Which software removes some dll files from Windows\System32 folder?

[fred]

Hello,
On each Windows reboot I have the same, two dll files removed from
my Windows\System32 folder.
Which program is responsible for that?
Please advise,
Fred

 

[Pegasus [MVP]]

Hello,
On each Windows reboot I have the same, two dll files removed
from my Windows\System32 folder.
Which program is responsible for that?
Please advise,
Fred

Which files?

 

[fred]

The names will not tell you anything: msgpd.dll and msgphd.dll
They belong to the program I trust and use every day.
However, after each Windows reboot I have to reinstall that program to be
able to use it again.
Thanks,
Fred

 

[PA Bear [MS MVP]]

On each Windows reboot I have the same, two dll files removed
How have you determined that the files have been removed? Are you seeing
"file missing" errors when you reboot?

They belong to the program I trust and use every day.

Phone Dialer Pro (VOIP software), perchance?

There is a very good chance that you are seeing the effects of a hijackware
infection (e.g., Backdoor.Win32.Ripper)!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection' scan
(only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

 

[ANONYMOUS]

Hello,
          On each Windows reboot I have the same, two dll filesremoved from
my Windows\System32 folder.
Which program is responsible for that?
Please advise,
Fred

It could be some form of virus or it could be that the program itself
is doing that when it is closing. Do you use your system whilst you
are logged in as Administrator i.e. as a user with ADMIN powers? If
so, why not create a normal user account and see if the files are
still deleted.

You could also try to write-protect those two files so that they are
not deleted by you the user. If they are still deleted then clearly a
virus is doing its job.

The best option is always to use the XP system as normal user without
the ADMIN authorities.

Hope this helps and let us know if it solved the isuue..

 

[Pegasus [MVP]]

They are probably being removed by your virus scanner, e.g. because of a
false positive alert. Have you checked its quarantine location?

You can confirm my suspicion like so:
1. Physically disconnect your machine from the Internet.
2. Run msconfig.exe.
3. Disable all scanner-related tasks under the startup tab.
4. Disable all scanner-related services under the services tab.
5. Reboot your machine.
6. If the files are missing, re-install them.
7. Reboot the machine.
If files are no longer missing then it's your virus scanner that does the
damage.
8. Re-enable all scanner-related tasks and services.

 

[ANONYMOUS]

They are probably being removed by your virus scanner, e.g. because of a
false positive alert. Have you checked its quarantine location?

No it can't be. All virus scanners will warn you and/or alert you
before taking any drastic action like deleting a file! Please don't
misinform people or give them false sense of security on these
reputable Microsoft newsgroups.

 

[Pegasus [MVP]]

They are probably being removed by your virus scanner, e.g. because of a
false positive alert. Have you checked its quarantine location?

No it can't be. All virus scanners will warn you and/or alert you
before taking any drastic action like deleting a file! Please don't
misinform people or give them false sense of security on these
reputable Microsoft newsgroups.

=================

It's a bold claim to say that "all virus scanners" will warn you. They
should but unless you have personally checked each and every one of them
your claim is pure guesswork. It's the same as saying "All adult Americans
know who Barack Obama is" but you can't be sure until you've asked every one
of them.

Furthermore it is easily possible that the OP overlooked or misinterpreted
the warning if there was one. This is what I tried to alert him to.

Lastly, I don't have the faintest idea what you mean with "give them a false
sense of security". Please explain.

 

[Tom Willett]

No, not all virus scanners will warn and alert you *unless* you have
instructed them to do so. Normally, the default is to quarantine or delete.

They are probably being removed by your virus scanner, e.g. because of a
false positive alert. Have you checked its quarantine location?

No it can't be. All virus scanners will warn you and/or alert you
before taking any drastic action like deleting a file! Please don't
misinform people or give them false sense of security on these
reputable Microsoft newsgroups.

 

[Jose]

Hello,
          On each Windows reboot I have the same, two dll filesremoved from
my Windows\System32 folder.
Which program is responsible for that?
Please advise,
Fred

A popular solution for files that get removed on reboot is to first
change the files to read only, then hidden and read only and then
create a batch file to replace the missing files from some other
location and add this to your boot sequence. You can also create a
desktop shortcut to run a batch file whenever the need arises.

Sure beats a reinstall of the mysterious application!

Thought I would throw that out early...

One should (always) start with some scans for malicious software using
reputable tools first so you can eliminate the obvious, then proceed
to the not so obvious.

