Hi,
I am definitely Not a programmer and don't have all the knowledge you guys do.

But I need some help.

How can I find the program that keeps popping up and telling me kbhook.dll file is missing?

It is not in my computer anywhere and not in my registry.

A Google search turns up that it appears to be a file that Microsoft VisualBasic programmers use involving the Keyboard.

But Microsoft won't let me access the download site to install it. I don't know what program it is associated with...or IF I even really need the program that keeps telling me it is missing.

Can anybody tell me how to find out which file or program keeps needing it and telling me that with that pop up?

Thanks
I'd REALLY appreciate some help on this, Please!

It's an ancient DLL, and you got its purpose exactly. I'm a little confused that an app is starting without your invoking it; is this happening on startup? Do you have some internet gadgets hanging around, etc.?

Anyway, finding it should be easy. I'll guess that the program that uses it, has its name embedded within (standard stuff). That is, unless it's a more recent VB thing, but then it would show in the registry (VB5/6 puts everything in the registry).

Open the Find applet in Windows Explorer (called Search on W2K), and go to where text to search for is (not the name of the file or folder). Enter the text "kbhook", and make sure the search is not case sensitive. Try looking in the Windows directory first, but you may have to broaden your search. The filename to search for can be blank, or you can try "*.exe" for faster results, although it might not be in an exe.

If that doesn't work, please post back. There are lots of sharp people on this site, so I'm sure someone can come up with a solution.

Cheers

Thanks for answering, Jeff J.

This is so weird. I'm at work now and not in front of the Win98SE home computer where I'm having the problem. I first noticed the file yesterday evening when my Norton antivirus popped up and told me the file contained the Trojan Horse virus, so I chose to delete it. Then at shutdowns and reboots(not at startup), I started getting that popup message that "Project1" was missing it.

I did a File and Folder search and of course it wasn't there. I looked in my CAB files and didn't find it(others on the 98 board say they can't find it in their Windows installation disks either). I did are regedit registry search and nothing came up.

I'm using a Win NT system here at work, and just for the heck of it, I did a Finf File search and found the file here too! It was in my System32 folder. I stared at it in disbelief. Then right clicked it to possible find out more about it, and I instantly got a Norton popup message saying it was infected and Norton had just that second(that I had right clicked it), it deleted it.

(I'm wondering if one of the things I copied onto a floppy from work and took home was how it got on my home computer)

But anyway, I did a regedit search here and see it listed in my registry as a shared file(even though not in my home registry).

I'll try the searches you mentioned when I get home. But what do you mean by a text search...and the filename may be blank?

Are you saying it is antique and I don't need it?

It's not part of a standard Windows install, nor any other major program I'm aware of. It might be part of a nasty thing crawling inside your computers. Then again, maybe part of a legitimate 3rd party program that got infected. Hopefully you'll know after the search.

Sorry I wasn't clearer about the Find applet. Let's see, on Win98, I believe there are 3 fields on the first tab, unlike in Win95/NT4 with only 2. The first is for the name of the file to find, which is what you can leave blank, the second is now for text to find within the file, which is where you enter "kbhook", and the last one is for which folder to start searching from (enter "c:" if you have patience to be thorough).

The file you're looking for will not be named kbhook.dll, but the file probably does contain the text for the name of kbhook.dll, which is how C/C++ (and older VB) programs know which DLL to use. That is one way programmers use to find out what files an EXE or DLL depends on.

By ancient, I only meant that the kbhook.dll I'm thinking of, goes back to Win3x, and so it's not the sort of thing modern programs use. It's not an important point, it just hints that the program may be old, written by a less experienced programmer, or what have you.

Being listed as a shared file in the registry, means that it was probably part of a legitimate installation. Those entries are intended to provide an easy way to see if "commonly-used", or shared files, are already on the system, whether it's likely another program also depends on something, and so forth. The number associated with the file, is supposed to be the count of how many programs rely on that file. It never worked as intended, though, and I think it's unlikely kbhook.dll is used by numerous programs on your computer. Probably just one. If you only find one file that contains the text "kbhook", then I doubt any other program will be affected by not having it available.

