systemhook.dll message

This is a discussion on systemhook.dll message within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 04-29-2006, 02:58 AM   #1
Guest
 
Join Date: Apr 2006
Posts: 26
OS:



Hi all

I've tried multiple techniques, antiviruses, various spyware removers, registry cleaners, etc, but I can not get rid of a dialogue box that pops up every 10 minutes or so..... "ScreenFlasher Run-time error '339' Component 'systemhook.dll' or one of its dependencies... blah blah blah

Apologies if I've missed something obvious.

Any and all help appreciated.

The log:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:32 p.m., on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Propel Accelerator\propelac.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mike.SHUTTLE.001\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~2\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ClocX] C:\Program Files\ClocX\ClocX.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - https://update.microsoft.com/windowsu...?1141466327018
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB2FDC6-9505-4EC6-A1F8-C9814AD611BB}: NameServer = 203.0.178.191
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Mikefnz is offline  
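The log above lists every autostart and hook location HijackThis 1.99 reports on, and most of the work of reading one is deciding which entries deserve a second look. The Python below is an added example, not part of the thread and not a HijackThis feature: it parses the section tags of an HJT log and tags the entries a triager usually checks first, such as a Run entry that names a bare file with no directory (resolved through the search path, so the file has to be located by hand), an unresolved Global Startup shortcut, a per-user proxy, AppInit_DLLs and Winlogon Notify entries, and a service with no publisher. The sample lines are copied from the log posted above; the `reason` tags are this script's own naming and carry no verdict.

```python
"""Triage the persistence-related sections of a HijackThis 1.99.x log.
Added example for this thread (not a HijackThis feature); the reason tags are this script's own."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the log posted in the thread, one or two per section.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB2FDC6-9505-4EC6-A1F8-C9814AD611BB}: NameServer = 203.0.178.191
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # this script's own tag for why the entry is worth a look
    detail: str    # the part of the entry that triggered the tag
    line: str      # the original log line


# "O4 - <body>": section tag, " - ", rest of the entry
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" (also RunOnce, RunServices, ...)
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def image_path(cmd: str) -> str:
    """First token of a Run command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(maxsplit=1)[0] if cmd else ""


def triage(log_text: str):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "R1" and "ProxyServer = " in body and body.split("= ", 1)[1].strip():
            findings.append(Finding(sec, "proxy_configured", body.split("= ", 1)[1].strip(), line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "bho_no_name", body, line))
        elif sec == "O4":
            run = O4_RUN_RE.match(body)
            if run:
                img = image_path(run.group("cmd"))
                if "\\" not in img:  # no directory: resolved via the search path, locate by hand
                    findings.append(Finding(sec, "bare_filename", img, line))
            elif body.endswith(" = ?"):  # Startup-folder shortcut whose target HJT could not resolve
                findings.append(Finding(sec, "unresolved_shortcut", body.split(":", 1)[1].strip(), line))
        elif sec == "O17" and "NameServer = " in body:
            findings.append(Finding(sec, "dns_server", body.split("= ", 1)[1].strip(), line))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:"):  # loaded into every user32-linked process
                findings.append(Finding(sec, "appinit_dll", body.split(":", 1)[1].strip(), line))
            elif body.startswith("Winlogon Notify:"):  # loaded into winlogon.exe
                findings.append(Finding(sec, "winlogon_notify", body.split(":", 1)[1].strip(), line))
        elif sec == "O23" and " - Unknown owner - " in body:  # no publisher in the version resource
            findings.append(Finding(sec, "service_unknown_owner", body.rsplit(" - ", 1)[1], line))
    return findings


def summarize_findings(findings):
    """Count of findings per reason tag."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<22} {f.detail}")
```

Tags are prompts, not verdicts: on this log the proxy entry and the AppInit DLL should be matched against the Propel Accelerator and Google Desktop entries in the same log before anything is treated as hostile, and the bare `LTMSG.exe` simply needs to be found on disk and identified.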
Old 04-30-2006, 08:55 AM   #2
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Welcome to TSF


Download and install CleanUp!. Do NOT run it yet.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
  • Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations; Move Them Now!!!

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
POADB is offline  
Old 05-01-2006, 11:20 AM   #3
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Hi and many thanks for helping.

The Kaspersky report:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, May 02, 2006 3:41:04 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 1/05/2006
Kaspersky Anti-Virus database records: 190872
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 122231
Number of viruses found: 3
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 02:45:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Mike\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\BB1293B2-0C0D-4113-BA28-4644C8\173E7680-0DB2-40E6-9BEB-BCCA2A Infected: not-a-virus:AdWare.Win32.BargainBuddy.u skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip ZIP: infected - 3 skipped
C:\Downloads\BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Downloads\BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Downloads\BitTorrent-Stable.exe NSIS: infected - 2 skipped
C:\Program Files\BitTorrent\uninstall.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Program Files\BitTorrent\uninstall.exe NSIS: infected - 2 skipped
C:\unzipped\Windows OS serials\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\unzipped\Windows OS serials\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\unzipped\Windows OS serials\keyfinder.exe RarSFX: infected - 2 skipped
D:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip ZIP: infected - 3 skipped
D:\Downloads\BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Downloads\BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\Downloads\BitTorrent-Stable.exe NSIS: infected - 2 skipped
D:\New Backup Job.C000/C/Downloads/19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\New Backup Job.C000/C/Downloads/19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\New Backup Job.C000/C/Downloads/19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\New Backup Job.C000/C/Downloads/19724f94c0fd161e89ab94327d8986ddf03.zip Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\New Backup Job.C000/C/Downloads/BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\New Backup Job.C000/C/Downloads/BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\New Backup Job.C000/C/Downloads/BitTorrent-Stable.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\New Backup Job.C000 ZIP: infected - 7 skipped

Scan process completed.
I haven't tried to remove anything yet.

Cheers

Mike
Mikefnz is offline  
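Kaspersky reports every nested object separately, separating archive members from the file on disk with `/`, and it marks riskware (password recovery tools, process killers, adware) with the `not-a-virus:` prefix rather than a malware verdict. The Python below is an added example, not part of the thread or of the scanner, that folds a report back to the files actually on disk and groups it by verdict; the sample is constructed from a subset of the lines posted above.

```python
"""Summarise a Kaspersky On-line Scanner report by verdict and by on-disk file.
Added example for this thread; constructed from a subset of the report lines posted above."""
import re
from collections import Counter, defaultdict

SAMPLE_REPORT = r"""
C:\Documents and Settings\Mike\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\BB1293B2-0C0D-4113-BA28-4644C8\173E7680-0DB2-40E6-9BEB-BCCA2A Infected: not-a-virus:AdWare.Win32.BargainBuddy.u skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Downloads\19724f94c0fd161e89ab94327d8986ddf03.zip ZIP: infected - 3 skipped
C:\Downloads\BitTorrent-Stable.exe/stream/data0009 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Downloads\BitTorrent-Stable.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Downloads\BitTorrent-Stable.exe NSIS: infected - 2 skipped
D:\New Backup Job.C000/C/Downloads/BitTorrent-Stable.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
Scan process completed.
"""

# "<object> Infected: <verdict> <action>"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
# "<container> ZIP: infected - 3 skipped" (per-archive summary line; also counted in the totals)
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?P<fmt>\S+): infected - (?P<count>\d+) (?P<action>\S+)$")
# "not-a-virus:PSWTool.Win32.RAS.a" -> prefix, behaviour class, platform, family, variant
VERDICT_RE = re.compile(
    r"^(?:(?P<prefix>not-a-virus):)?(?P<behaviour>[^.]+)\.(?P<platform>[^.]+)\.(?P<family>[^.]+)(?:\.(?P<variant>\S+))?$"
)


def container_root(obj: str) -> str:
    """The file on disk that a nested object lives in ('/' separates archive members)."""
    return obj.split("/", 1)[0]


def parse_report(text: str):
    detections, containers = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["obj"], m["verdict"], m["action"]))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers.append((m["obj"], m["fmt"], int(m["count"]), m["action"]))
    return detections, containers


def summarize_report(text: str) -> dict:
    detections, containers = parse_report(text)
    by_verdict = Counter(v for _, v, _ in detections)
    roots = defaultdict(set)
    for obj, verdict, _ in detections:
        roots[verdict].add(container_root(obj))
    classes = {}
    for verdict in by_verdict:
        m = VERDICT_RE.match(verdict)
        classes[verdict] = (m["prefix"], m["behaviour"]) if m else (None, None)
    return {
        "objects": len(detections),                                   # nested hits
        "files": len({container_root(o) for o, _, _ in detections}),  # distinct files on disk
        "by_verdict": dict(by_verdict),
        "roots": {v: sorted(s) for v, s in roots.items()},
        "classes": classes,
        # True when every verdict is riskware ("not-a-virus:"), i.e. nothing classed as malware
        "riskware_only": all(p == "not-a-virus" for p, _ in classes.values()),
        "containers": containers,
    }


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['objects']} nested objects in {s['files']} files; riskware only: {s['riskware_only']}")
    for verdict, files in s["roots"].items():
        print(f"  {verdict}: {', '.join(files)}")
```

Run over the full report above, the same grouping collapses the 29 infected objects (22 nested detections plus 7 container summary lines) into eight files: the two download folders, the unzipped copy, the BitTorrent uninstaller, a CounterSpy quarantine entry and a backup archive, every one carrying the `not-a-virus:` prefix.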
Old 05-02-2006, 12:37 PM   #4
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Those results by Kaspersky are not of major concern. They are password tools etc, but who am I to judge.

Download CCleaner - and Install it.

*Note* On the install please uncheck the option "Add CCleaner Yahoo toolbar and use CCleaner from within IE"

Run CCleaner.
  • On the left, click 'Issues'.
  • Click 'Scan For Issues'.
    *CCleaner will check for issues in the registry and list them. You can monitor its progress by the green percentage bar.*
  • Once it has reached 100%, click 'Fix Selected Issues...'.
    *At this point CCleaner will ask if you want to back up the registry. This is your choice. If you choose to back up, save the backup file in the folder you installed CCleaner.*
  • Ccleaner will give you a description of each 'issue' found. Click 'Fix All Selected Issues' for speed.
  • Repeat the above steps until CCleaner no longer finds 'issues'.
  • Exit CCleaner.
POADB is offline  
Old 05-03-2006, 01:26 AM   #5
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Thanks for your advice and yes I must mend my ways and just shell out some cash instead of importing crap into my machine!

Done all that.

The message still keeps appearing. I am beginning to suspect that it may be real, although the 'Screenflasher' in the top left indicates something else?

Any suggestions much appreciated.
Mikefnz is offline  
Old 05-03-2006, 06:10 AM   #6
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Have you downloaded any joke, hoax viruses?
There is a joke virus known as ScreenFlasher that behaves in a similar way.

Or do you have a ScreenFlasher program? is MSGTAG a program you use? What exactly does it do?

Update Norton, and run a full system scan.
POADB is offline  
Old 05-03-2006, 10:30 PM   #7
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


I haven't knowingly downloaded the joke screenflasher and in theory Norton Antivirus should pick that up and nuke it.

I keep Norton up to date. Updated this morning and ran a check. Clean, according to Mr Norton.

MSGTAG is legitimate. It is a message tag program that tells you when an email has been received. Not had a problem with it - I've been running it for about two years.

Cheers

Mike
Mikefnz is offline  
Old 05-04-2006, 12:59 AM   #8
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


I see you already have Ewido. So please skip the download part of the next instructions, but make sure you update the database.

REBOOT TO SAFE MODE

Download Ewido Security Suite - Install & Update its database but do not run it yet.

** Please disable all other antivirus programs before proceeding.**

Run Ewido:
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click OK
  • Once finished, click the Save report button
  • Save the report to your desktop
Close Ewido
* The Ewido scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
POADB is offline  
Old 05-04-2006, 03:23 AM   #9
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Doesn't appear to be much:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:13:45 p.m., 4/05/2006
+ Report-Checksum: 339C45C8

+ Scan result:

:mozilla.47:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Mike.SHUTTLE.001\Application Data\Mozilla\Firefox\Profiles\i9znk2mr.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.27:C:\RECYCLER\NPROTECT\00008116.MOZ -> TrackingCookie.Hitbox : Cleaned with backup


::Report End
Mikefnz is offline  
Old 05-04-2006, 04:06 AM   #10
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta creates a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

POADB is offline  
Old 05-04-2006, 11:29 AM   #11
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


I had already run Blacklight. Ran it again. Nothing found, no log either.

Copy of dialogue box attached.

Cheers
Attached Images
File Type: bmp screenflasher.bmp (226.0 KB, 18 views)
Mikefnz is offline  
Old 05-04-2006, 11:37 AM   #12
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Try this.

Go to Start > Run and type or copy and paste the following:

regsvr32 systemhook.dll

If the popup box continues, let me know what you're doing at the point of it popping up.
POADB is offline  
Old 05-04-2006, 11:46 AM   #13
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Done that already as well! The response is:
Loadlibrary("Systemhook.dll") failed - The specified module could not be found.

I'll try and keep track of what I am doing when it pops up. I'm pretty sure that it will pop up after say 15 minutes with the PC 'idle'.

Cheers
Mikefnz is offline  
Old 05-04-2006, 11:49 AM   #14
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Using Uninstall Manager
  • Double click on HijackThis.exe to run it.
  • Go to Config || Misc Tools
  • click the button labelled "Open Uninstall Manager"
  • To get a quick uninstall Log, click the "Save List" button

Right click on this link https://www.greyknight17.com/spy/RegSrch.vbs and choose 'Save As'. Save it somewhere. Now run that program and do a search for these files (if more than one, make sure to search and save them separately):

ScreenFlasher
systemhook.dll

Save the file/files and post the results in the forum.
POADB is offline  
Old 05-04-2006, 12:06 PM   #15
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Ok the results:

Uninstall list:

Ad-Aware SE Personal
Adobe Acrobat 7.0 Professional
Adobe Photoshop Elements 3.0
Adobe Reader 7.0.7
ATnotes Version 9.5
Azureus
Battlefield 2(TM) Demo
BitTorrent 4.4.1
Broadcom Gigabit Integrated Controller
CCleaner (remove only)
CuteFTP 6 Professional
EasyCleaner
ewido anti-malware
FileZilla (remove only)
Firefox Screensaver v1.0
Free Download Manager 1.9
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB912475)
Iconicity 1.5
Interactive 3D Characters
Interactive Primary Spelling Tutor 1.4
Interactive Primary Spelling Tutor 6 letter words
iTunes
IZArc 3.5 beta 3
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Junior Spelling Tutor 5 letter words
Kaspersky On-line Scanner
Kids Junior Spelling Tutor 4.0
LimeWire 4.10.9
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
MailWasher Pro
[email protected]
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.3)
Mozilla Thunderbird (1.5.0.2)
MSGTAG
Multimedia Launcher
MWSnap 3
Norton AntiVirus 2003
Norton WMI Update
NVIDIA Drivers
Painkiller SP Demo 2
Panda ActiveScan
Pdf995
PdfEdit995
Picasa 2
PowerDVD
PowerProducer
Powertoys For Windows XP
Propel Accelerator
QuickTime
Realtek AC'97 Audio
RegDoctor 1.42
RegistryFix v5.5
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Steam(TM)
Sunbelt CounterSpy
SWF 'n Slide Pro 1.010
SyncBack
Tomb Raider: Legend Demo 1.0
TrueCrypt
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
ZoneAlarm
Regsrch lists:

Screenflasher (seems to just be my screencaptures, probably should have used a different word!)

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU]
"a"="C:\\Mike's folders\\screenflasher"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"d"="C:\\Documents and Settings\\Mike.SHUTTLE.001\\My Documents\\Screenflasher.CLP"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\Mike's folders\\screenflasher"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\Mike's folders\\screenflasher.bmp"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp]
"a"="C:\\Mike's folders\\screenflasher.bmp"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\CLP]
"a"="C:\\Documents and Settings\\Mike.SHUTTLE.001\\My Documents\\Screenflasher.CLP"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\MirWoj\MWSnap\Saving]
"LastSavePath"="C:\\Mike's folders\\screenflasher.bmp"


and systemhook.dll

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="regsvr32 systemhook.dll\\1"
Mikefnz is offline  
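RegSrch.vbs (post #14) walks the live registry and prints matching keys in regedit export syntax, which is what the results above are. The Python below is an added example, not RegSrch.vbs and not part of the thread, that performs the same search offline over a `.reg` file written with `regedit /e`, useful when the machine is imaged or cannot run scripts. Unlike a plain text search it decodes REG_EXPAND_SZ and REG_MULTI_SZ values, which regedit exports as hex-encoded UTF-16, so a DLL name stored that way is still found. The sample export repeats the two hits from the results above (the `MRUList` value is assumed) and adds one invented key, `HKEY_LOCAL_MACHINE\SOFTWARE\Hypothetical\Example`, purely to show a `hex(2)` value spread over a continuation line.

```python
"""Search a regedit export (.reg) for a string, decoding hex-encoded values.
Added example for this thread; it is not RegSrch.vbs and not part of the original post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample export. The RunMRU and MWSnap entries repeat the two hits from the thread
# (MRUList is assumed); the "Hypothetical" key is invented to show a REG_EXPAND_SZ stored as hex(2).
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="regsvr32 systemhook.dll\\1"
"MRUList"="a"

[HKEY_USERS\S-1-5-21-1715567821-436374069-1343024091-1003\Software\MirWoj\MWSnap\Saving]
"LastSavePath"="C:\\Mike's folders\\screenflasher.bmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Hypothetical\Example]
"ExpandSzValue"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,68,00,6f,00,6f,00,\
  6b,00,2e,00,64,00,6c,00,6c,00,00,00
"Count"=dword:00000003
"""

_HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$", re.I)


@dataclass(frozen=True)
class RegMatch:
    key: str
    name: Optional[str]   # None when the key name itself matched
    kind: Optional[str]
    data: Optional[str]


def _unescape(s: str) -> str:
    """regedit escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _split_value(line: str) -> Tuple[str, str]:
    """Split '"name"=data' or '@=data' into (name, data), honouring escaped quotes in the name."""
    if line.startswith("@="):
        return "(Default)", line[2:]
    if not line.startswith('"'):
        raise ValueError(f"unrecognised value line: {line!r}")
    j = 1
    while j < len(line) and line[j] != '"':
        if line[j] == "\\":
            j += 1          # skip the escaped character
        j += 1
    name, rest = _unescape(line[1:j]), line[j + 1:]
    if not rest.startswith("="):
        raise ValueError(f"missing '=' in value line: {line!r}")
    return name, rest[1:]


def _decode(data: str) -> Tuple[str, str]:
    """Return (type name, searchable text) for one exported value."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "REG_DWORD", str(int(data[6:], 16))
    m = _HEX_RE.match(data)
    if m:
        vtype = int(m.group("t") or "3", 16)      # bare "hex:" is REG_BINARY (3)
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        if vtype in (2, 7):                        # REG_EXPAND_SZ / REG_MULTI_SZ: UTF-16LE text
            kind = "REG_EXPAND_SZ" if vtype == 2 else "REG_MULTI_SZ"
            return kind, raw.decode("utf-16-le", "replace").replace("\x00", " ").strip()
        # arbitrary binary: keep both narrow and wide decodings so text in either is searchable
        return "REG_BINARY", raw.decode("latin-1") + "\n" + raw.decode("utf-16-le", "replace")
    return "UNKNOWN", data


def parse_reg_export(text: str) -> List[tuple]:
    """Yield ('key', key, None, None, None) and ('value', key, name, kind, text) entries."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.upper().startswith(("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lstrip("-")           # a leading '-' marks a key deletion
            entries.append(("key", key, None, None, None))
            continue
        while line.endswith("\\") and i < len(lines):   # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if key is None:
            raise ValueError("value line before any key")
        name, data = _split_value(line)
        kind, decoded = _decode(data)
        entries.append(("value", key, name, kind, decoded))
    return entries


def search_export(text: str, needle: str) -> List[RegMatch]:
    """Case-insensitive search of key names, value names and decoded value data."""
    n, hits = needle.lower(), []
    for ekind, key, name, vkind, data in parse_reg_export(text):
        if ekind == "key":
            if n in key.lower():
                hits.append(RegMatch(key, None, None, None))
        elif n in name.lower() or n in data.lower():
            hits.append(RegMatch(key, name, vkind, data))
    return hits


if __name__ == "__main__":
    for h in search_export(SAMPLE_EXPORT, "systemhook"):
        print(f"[{h.key}]\n  {h.name} ({h.kind}) = {h.data!r}")
```

On the results above the only `systemhook` hit is the RunMRU entry, which is the `regsvr32 systemhook.dll` command Mike typed himself (Run dialog history is stored with a trailing `\1`), so it says nothing about where the error message comes from; that is the reason to also search value data that a string tool would skip.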
Old 05-04-2006, 12:23 PM   #16
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


I assume you can open this image?

C:\Mike's folders\screenflasher.bmp - and that this is the image you uploaded?
POADB is offline  
Old 05-04-2006, 12:32 PM   #17
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


I think it's time to bring in some heavy duty scanners.

Download WinPfind.zip - Unzip to Drive C

Locate & double-click on WinPFind.exe.
  1. Click Start Scan
  2. Once the Scan is Complete
    1. Go to the WinPFind folder & locate WinPFind.txt
    2. Post the results in your next post!
* This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more.

SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts
Double-click SilentRunners.vbs to run it. This will take a few minutes.
When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

So I'll be requiring:

SilentRunners log
StartDreck Log
and WinPFind log.
POADB is offline  
Old 05-04-2006, 12:42 PM   #18
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Yes, that's the image I uploaded.

I'll try those programs tonight.

Gotta go to work!

Cheers
Mikefnz is offline  
Old 05-04-2006, 01:11 PM   #19
TSF Enthusiast
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


Mike,

I would also like you to search for this file's existence:

flasher.exe
- and delete it if found. Please let me know.

Also, can you re-search the registry as before, but this time use just systemhook, and see what that gives us.
POADB is offline  
Old 05-04-2006, 03:27 PM   #20
Guest
 
Join Date: Apr 2006
Posts: 26
OS:


Already searched for flasher. Nothing came up.
Mikefnz is offline  
 
