Media
By This Group:	DyFuCA ·
Mailing Address:	Avenue Media, NV New Haven Office Center Curacao, AN
EMail:	webmaster@avenuemedia.com
URL:	http://www.avenuemedia.com/
Programming Language:	Visual C
Date of Origin:	Variants from May, 2004 to March, 2005
Distribution
Distribution:	Loaded by ActiveX drive-by-download in pages operated by mtree (domains such as mtreexxx.nl), which are often redirected to by pop-up advertisements, 404 pages at porn hosts and misspelled domains. May also use direct EXE file downloads to distribute the same dialers; this does not leave an ActiveX control loaded.
Prevalence:	DyFuCA.Internet Optimizer: 420.8% More Info
Clot Factor:	DyFuCA.Internet Optimizer: 9 The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.
Growth:	DyFuCA.Internet Optimizer: Insufficient data to report growth
Operation
Advertising:	No.
Storage Required:	DyFuCA.Internet Optimizer: at least 1125 KB
Browser Performance:	Likely to slow performance of Internet Explorer.
Risks
Privacy Issues:	No.
Privacy Policy:	http://www.yoogee.com/privacypolicy.html
Security Issues:	Yes. With the control installed, any web page may download and execute arbitrary unsigned code from one of mtree's servers.
Stability Issues:	Yes. May trigger Windows XP error reporting.
Detection and Removal
Automatic Removal:	PestPatrol detects this. PestPatrol removes this.
Manual Removal:	Open the 'Downloaded Program Files' folder (which can be found in the Windows folder), and delete the entry for 'NSUpdateLiteCtrl Class' (NSUpdate variant), 'NSLiteUpdateCtrl Class' (NSLitevariant), 'MoneyTree Dialer' (UniDist variant), 'MultiDist' (MultiDist variant), or 'Software Update Manager' (DyFuCA variant). Follow the additional instructions below.
	Stop Running Processes: Kill these running processes with Task Manager: actalert.exe c:\temp\optimize.exe desktopdir+\optimize[1].exe programfilesdir+\internet optimizer\install.exe programfilesdir+\internet optimizer\sim\fleok\msbb.exe programfilesdir+\internet optimizer\sim\msbb.exe programfilesdir+\internet optimizer\update\install.exe programfilesdir+\internet optimizer\update\optimize.exe programfilesdir+\internet optimizer\update\optimize313.exe systemroot+\180ax.exe systemroot+\ixizgfcp.exe systemroot+\system32\saie.exe systemroot+\temp\optimize.exe
	Remove AutoRun Reference: Go To the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run internet optimizer \url search optimization, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\180ax, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\internet optimizer, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ixizgfcp, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\media access, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msbb, delete it and reboot the machine immediately. If you find the value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\saie, delete it and reboot the machine immediately.
	Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: nem218.dll profilepath+\local settings\temp\msbbhook.dll programfilesdir+\internet optimizer\sim\ncmyb.dll systemroot+\180axhook.dll systemroot+\ncmyb.dll systemroot+\nem216.dll systemroot+\nem220.dll systemroot+\system32\saiehook.dll systemroot+\windows\nem220.dll
	Clean Registry: Remove these registry items (if present) with RegEdit: HKEY_CLASSES_ROOT\clsid\{00000010-6f7d-442c-93e3-4a4827c2e4c8} HKEY_CLASSES_ROOT\clsid\{8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} HKEY_CLASSES_ROOT\clsid\{a3fdd654-a057-4971-9844-4ed8e67dbbb8} HKEY_CLASSES_ROOT\clsid\{cea206e8-8057-4a04-ace9-ff0d69a92297} HKEY_CLASSES_ROOT\clsid\{f7f808f0-6f7d-442c-93e3-4a4827c2e4c8} HKEY_CLASSES_ROOT\typelib\{40b1d454-9ca4-43cc-86aa-cb175eac52fb} HKEY_CLASSES_ROOT\typelib\{58634367-d62b-4c2c-86be-5aac45cdb671} HKEY_LOCAL_MACHINE\software\avenue media\internet optimizer HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{00000010-6f7d-442c-93e3-4a4827c2e4c8} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{f7f808f0-6f7d-442c-93e3-4a4827c2e4c8} HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run internet optimizer \url search optimization HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\180ax HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\internet optimizer HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ixizgfcp HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\media access HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\msbb HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\saie HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\a95kfrhe HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\kapabout
	Remove Files: Remove these files (if present) with Windows Explorer: actalert.exe c:\temp\optimize.exe desktopdir+\optimize[1].exe nem218.dll optimize.vexe profilepath+\local settings\temp\msbbhook.dll programfilesdir+\internet optimizer\install.exe programfilesdir+\internet optimizer\sim\fleok\msbb.exe programfilesdir+\internet optimizer\sim\msbb.exe programfilesdir+\internet optimizer\sim\ncmyb.dll programfilesdir+\internet optimizer\update\install.exe programfilesdir+\internet optimizer\update\optimize.exe programfilesdir+\internet optimizer\update\optimize313.exe systemroot+\180ax.exe systemroot+\180axhook.dll systemroot+\ixizgfcp.exe systemroot+\ncmyb.dll systemroot+\nem216.dll systemroot+\nem220.dll systemroot+\system32\saie.exe systemroot+\system32\saiehook.dll systemroot+\temp\optimize.exe systemroot+\windows\nem220.dll
	Remove Directories: Remove these directories (if present) with Windows Explorer: programfilesdir+\internet optimizer programfilesdir+\internet optimizer\update
	Restore Settings: After following the instructions above, you will still need to restore your original settings and prevent this from happening again. Here''s how.
Research
File Analyses:	DyFuCA.Internet Optimizer: actalert.exe · install.exe · msbb.exe · nem216.dll · nem218.dll · optimize.exe · optimize.vexe · optimize[1].exe
More Info:	AllTheWeb, AltaVista, AOL Search, Ask Jeeves, Google, HotBot, Lycos, LookSmart, MSN, Yahoo!
Research By:	Andrew Clover PestPatrol's Pest Research Center
Last Revised:	April 02, 2005