Please post back with how it turns out; my curiosity is peaked...

And I appreciate your knowledgable help, Jeff.

All the SharedDLL registry entry says is it is in my System32 file and apparently shared by only one other program, because it says "0x00000001 (1).

If you think it is a legitimate program that was downloaded, how can we find out which one? And or, which other file is sharing it?

(I WISH I was at home in front of the computer that needs the most help from you!)

That would indicate that no other program is using it, that is, just one program ever used it at all. That also means I'm confident you can delete it without affecting anything else.

When you're able to do the search, then the name of the resulting file should give a clue as to what program this is all about. Hopefully the name will be descriptive, or if it's an EXE or DLL, it may have Windows version info embedded into it.

If so, then right-clicking on the file, and clicking on Properties, will show the properties dialog. If there's a "Version" tab present, then click on it, and you should see the version, manufacturer, product line, and so on. That will depend on whether the file is really old or not, and how professional the programmer was.

Jeff,
All that registry stuff only pretains to my work computer. It is not in my home computer were I really need the help.

I'm about to leave for home now and at about 4:30 Central US time I'll be home. Would you possibly be able to check back and see what my text file search shows?

Another thought. What little I know about Trojan viruses makes me think that there would be more than only one file infected, right? Wouldn't there be others? Maybe an EXE file or others in the Trojan application? So why did a complete updated Norton and PANDA virus scans both say my computer was clean last night?

Very weird. Your thoughts?
(I'll check back in about an hour and a half when I get home)

Thanks so very much!

Jeff,
I'm home now. And that text search has been crunching for 10 mins and HAS brought up 16 files and folders, and is not thru searching yet.

Some I recognize as Norton stuff involved(I guess with catching it) and sfclog from when I was trying to restore it from CAB files.

But many I don't recognize. I'll check them out and let you know about it all when it is thru searching. Wow!!!

What about my question on my system being clean per Norton and PANDA? That means none of these are virus files, right? Or what?

And I can delete or uninstall any of these files and folders it's finding also, right?

Are you there, Jeff?

It just stopped, and here's the list of one's I don't recognize(I again scan them and they are all free of viruses):

Default.sf0

System.rsc

03.28.02 (BackedUp registry files)
itdlgn03.dll(something to do with lotus...last modified in 96)?

netscape.hst

Anything look funny with those?

In a manner of speaking, yes.

I expected it to be a long search, as every file on the drive is going to be searched. Just whatever you do, don't delete anything before you post here first, since there will be other files that may contain the text "kbhook", yet may be false alarms. You can post them here if you can (with full paths), or email them to me if there's too much. I can probably narrow it down.

About the spread of viruses, that's difficult to say. The only way an antivirus program can find every instance of a virus, is to scan every file on your drive, similarl to what you're doing with the search. Obviously, that takes enourmous time, so most antivirus programs rarely scan everything all the time. To really pick your system clean, it's good to run a manual scan on the entire drive, and make sure you select "check all files", or whatever its called. It may take over an hour, but it's advisable in your situation. Many antivirus only scan when a file is accessed (or downloaded), which is what happened in your case. That's normally sufficient.

I don't know about the specific virus you got, but I don't think the virus is directly related to that specific file. Just scan your drive(s), and you should be good.

The itdlgn03.dll might be it. Try checking it's version info. If that doesn't work, open it in notepad, and search for the text. It would be great if you could post a few lines before and after the text here (just don't save the file!). All the other files are harmless; false alarms.

Default.sf0 is a standard Windows dir file, an old version of Default.sfc. System.rsc is an old backup of your registry, probably from a Norton installation. Netscape.hst is a history file for Netscape, which might remember how the file got downloaded, or something.

Hi Jeff,

I did do a conplete virus scan twice(yesterday afternoon with Norton and last night using PANDA on-line virus scans)nothing is infected.

I DID click "Save" on the search results, but I don't know where the saved list went. Did I screw up? Why do you say not to save the file?)

