need help pls.

Status
Not open for further replies.

auleep

a few days ago, i realised that my computer had some kind of browser hijacking program on it. (i'm using firefox) So, according to the recommendation of some ppl i installed ad aware se and ran a full system scan.

it found quite a few critical objects. so i tried to delete them. this was when i ran into a problem.

ad aware was not able to delete the files that were causing the problem. it said that i should try to close all open browser windows prior to the removal of the files or that i should try re-running ad aware. the files are:

C:\WINDOWS\dXNIcg\asappsrv.dll

there are two more files which ad aware couldn't delete:

C:\WINDOWS\system32\dn6001jme.dll

and

C:\WINDOWS\dXNIcg\command.exe

when i tried to delete the files manually, i couldn't find them! when i checked in the C:\WINDOWS folder, i couldn't find any dXNIcg file to delete.

any help would be appreciated. pls try to give me an easy to follow guide as i'm not exactly a computer whiz. thanks.
 
Ok,
Try this.

1. Open your ad-aware program and do a check for updates.

2. Now with Ad-Aware open, locate the button at the top of the program that looks like a yellow cog - click it - it's your configuration tool for ad-aware.

3. You will now see a list of buttons "General" "Scanning" etc etc..
click on the "Startup" one.

4. You will be given some options to choose from. Select "Perform Full system scan" and click the "PROCEED" button to save these changes.

This will perform a scan with ad-aware before windows starts up, giving it a chance to remove those files before they load.

5. Now close all your open programs including ad-aware, and restart your computer.

Ad-aware is now set to run at startup of your machine. Let me know once you have tried this.
 
i still have a problem. whenever i close ad aware after selecting perform full system scan and clicking proceed, the startup scan mode changes back to no automated scanning.

pls help. thnx
 
Ad aware sometimes reports files that aren't virus/spyware etc.
I'm not an expert on this but i think they are windows files.

when i tried to delete the files manually, i couldnt find them! when i checked in the C:\WINDOWS folder, i couldnt find any dXNIcg file to delete.

Have you tried viewing hidden files and folders? Maybe they're hidden for a reason. (windows files)

Also i would change your browser to something safer than an open source browser. I recommend Opera. Click my sig to download it. Some features are-
Free to use
Tabbed browsing and pop-up blocking
Integrated search
Great security
Speed
Password manager
Customization
Mouse gestures
Notes
Cookie control
etc...
 
Download these three programs :

1.CCleaner - http://www.filehippo.com/download_ccleaner/

2. eTrust Pest Patrol (Trial) - http://www.download.com/eTrust-PestPatrol-Anti-Spyware/3000-8022_4-10345714.html?tag=pdp_prod

3. Hijack This - http://www.download.com/3000-8022-10227353.html


----

Install Hijack this here : C:\HJT
Install other programs in the default install path.

-Please scan with CCleaner, and remove what it finds.
also, click the "ISSUES" button and do a scan and remove.

-Do a scan with pest patrol after it does UPDATES :) remove what it finds.

-Finally, do a scan with HJT, select the "Do a System Scan and save a logfile" button. DO NOT remove anything that Hijack this finds , please copy the logfile it creates (using Notepad) , and post your log here.
 
here's my logfile:


Logfile of HijackThis v1.99.1
Scan saved at 4:03:13 PM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Yzxwoar\Cywpue.exe
C:\HP all in one\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\outlook\outlook.exe
C:\mousepad.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\mailskinner\mailskinner.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
D:\Program Files\Sparks\SmartProtector-Pro.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\HP all in one\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Documents and Settings\user\astr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qu123.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Ins3DT] E:\INSTALL4\INS3DT.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Mcyzyy] C:\Program Files\Yzxwoar\Cywpue.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\HP all in one\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe
O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1074.dll,InstantAccess
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SPSTEALT] "D:\Program Files\Sparks\SmartProtector-Pro.exe" /stealt
O4 - Global Startup: Date Manager.lnk = C:\RECYCLER\NPROTECT\00024361.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\HP all in one\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27F52AC3-8609-47CD-BE6F-ECE535212982}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C8DDF20F-36AF-4F17-B1EC-5F8C1C7BD084}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{27F52AC3-8609-47CD-BE6F-ECE535212982}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\f0l00a3med.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
 
Wow, you appear to have a number of problems..
I have noticed that you have an adware problem associated to "GAIN" ( an advertising threat ) and to find more entries of this problem I strongly recommend downloading these programs ( 1 being highest priority ) :

1.) SpyBot Search and Destroy .......http://www.download.com/3000-8022-10122137.html

2.)Ewido........http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html

3.) CWS ( cool web search remover)...http://www.trendmicro.com/cwshredder/

4.) KillBox ....... http://www.bleepingcomputer.com/files/killbox.php ( you may also need "WinRAR" to extract this download - http://www.download.com/3000-2250-10007677.html )

I know there is a fair bit of downloading, I am sorry for this, however, these are very effective programs, and should prove to be an essential tool.

*Please run a scan with Spybot then Ewido, and then CWS after updating :). DO NOT run KillBox yet. Remove any entries they may find. Also, with SpyBot - click on the "IMMUNISE" button, and then the immunise key ( this will block sites that have been proven to have malicious content ).

These .exe files are problems that need to be stopped :

C:\Program Files\Yzxwoar\Cywpue.exe

C:\mousepad.exe

C:\Program Files\SurfAccuracy\SAcc.exe

D:\Program Files\Sparks\SmartProtector-Pro.exe

C:\Documents and Settings\user\astr.exe


Instructions : Run "KillBox" , copy the path names above and paste them in the killbox window, click the round red button with a white X on it.
EG :
C:\mousepad.exe -----then press red button
D:\Program Files\Sparks\SmartProtector-Pro.exe -----then press red button

NOTE - Do not remove any other processes than the FIVE I have listed above. This will end the processes for you.

Color legend : Purple = required further actions please read next to entry before proceeding

Red = remove immediately, no further actions required.

Green = User preference ( eg Google Toolbar )

***NOW, please run Hijack this, do a system scan. Locate these entries below, and place a Checkmark next to them. ( only the ones I listed )

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qu123.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

R3 - Default URLSearchHook is missing


O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
-If you have Kazaa, Limewire etc, and you want to have these open then keep this. However, these entries indicate that you could have multiple ports that are not protected from unsolicited access.

O4 - HKLM\..\Run: [Mcyzyy] C:\Program Files\Yzxwoar\Cywpue.exe

O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\Run: [winlog] winlog.exe --PLEASE READ INFO AT THIS LINK BEFORE REMOVAL-- :
http://www.liutilities.com/products/wintaskspro/processlibrary/winlog/

O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe

O4 - HKLM\..\Run: [mousepad] C:\\mousepad.exe

O4 - HKLM\..\Run: [gimmysmileys] C:\\gimmysmileys.exe

O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1074.dll,InstantAccess


O4 - HKCU\..\Run: [SPSTEALT] "D:\Program Files\Sparks\SmartProtector-Pro.exe" /stealt
-PLEASE OPEN CONTROL PANEL > ADD/REMOVE PROGRAMS - locate "SMARTPROTECTOR PRO" and remove.

O4 - Global Startup: Date Manager.lnk = C:\RECYCLER\NPROTECT\00024361.EXE
-PLEASE OPEN CONTROL PANEL > ADD/REMOVE PROGRAMS - locate "DATE MANAGER" and remove.


O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe


O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binar...svc32_EN_XP.cab

PLEASE VISIT THIS WEB PAGE FOR FURTHER REMOVAL INSTRUCTIONS - : http://securityresponse.symantec.com/avcenter/venc/data/dialer.instantaccess.html

O17 - HKLM\System\CCS\Services\Tcpip\..\{27F52AC3-8609-47CD-BE6F-ECE535212982}: NameServer = 202.188.0.133 202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{C8DDF20F-36AF-4F17-B1EC-5F8C1C7BD084}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CS1\Services\Tcpip\..\{27F52AC3-8609-47CD-BE6F-ECE535212982}: NameServer = 202.188.0.133 202.188.1.5
Not really sure what they are, they appear suspicious, so please consider carefully if you recognise what they may be associated to before removal.

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe (file missing)

After placing a checkmark next to these entries, click the "fix" key.

Now, click START > RUN .
In the window, type msconfig click OK.
Click on the "STARTUP" tab
Look through the list carefully, if you find Cywpue , mousepad , SAcc , astr , or Smartprotector , then uncheck them by clicking the tick next to them.
Click Apply, then OK. ( only those entries ).
you will be prompted to restart, click no for now.



I suggest getting a free firewall aka Zone Alarm - its free - http://www.download.com/3000-2092-10039884.html

Also, after performing all of this, Run ad-aware with a full system scan.
Then do a disk cleanup Click START > All Programs > Accessories > System Tools - Disk cleanup. A window will pop up in a minute or so, then just click OK.

Then do a defrag -Click START > All Programs > Accessories > System Tools - Disk Defragmenter.
Once it opens, Click the ANALYSE button, then click the "DEFRAGMENT" button. This will take a while ( 5 to 30 mins approx ) - it will re-organise your local drives, to make your system and games run a lot smoother.

After this restart your computer.

Hope your sanity is restored soon.
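
Added example, not part of the original thread: a first-pass triage of the O4 (autorun) and O23 (service) lines of a HijackThis log, using simple path heuristics to decide which entries deserve a manual look. The sample lines are excerpted from the log posted above; the names `triage` and `executable` and the reason strings are this example's own assumptions, not HijackThis features.

```python
import re

# Lines excerpted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - Global Startup: Date Manager.lnk = C:\RECYCLER\NPROTECT\00024361.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe (file missing)
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

AUTORUN = re.compile(r"^O4 - (?:HK\w+\\\.\.\\\w+: \[(.*?)\]|(?:Global )?Startup: (.*?) =) (.*)$")
SERVICE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def executable(command):
    """Extract the program path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first .exe/.dll so paths with spaces survive.
        m = re.match(r"(?i).*?\.(?:exe|dll)", command)
        path = m.group(0) if m else command.split()[0]
    return re.sub(r"\\+", r"\\", path)  # collapse doubled backslashes


def triage(log_text):
    """Return (section, name, reasons) for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        autorun, service = AUTORUN.match(line), SERVICE.match(line)
        if autorun:
            section, name = "O4", autorun.group(1) or autorun.group(2)
            path = executable(autorun.group(3))
            if "\\" not in path:
                reasons.append("no directory, resolved via search path")
            elif re.match(r"(?i)^[a-z]:\\[^\\]+$", path):
                reasons.append("executable in drive root")
            if "\\recycler\\" in path.lower():
                reasons.append("runs from RECYCLER")
        elif service:
            section, (name, owner, target) = "O23", service.groups()
            if target.endswith("(file missing)"):
                reasons.append("binary reported missing")
            if owner == "Unknown owner":
                reasons.append("no vendor information")
        if reasons:
            findings.append((section, name, reasons))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(SAMPLE_LOG):
        print(f"{section}  {name}: {'; '.join(reasons)}")
```

On the sample it flags `nwiz` and the InCD service alongside `winlog`, `keyboard`, Date Manager and the Command Service, and it does not flag the SurfAccuracy entry that the reply above lists for removal, so the output is a review list to check by hand, not a verdict.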
 