"Windows error service" popup


4 replies to this topic

#1 shortstop

Posted 24 June 2004 - 01:33 AM

I have the "Windows error service" popup that tries to take me to a "noadware" web site to download their stuff.
Also get: “iexplore.exe - Application Error. The application failed to initialize properly (0xc0000142)...” popup.
The HijackThis file is below. The O4 SuperBar Component and AdRotator and a couple of other things have been "fixed" in HJT, only to regenerate with each reboot.
Need help to *permanently* get these things off. I'm willing to go through several diagnostic steps. Thanks for considering this problem.

here's the file:

Logfile of HijackThis v1.97.7
Scan saved at 11:18:00 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\system32\arpa.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\WINDOWS\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\arpa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aldaily.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\program files\google\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mt-download.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7862.0042013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 shortstop

Posted 25 June 2004 - 09:06 PM

Here is more info on this same problem:

Each reboot of XP Pro seems to reactivate bad files and processes that were previously deleted. Is something altering my registry on startup? The result is spyware popups (windows error service; noadware).
Some of the facts:

-- some of the files involved are arpa.exe and bhui.exe in system 32, the inetsrv folder of system 32, csrss.exe in drivers folder, and a couple of others.
-- booting into safe mode keeps these from reappearing. BUT if I then try to run regedit (which I really am afraid to do), regedit will not run (hourglass appears and then stops, never opens) *AND* the deleted files mentioned above reappear at that point.
-- booting into normal mode causes these files (and resulting popups) every time.
-- on my Taskmanager, I can see regedit run as one of the processes on startup -- that's not right is it??
-- I can manually end the above processes, delete those files, "fix" the bad registry item in Adaware, and then the machine runs smoothly for that session. BUT I have to do that after each and every bootup. AAAAHHHHH!

Log as directly above. Thanks for taking a look.

#3 sarahmartini

Posted 26 June 2004 - 09:04 PM

Hi there. I too had this terrible problem: my regedit and notepad would reinstall the nasties after I would get rid of them. So I searched my hard drive for files that were accessed and created on the day my problem started; in my case the files were created on 6/18/2004 at 9:36AM.

So you can try a search of your hard drive for files that were created and that match the dates and times you first started having problems, if you can remember the date of course. Anyway, in my case I found the following duplicate files that seem to be responsible for the trojans reinstalling on my system. I found them in my WINDOWS directory, all created on 6/18/2004 at 9:36AM. The files were

NOTEPAD.EXE, PING.EXE, REGEDIT.EXE, WORDPAD.EXE. **remember these are duplicate files I found and they will match the date the trojan installed on your system, don't delete your legit files of the same name.**

I deleted those duplicate files and the problem with the trojans reinstalling on reboot seemed to stop, except my real NOTEPAD.exe would still install all the trojan files again. So I checked the date it was created and it seemed to be legit, other than it said it was modified 6/18/2004 at 9:36AM. I figure maybe the trojan/virus somehow must have altered it. I ended up copying a NOTEPAD.EXE from my WINDOWS folder and pasting it in my WINDOWS/SYSTEM32 folder and let it replace the altered NOTEPAD; seems to have fixed it for me. Also be sure to turn on show hidden files just in case they are hidden on your system.

Hope this makes sense and helps you in some way as I'm not much of a tech person :)

Edited by sarahmartini, 26 June 2004 - 09:08 PM.


#4 dave38

Posted 27 June 2004 - 06:08 AM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll (file missing)

O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe

O15 - Trusted Zone: http://*.mt-download.com

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

Reboot and delete

files
C:\WINDOWS\system32\drivers\csrss.exe

folders
C:\WINDOWS\system32\inetsrv

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
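
The two Run entries in the fix list above share a pattern: a core Windows process name sitting in a directory it does not normally run from. As an added example (not part of the original thread), the Python below applies that check to HijackThis log lines; the sample is a constructed excerpt of the log in post #1, and the expected-directory table and function names are assumptions of this example.

```python
import ntpath
import re

# Assumed table: core Windows XP process names and their one expected directory.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = {name: SYSTEM32 for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$")   # [value name] command
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)              # "Running processes" line
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.I)        # program part of a command

def is_misplaced(path):
    """True when a core system process name appears outside its expected folder."""
    name = ntpath.basename(path).lower()
    folder = ntpath.normcase(ntpath.dirname(path))
    # Bare names such as "essspk.exe" resolve via the search path; not judged here.
    return bool(folder) and name in EXPECTED_DIR and folder != EXPECTED_DIR[name]

def scan(log_text):
    """Return (source, path) pairs for running processes and O4 Run entries to review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = O4_RUN.match(line)
        if run:
            exe = EXE.match(run.group(2))
            path = (exe.group(1) or exe.group(2)) if exe else None
            if path and is_misplaced(path):
                findings.append(("O4 " + run.group(1), path))
        elif PROCESS.match(line) and is_misplaced(line):
            findings.append(("process", line))
    return findings

# Constructed excerpt of the HijackThis log posted in #1.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [SuperBar.Component] C:\WINDOWS\system32\inetsrv\services.exe
O4 - HKLM\..\Run: [AdRotator.Application] C:\WINDOWS\system32\drivers\csrss.exe
"""

if __name__ == "__main__":
    for source, path in scan(SAMPLE_LOG):
        print(f"review: {source:28} {path}")
```

A hit is a prompt to inspect the file, not a verdict; the check cannot see a replaced binary that sits at its normal path, which is the NOTEPAD.EXE case described in post #3.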

#5 shortstop

Posted 30 June 2004 - 12:55 AM

Thanks. Problem solved. The clue from sarahmartini was golden. The updated Adaware actually finds and removes this popup. But I also had the bad regedit.exe, notepad.exe, wordpad.exe, etc. So each reboot, the regedit would reinstall the bad stuff. I found that, but then each time notepad would run, the bad stuff would install again. That means every time I tried to save a Hijack This log (*.log files are opened with notepad), the bad files would be installed again. Getting rid of those .exe files was the key.
Also, this is a big clue to anyone who cannot open their Hijack This files. (I didn't think anything at first, because I just used Word to open the *.log file.)
Don't let the bad guys win!



