Runtime error or infection



mikefnz
01-05-2006, 09:10 PM
The following (dialogue box) message keeps appearing every 10 minutes or so: "Screenflasher Runtime-error '339' Component 'systemhook.dll' or one of its dependencies not correctly registered: a file is missing or invalid"

I've tried various anti-viruses, anti-spyware, anti-trojans and registry fixes and it just keeps on appearing. It doesn't seem to be causing any other problems and there doesn't seem to be much help available via Google.

I'm still not sure whether it is a valid error message or not!

I'd appreciate any suggestions.

Cheers

Mike

Running Windows XP Pro SP2

johnboy
02-05-2006, 08:12 AM
Have you uninstalled anything lately?

Sounds like you have some leftovers that still want to start.

Have a look through this lot, if you haven't already:

http://www.google.com/search?hl=en&lr=&q=Screenflasher+&btnG=Search

Jimmy D
02-05-2006, 09:28 AM
Not correctly registered? It could be a file that needs to be registered, I guess. Is it a newish PC? If there is a file name that pops out at you in the details, go to Run and type: regsvr32 filename
It could work, I dunno.

mikefnz
03-05-2006, 09:38 PM
Can't really find much that's useful on 'Screenflasher'. It may not be a virus - not sure. Still trying various anti-viruses and 'HijackThis log' advice.

The regsvr32 command produces "The specified module could not be found"

Any suggestions much appreciated.

Cheers

Speedy Gonzales
03-05-2006, 10:35 PM
Get the file in my sig below. We'll see what's in startup.

You may have installed this program (or uninstalled it), and it's running on startup or something. Or it's installed and a file it uses is corrupted. Or it hasn't registered itself.

Screenflasher looks like it has something to do with changing SWF files into screensavers, or something.

mikefnz
03-05-2006, 11:04 PM
OK here's the log file:


Logfile of HijackThis v1.99.1
Scan saved at 10:02:00 p.m., on 3/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Propel Accelerator\propelac.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\MSGTAG\MSGTAG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\Documents and Settings\Mike.SHUTTLE.001\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Propel Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141466327018
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CB2FDC6-9505-4EC6-A1F8-C9814AD611BB}: NameServer = 203.96.152.4 203.96.152.12
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Many thanks for your help.
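
An added example, not part of the original thread: a small Python parser for the HijackThis entry lines in the log above, which groups them by section code, splits the O4 Run-key autostarts into fields, and searches every entry for a name such as the component in the error dialog. The function names are illustrative and the sample is a short excerpt copied from the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\taskswitch.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "O4 - detail": a section code (letter plus 1-2 digits), " - ", then the detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autostart detail: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")

def parse_entries(log_text):
    """Group 'code - detail' lines by section code (R0, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and running-process lines do not match and are skipped
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def run_entries(sections):
    """Split O4 Run-key entries into (hive, key, value name, command)."""
    matches = (RUN_RE.match(d) for d in sections.get("O4", []))
    return [m.groups() for m in matches if m]

def find_references(sections, needles):
    """Return (code, detail) for entries mentioning any needle, ignoring case."""
    needles = [n.lower() for n in needles]
    return [(code, d) for code, details in sections.items() for d in details
            if any(n in d.lower() for n in needles)]

if __name__ == "__main__":
    secs = parse_entries(SAMPLE_LOG)
    for hive, key, name, cmd in run_entries(secs):
        print(f"{hive}\\{key}  {name:<12} {cmd}")
    print(find_references(secs, ["screenflasher", "systemhook"]))
```

Run over the full log as posted, the search for `screenflasher` or `systemhook` also comes back empty: no listed entry names either string.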

Renmoo
03-05-2006, 11:18 PM
HijackThis log analysis, read my signature :P

Don't mean to take over your job, Speedy :D

Cheers :)

Speedy Gonzales
03-05-2006, 11:19 PM
Boot into safe mode, run HijackThis again. Tick these entries and tick fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe - Update for this is here (http://www.java.com/en/download/manual.jsp)

Then reboot. I wouldn't run too many firewalls at the same time. Looks like you're running ZoneAlarm and Norton Internet Security? As they can conflict.

mikefnz
03-05-2006, 11:44 PM
Thanks for the quick response.

Done all that. Hopefully that will get rid of the damned thing! I'll let you know.

Only running ZoneAlarm with Norton Antivirus. May be something left over from Systemworks.

Many many thanks

Mike

Speedy Gonzales
03-05-2006, 11:51 PM
No worries.

HTH

mikefnz
04-05-2006, 07:47 AM
No joy. It's still there. If all else fails I could reformat and start again........ :yuck:

Speedy Gonzales
04-05-2006, 09:08 AM
See if there's a Screenflasher entry in add/remove programs.

If there is, uninstall it.

Or see if there's a Screenflasher folder in Program Files. If there is, delete it, then use CCleaner to clean things up.

mikefnz
04-05-2006, 09:33 AM
Checked all that already. Nothing obvious.

Cheers

Speedy Gonzales
04-05-2006, 09:53 AM
Go to tools / manage add-ons in IE.

And see if there's an entry here for screenflasher. If there is, disable it.

It could be an IE plugin.

mikefnz
04-05-2006, 10:02 AM
Away from home PC now. I'll check tonight.

Cheers

mikefnz
04-05-2006, 06:32 PM
Checked. Everything looks legitimate except something called "Research" with no publisher. Nuke?

Cheers

Mike

Speedy Gonzales
04-05-2006, 06:47 PM
I have that same research entry here. Dunno what it is.

Look here

C:\WINDOWS\Downloaded Program Files

See what files are here.. They're usually small.

That file may be here... since this is where files (like Sun Java / Flash install info or some part of it / ActiveX files) get installed.

Does the name Screenflasher come up if you do a search on the HDD?

SolMiester
04-05-2006, 07:11 PM
I think the research entry is to do with ms office.

mikefnz
04-05-2006, 07:59 PM
Checked for a file called screenflasher already - nothing.

Nothing obvious in c:\windows\downloaded.

:confused:

Speedy Gonzales
04-05-2006, 08:06 PM
Can you post a snapshot of this dialogue box, and where it pops up here (http://www.imagef1.net.nz/upload/)

And post the link it gives back here.

mikefnz
05-05-2006, 07:26 AM
Here it is: screenflasher (http://www.imagef1.net.nz/files/screenflasher.bmp)

Speedy Gonzales
05-05-2006, 10:47 AM
I would say it's either a runtime library that's missing, or that systemhook.dll file isn't on the system.

Do a search for systemhook.dll and see if it comes up. If it does come up, what folder is it in?

mikefnz
05-05-2006, 10:51 AM
I've searched high and low for systemhook.dll. Not on my PC.

There doesn't seem to be much information on it on the www either!

Cheers

Mike