Trojan Horse?
FrankSG
04-24-2004, 03:32 PM
My son just called me and said he thinks he has a Trojan Horse on his computer. His OS is WinXP Home. The computer seems to run O.K., but every once in a while a message will pop up saying, "Trojan Horse down loader DYFICA.AC. To remove run anti-virus software." He runs his anti-virus but it doesn't find anything. I asked him what anti-virus program he has and he said it's a free one that he downloaded called AVC. Would appreciate it if anyone has an answer on this. Thanks.
~Frank~
Fruss Tray Ted
04-24-2004, 03:47 PM
Digging around, it appears that it would be lurking in his restore folder if he has scanned with updated definitions. He must have had it and cured it but the restore points are still containing it.
Have him disable restore, reboot, restore restore, reboot and then he should be golden. :)
PrntRhd
04-24-2004, 03:49 PM
Also what OS is the son running? You have to have Windows Messenger turned off or someone can craft these messages and display them with nothing wrong.
Edit: I found this in a-squared forum: link (http://forum.emsisoft.com/viewtopic.php?t=938), also Adaware may be able to remove it also.
Budfred
04-24-2004, 05:27 PM
I am pretty sure AdAware and/or Spybot remove dyfuca, but if it is there, it is likely that other things are there too. You might want to have him log on here and post a HJT log after running both Spybot and AdAware....
He might want to download and run PestPatrol (www.pestpatrol.com)-- the scan is free even if it won't delete or quarantine. I'd download and run SwatIt.
If he is Win Me or XP he has to clear the system restore function as I have found out 3 times already. I'm not sure it is the same in XP, but in Win Me it goes:
start >> settings >> control panel >> system >> performance >> click file system >> click troubleshooting >> put a check in the box next to disable system restore >> reboot if it indicates >> or close back to control panel >> open it back up same way to uncheck disable system restore >> reboot if it indicates.
I reboot anyway just to be sure.
Then go to start >> programs >> accessories >> system tools >> system restore and create a new restoration date IF he is sure he is clear of the bug, if it was there to begin with.
I'd run Adaware, and Spybot/& Advanced, and my AVG (and PestPatrol, for the free scan again).
I've had four of them and two viruses in the past two months, if I could I'd use high explosives...in a manner of speaking, of course.
Mark Miller
04-24-2004, 06:48 PM
I think FTT hit it right on the head. Same thing happening here. Removed a trojan but my anti-virus shows that the file was still in system restore. Had to remove it twice before it dawned on me[d'oh] just to clear out all the system restore files.
At least the anti-virus told me it was in the system restore files so I didn't have to go crazy looking for it.
Mark:)
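Added example, not part of any post in this thread: a small triage of scanner detections that separates hits living only inside System Restore storage (`_RESTORE` on Windows Me, `System Volume Information\_restore{...}` on Windows XP) from hits on live files. The `path | detection name` report format, the sample lines and the detection names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample report lines ("path | detection name"); not from the thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{CONSTRUCTED-GUID}\RP12\A0004567.exe | Downloader.Sample.A
C:\_RESTORE\TEMP\A0001234.CPY | Downloader.Sample.A
C:\WINDOWS\system32\example.dll | Downloader.Sample.B
C:\System Volume Information\_restore{CONSTRUCTED-GUID}\RP15\A0009999.dll | Downloader.Sample.B
"""

# Windows XP keeps restore points under "System Volume Information\_restore{...}";
# Windows Me keeps them under "_RESTORE" at the drive root.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\(?:System Volume Information\\_restore\{[^}]*\}|_RESTORE)\\",
    re.IGNORECASE,
)

def is_restore_path(path):
    """True if the path points into System Restore storage."""
    return RESTORE_RE.match(path) is not None

def parse_report(text):
    """Return (path, detection) pairs from 'path | detection' lines."""
    hits = []
    for line in text.splitlines():
        path, sep, name = line.strip().rpartition(" | ")
        if sep:  # skip blank or malformed lines
            hits.append((path.strip(), name.strip()))
    return hits

def triage(hits):
    """Map each detection name to 'restore-only' or 'active'."""
    live_seen = defaultdict(bool)
    for path, name in hits:
        live_seen[name] |= not is_restore_path(path)
    # 'restore-only': every copy sits in a restore point, so the live system
    # was already cleaned and purging the restore points removes the leftovers.
    # 'active': at least one copy is outside restore storage and must be
    # cleaned first, or new restore points will capture it again.
    return {n: ("active" if live else "restore-only") for n, live in live_seen.items()}

if __name__ == "__main__":
    for name, verdict in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {verdict}")
```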
Budfred
04-24-2004, 06:52 PM
Keep in mind that PestPatrol is famous for false positives. It identifies things as being there that are not there.....
Hopefully, IF he has it and it isn't a fake out as posted before, when he runs the AV it will option him to move it to the vault, and when he clicks on that function it will tell him it cannot be moved because it's in a restore file, and this (name of file) cannot be moved.
Then you'll know #1 it's real, and #2 clean out system restore and that source is cleaned up.
Also, when I have had those problems I ran the 'final' scans--Spybot and Spybot Advanced, Adaware, and AV from Safe Mode. If it gives you the exact name of the horse, you might want to run it through 'search files and folders' in Safe Mode, and if it comes up-- delete there. That worked for me once.
Originally posted by Budfred
Keep in mind that PestPatrol is famous for false positives. It identifies things as being there that are not there.....
Budfred, thanks, I did not know that, and coincidentally, I just ran it and it gave me a CWS.GoogleMS.3. So I ran SB & Advanced and Adaware--got zip. So I ran CWShredder--clean. So I was just thinking--do they do that in hopes you'll panic and run for the paying version, hmmmm. I'm going to run it anyway..makes a nice background to the others, and what the hay, it's free, and you don't even have to take the bottle back for a deposit!!!!
Budfred
04-24-2004, 07:15 PM
I am not sure why they do that... it may just be that they are even more paranoid than me :D :D or it may be that they are trying to sell something. There are a number of scam spyware scanners that do that to convince you to pay for them.. SpyHunter and SpyKiller come to mind....:rolleyes: :mad: :rolleyes:
Fruss Tray Ted
04-24-2004, 08:15 PM
Well I'm glad to hear the PestPatrol test was a false positive! For a moment there, I thought you might have been pregnant !> !!! I don't like cigars anyway... :cough cough:
I haven't used 'PP' but maybe the soft isn't capable of differentiating between restore files and normal processes and data.
I had SwatIt also but it never updated so I 'kicked its can'. I think it found something the very first time I used it but nothing since, even on various pc's.
I'm opting for a concurrent combo of SpywareGuard and SpywareBlaster as of a few days ago, maybe a week, and liking the knowledge that if anything changes to my homepage as I'm surfing, I am notified right away. :cool: The locking of homepage in SBS&D doesn't work (oops, you didn't here that hear... :o ).
FrankSG
04-24-2004, 08:32 PM
Thanks everybody--It seems that you solved his problem. It was in his System Restore as most of you suggested. So, he did as Fruss TT suggested and that seems to have taken care of the problem. I just called him and he said the message used to pop up about every 5 minutes. He has now had his computer running for about 2 hours and it hasn't happened yet.
I think I'll tell him that I figured out the answer all by myself. That way he'll think I'm smart.:cool: :) (Just kidding) I already told him where I got the answer. Thanks again--this sure is a good forum.