Another thing, Jeff. Somebody on the 98 side of this board found a site to download a clean kbhook.dll file, and I did(and scanned it with Norton...HaHa), but I need to put it somewhere other than my desktop to be recognized and I don't know where. I've put it in C, WINDOWS, SYSTEM and SYSTEM32, and LOTUS each time restarting my computer to see if it "liked" those locations. Same message each restart(or a variation saying "Can't find DLL entry point Removehook in kbhook.dll"

Where else should I try putting it now? (HaHa...don't say it!...HaHa) Really, where should I try?

PS---the lotus file gave me a version number. but I didn't write it down. Does it matter which version of Lotus?

Got to go to a family function now, but I'll be back in a little while.

I'd appreciate any other thoughts you or anybody else has!

I only meant don't hit save in notepad, because it would overwrite the file you opened. Notepad is really only intended for text files, although it is possible to see the text part of EXE and DLL files with it.

C:\Windows\System is the only place you need to put it, although there's no harm putting it elsewhere too (now now, let's not go there, I mean, you know!).

If it's happening on startup, then I don't think it's lotus, but if you can email me a copy of itdlgn03.dll I can tell for sure.

See if you have any shortcuts on your Start menu, under Start>>Programs>>Startup. Let me know if you do. Also, in regedit, look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. You probably have entries in there. That lists the add-on stuff that runs on startup. If you can post them back here, I might be able to see if any are likely to need anything like kbhook.dll.

Jeff,
I did put it in C:\Windows\System...still got the message at shutdown.

No, it never happens at startup, only shutdown and restart.

Nothing in Start\Programs\Startup...it's "empty".

Very few items in that registry key, and they look normal and Ok

Since this thing is not tied to startup, maybe a registry key that is tied to shutdown/restart would be better to look at. Is there one?

I don't know what else we can do?

Can I run a "Containing text" search again, and drag and drop the kbhook.dll file into each one at a time? Would that do anything?

What kinds of programs execute at shutdown and restarts?

It's a keyboard hook for some app. Some old word processor scans for the cap lock and displays caplock status within the app, what a waste of a hook. Try searching for kbhook.* or kbhook.exe!

Heres the source file for kbhook.exe
------------
ftp://ftp.microsoft.com/softlib/mslfiles/KBHOOK.EXE

Here is kbhook2.exe source!
-------------
ftp://ftp.microsoft.com/softlib/mslfiles/KBHOOK2.EXE

Thanks for the help, Fred; I was running out of ideas. That makes a lot of sense, so maybe this is tied to lotus after all. Say, H.C., what's happening with that itdlgn03.dll file for lotus? Can you send me a copy? Try putting your kbhook.dll in the same directory as that file, wherever it is. It's possible there is a service that needs to unload when Windows shuts down. That would explain why the Removehook function is being sought, to stop hooking the keyboard messages.

I can't remember the details of a lotus install too well, but perhaps there's a service that runs in Windows, even if lotus itself isn't running. That's common with office suites; M$ Office has the problematic findfast service, for example. If this is the case, then disabling the service might solve your whole problem.

If you want to keep whatever service is running, then there still might be a problem with the kbhook.dll you've replaced. It's not like it's a standard Windows DLL or anything, it's the kind of file any vendor can modify with their own functions. Well, let's see what wants to use it first.

Guys,

I'm back and I figured it out.

that file is NOT infected by a virus, it is a false reading by the latest upgrade of Norton.

That file DOES have to do with keyboards just as you guys have been telling me.

The file is part of a parental monitoring program we use on our computer to make sure our teenagers are browsing porn sites, etc. I uninstalled it this morning, and the messages stopped. I reinstalled it and instantly got the Norton "Trojan Horse" virus alert. I've email the program creator and told him.

Thank you for all the help, Jeff and Fred.

I appreciate your help in getting me thru locatinf the "problem"....it appears the problem is Norton!

Thanks again, you've been awesome!

Oops!!

I meant are Not!

sorry,

We knew what you meant, H.C., but you can't expect Pedantic to let that one go =) No one is saying it was a Freudian slip that reflects a naughty side in you, or anything :) Heaven forbid!

Cheers