Solved: Compatibility issue


Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 10:02 AM #1
Hi, I have an HP nw9440 laptop with 2 GB RAM.

I installed Vista two days ago, and it's been running pretty smooth since. Today I installed Autodesk Inventor, Microsoft Office and Registry Booster 2. I don't know if any of those programs is the source of this error. It could be malware/spyware/anything as well, but neither NOD32 nor Windows Defender gives any alerts.

The message that pops up (ui0detect.exe) says (this is translated from Swedish to English):

-------------------------------
Dialogue for identifying of interactive services.

A message from a program cannot be shown on your desktop.

The program might need information or permission to be able to perform an activity.

(Button) -> Show Message
(Button) -> Remind me in a few minutes

Detailed program information:

Program or unit(s) that needs attention.

Messageheader:
Program searchpath: c:\Recyclers\svchost.exe
Received: the 17 July 2007, 12:40:17

This problem is caused by an incompatibility with Windows Vista.
Contact the supplier of the program or the unit for more information.
----------------------------------

If I press "Show message", Vista turns off the Aero style and takes me to a blank screen with a light-blue background. One window is there that says that when I am done with my actions I can press a button to go back to Vista.

The strange thing is that there should be something in this blank page that requires my action... But there is nothing! Only the option to go back to Vista. And when I do, the error message appears again after a few minutes.

After searching around a bit here I found a post that had a similar error, and in the salvation there was something about some services called Messander and Messanger. So I checked my services list and found Mespanger. Could this be something?

The (probably) easy solution for this error would be to uninstall the programs, but since I am using both Inventor and Office in my daily work, I will need to solve this problem one way or another.

I uninstalled RegistryBooster 2, but that didn't help.

Is there any way of finding out more/getting more information about this error and which application might be causing it? I have no idea why it says C:\Recyclers\svchost.exe... Why would svchost.exe be in Recyclers? I did a DOS search there but nothing was there.

Please share if you have any ideas...
If you need more info/screenshots about the computer or software, please let me know.

Dad-MSFT (Member with 54 posts; Join Date: Jul 2007; Experience: MCSE CISSP +Security +Exchange)
17-Jul-2007, 10:17 AM #2
You've got malware pal.

The resident 'malware experts' will be inundating you with instructions shortly.

Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 12:27 PM #3
Thanks Dad-MSFT.

I did some more research and found out that the service named "Mespanger" is bound to the process "svchost.exe" by right-clicking on it and pressing "Go to process".

Looking in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mespanger" I found out the following:
DisplayName = Mespanger
ErrorControl = 0x00000001 (1)
ImagePath = c:\Recyclers\svchost.exe
ObjectName = LocalSystem
Start = 0x00000002 (2)
Type = 0x00000110 (272)

Hope this can be of any help.
Now I am clueless... I didn't try to take any measures against the service or the svchost.exe in the Recyclers directory yet.

uhaligani (Senior Member with 1,056 posts; Join Date: Apr 2006; Location: Denmark; Experience: Advanced)
17-Jul-2007, 12:29 PM #4
Dad may well be right. Ui0detect is a legit Microsoft service. A program you have installed (admitting it could be malware!) is trying to interact with the computer. It is not necessarily harmful. An example could be one of your installed programs attempting an auto update.
You can stop the popup by disabling the service (Interactive services detection), but this might result in a loss of some useful data a program is trying to send you. I have had mine disabled since installation, many months ago, with no obvious harmful effects.

Dad-MSFT (Member with 54 posts; Join Date: Jul 2007; Experience: MCSE CISSP +Security +Exchange)
17-Jul-2007, 12:38 PM #5
Quote:
Originally Posted by uhaligani
Dad may well be right. Ui0detect is a legit Microsoft service. A program you have installed (admitting it could be malware!) is trying to interact with the computer. It is not necessarily harmful. An example could be one of your installed programs attempting an auto update.
You can stop the popup by disabling the service (Interactive services detection), but this might result in a loss of some useful data a program is trying to send you. I have had mine disabled since installation, many months ago, with no obvious harmful effects.

The pertinent point is that svchost.exe is running out of C:\recycler. Only malware does that. There are no legitimate apps that run as services from the recycle bin.
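
Added example, not written by any poster in this thread: a Python sketch that decodes the service values posted in #3 (Type 0x110 is an own-process service with the interactive flag, Start 2 is automatic start) and applies the path check argued in #5. The "ExampleSvc" record, the SYSTEM_NAMES list and the default C:\Windows system root are assumptions made for illustration.

```python
import ntpath

# Constructed records: "Mespanger" copies the registry values posted in this
# thread; "ExampleSvc" is a made-up legitimate-looking service for contrast.
SERVICES = {
    "Mespanger": {"ImagePath": r"c:\Recyclers\svchost.exe",
                  "ObjectName": "LocalSystem", "Start": 0x2, "Type": 0x110},
    "ExampleSvc": {"ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
                   "ObjectName": "LocalSystem", "Start": 0x2, "Type": 0x20},
}
START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
TYPE_FLAGS = {0x1: "kernel_driver", 0x2: "fs_driver", 0x10: "own_process",
              0x20: "share_process", 0x100: "interactive"}
# Illustrative list of Windows binary names that impostors borrow.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}
SYSTEM_ROOT = r"c:\windows"  # assumption: default install location


def binary_path(image_path):
    """Extract the normalised, lower-cased executable path from ImagePath."""
    p = image_path.strip().lower()
    if p.startswith('"'):                 # quoted path, arguments follow
        p = p[1:].split('"', 1)[0]
    elif ".exe" in p:                     # unquoted: cut after the first .exe
        p = p[:p.index(".exe") + 4]
    p = p.replace("%systemroot%", SYSTEM_ROOT)
    return ntpath.normpath(p)


def assess(name, rec):
    """Decode one service record and list the reasons it looks suspicious."""
    exe = binary_path(rec["ImagePath"])
    flags = [label for bit, label in TYPE_FLAGS.items() if rec["Type"] & bit]
    findings = []
    if (ntpath.basename(exe) in SYSTEM_NAMES
            and ntpath.dirname(exe) != SYSTEM_ROOT + r"\system32"):
        findings.append("system binary name outside System32")
    if "recycle" in ntpath.dirname(exe):
        findings.append("runs from a recycle-bin-like folder")
    if "interactive" in flags:
        findings.append("interactive flag set")
    if findings and rec["Start"] == 2 and rec["ObjectName"].lower() == "localsystem":
        findings.append("auto-starts as LocalSystem")
    return {"service": name, "exe": exe, "type": flags,
            "start": START.get(rec["Start"], "unknown"), "findings": findings}


if __name__ == "__main__":
    for svc, record in SERVICES.items():
        print(assess(svc, record))
```

On a live machine the same records can be read from the subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services; a file that is missing from a normal directory listing, as in this thread, still shows up here through its ImagePath.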

Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 01:00 PM #6
Thanks uhaligani, but I am kind of leaning more towards that this is a vicious malware, because of the placement in c:\Recyclers\svchost.exe, and the suspect service name "Mespanger".

Currently, if it wasn't for ui0detect running, I might've never caught notice of it in the first place, so it'll stay on for now.

Maybe this should be moved to the security section?

Dad-MSFT (Member with 54 posts; Join Date: Jul 2007; Experience: MCSE CISSP +Security +Exchange)
17-Jul-2007, 01:05 PM #7
I'm not qualified to give security advice as per the forum regulations, but if it were me:

Locate the malware file in Windows Explorer.
Right Click it.
Get Properties.
Go to the Security Tab.
Go to the Advanced button.
Click to DESELECT 'inherit permissions from parent'.
When prompted, choose to REMOVE ALL permissions.

This will make the malware file completely inaccessible to you, system, everyone. That file will live there forever, but it will no longer cause trouble.

Reboot.

Delete the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mespanger key.

Then figure out how the malware got on the system in the first place and shore up your security.

1. Strong passwords.
2. Automatic Updates
3. CURRENT Antivirus subscription.

Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 03:06 PM #8
Thanks again Dad-MSFT.

I have automatic updates on and NOD32 updated as per this day... Which kind of left me a bit disappointed. I had higher thoughts of NOD32.

However, I tried entering safe mode to delete c:\Recyclers\svchost.exe, but it wasn't there, and typing in "del c:\Recyclers\svchost.exe" in a cmd doesn't work either because "file does not exist". Now, how do I delete something in the recycler folder that isn't there and can't be seen, but yet exists?

I am aware that your method probably will work fine, but as a matter of policy, I don't want the code of a useless good-for-nothing hacker laying around in my computer for whatever reason.

There has to be a way to remove this file and all traces of this malware ever existing from the system...

Dad-MSFT (Member with 54 posts; Join Date: Jul 2007; Experience: MCSE CISSP +Security +Exchange)
17-Jul-2007, 04:04 PM #9
Can you get into C:\recycler in Safe Mode?

Start->Run-> C:\recycler

If you can, can you create a text file called svchost.exe?

If you can create it, I'm confused.

Can you confirm that the file is actually there in normal mode, but absent in Safe mode? I suppose it's not beyond the realm of possibility that some other malware is spawning svchost.exe to run from recycler and then tearing it down on restart, but that seems kind of silly.

You might want to get advice from the malware board here. My methods are not their methods.

Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 04:17 PM #10
OK, to make things clearer: the svchost.exe does not appear in the recycler in normal mode, nor in failsafe.

I liked your idea about creating a svchost.exe in the recycler.
It did give an interesting result. The recycler was completely empty when I tried. I created a "new textfile", renamed it to svchost.exe. Explorer asked if I wanted to change it to a .exe, [Yes], then it asks if I want to rename the file to svchost (2).exe.

I also tried to remove the Recyclers folder as a whole, but that failed... Maybe that can't even be done if the system was healthy, though...

OK, I'm all out of ideas again...

PS. How do I get the malware board to see this? Can I move the thread, or should I create a new one?

Dad-MSFT (Member with 54 posts; Join Date: Jul 2007; Experience: MCSE CISSP +Security +Exchange)
17-Jul-2007, 04:44 PM #11
I don't know. I'm new here.

So, if you can't create a file with the same name in the same directory, one of two things is going on:

run attrib svchost.exe -h -r -s in C:\recycler.

That's the ghetto style way of hiding files from admin. If it's just attrib'd, it will pop up and you will at least see it.

If not, you start thinking about user mode or kernel mode rootkits.

I have tools that can detect and remove them, but they are proprietary. You might try Blacklight or Rootkit Revealer in that case if you wanted to pursue it on your own.

Corday (Junior Member with 6 posts; Join Date: Jul 2007; Location: Sweden; Experience: Advanced)
17-Jul-2007, 05:16 PM #12
Dad-MSFT, you're the hero!

The attrib svchost.exe -h -r -s worked!

I must admit I had serious doubts, because the "del" command wouldn't work, saying there was no such file... I figured, how would the attrib command work. Apparently it did, in some wondrous way.

I had to go to failsafe mode again though, to be able to remove the file. Funny thing is that when I rebooted into failsafe, the svchost.exe was hidden again. So, after doing the attrib command once more, followed by a del, and a comprehensive registry cleanup, it's all GONE!

BIG creds to Dad-MSFT for his commitment in helping me. Reward him well, moderators.

kingofdawn (Junior Member with 1 posts; Join Date: Jul 2007)
21-Jul-2007, 07:28 AM #13
I have just had the same problem. I have no idea where it came from.

Anyway, you are looking for this in the C:\Recycler whereas it sits in C:\Recyclers folder, which is different than the system folder for recycler bin.

Sebastian

ixlone (Junior Member with 3 posts; Join Date: Jul 2007; Experience: Beginner)
30-Jul-2007, 01:25 PM #14
Can someone explain the attrib thing to me please?

I'm having this problem too, and it's rather frustrating.

Thanks!

ixlone (Junior Member with 3 posts; Join Date: Jul 2007; Experience: Beginner)
31-Jul-2007, 09:46 AM #15
It seems svchost.exe is part of the avast anti virus program; as soon as I updated like it was requesting me to do, I stopped receiving the message.