gtr88 Posted March 19, 2008

Hey I'm new here and I have a problem. I have Vista and I keep getting a message saying "A program can't display a message on your desktop."

Message title: Windows Internet Explorer
Program Path: C:\Windows\system32\IEFRAME.dll

Also I've been noticing that when I close Firefox it doesn't close in the task manager. I don't know if I've got a virus or what's going on. Any help would be appreciated.

cluberti Posted March 19, 2008

You have a service, or an app running as one, that is trying to pop up a window from the SYSTEM (session 0) desktop to your logged-on session. By default, this is NOT allowed anymore - it worked in XP/2003/downlevel OSes because in those OSes, you logged into session 0, but not so anymore in Vista / Server 2008.

The fact that it's ieframe.dll in IE trying to do it indicates some app or service running under system is suspicious (most apps use their own windows under their own apps to display windows, so some app using IE is definitely at least suspicious). I'd run autoruns to disable all non-Microsoft items, and perhaps shellexview to disable all non-Microsoft shell extensions, and msconfig to disable non-Microsoft services and see if the problem goes away.

jessicalbustos Posted March 20, 2008

I've had the same exact problem (with that same file ext.) for about a week now. Dell help suckkkkks, and though I spent hundreds on warranties they won't touch it for free....

I've thought of tons of things it could be (recently had iTunes update, Vista update, downloaded BitTorrent, and used a key gen). I uninstalled BitTorrent and several other crappy peer to peer things I rarely used, and have added iTunes and RealPlayer type stuff to my firewall protection in case they were accessing something... I am a novice at techy stuff, but since I'm born into the computer generation, and not totally mentally deficient, I've been googling things and taking some steps others have. I have looked into my services and found what could be a few odd things, but googled them and they seem ok. I downloaded hijack app. and will post my log here as well.

To reiterate and be very specific: I get the Interactive services dialog box-- which asks you to click to view the program... This flips me out of Windows and onto a "different screen" (if you will) which is ALL pop ups (plus the windows dialog (when did dialog drop the -ue at the end?) box to "return to system").

I can sometimes close all the popups at which point sometimes I can switch back, or have to use Ctrl+Alt+Del to get back to Windows. I THOUGHT I fixed this after uninstalling BitTorrent today-- since it didn't come back for hours and hours... Then I restarted (after messing in msconfig, but not changing anything) and they started to come back right when the system rebooted.

I am worried it is a virus- although so many say it's a 'service' error problem.... This problem is common enough that at least 2 people on this site alone have experienced it.
Hopefully it's not a virus, or is fixable; I'm not really experiencing any other problems (except my touchpad won't let me scroll down, which stupid Dell remote access might have jacked up).

Sorry so long a post, but want to be detailed. PS NOTE the stllvr file near the end... I think this might not be good???? I can't find anything for sure on it by googling. PLUS, I don't know how to fix things if I even know they're bad... I'm a quick learner though. Please help!!! THANKS!

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:43:16 AM, on 3/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\system32\mmc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jessica\Documents\Programs\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll (file missing)
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7186 bytes

cluberti Posted March 20, 2008

I'm moving this to the proper forum, as this does appear to be potentially malicious (I can't think of a valid app that would have been designed to act this way, but I've been wrong in the past - shoddy programmers do exist).

jessicalbustos Posted March 20, 2008

ok; but I am new and do not know exactly how to track my post in order to review the answers... this question is preliminary to my checking out the site, so forgive me if it's totally obvious, I've yet to examine my options thoroughly. if you're not too busy, could you direct me on that via this post? sorry if I'm being one of those obnoxious folks here.....

EDIT: it appears it just "goes" to the new forum. told you I wasn't paying attention... thanks!!!!

Edited March 20, 2008 by jessicalbustos

jessicalbustos Posted March 20, 2008

btw: I've been looking at/examining that file (c:\windows\system32\IEFRAME.dll) by searching it, then right clicking, then properties... one thing I saw was the 'people' with access included ... I cannot for the life of me think of it now--- something like trusted_____ ((something- it's a windows/microsoft thing... but a new weird thing on Vista-- read about here actually))..... anyway, all I did there was make myself-- the administrator-- the one who could change permissions (sorry this is so choppy-- I'm very much not familiar with this stuff)....

The IMPORTANT thing I just noticed while examining that file in properties, AND Internet Explorer in properties, is that A) the said .dll file was created on Valentine's Day, Feb 14... B) Internet Explorer says it was created on Oct. 1 (when I got my new computer) and then says "modified" and "accessed" Feb 14...

This can't really be a coincidence, can it??? Something got me then, right??? Am I way off?

I am avoiding sleep to fix this problem... I suck! Might be noted that I NEVER use IE, but always Mozilla--- in the event it is even opened it's usually because something else prompted it to (rare... something like MS Outlook that I never use or something like that).

Hope this gives a little more info...

nitroshift Posted March 20, 2008

@jessicalbustos

I had a look at your hijackthis log and marked with >> << the items that seem dodgy (to say the least). Run hijackthis again, mark these entries and click the "Fix Selected Items" to get rid of them.

Good Luck!

hijackthis.txt

fairyprincess Posted March 20, 2008

I may be wrong, but didn't you say you're running Vista, yet you have:

O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe

Firstly I've never seen svchost.exe running from anywhere other than the system folder, and secondly, Outlook Express isn't on Vista, 3rdly why would a DNS service run from Outlook Express?

If it was me, that's where I would be looking.

I'm thinking it was designed for XP to hide itself and by calling it Window NET DNS it would be allowed through firewalls by people, now it's on Vista it's trying to access a .dll and Vista is stopping it.

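The check described in the post above, as an added example that is not part of the original thread: it parses the O23 service lines of a HijackThis log and flags any service whose image carries a Windows system process name but lives outside system32. The sample lines are copied from the log posted earlier; the function names, the short list of system process names and the C:\Windows install path are assumptions of this example.

```python
import ntpath
import re

# Assumption: Windows is installed at C:\Windows, as in the posted log.
SYSTEM_DIR = r"c:\windows\system32"
# Illustrative (not exhaustive) set of process names that normally live in system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe",
                "csrss.exe", "winlogon.exe", "smss.exe"}

# O23 format: "O23 - Service: <display name> - <owner> - <image path>"
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

# Lines taken from the HijackThis log posted in this thread.
LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
"""

def parse_o23(log):
    """Return one dict (display, owner, path) per O23 service line."""
    entries = []
    for line in log.splitlines():
        match = O23.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries

def triage(log):
    """Return (display, path, reasons) for every service with at least one signal."""
    findings = []
    for entry in parse_o23(log):
        # ntpath handles Windows paths on any OS; normcase lower-cases them.
        path = ntpath.normcase(ntpath.normpath(entry["path"]))
        name, folder = ntpath.basename(path), ntpath.dirname(path)
        reasons = []
        if name in SYSTEM_NAMES and folder != SYSTEM_DIR:
            reasons.append("system binary name outside system32")
        if entry["owner"].lower() == "unknown owner":
            # Weak signal on its own: legitimate OEM services show it too.
            reasons.append("unknown owner")
        if reasons:
            findings.append((entry["display"], entry["path"], reasons))
    return findings

def masquerading(log):
    """Only the services that reuse a system process name from another folder."""
    return [f for f in triage(log)
            if "system binary name outside system32" in f[2]]

if __name__ == "__main__":
    for display, path, reasons in triage(LOG):
        print(f"{display}: {path} -> {', '.join(reasons)}")
```

On these lines "Unknown owner" alone also matches two Dell services, so only the name-and-location mismatch singles out the MyDNS entry.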
fairyprincess Posted March 20, 2008

And after a quick google for Window Net Dns (MyDNS) you get this:

http://www.threatexpert.com/report.aspx?ui...a1-246acf70b258

It was from your keygen, and firstly before you do anything else, at the bottom of the page:

* The following port was open in the system:

Port    Protocol    Process
1039    UDP         svchost.exe (%ProgramFiles%\Outlook Express\svchost.exe)

* The following Internet Connection was established:

Server Name       Server Port    Connect as User    Connection Password
cpk.easy78.cn     80             (null)             (null)

I would close that up NOW

jessicalbustos Posted March 20, 2008

First of all, THANKS to all of you so much...

1. I deleted the said files in the hijackthis--- except I couldn't find C:\Windows\system32\SearchFilterHost.exe in my log (I might have already deleted it after searching on it... I was up late last night).

2. Window Net Dns (MyDNS) - Unknown owner - C:\Program Files\Outlook Express\svchost.exe -- THIS will NOT delete/be repaired.

3. I looked at the link to ThreatExpert and that appears to be exactly what has happened, unfortunately. But, I do not know how to fix those problems, if it is possible... I think what I would do is find all those files created and delete them... Can things just be deleted or will they have to be uninstalled? Is there a certain place I should go to find them/search them and delete them? Other than a windows search or "run"?

Will that work? Is there something less obvious I should be doing? I'm glad to have made the acquaintance of so many fine computer peeps.

fairyprincess Posted March 20, 2008

Yeah, you need to go through the steps of using the list on threatexpert to delete the registry entries and files that were created, also check your firewall settings.

To get rid of the service that is running, you might have to stop it first by using task manager, going to process view, then from the view -> select column menu, scroll down to command line and tick that box, then you should be able to sort the running processes by where they are executing from (if you can't see C:\program files\Outlook Express\svchost.exe in the list, make sure view all processes are running and go through the UAC dialogue). You can then right click on the process and click on end process. This will then allow you to disable it.

I would then advise running an anti-rootkit tool as well as spyware, as the initial problem seems to be this svchost process which has then silently been downloading and installing other crap on your system which might be hiding. I would remove everything you can then run hijack this again to see if things have re-appeared in the list.

If you're unsure on how to do anything just say and I or someone else will give you more detailed help.

Edited March 20, 2008 by fairyprincess

jessicalbustos Posted March 20, 2008

I definitely might need more details: currently I've spent hours and hours and hours on it, and need to focus on some other things; what seems funny is that this doesn't really affect performance; just annoying pop ups.

What I have tried:

Was using the file extensions in the threat expert but couldn't find any of it... I searched via my computer and a few other ways... seems like I can't find temporary internet file folders or "local" folders-- I think Vista changes the way one writes them (for example, ms config used to be as written, now on Vista it's msconfig (no space.... or at least that's what a friend told me as she tried to find ms config on my machine)). At any rate, I will come back to this, likely tomorrow morning, as I am swamped the rest of the day, and fortunately can still function on my machine... thanks for everything... I'll check back here in the a.m. asap!

jessicalbustos Posted March 24, 2008

fairy princess, et al.:

I'm at a loss. I tried going back to the threatalert page and couldn't find those directions again. Not to mention when I did try searching for the files, I found nothing, but I think this is due to my lack of tech-savviness. After messing with various things, most of which were directions from here, the Interactive Services dialogue box would go away; however any time I re-start the system, the box continues to reappear. The c:\program files\outlook express\svchost.exe will not be repaired/deleted using hijackthis, and I can't find it showing in the task manager or in services. There is another suspicious file: c:\windows\system32\IEFRAME.dll which I do not know what it is and/or what to do with it. The interactive services dialogue box shows it as one of the programs that cannot be accessed by Vista, or whatever that s*** means.

I am a poor dumb american with warranties on my Dell, but which Dell still won't touch other than to restore the whole system. This problem doesn't seem that bad, considering everything functions fine, except that the dialogue box continues to pop up, and I know that this cannot really be a good thing. I've thought about allowing someone to remote access my computer (like Dell does, but via windows... which I have no clue how to do, really), but am worried about frauds, etc.... Maybe I should cough up the dough (i.e. not pay a bill) to let Dell on call handle this?

This is getting beyond my control and scope of knowledge. Plus I got too much homework to do to worry about this!!! Help if you can.

jessicalbustos Posted March 24, 2008

BTW: I am the one who put the Microsoft 2003 stuff on here... I thought my system didn't come with a word processor, but I just realized (by looking in my computer disc stuff from this computer) that it had Microsoft Works 8.0.

So, Microsoft Outlook 03 is on my computer; but has been since I got it, Oct. 07.

fairyprincess Posted March 25, 2008

Hi, can you run an administrator cmd.exe (type cmd into the start menu then right click and do run as admin), then type sc query and scroll back up the list till you find the window dns service, then run sc delete "SERVICE_NAME" (rather than the display name). If you scroll back and can find the service on the list as it's been written over then run sc query > C:\services.txt, then open your C drive and run services.txt (you can delete it after (note it will have admin rights, don't worry just accept the UAC prompt)). That should remove the service properly. (Second thought, you might have to run net stop "SERVICE_NAME" to stop the service before you delete it, can't remember though.)

After that, simply go to the program files directory and delete the complete Outlook Express folder as it's all not supposed to be there.

Ignore IEFRAME.dll, that's supposed to be there.

Just find the link in the post and then go through deleting everything it says has been created as you would with any normal file. (Clean out the recycling bin to save the space after.)