Dll files

I did a boot scan when I first installed and had a bunch of dll files infected with win32:winshow. I moved them all to chest and did not delete them. Now I get virus on your computer messages all the time for these same dll files. Can you safely delete dll file viruses? What is the best action on this?

Hi, welcome to the forums.

Please help us to help you. In order to help fully we need more information…
- What OS are you using? Is it up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the virus name, what was the filename, where was it found, example (C:\windows\system32\infected-filename.xxx)?
- What actions have you taken to try and resolve the problem?
Also see this thread for further information and advice: User’s FAQ.

Moving them to the chest was the best option, until you are sure there will be no harm from deleting them.

The fact that avast keeps finding them, I’m making a guess here that they are found in _restore files, if so, it is likely they were first found/moved from a windows system folder and are being protected by windows.

Answer the above questions and we will be able to give more detailed help, otherwise we are just guessing.

Advice & Tools for virus/trojan/malware Removal & Prevention

Winshow is a pop-up opener implemented as an Internet Explorer Browser Helper Object.

Just removing the dll files isn’t enough. You also need to clean the registry.

I am using XP and Avast 4.5.
The viruses are in C:\windows and C:\windows\system32 and all are dll files: hnxmm.dll, mzkmk.dll, okriy.dll just to name a few. I have tried Spybot and Avast virus cleaner. There are about 50 of these in my chest and I keep getting virus warnings regularly.

Click on the link in my signature and from the menu, choose “malware removal instructions”. Clean your entire system.

Once system restore is off and problems fixed, does it need to be turned back on?

Yes you can switch it back on.

If you have other means of going back to an earlier state (backup, hdd imaging, goback, etc.) then you could probably live without it. I have found System Restore to be less than perfect as have others.

SYSTEM RESTORE - Info - Troubleshooting
There are many, many reasons why a System Restore may fail. For example, see “Why are previous restore points not working?” in the “Troubleshooting” section of this official Microsoft page:
http://www.microsoft.com/technet/prodtechnol/winxppro/plan/faqsrwxp.mspx

There’s lots more on that page that’s worth reading too. Note especially the sections on “Does System Restore protect personal data files?” (the short answer: no); “What should I do if System Restore does not work?”; “Why are my restore points missing or deleted?”; “Why does the System Restore Wizard lockup?”; and so on. Just a few minutes on that page ought to convince just about anyone that System Restore is not intended for heavy-duty system protection!

More info:
http://www.kellys-korner-xp.com/xp_restore.htm
http://www.experts-exchange.com/Operating_Systems/WinME/Q_20718080.html
http://www.google.com/search?q=system+restore+fail

Now I have a constant browser hijack alarm from spyware guard. I have looked at my Hijack log and found no BHO. Something crazy is going on with this pc.

Hi,

Why not post the HijackThis log here? :wink:

Also scan & fix with updated Ad-Aware in SafeMode
and run ESCAN & report its findings here

For links/info: work through the link "VirusRemoval" below in my sig or reread Eddy’s page…

:wink:

Here is my Hijack log.

Logfile of HijackThis v1.98.2
Scan saved at 10:42:28 PM, on 12/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\mfcvt32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\sysbn.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Win Comm\WinComm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BootLocker\BLTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Kevin Maddrey\Desktop\utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xabvg.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xabvg.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xabvg.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xabvg.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysbn.exe] C:\WINDOWS\sysbn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\RunOnce: [BootLocker] C:\Program Files\BootLocker\winlock.exe /L /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

This is the result from my HijackThis Log Analyzer:


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\mfcvt32.exe
\progra~1\aws\weathe~1\weather.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = res://c:\windows\xabvg.dll/sp.html#29126
r1 - hklm\software\microsoft\internet explorer\main,default_page_url = about:blank
r1 - hklm\software\microsoft\internet explorer\main,default_search_url = res://c:\windows\xabvg.dll/sp.html#29126
r1 - hklm\software\microsoft\internet explorer\main,search bar = res://c:\windows\xabvg.dll/sp.html#29126
r1 - hklm\software\microsoft\internet explorer\main,search page = res://c:\windows\xabvg.dll/sp.html#29126
r3 - default urlsearchhook is missing
o4 - hkcu\..\run: [weather] c:\progra~1\aws\weathe~1\weather.exe 1
o15 - trusted zone: *.frame.crazywinnings.com
o15 - trusted zone: *.static.topconverting.com
o16 - dpf: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
o16 - dpf: {01113300-3e00-11d2-8470-0060089874ed} (support.com configuration class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
o16 - dpf: {0e5f0222-96b9-11d3-8997-00104bd12d94} (pcpitstop utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
o16 - dpf: {2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (minibugtransporterx class) - http://wdownload.weatherbug.com/minibug/tricklers/aws/minibugtransporter.cab?
o16 - dpf: {2fc9a21e-2069-4e47-8235-36318989db13} (ppsdkactivexscanner.mainscreen) - http://www.pestscan.com/scanner/axscanner.cab
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {b8be5e93-a60c-4d26-a2dc-220313175592} (zoneintro class) - http://zone.msn.com/binframework/v10/zintro.cab27513.cab
o18 - protocol: icoo - {4a8dadd4-5a25-4d41-8599-cb7458766220} - (no file)


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm\..\run: [winampagent] c:\program files\winamp\winampa.exe
o4 - hklm\..\run: [ussshreg] c:\progra~1\uleads~1\uleadp~1.2\ssaver\ussshreg.exe /r
o4 - hklm\..\run: [bootlocker] c:\program files\bootlocker\bootlockerstartup.exe
o4 - hklm\..\runonce: [bootlocker] c:\program files\bootlocker\winlock.exe /l /s
o4 - hkcu\..\run: [msmsgs] "c:\program files\messenger\msmsgs.exe" /background
o4 - startup: bootlocker tray.lnk = c:\program files\bootlocker\bltray.exe
o4 - global startup: forget me not.lnk = c:\program files\broderbund\ag creatacard\agremind.exe
o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

\windows\sysbn.exe
o4 - hklm\..\run: [sysbn.exe] c:\windows\sysbn.exe
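
An added example, not part of any post in this thread: a small Python triage script that reads HijackThis entries like those posted above and lists which Internet Explorer registry values point at a `res://` DLL (the registry side of the cleanup mentioned earlier), plus autorun entries whose executable sits directly in the Windows folder. The function names and the Windows-folder heuristic are assumptions made for illustration; a hit is a lead to verify, not a verdict.

```python
import re

# Constructed sample: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xabvg.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xabvg.dll/sp.html#29126
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [sysbn.exe] C:\WINDOWS\sysbn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
REG_VALUE = re.compile(r"^(HK\w+\\[^,]+),(.+?) = (.*)$")
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
# Accepts "HKLM\..\Run" and "HKLM..\Run" (pasted logs often lose the backslash).
RUN_ENTRY = re.compile(r"^(HK\w+)\\?\.\.\\(Run\w*): \[(.+?)\] (.*)$")
WIN_ROOT_EXE = re.compile(r'^"?(c:\\windows\\[^\\"]+\.exe)', re.IGNORECASE)


def parse(log):
    """Yield (section, body) for each HijackThis entry line; skip other lines."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def res_dll_registry_values(log):
    """Map each DLL loaded through res:// to the IE registry values naming it."""
    found = {}
    for section, body in parse(log):
        m = REG_VALUE.match(body) if section in ("R0", "R1") else None
        dll = RES_DLL.match(m.group(3)) if m else None
        if dll:
            found.setdefault(dll.group(1).lower(), []).append(
                m.group(1) + "\\" + m.group(2))
    return found


def run_entries_in_windows_root(log):
    """List (name, image) autoruns whose image sits directly in the Windows folder."""
    hits = []
    for section, body in parse(log):
        m = RUN_ENTRY.match(body) if section == "O4" else None
        exe = WIN_ROOT_EXE.match(m.group(4)) if m else None
        if exe:
            hits.append((m.group(3), exe.group(1)))
    return hits


if __name__ == "__main__":
    print(res_dll_registry_values(SAMPLE_LOG))
    print(run_entries_in_windows_root(SAMPLE_LOG))
```

Each registry value listed for a DLL has to be reset as well as the file removed, otherwise the browser setting still points at the missing DLL.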

Okay, I have deleted the things on my Hijack list, but about 5 will not delete. They come back on the very next scan. I am still infested with Win 32 Winshow virus alerts constantly.

                          ???

Which ones are coming back?
Did you disable system restore, before removing them?
(disable system restore, reboot, remove them, reboot)