 

[ANONYMOUS]

No, not all virus scanners will warn and alert you *unless* you have
instructed them to do so. Normally, the default is to quarantine or delete.

Which brand are you using Pig? Do you still lick people's asses
especially of your fellow Pig Society Memeber?

I use AVG (free version), Symantec and Avast (on different machines I
hasten to add) and all these three warns you and in Avast you can
instruct it not to take any action. You also get a speech voice of
some nutter warning you of a virus attack in Avast.

When you say "*unless* you have instructed them to do so" clearly this
vindicates my original statement. You can only instruct if and only
if you are warned or alerted How else can you "instruct them" Do
you just second guess an imminent attack?

Mind boggles with pigs around here!

 

[fred]

Thank you all.
I have traced the problem to SuperAntiSpyware.
Fred

 

[fred]

Bingo!
Both dll belong to Phone Dialer Pro software.
I am surprised you know that, PABear.
Are you using that software yourself?
I have found out that is the best phone dialer available anywhere.
I've traced the problem to SuperAntiSpyware.
Thanks,
Fred

How have you determined that the files have been removed? Are you seeing
"file missing" errors when you reboot?

They belong to the program I trust and use every day.

Phone Dialer Pro (VOIP software), perchance?

There is a very good chance that you are seeing the effects of a
hijackware infection (e.g., Backdoor.Win32.Ripper)!

NB: If you had no anti-virus application installed or the subscription had
expired *when the machine first got infected* and/or your subscription has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan (only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

The names will not tell you anything: msgpd.dll and msgphd.dll
They belong to the program I trust and use every day.
However, after each Windows reboot I have to reinstall that program to be
able to use it again.

 

[Pegasus [MVP]]

They are probably being removed by your virus scanner, e.g. because of a
false positive alert. Have you checked its quarantine location?

No it can't be. All virus scanners will warn you and/or alert you
before taking any drastic action like deleting a file! Please don't
misinform people or give them false sense of security on these
reputable Microsoft newsgroups.

=======

I trust you will read the OP's conclusion. It was an anti-spyware issue
after all that caused his problem.

 

[PA Bear [MS MVP]]

Actually, S*PERAntiSpyware might be acting properly & protecting you!
Depending on where you obtained/downloaded Phone Dialer Pro, some Bad Guys
(e.g., Backdoor.Win32.Ripper) might have "come along for the ride."

Bingo!
Both dll belong to Phone Dialer Pro software.
I am surprised you know that, PABear.
Are you using that software yourself?
I have found out that is the best phone dialer available anywhere.
I've traced the problem to SuperAntiSpyware.

On each Windows reboot I have the same, two dll files removed
from my Windows\System32 folder.

How have you determined that the files have been removed? Are you seeing
"file missing" errors when you reboot?

They belong to the program I trust and use every day.

Phone Dialer Pro (VOIP software), perchance?

There is a very good chance that you are seeing the effects of a
hijackware infection (e.g., Backdoor.Win32.Ripper)!

NB: If you had no anti-virus application installed or the subscription
had
expired *when the machine first got infected* and/or your subscription
has
since expired and/or the machine's not been kept fully-patched at Windows
Update, don't waste your time with any of the below: Format & reinstall
Windows. A Repair Install will NOT help!

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

NB: Run the FULL scan, not the QUICK scan! You may need to download the
MSRT on a non-infected machine, then transfer MRT.EXE to the infected
machine and rename it to SCAN.EXE before running it.

2. [WinXP ONLY!! =>] Run the Windows Live Safety Center's 'Protection'
scan (only!) in Safe Mode with Networking, if need be:
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested
logs in an appropriate forum, not here.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2.html#Removing_Malware

**Chances are you will need to seek expert assistance in
http://spywarehammer.com/simplemachinesforum/index.php?board=10.0,
http://www.spywarewarrior.com/viewforum.php?f=5,
http://www.dslreports.com/forum/cleanup,
http://www.bluetack.co.uk/forums/index.php,
http://aumha.net/viewforum.php?f=30 or other appropriate forums as
well.**

If these procedures look too complex - and there is no shame in admitting
this isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

The names will not tell you anything: msgpd.dll and msgphd.dll
They belong to the program I trust and use every day.
However, after each Windows reboot I have to reinstall that program to
be
able to use it again.

Which files?

On each Windows reboot I have the same, two dll files removed
from my Windows\System32 folder.
Which program is responsible for that?